jiachao2130/csaf2cusa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0063dc4ae5
csaf2cusa/csaf_sainfos.json
Jia Chao 658ba0e7e8 重新命名默认的 sa、cve 数据库文件 
Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-07-25 16:21:53 +08:00

2282 lines
455 KiB
JSON
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"openEuler-SA-2024-1877": {
"id": "openEuler-SA-2024-1877",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1877",
"title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP3",
"severity": "High",
"description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\n\nSecurity Fix(es):\n\nAn integer overflow vulnerability was found in FFmpeg versions before 4.4.2 and before 5.0.1 in g729_parse() in llibavcodec/g729_parser.c when processing a specially crafted file.(CVE-2022-1475)\n\nlibavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).(CVE-2022-48434)\n\nFFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0(CVE-2024-32230)",
"cves": [
{
"id": "CVE-2022-1475",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1475",
"severity": "Medium"
},
{
"id": "CVE-2022-48434",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48434",
"severity": "High"
},
{
"id": "CVE-2024-32230",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32230",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1880": {
"id": "openEuler-SA-2024-1880",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1880",
"title": "An update for mongo-c-driver is now available for openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1",
"severity": "Medium",
"description": "mongo-c-driver is a project that includes two libraries: libmongoc, a client library written in C for MongoDB. libbson, a library providing useful routines related to building, parsing, and iterating BSON documents.\n\nSecurity Fix(es):\n\nThe bson_string_append function in MongoDB C Driver may be vulnerable to a buffer overflow where the function might attempt to allocate too small of buffer and may lead to memory corruption of neighbouring heap memory. This issue affects libbson versions prior to 1.27.1(CVE-2024-6383)",
"cves": [
{
"id": "CVE-2024-6383",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6383",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1878": {
"id": "openEuler-SA-2024-1878",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1878",
"title": "An update for freeradius is now available for openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1",
"severity": "High",
"description": "Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.\n\nSecurity Fix(es):\n\nRADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.(CVE-2024-3596)",
"cves": [
{
"id": "CVE-2024-3596",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3596",
"severity": "High"
}
]
},
"openEuler-SA-2024-1866": {
"id": "openEuler-SA-2024-1866",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1866",
"title": "An update for python-pip is now available for openEuler-22.03-LTS-SP4",
"severity": "Medium",
"description": "pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name: python-pip Version: 20.2.2 Release: 4 Summary: A tool for installing and managing Python packages License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL: http://www.pip-installer.org Source0: https://files.pythonhosted.org/packages/source/p/pip/pip-.tar.gz BuildArch: noarch Patch1: allow-stripping-given-prefix-from-wheel-RECORD-files. Patch2: emit-a-warning-when-running-with-root-privileges.patch Patch3: remove-existing-dist-only-if-path-conflicts.patch Patch6000: dummy-certifi.patch Patch6001: backport-CVE-2021-3572.patch\n\nSecurity Fix(es):\n\nurllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n(CVE-2023-45803)\n\n urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.(CVE-2024-37891)",
"cves": [
{
"id": "CVE-2023-45803",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803",
"severity": "Medium"
},
{
"id": "CVE-2024-37891",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1850": {
"id": "openEuler-SA-2024-1850",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1850",
"title": "An update for arm-trusted-firmware is now available for openEuler-22.03-LTS-SP3",
"severity": "Medium",
"description": "Trusted Firmware-A is a reference implementation of secure world software for Arm A-Profile architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor.\n\nSecurity Fix(es):\n\nBuffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C .\n\n\n\n\nIn line 313 \"addr_loaded_cnt\" is checked not to be \"CHECK_IMAGE_AREA_CNT\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \"dst\" will be written to the area immediately after the buffer, which is \"addr_loaded_cnt\". This will allow an attacker to freely control the value of \"addr_loaded_cnt\" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\"len\") they desire.(CVE-2024-6563)\n\nBuffer overflow in \"rcar_dev_init\" due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.(CVE-2024-6564)",
"cves": [
{
"id": "CVE-2024-6563",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6563",
"severity": "Medium"
},
{
"id": "CVE-2024-6564",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6564",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1853": {
"id": "openEuler-SA-2024-1853",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1853",
"title": "An update for httpd is now available for openEuler-20.03-LTS-SP4",
"severity": "High",
"description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\n\nSecurity Fix(es):\n\nSubstitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in\ndirectories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.\n\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.\n\nSome RewriteRules that capture and substitute unsafely will now fail unless rewrite flag \"UnsafeAllow3F\" is specified.(CVE-2024-38474)\n\nnull pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-38477)",
"cves": [
{
"id": "CVE-2024-38474",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38474",
"severity": "High"
},
{
"id": "CVE-2024-38477",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38477",
"severity": "High"
}
]
},
"openEuler-SA-2024-1837": {
"id": "openEuler-SA-2024-1837",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1837",
"title": "An update for kernel is now available for openEuler-22.03-LTS-SP4",
"severity": "High",
"description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9170/1: fix panic when kasan and kprobe are enabled\n\narm32 uses software to simulate the instruction replaced\nby kprobe. some instructions may be simulated by constructing\nassembly functions. therefore, before executing instruction\nsimulation, it is necessary to construct assembly function\nexecution environment in C language through binding registers.\nafter kasan is enabled, the register binding relationship will\nbe destroyed, resulting in instruction simulation errors and\ncausing kernel panic.\n\nthe kprobe emulate instruction function is distributed in three\nfiles: actions-common.c actions-arm.c actions-thumb.c, so disable\nKASAN when compiling these files.\n\nfor example, use kprobe insert on cap_capable+20 after kasan\nenabled, the cap_capable assembly code is as follows:\n<cap_capable>:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne1a05000\tmov\tr5, r0\ne280006c\tadd\tr0, r0, #108 ; 0x6c\ne1a04001\tmov\tr4, r1\ne1a06002\tmov\tr6, r2\ne59fa090\tldr\tsl, [pc, #144] ;\nebfc7bf8\tbl\tc03aa4b4 <__asan_load4>\ne595706c\tldr\tr7, [r5, #108] ; 0x6c\ne2859014\tadd\tr9, r5, #20\n......\nThe emulate_ldr assembly code after enabling kasan is as follows:\nc06f1384 <emulate_ldr>:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne282803c\tadd\tr8, r2, #60 ; 0x3c\ne1a05000\tmov\tr5, r0\ne7e37855\tubfx\tr7, r5, #16, #4\ne1a00008\tmov\tr0, r8\ne1a09001\tmov\tr9, r1\ne1a04002\tmov\tr4, r2\nebf35462\tbl\tc03c6530 <__asan_load4>\ne357000f\tcmp\tr7, #15\ne7e36655\tubfx\tr6, r5, #12, #4\ne205a00f\tand\tsl, r5, #15\n0a000001\tbeq\tc06f13bc <emulate_ldr+0x38>\ne0840107\tadd\tr0, r4, r7, lsl #2\nebf3545c\tbl\tc03c6530 <__asan_load4>\ne084010a\tadd\tr0, r4, sl, lsl #2\nebf3545a\tbl\tc03c6530 <__asan_load4>\ne2890010\tadd\tr0, r9, #16\nebf35458\tbl\tc03c6530 <__asan_load4>\ne5990010\tldr\tr0, [r9, #16]\ne12fff30\tblx\tr0\ne356000f\tcm\tr6, #15\n1a000014\tbne\tc06f1430 <emulate_ldr+0xac>\ne1a06000\tmov\tr6, r0\ne2840040\tadd\tr0, r4, #64 ; 0x40\n......\n\nwhen running in emulate_ldr to simulate the ldr instruction, panic\noccurred, and the log is as follows:\nUnable to handle kernel NULL pointer dereference at virtual address\n00000090\npgd = ecb46400\n[00000090] *pgd=2e0fa003, *pmd=00000000\nInternal error: Oops: 206 [#1] SMP ARM\nPC is at cap_capable+0x14/0xb0\nLR is at emulate_ldr+0x50/0xc0\npsr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c\nr10: 00000000 r9 : c30897f4 r8 : ecd63cd4\nr7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98\nr3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008\nFlags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user\nControl: 32c5387d Table: 2d546400 DAC: 55555555\nProcess bash (pid: 1643, stack limit = 0xecd60190)\n(cap_capable) from (kprobe_handler+0x218/0x340)\n(kprobe_handler) from (kprobe_trap_handler+0x24/0x48)\n(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)\n(do_undefinstr) from (__und_svc_finish+0x0/0x30)\n(__und_svc_finish) from (cap_capable+0x18/0xb0)\n(cap_capable) from (cap_vm_enough_memory+0x38/0x48)\n(cap_vm_enough_memory) from\n(security_vm_enough_memory_mm+0x48/0x6c)\n(security_vm_enough_memory_mm) from\n(copy_process.constprop.5+0x16b4/0x25c8)\n(copy_process.constprop.5) from (_do_fork+0xe8/0x55c)\n(_do_fork) from (SyS_clone+0x1c/0x24)\n(SyS_clone) from (__sys_trace_return+0x0/0x10)\nCode: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)(CVE-2021-47618)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issue of net_device\n\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\n\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null.(CVE-2024-38554)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential hang in nilfs_detach_log_writer()\n\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\n\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\n\nnilfs_detach_log_writer\n nilfs_segctor_destroy\n nilfs_segctor_kill_thread --> Shut down log writer thread\n flush_work\n nilfs_iput_work_func\n nilfs_dispose_list\n iput\n nilfs_evict_inode\n nilfs_transaction_commit\n nilfs_construct_segment (if inode needs sync)\n nilfs_segctor_sync --> Attempt to synchronize with\n log writer thread\n *** DEADLOCK ***\n\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\n\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy().(CVE-2024-38582)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free of timer for log writer thread\n\nPatch series \"nilfs2: fix log writer related issues\".\n\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis. Details are described in each commit log.\n\n\nThis patch (of 3):\n\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\n\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\n\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive.(CVE-2024-38583)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Check 'folio' pointer for NULL\n\nIt can be NULL if bmap is called.(CVE-2024-38625)",
"cves": [
{
"id": "CVE-2021-47618",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47618",
"severity": "Medium"
},
{
"id": "CVE-2024-38554",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38554",
"severity": "Medium"
},
{
"id": "CVE-2024-38582",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38582",
"severity": "None"
},
{
"id": "CVE-2024-38583",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38583",
"severity": "High"
},
{
"id": "CVE-2024-38625",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38625",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1861": {
"id": "openEuler-SA-2024-1861",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1861",
"title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
"severity": "High",
"description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab out of bounds write in smb_inherit_dacl()\n\nslab out-of-bounds write is caused by that offsets is bigger than pntsd\nallocation size. This patch add the check to validate 3 offsets using\nallocation size.(CVE-2023-52755)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\n\nIt needs to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\nto avoid racing with checkpoint, otherwise, filesystem metadata including\nblkaddr in dnode, inode fields and .total_valid_block_count may be\ncorrupted after SPO case.(CVE-2024-34027)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'\n\nWriting 'power' and 'submit_queues' concurrently will trigger kernel\npanic:\n\nTest script:\n\nmodprobe null_blk nr_devices=0\nmkdir -p /sys/kernel/config/nullb/nullb0\nwhile true; do echo 1 > submit_queues; echo 4 > submit_queues; done &\nwhile true; do echo 1 > power; echo 0 > power; done\n\nTest result:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000148\nOops: 0000 [#1] PREEMPT SMP\nRIP: 0010:__lock_acquire+0x41d/0x28f0\nCall Trace:\n <TASK>\n lock_acquire+0x121/0x450\n down_write+0x5f/0x1d0\n simple_recursive_removal+0x12f/0x5c0\n blk_mq_debugfs_unregister_hctxs+0x7c/0x100\n blk_mq_update_nr_hw_queues+0x4a3/0x720\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_submit_queues_store+0x79/0xf0 [null_blk]\n configfs_write_iter+0x119/0x1e0\n vfs_write+0x326/0x730\n ksys_write+0x74/0x150\n\nThis is because del_gendisk() can concurrent with\nblk_mq_update_nr_hw_queues():\n\nnullb_device_power_store\tnullb_apply_submit_queues\n null_del_dev\n del_gendisk\n\t\t\t\t nullb_update_nr_hw_queues\n\t\t\t\t if (!dev->nullb)\n\t\t\t\t // still set while gendisk is deleted\n\t\t\t\t return 0\n\t\t\t\t blk_mq_update_nr_hw_queues\n dev->nullb = NULL\n\nFix this problem by resuing the global mutex to protect\nnullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.(CVE-2024-36478)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\n\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr->aux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\n\nFix it in the one caller that had this combination.\n\nThe undefined behavior was detected by UBSAN:\n UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n shift exponent 64 is too large for 64-bit type 'long unsigned int'\n CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\n Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\n Call Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n ubsan_epilogue+0x5/0x30\n __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n __roundup_pow_of_two+0x25/0x35 [bnxt_re]\n bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\n bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\n bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __kmalloc+0x1b6/0x4f0\n ? create_qp.part.0+0x128/0x1c0 [ib_core]\n ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\n create_qp.part.0+0x128/0x1c0 [ib_core]\n ib_create_qp_kernel+0x50/0xd0 [ib_core]\n create_mad_qp+0x8e/0xe0 [ib_core]\n ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\n ib_mad_init_device+0x2be/0x680 [ib_core]\n add_client_context+0x10d/0x1a0 [ib_core]\n enable_device_and_get+0xe0/0x1d0 [ib_core]\n ib_register_device+0x53c/0x630 [ib_core]\n ? srso_alias_return_thunk+0x5/0xfbef5\n bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\n auxiliary_bus_probe+0x49/0x80\n ? driver_sysfs_add+0x57/0xc0\n really_probe+0xde/0x340\n ? pm_runtime_barrier+0x54/0x90\n ? __pfx___driver_attach+0x10/0x10\n __driver_probe_device+0x78/0x110\n driver_probe_device+0x1f/0xa0\n __driver_attach+0xba/0x1c0\n bus_for_each_dev+0x8f/0xe0\n bus_add_driver+0x146/0x220\n driver_register+0x72/0xd0\n __auxiliary_driver_register+0x6e/0xd0\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n do_one_initcall+0x5b/0x310\n do_init_module+0x90/0x250\n init_module_from_file+0x86/0xc0\n idempotent_init_module+0x121/0x2b0\n __x64_sys_finit_module+0x5e/0xb0\n do_syscall_64+0x82/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode_prepare+0x149/0x170\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode+0x75/0x230\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_syscall_64+0x8e/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __count_memcg_events+0x69/0x100\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? count_memcg_events.constprop.0+0x1a/0x30\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? handle_mm_fault+0x1f0/0x300\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_user_addr_fault+0x34e/0x640\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f4e5132821d\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\n RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\n RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\n R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\n R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n </TASK>\n ---[ end trace ]---(CVE-2024-38540)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\n\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\n\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc. Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\n\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\n\nIt is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\n\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\n\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\n\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine. Executing memset() only for actual ND packets to\navoid the issue.\n\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\n\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed.(CVE-2024-38558)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix potential glock use-after-free on unmount\n\nWhen a DLM lockspace is released and there ares still locks in that\nlockspace, DLM will unlock those locks automatically. Commit\nfb6791d100d1b started exploiting this behavior to speed up filesystem\nunmount: gfs2 would simply free glocks it didn't want to unlock and then\nrelease the lockspace. This didn't take the bast callbacks for\nasynchronous lock contention notifications into account, which remain\nactive until until a lock is unlocked or its lockspace is released.\n\nTo prevent those callbacks from accessing deallocated objects, put the\nglocks that should not be unlocked on the sd_dead_glocks list, release\nthe lockspace, and only then free those glocks.\n\nAs an additional measure, ignore unexpected ast and bast callbacks if\nthe receiving glock is dead.(CVE-2024-38570)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nr8169: Fix possible ring buffer corruption on fragmented Tx packets.\n\nAn issue was found on the RTL8125b when transmitting small fragmented\npackets, whereby invalid entries were inserted into the transmit ring\nbuffer, subsequently leading to calls to dma_unmap_single() with a null\naddress.\n\nThis was caused by rtl8169_start_xmit() not noticing changes to nr_frags\nwhich may occur when small packets are padded (to work around hardware\nquirks) in rtl8169_tso_csum_v2().\n\nTo fix this, postpone inspecting nr_frags until after any padding has been\napplied.(CVE-2024-38586)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nALSA: core: Fix NULL module pointer assignment at card init\n\nThe commit 81033c6b584b (\"ALSA: core: Warn on empty module\")\nintroduced a WARN_ON() for a NULL module pointer passed at snd_card\nobject creation, and it also wraps the code around it with '#ifdef\nMODULE'. This works in most cases, but the devils are always in\ndetails. \"MODULE\" is defined when the target code (i.e. the sound\ncore) is built as a module; but this doesn't mean that the caller is\nalso built-in or not. Namely, when only the sound core is built-in\n(CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),\nthe passed module pointer is ignored even if it's non-NULL, and\ncard->module remains as NULL. This would result in the missing module\nreference up/down at the device open/close, leading to a race with the\ncode execution after the module removal.\n\nFor addressing the bug, move the assignment of card->module again out\nof ifdef. The WARN_ON() is still wrapped with ifdef because the\nmodule can be really NULL when all sound drivers are built-in.\n\nNote that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would\nlead to a false-positive NULL module check. Admittedly it won't catch\nperfectly, i.e. no check is performed when CONFIG_SND=y. But, it's no\nreal problem as it's only for debugging, and the condition is pretty\nrare.(CVE-2024-38605)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: fix potential memory leak in vfio_intx_enable()\n\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.(CVE-2024-38632)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nkdb: Fix buffer overflow during tab-complete\n\nCurrently, when the user attempts symbol completion with the Tab key, kdb\nwill use strncpy() to insert the completed symbol into the command buffer.\nUnfortunately it passes the size of the source buffer rather than the\ndestination to strncpy() with predictably horrible results. Most obviously\nif the command buffer is already full but cp, the cursor position, is in\nthe middle of the buffer, then we will write past the end of the supplied\nbuffer.\n\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\ncalls plus explicit boundary checks to make sure we have enough space\nbefore we start moving characters around.(CVE-2024-39480)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()\n\nIn function bond_option_arp_ip_targets_set(), if newval->string is an\nempty string, newval->string+1 will point to the byte after the\nstring, causing an out-of-bound read.\n\nBUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418\nRead of size 1 at addr ffff8881119c4781 by task syz-executor665/8107\nCPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0xc1/0x5e0 mm/kasan/report.c:475\n kasan_report+0xbe/0xf0 mm/kasan/report.c:588\n strlen+0x7d/0xa0 lib/string.c:418\n __fortify_strlen include/linux/fortify-string.h:210 [inline]\n in4_pton+0xa3/0x3f0 net/core/utils.c:130\n bond_option_arp_ip_targets_set+0xc2/0x910\ndrivers/net/bonding/bond_options.c:1201\n __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767\n __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792\n bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817\n bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156\n dev_attr_store+0x54/0x80 drivers/base/core.c:2366\n sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136\n kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x96a/0xd80 fs/read_write.c:584\n ksys_write+0x122/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n---[ end trace ]---\n\nFix it by adding a check of string length before using it.(CVE-2024-39487)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\nto bug_table entries, and as a result the last entry in a bug table will\nbe ignored, potentially leading to an unexpected panic(). All prior\nentries in the table will be handled correctly.\n\nThe arm64 ABI requires that struct fields of up to 8 bytes are\nnaturally-aligned, with padding added within a struct such that struct\nare suitably aligned within arrays.\n\nWhen CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tsigned int file_disp;\t// 4 bytes\n\t\tunsigned short line;\t\t// 2 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t}\n\n... with 12 bytes total, requiring 4-byte alignment.\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t\t< implicit padding >\t\t// 2 bytes\n\t}\n\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\npadding, requiring 4-byte alginment.\n\nWhen we create a bug_entry in assembly, we align the start of the entry\nto 4 bytes, which implicitly handles padding for any prior entries.\nHowever, we do not align the end of the entry, and so when\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\nbytes.\n\nFor the main kernel image this is not a problem as find_bug() doesn't\ndepend on the trailing padding bytes when searching for entries:\n\n\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\treturn bug;\n\nHowever for modules, module_bug_finalize() depends on the trailing\nbytes when calculating the number of entries:\n\n\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\n\n... and as the last bug_entry lacks the necessary padding bytes, this entry\nwill not be counted, e.g. in the case of a single entry:\n\n\tsechdrs[i].sh_size == 6\n\tsizeof(struct bug_entry) == 8;\n\n\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\n\nConsequently module_find_bug() will miss the last bug_entry when it does:\n\n\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\tgoto out;\n\n... which can lead to a kenrel panic due to an unhandled bug.\n\nThis can be demonstrated with the following module:\n\n\tstatic int __init buginit(void)\n\t{\n\t\tWARN(1, \"hello\\n\");\n\t\treturn 0;\n\t}\n\n\tstatic void __exit bugexit(void)\n\t{\n\t}\n\n\tmodule_init(buginit);\n\tmodule_exit(bugexit);\n\tMODULE_LICENSE(\"GPL\");\n\n... which will trigger a kernel panic when loaded:\n\n\t------------[ cut here ]------------\n\thello\n\tUnexpected kernel BRK exception at EL1\n\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\n\tModules linked in: hello(O+)\n\tCPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : buginit+0x18/0x1000 [hello]\n\tlr : buginit+0x18/0x1000 [hello]\n\tsp : ffff800080533ae0\n\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\n\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\n\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\n\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\n\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\n\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\n\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\n\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\n\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\n\tCall trace:\n\t buginit+0x18/0x1000 [hello]\n\t do_one_initcall+0x80/0x1c8\n\t do_init_module+0x60/0x218\n\t load_module+0x1ba4/0x1d70\n\t __do_sys_init_module+0x198/0x1d0\n\t __arm64_sys_init_module+0x1c/0x28\n\t invoke_syscall+0x48/0x114\n\t el0_svc\n---truncated---(CVE-2024-39488)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix memleak in seg6_hmac_init_algo\n\nseg6_hmac_init_algo returns without cleaning up the previous allocations\nif one fails, so it's going to leak all that memory and the crypto tfms.\n\nUpdate seg6_hmac_exit to only free the memory when allocated, so we can\nreuse the code directly.(CVE-2024-39489)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nsock_map: avoid race between sock_map_close and sk_psock_put\n\nsk_psock_get will return NULL if the refcount of psock has gone to 0, which\nwill happen when the last call of sk_psock_put is done. However,\nsk_psock_drop may not have finished yet, so the close callback will still\npoint to sock_map_close despite psock being NULL.\n\nThis can be reproduced with a thread deleting an element from the sock map,\nwhile the second one creates a socket, adds it to the map and closes it.\n\nThat will trigger the WARN_ON_ONCE:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nModules linked in:\nCPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nCode: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02\nRSP: 0018:ffffc9000441fda8 EFLAGS: 00010293\nRAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000\nRDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0\nRBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3\nR10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840\nR13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870\nFS: 000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n unix_release+0x87/0xc0 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0xbe/0x240 net/socket.c:1421\n __fput+0x42b/0x8a0 fs/file_table.c:422\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close fs/open.c:1541 [inline]\n __x64_sys_close+0x7f/0x110 fs/open.c:1541\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fb37d618070\nCode: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c\nRSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070\nRDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\n\nUse sk_psock, which will only check that the pointer is not been set to\nNULL yet, which should only happen after the callbacks are restored. If,\nthen, a reference can still be gotten, we may call sk_psock_stop and cancel\npsock->work.\n\nAs suggested by Paolo Abeni, reorder the condition so the control flow is\nless convoluted.\n\nAfter that change, the reproducer does not trigger the WARN_ON_ONCE\nanymore.(CVE-2024-39500)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix use after netif_napi_del()\n\nWhen queues are started, netif_napi_add() and napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues' napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue' napi. Unused queues' napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn't distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\n\nReproducer:\n ethtool -L <interface name> rx 1 tx 1 combined 0\n ethtool -L <interface name> rx 0 tx 0 combined 1\n ethtool -L <interface name> rx 0 tx 0 combined 4\n\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? napi_enable+0x3b/0x40\n ? do_error_trap+0x83/0xb0\n ? napi_enable+0x3b/0x40\n ? napi_enable+0x3b/0x40\n ? exc_invalid_op+0x4e/0x70\n ? napi_enable+0x3b/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? napi_enable+0x3b/0x40\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n process_one_work+0x145/0x360\n worker_thread+0x2bb/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xcc/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30(CVE-2024-39502)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_una is properly initialized on connect\n\nThis is strictly related to commit fb7a0d334894 (\"mptcp: ensure snd_nxt\nis properly initialized on connect\"). It turns out that syzkaller can\ntrigger the retransmit after fallback and before processing any other\nincoming packet - so that snd_una is still left uninitialized.\n\nAddress the issue explicitly initializing snd_una together with snd_nxt\nand write_seq.(CVE-2024-40931)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()\n\nFix a memory leak on logi_dj_recv_send_report() error path.(CVE-2024-40934)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: remove clear SB_INLINECRYPT flag in default_options\n\nIn f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.\nIf create new file or open file during this gap, these files\nwill not use inlinecrypt. Worse case, it may lead to data\ncorruption if wrappedkey_v0 is enable.\n\nThread A: Thread B:\n\n-f2fs_remount\t\t\t\t-f2fs_file_open or f2fs_new_inode\n -default_options\n\t<- clear SB_INLINECRYPT flag\n\n -fscrypt_select_encryption_impl\n\n -parse_options\n\t<- set SB_INLINECRYPT again(CVE-2024-40971)",
"cves": [
{
"id": "CVE-2023-52755",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52755",
"severity": "High"
},
{
"id": "CVE-2024-34027",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34027",
"severity": "Medium"
},
{
"id": "CVE-2024-36478",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36478",
"severity": "Medium"
},
{
"id": "CVE-2024-38540",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38540",
"severity": "Medium"
},
{
"id": "CVE-2024-38558",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38558",
"severity": "Medium"
},
{
"id": "CVE-2024-38570",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38570",
"severity": "Medium"
},
{
"id": "CVE-2024-38586",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38586",
"severity": "Medium"
},
{
"id": "CVE-2024-38605",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38605",
"severity": "Medium"
},
{
"id": "CVE-2024-38632",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38632",
"severity": "Medium"
},
{
"id": "CVE-2024-39480",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39480",
"severity": "Medium"
},
{
"id": "CVE-2024-39487",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39487",
"severity": "Medium"
},
{
"id": "CVE-2024-39488",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39488",
"severity": "Medium"
},
{
"id": "CVE-2024-39489",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39489",
"severity": "Low"
},
{
"id": "CVE-2024-39500",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39500",
"severity": "Medium"
},
{
"id": "CVE-2024-39502",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39502",
"severity": "Medium"
},
{
"id": "CVE-2024-40931",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40931",
"severity": "Medium"
},
{
"id": "CVE-2024-40934",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40934",
"severity": "Medium"
},
{
"id": "CVE-2024-40971",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40971",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1852": {
"id": "openEuler-SA-2024-1852",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1852",
"title": "An update for httpd is now available for openEuler-22.03-LTS-SP3",
"severity": "High",
"description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\n\nSecurity Fix(es):\n\nSubstitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in\ndirectories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.\n\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.\n\nSome RewriteRules that capture and substitute unsafely will now fail unless rewrite flag \"UnsafeAllow3F\" is specified.(CVE-2024-38474)\n\nnull pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-38477)",
"cves": [
{
"id": "CVE-2024-38474",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38474",
"severity": "High"
},
{
"id": "CVE-2024-38477",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38477",
"severity": "High"
}
]
},
"openEuler-SA-2024-1856": {
"id": "openEuler-SA-2024-1856",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1856",
"title": "An update for httpd is now available for openEuler-22.03-LTS-SP1",
"severity": "High",
"description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\n\nSecurity Fix(es):\n\nSubstitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in\ndirectories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.\n\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.\n\nSome RewriteRules that capture and substitute unsafely will now fail unless rewrite flag \"UnsafeAllow3F\" is specified.(CVE-2024-38474)\n\nnull pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-38477)",
"cves": [
{
"id": "CVE-2024-38474",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38474",
"severity": "High"
},
{
"id": "CVE-2024-38477",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38477",
"severity": "High"
}
]
},
"openEuler-SA-2024-1826": {
"id": "openEuler-SA-2024-1826",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1826",
"title": "An update for vte291 is now available for openEuler-22.03-LTS-SP3",
"severity": "Low",
"description": "VTE provides a virtual terminal widget for GTK applications.VTE is mainly used in gnome-terminal, but can also be used to embed a console/terminal in games, editors, IDEs, etc.\n\nSecurity Fix(es):\n\nGNOME VTE before 0.76.3 allows an attacker to cause a denial of service (memory consumption) via a window resize escape sequence, a related issue to CVE-2000-0476.(CVE-2024-37535)",
"cves": [
{
"id": "CVE-2024-37535",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37535",
"severity": "Low"
}
]
},
"openEuler-SA-2024-1817": {
"id": "openEuler-SA-2024-1817",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1817",
"title": "An update for xorg-x11-server-xwayland is now available for openEuler-22.03-LTS-SP4",
"severity": "High",
"description": "Xwayland is an X server for running X clients under Wayland. %package devel Summary: Development package Requires: pkgconfig %description devel The development package provides the developmental files which are necessary for developing Wayland compositors using Xwayland. %prep %autosetup -n xwayland- %build %meson \\ -Dxwayland_eglstream=true \\ -Ddefault_font_path=\"catalogue:/etc/X11/fontpath.d,built-ins\" \\ -Dbuilder_string=\"Build ID: -\" \\ -Dxkb_output_dir=/lib/xkb \\ -Dxcsecurity=true \\ -Dglamor=true \\ -Ddri3=true %meson_build\n\nSecurity Fix(es):\n\nA flaw was found in the Xorg-x11-server. The specific flaw exists within the handling of ProcXkbSetDeviceInfo requests. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. This flaw allows an attacker to escalate privileges and execute arbitrary code in the context of root.(CVE-2022-2320)",
"cves": [
{
"id": "CVE-2022-2320",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2320",
"severity": "High"
}
]
},
"openEuler-SA-2024-1847": {
"id": "openEuler-SA-2024-1847",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1847",
"title": "An update for mod_http2 is now available for openEuler-24.03-LTS",
"severity": "Low",
"description": "Mod_h[ttp]2 is an official Apache httpd module, first released in 2.4.17. See Apache downloads to get a released version. mod_proxy_h[ttp]2 has been released in 2.4.23.\n\nSecurity Fix(es):\n\nServing WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.(CVE-2024-36387)",
"cves": [
{
"id": "CVE-2024-36387",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36387",
"severity": "Low"
}
]
},
"openEuler-SA-2024-1840": {
"id": "openEuler-SA-2024-1840",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1840",
"title": "An update for openvpn is now available for openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS",
"severity": "Medium",
"description": "OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security, OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-adapted for the SME and enterprise markets.\n\nSecurity Fix(es):\n\nOpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session(CVE-2024-28882)",
"cves": [
{
"id": "CVE-2024-28882",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28882",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1862": {
"id": "openEuler-SA-2024-1862",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1862",
"title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
"severity": "High",
"description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nKVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak\n\nvcpu_put is not called if the user copy fails. This can result in preempt\nnotifier corruption and crashes, among other issues.(CVE-2021-47296)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: qcom/emac: fix UAF in emac_remove\n\nadpt is netdev private data and it cannot be\nused after free_netdev() call. Using adpt after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() at the end of the\nfunction.(CVE-2021-47311)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests\n\nThe FSM can run in a circle allowing rdma_resolve_ip() to be called twice\non the same id_priv. While this cannot happen without going through the\nwork, it violates the invariant that the same address resolution\nbackground request cannot be active twice.\n\n CPU 1 CPU 2\n\nrdma_resolve_addr():\n RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY\n rdma_resolve_ip(addr_handler) #1\n\n\t\t\t process_one_req(): for #1\n addr_handler():\n RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND\n mutex_unlock(&id_priv->handler_mutex);\n [.. handler still running ..]\n\nrdma_resolve_addr():\n RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY\n rdma_resolve_ip(addr_handler)\n !! two requests are now on the req_list\n\nrdma_destroy_id():\n destroy_id_handler_unlock():\n _destroy_id():\n cma_cancel_operation():\n rdma_addr_cancel()\n\n // process_one_req() self removes it\n\t\t spin_lock_bh(&lock);\n cancel_delayed_work(&req->work);\n\t if (!list_empty(&req->list)) == true\n\n ! rdma_addr_cancel() returns after process_on_req #1 is done\n\n kfree(id_priv)\n\n\t\t\t process_one_req(): for #2\n addr_handler():\n\t mutex_lock(&id_priv->handler_mutex);\n !! Use after free on id_priv\n\nrdma_addr_cancel() expects there to be one req on the list and only\ncancels the first one. The self-removal behavior of the work only happens\nafter the handler has returned. This yields a situations where the\nreq_list can have two reqs for the same \"handle\" but rdma_addr_cancel()\nonly cancels the first one.\n\nThe second req remains active beyond rdma_destroy_id() and will\nuse-after-free id_priv once it inevitably triggers.\n\nFix this by remembering if the id_priv has called rdma_resolve_ip() and\nalways cancel before calling it again. This ensures the req_list never\ngets more than one item in it and doesn't cost anything in the normal flow\nthat never uses this strange error path.(CVE-2021-47391)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nsch_cake: do not call cake_destroy() from cake_init()\n\nqdiscs are not supposed to call their own destroy() method\nfrom init(), because core stack already does that.\n\nsyzbot was able to trigger use after free:\n\nDEBUG_LOCKS_WARN_ON(lock->magic != lock)\nWARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline]\nWARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740\nModules linked in:\nCPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline]\nRIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740\nCode: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8\nRSP: 0018:ffffc9000627f290 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44\nRBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000\nR13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000\nFS: 0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810\n tcf_block_put_ext net/sched/cls_api.c:1381 [inline]\n tcf_block_put_ext net/sched/cls_api.c:1376 [inline]\n tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394\n cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695\n qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293\n tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660\n rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571\n netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:704 [inline]\n sock_sendmsg+0xcf/0x120 net/socket.c:724\n ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409\n ___sys_sendmsg+0xf3/0x170 net/socket.c:2463\n __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f1bb06badb9\nCode: Unable to access opcode bytes at RIP 0x7f1bb06bad8f.\nRSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9\nRDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003\nRBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003\nR10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688\nR13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2\n </TASK>(CVE-2021-47598)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix off by one in BIOS boundary checking\n\nBounds checking when parsing init scripts embedded in the BIOS reject\naccess to the last byte. This causes driver initialization to fail on\nApple eMac's with GeForce 2 MX GPUs, leaving the system with no working\nconsole.\n\nThis is probably only seen on OpenFirmware machines like PowerPC Macs\nbecause the BIOS image provided by OF is only the used parts of the ROM,\nnot a power-of-two blocks read from PCI directly so PCs always have\nempty bytes at the end that are never accessed.(CVE-2022-48732)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix information leakage in /proc/net/ptype\n\nIn one net namespace, after creating a packet socket without binding\nit to a device, users in other net namespaces can observe the new\n`packet_type` added by this packet socket by reading `/proc/net/ptype`\nfile. This is minor information leakage as packet socket is\nnamespace aware.\n\nAdd a net pointer in `packet_type` to keep the net namespace of\nof corresponding packet socket. In `ptype_seq_show`, this net pointer\nmust be checked when it is not NULL.(CVE-2022-48757)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix hang in usb_kill_urb by adding memory barriers\n\nThe syzbot fuzzer has identified a bug in which processes hang waiting\nfor usb_kill_urb() to return. It turns out the issue is not unlinking\nthe URB; that works just fine. Rather, the problem arises when the\nwakeup notification that the URB has completed is not received.\n\nThe reason is memory-access ordering on SMP systems. In outline form,\nusb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on\ndifferent CPUs perform the following actions:\n\nCPU 0\t\t\t\t\tCPU 1\n----------------------------\t\t---------------------------------\nusb_kill_urb():\t\t\t\t__usb_hcd_giveback_urb():\n ...\t\t\t\t\t ...\n atomic_inc(&urb->reject);\t\t atomic_dec(&urb->use_count);\n ...\t\t\t\t\t ...\n wait_event(usb_kill_urb_queue,\n\tatomic_read(&urb->use_count) == 0);\n\t\t\t\t\t if (atomic_read(&urb->reject))\n\t\t\t\t\t\twake_up(&usb_kill_urb_queue);\n\nConfining your attention to urb->reject and urb->use_count, you can\nsee that the overall pattern of accesses on CPU 0 is:\n\n\twrite urb->reject, then read urb->use_count;\n\nwhereas the overall pattern of accesses on CPU 1 is:\n\n\twrite urb->use_count, then read urb->reject.\n\nThis pattern is referred to in memory-model circles as SB (for \"Store\nBuffering\"), and it is well known that without suitable enforcement of\nthe desired order of accesses -- in the form of memory barriers -- it\nis entirely possible for one or both CPUs to execute their reads ahead\nof their writes. The end result will be that sometimes CPU 0 sees the\nold un-decremented value of urb->use_count while CPU 1 sees the old\nun-incremented value of urb->reject. Consequently CPU 0 ends up on\nthe wait queue and never gets woken up, leading to the observed hang\nin usb_kill_urb().\n\nThe same pattern of accesses occurs in usb_poison_urb() and the\nfailure pathway of usb_hcd_submit_urb().\n\nThe problem is fixed by adding suitable memory barriers. To provide\nproper memory-access ordering in the SB pattern, a full barrier is\nrequired on both CPUs. The atomic_inc() and atomic_dec() accesses\nthemselves don't provide any memory ordering, but since they are\npresent, we can use the optimized smp_mb__after_atomic() memory\nbarrier in the various routines to obtain the desired effect.\n\nThis patch adds the necessary memory barriers.(CVE-2022-48760)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\n\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\n\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc. Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\n\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\n\nIt is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\n\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\n\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\n\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine. Executing memset() only for actual ND packets to\navoid the issue.\n\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\n\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed.(CVE-2024-38558)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: fix potential memory leak in vfio_intx_enable()\n\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.(CVE-2024-38632)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nkdb: Fix buffer overflow during tab-complete\n\nCurrently, when the user attempts symbol completion with the Tab key, kdb\nwill use strncpy() to insert the completed symbol into the command buffer.\nUnfortunately it passes the size of the source buffer rather than the\ndestination to strncpy() with predictably horrible results. Most obviously\nif the command buffer is already full but cp, the cursor position, is in\nthe middle of the buffer, then we will write past the end of the supplied\nbuffer.\n\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\ncalls plus explicit boundary checks to make sure we have enough space\nbefore we start moving characters around.(CVE-2024-39480)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()\n\nIn function bond_option_arp_ip_targets_set(), if newval->string is an\nempty string, newval->string+1 will point to the byte after the\nstring, causing an out-of-bound read.\n\nBUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418\nRead of size 1 at addr ffff8881119c4781 by task syz-executor665/8107\nCPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0xc1/0x5e0 mm/kasan/report.c:475\n kasan_report+0xbe/0xf0 mm/kasan/report.c:588\n strlen+0x7d/0xa0 lib/string.c:418\n __fortify_strlen include/linux/fortify-string.h:210 [inline]\n in4_pton+0xa3/0x3f0 net/core/utils.c:130\n bond_option_arp_ip_targets_set+0xc2/0x910\ndrivers/net/bonding/bond_options.c:1201\n __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767\n __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792\n bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817\n bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156\n dev_attr_store+0x54/0x80 drivers/base/core.c:2366\n sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136\n kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x96a/0xd80 fs/read_write.c:584\n ksys_write+0x122/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n---[ end trace ]---\n\nFix it by adding a check of string length before using it.(CVE-2024-39487)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\nto bug_table entries, and as a result the last entry in a bug table will\nbe ignored, potentially leading to an unexpected panic(). All prior\nentries in the table will be handled correctly.\n\nThe arm64 ABI requires that struct fields of up to 8 bytes are\nnaturally-aligned, with padding added within a struct such that struct\nare suitably aligned within arrays.\n\nWhen CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tsigned int file_disp;\t// 4 bytes\n\t\tunsigned short line;\t\t// 2 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t}\n\n... with 12 bytes total, requiring 4-byte alignment.\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t\t< implicit padding >\t\t// 2 bytes\n\t}\n\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\npadding, requiring 4-byte alginment.\n\nWhen we create a bug_entry in assembly, we align the start of the entry\nto 4 bytes, which implicitly handles padding for any prior entries.\nHowever, we do not align the end of the entry, and so when\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\nbytes.\n\nFor the main kernel image this is not a problem as find_bug() doesn't\ndepend on the trailing padding bytes when searching for entries:\n\n\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\treturn bug;\n\nHowever for modules, module_bug_finalize() depends on the trailing\nbytes when calculating the number of entries:\n\n\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\n\n... and as the last bug_entry lacks the necessary padding bytes, this entry\nwill not be counted, e.g. in the case of a single entry:\n\n\tsechdrs[i].sh_size == 6\n\tsizeof(struct bug_entry) == 8;\n\n\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\n\nConsequently module_find_bug() will miss the last bug_entry when it does:\n\n\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\tgoto out;\n\n... which can lead to a kenrel panic due to an unhandled bug.\n\nThis can be demonstrated with the following module:\n\n\tstatic int __init buginit(void)\n\t{\n\t\tWARN(1, \"hello\\n\");\n\t\treturn 0;\n\t}\n\n\tstatic void __exit bugexit(void)\n\t{\n\t}\n\n\tmodule_init(buginit);\n\tmodule_exit(bugexit);\n\tMODULE_LICENSE(\"GPL\");\n\n... which will trigger a kernel panic when loaded:\n\n\t------------[ cut here ]------------\n\thello\n\tUnexpected kernel BRK exception at EL1\n\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\n\tModules linked in: hello(O+)\n\tCPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : buginit+0x18/0x1000 [hello]\n\tlr : buginit+0x18/0x1000 [hello]\n\tsp : ffff800080533ae0\n\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\n\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\n\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\n\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\n\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\n\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\n\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\n\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\n\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\n\tCall trace:\n\t buginit+0x18/0x1000 [hello]\n\t do_one_initcall+0x80/0x1c8\n\t do_init_module+0x60/0x218\n\t load_module+0x1ba4/0x1d70\n\t __do_sys_init_module+0x198/0x1d0\n\t __arm64_sys_init_module+0x1c/0x28\n\t invoke_syscall+0x48/0x114\n\t el0_svc\n---truncated---(CVE-2024-39488)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix memleak in seg6_hmac_init_algo\n\nseg6_hmac_init_algo returns without cleaning up the previous allocations\nif one fails, so it's going to leak all that memory and the crypto tfms.\n\nUpdate seg6_hmac_exit to only free the memory when allocated, so we can\nreuse the code directly.(CVE-2024-39489)",
"cves": [
{
"id": "CVE-2021-47296",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47296",
"severity": "Low"
},
{
"id": "CVE-2021-47311",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47311",
"severity": "High"
},
{
"id": "CVE-2021-47391",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47391",
"severity": "Low"
},
{
"id": "CVE-2021-47598",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47598",
"severity": "Low"
},
{
"id": "CVE-2022-48732",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48732",
"severity": "Medium"
},
{
"id": "CVE-2022-48757",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48757",
"severity": "Medium"
},
{
"id": "CVE-2022-48760",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48760",
"severity": "Medium"
},
{
"id": "CVE-2024-38558",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38558",
"severity": "Medium"
},
{
"id": "CVE-2024-38632",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38632",
"severity": "Medium"
},
{
"id": "CVE-2024-39480",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39480",
"severity": "Medium"
},
{
"id": "CVE-2024-39487",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39487",
"severity": "Medium"
},
{
"id": "CVE-2024-39488",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39488",
"severity": "Medium"
},
{
"id": "CVE-2024-39489",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39489",
"severity": "Low"
}
]
},
"openEuler-SA-2024-1838": {
"id": "openEuler-SA-2024-1838",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1838",
"title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
"severity": "High",
"description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9170/1: fix panic when kasan and kprobe are enabled\n\narm32 uses software to simulate the instruction replaced\nby kprobe. some instructions may be simulated by constructing\nassembly functions. therefore, before executing instruction\nsimulation, it is necessary to construct assembly function\nexecution environment in C language through binding registers.\nafter kasan is enabled, the register binding relationship will\nbe destroyed, resulting in instruction simulation errors and\ncausing kernel panic.\n\nthe kprobe emulate instruction function is distributed in three\nfiles: actions-common.c actions-arm.c actions-thumb.c, so disable\nKASAN when compiling these files.\n\nfor example, use kprobe insert on cap_capable+20 after kasan\nenabled, the cap_capable assembly code is as follows:\n<cap_capable>:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne1a05000\tmov\tr5, r0\ne280006c\tadd\tr0, r0, #108 ; 0x6c\ne1a04001\tmov\tr4, r1\ne1a06002\tmov\tr6, r2\ne59fa090\tldr\tsl, [pc, #144] ;\nebfc7bf8\tbl\tc03aa4b4 <__asan_load4>\ne595706c\tldr\tr7, [r5, #108] ; 0x6c\ne2859014\tadd\tr9, r5, #20\n......\nThe emulate_ldr assembly code after enabling kasan is as follows:\nc06f1384 <emulate_ldr>:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne282803c\tadd\tr8, r2, #60 ; 0x3c\ne1a05000\tmov\tr5, r0\ne7e37855\tubfx\tr7, r5, #16, #4\ne1a00008\tmov\tr0, r8\ne1a09001\tmov\tr9, r1\ne1a04002\tmov\tr4, r2\nebf35462\tbl\tc03c6530 <__asan_load4>\ne357000f\tcmp\tr7, #15\ne7e36655\tubfx\tr6, r5, #12, #4\ne205a00f\tand\tsl, r5, #15\n0a000001\tbeq\tc06f13bc <emulate_ldr+0x38>\ne0840107\tadd\tr0, r4, r7, lsl #2\nebf3545c\tbl\tc03c6530 <__asan_load4>\ne084010a\tadd\tr0, r4, sl, lsl #2\nebf3545a\tbl\tc03c6530 <__asan_load4>\ne2890010\tadd\tr0, r9, #16\nebf35458\tbl\tc03c6530 <__asan_load4>\ne5990010\tldr\tr0, [r9, #16]\ne12fff30\tblx\tr0\ne356000f\tcm\tr6, #15\n1a000014\tbne\tc06f1430 <emulate_ldr+0xac>\ne1a06000\tmov\tr6, r0\ne2840040\tadd\tr0, r4, #64 ; 0x40\n......\n\nwhen running in emulate_ldr to simulate the ldr instruction, panic\noccurred, and the log is as follows:\nUnable to handle kernel NULL pointer dereference at virtual address\n00000090\npgd = ecb46400\n[00000090] *pgd=2e0fa003, *pmd=00000000\nInternal error: Oops: 206 [#1] SMP ARM\nPC is at cap_capable+0x14/0xb0\nLR is at emulate_ldr+0x50/0xc0\npsr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c\nr10: 00000000 r9 : c30897f4 r8 : ecd63cd4\nr7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98\nr3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008\nFlags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user\nControl: 32c5387d Table: 2d546400 DAC: 55555555\nProcess bash (pid: 1643, stack limit = 0xecd60190)\n(cap_capable) from (kprobe_handler+0x218/0x340)\n(kprobe_handler) from (kprobe_trap_handler+0x24/0x48)\n(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)\n(do_undefinstr) from (__und_svc_finish+0x0/0x30)\n(__und_svc_finish) from (cap_capable+0x18/0xb0)\n(cap_capable) from (cap_vm_enough_memory+0x38/0x48)\n(cap_vm_enough_memory) from\n(security_vm_enough_memory_mm+0x48/0x6c)\n(security_vm_enough_memory_mm) from\n(copy_process.constprop.5+0x16b4/0x25c8)\n(copy_process.constprop.5) from (_do_fork+0xe8/0x55c)\n(_do_fork) from (SyS_clone+0x1c/0x24)\n(SyS_clone) from (__sys_trace_return+0x0/0x10)\nCode: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)(CVE-2021-47618)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free after failure to create a snapshot\n\nAt ioctl.c:create_snapshot(), we allocate a pending snapshot structure and\nthen attach it to the transaction's list of pending snapshots. After that\nwe call btrfs_commit_transaction(), and if that returns an error we jump\nto 'fail' label, where we kfree() the pending snapshot structure. This can\nresult in a later use-after-free of the pending snapshot:\n\n1) We allocated the pending snapshot and added it to the transaction's\n list of pending snapshots;\n\n2) We call btrfs_commit_transaction(), and it fails either at the first\n call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups().\n In both cases, we don't abort the transaction and we release our\n transaction handle. We jump to the 'fail' label and free the pending\n snapshot structure. We return with the pending snapshot still in the\n transaction's list;\n\n3) Another task commits the transaction. This time there's no error at\n all, and then during the transaction commit it accesses a pointer\n to the pending snapshot structure that the snapshot creation task\n has already freed, resulting in a user-after-free.\n\nThis issue could actually be detected by smatch, which produced the\nfollowing warning:\n\n fs/btrfs/ioctl.c:843 create_snapshot() warn: '&pending_snapshot->list' not removed from list\n\nSo fix this by not having the snapshot creation ioctl directly add the\npending snapshot to the transaction's list. Instead add the pending\nsnapshot to the transaction handle, and then at btrfs_commit_transaction()\nwe add the snapshot to the list only when we can guarantee that any error\nreturned after that point will result in a transaction abort, in which\ncase the ioctl code can safely free the pending snapshot and no one can\naccess it anymore.(CVE-2022-48733)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Avoid field-overflowing memcpy()\n\nIn preparation for FORTIFY_SOURCE performing compile-time and run-time\nfield bounds checking for memcpy(), memmove(), and memset(), avoid\nintentionally writing across neighboring fields.\n\nUse flexible arrays instead of zero-element arrays (which look like they\nare always overflowing) and split the cross-field memcpy() into two halves\nthat can be appropriately bounds-checked by the compiler.\n\nWe were doing:\n\n\t#define ETH_HLEN 14\n\t#define VLAN_HLEN 4\n\t...\n\t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)\n\t...\n struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi);\n\t...\n struct mlx5_wqe_eth_seg *eseg = &wqe->eth;\n struct mlx5_wqe_data_seg *dseg = wqe->data;\n\t...\n\tmemcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);\n\ntarget is wqe->eth.inline_hdr.start (which the compiler sees as being\n2 bytes in size), but copying 18, intending to write across start\n(really vlan_tci, 2 bytes). The remaining 16 bytes get written into\nwqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr\n(8 bytes).\n\nstruct mlx5e_tx_wqe {\n struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 */\n struct mlx5_wqe_eth_seg eth; /* 16 16 */\n struct mlx5_wqe_data_seg data[]; /* 32 0 */\n\n /* size: 32, cachelines: 1, members: 3 */\n /* last cacheline: 32 bytes */\n};\n\nstruct mlx5_wqe_eth_seg {\n u8 swp_outer_l4_offset; /* 0 1 */\n u8 swp_outer_l3_offset; /* 1 1 */\n u8 swp_inner_l4_offset; /* 2 1 */\n u8 swp_inner_l3_offset; /* 3 1 */\n u8 cs_flags; /* 4 1 */\n u8 swp_flags; /* 5 1 */\n __be16 mss; /* 6 2 */\n __be32 flow_table_metadata; /* 8 4 */\n union {\n struct {\n __be16 sz; /* 12 2 */\n u8 start[2]; /* 14 2 */\n } inline_hdr; /* 12 4 */\n struct {\n __be16 type; /* 12 2 */\n __be16 vlan_tci; /* 14 2 */\n } insert; /* 12 4 */\n __be32 trailer; /* 12 4 */\n }; /* 12 4 */\n\n /* size: 16, cachelines: 1, members: 9 */\n /* last cacheline: 16 bytes */\n};\n\nstruct mlx5_wqe_data_seg {\n __be32 byte_count; /* 0 4 */\n __be32 lkey; /* 4 4 */\n __be64 addr; /* 8 8 */\n\n /* size: 16, cachelines: 1, members: 3 */\n /* last cacheline: 16 bytes */\n};\n\nSo, split the memcpy() so the compiler can reason about the buffer\nsizes.\n\n\"pahole\" shows no size nor member offset changes to struct mlx5e_tx_wqe\nnor struct mlx5e_umr_wqe. \"objdump -d\" shows no meaningful object\ncode changes (i.e. only source line number induced differences and\noptimizations).(CVE-2022-48744)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nKVM: LAPIC: Also cancel preemption timer during SET_LAPIC\n\nThe below warning is splatting during guest reboot.\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5\n RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n Call Trace:\n <TASK>\n kvm_vcpu_ioctl+0x279/0x710 [kvm]\n __x64_sys_ioctl+0x83/0xb0\n do_syscall_64+0x3b/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7fd39797350b\n\nThis can be triggered by not exposing tsc-deadline mode and doing a reboot in\nthe guest. The lapic_shutdown() function which is called in sys_reboot path\nwill not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears\nAPIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode\nswitch between tsc-deadline and oneshot/periodic, which can result in preemption\ntimer be cancelled in apic_update_lvtt(). However, We can't depend on this when\nnot exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption\ntimer. Qemu will synchronise states around reset, let's cancel preemption timer\nunder KVM_SET_LAPIC.(CVE-2022-48765)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmedia: lgdt3306a: Add a check against null-pointer-def\n\nThe driver should check whether the client provides the platform_data.\n\nThe following log reveals it:\n\n[ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\n[ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\n[ 29.612820] Call Trace:\n[ 29.613030] <TASK>\n[ 29.613201] dump_stack_lvl+0x56/0x6f\n[ 29.613496] ? kmemdup+0x30/0x40\n[ 29.613754] print_report.cold+0x494/0x6b7\n[ 29.614082] ? kmemdup+0x30/0x40\n[ 29.614340] kasan_report+0x8a/0x190\n[ 29.614628] ? kmemdup+0x30/0x40\n[ 29.614888] kasan_check_range+0x14d/0x1d0\n[ 29.615213] memcpy+0x20/0x60\n[ 29.615454] kmemdup+0x30/0x40\n[ 29.615700] lgdt3306a_probe+0x52/0x310\n[ 29.616339] i2c_device_probe+0x951/0xa90(CVE-2022-48772)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data\n\nAdd the check for the return value of mtk_alloc_clk_data() in order to\navoid NULL pointer dereference.(CVE-2023-52873)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nof: dynamic: Synchronize of_changeset_destroy() with the devlink removals\n\nIn the following sequence:\n 1) of_platform_depopulate()\n 2) of_overlay_remove()\n\nDuring the step 1, devices are destroyed and devlinks are removed.\nDuring the step 2, OF nodes are destroyed but\n__of_changeset_entry_destroy() can raise warnings related to missing\nof_node_put():\n ERROR: memory leak, expected refcount 1 instead of 2 ...\n\nIndeed, during the devlink removals performed at step 1, the removal\nitself releasing the device (and the attached of_node) is done by a job\nqueued in a workqueue and so, it is done asynchronously with respect to\nfunction calls.\nWhen the warning is present, of_node_put() will be called but wrongly\ntoo late from the workqueue job.\n\nIn order to be sure that any ongoing devlink removals are done before\nthe of_node destruction, synchronize the of_changeset_destroy() with the\ndevlink removals.(CVE-2024-35879)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n simple_copy_to_iter net/core/datagram.c:532 [inline]\n __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n __do_sys_recvfrom net/socket.c:2260 [inline]\n __se_sys_recvfrom net/socket.c:2256 [inline]\n __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n nlmsg_unicast include/net/netlink.h:1144 [inline]\n nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n tcf_add_notify net/sched/act_api.c:2048 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n __nla_put lib/nlattr.c:1041 [inline]\n nla_put+0x1c6/0x230 lib/nlattr.c:1099\n tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n tcf_add_notify net/sched/act_api.c:2042 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---(CVE-2024-35893)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr\n\nAlthough ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it\nstill means hlist_for_each_entry_rcu can return an item that got removed\nfrom the list. The memory itself of such item is not freed thanks to RCU\nbut nothing guarantees the actual content of the memory is sane.\n\nIn particular, the reference count can be zero. This can happen if\nipv6_del_addr is called in parallel. ipv6_del_addr removes the entry\nfrom inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all\nreferences (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough\ntiming, this can happen:\n\n1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.\n\n2. Then, the whole ipv6_del_addr is executed for the given entry. The\n reference count drops to zero and kfree_rcu is scheduled.\n\n3. ipv6_get_ifaddr continues and tries to increments the reference count\n (in6_ifa_hold).\n\n4. The rcu is unlocked and the entry is freed.\n\n5. The freed entry is returned.\n\nPrevent increasing of the reference count in such case. The name\nin6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.\n\n[ 41.506330] refcount_t: addition on 0; use-after-free.\n[ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130\n[ 41.507413] Modules linked in: veth bridge stp llc\n[ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14\n[ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n[ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130\n[ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff\n[ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282\n[ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000\n[ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900\n[ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff\n[ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000\n[ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48\n[ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000\n[ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0\n[ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 41.516799] Call Trace:\n[ 41.517037] <TASK>\n[ 41.517249] ? __warn+0x7b/0x120\n[ 41.517535] ? refcount_warn_saturate+0xa5/0x130\n[ 41.517923] ? report_bug+0x164/0x190\n[ 41.518240] ? handle_bug+0x3d/0x70\n[ 41.518541] ? exc_invalid_op+0x17/0x70\n[ 41.520972] ? asm_exc_invalid_op+0x1a/0x20\n[ 41.521325] ? refcount_warn_saturate+0xa5/0x130\n[ 41.521708] ipv6_get_ifaddr+0xda/0xe0\n[ 41.522035] inet6_rtm_getaddr+0x342/0x3f0\n[ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10\n[ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0\n[ 41.523102] ? netlink_unicast+0x30f/0x390\n[ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[ 41.523832] netlink_rcv_skb+0x53/0x100\n[ 41.524157] netlink_unicast+0x23b/0x390\n[ 41.524484] netlink_sendmsg+0x1f2/0x440\n[ 41.524826] __sys_sendto+0x1d8/0x1f0\n[ 41.525145] __x64_sys_sendto+0x1f/0x30\n[ 41.525467] do_syscall_64+0xa5/0x1b0\n[ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a\n[ 41.526213] RIP: 0033:0x7fbc4cfcea9a\n[ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n[ 41.527942] RSP: 002b:00007f\n---truncated---(CVE-2024-35969)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix TASK_SIZE on 64-bit NOMMU\n\nOn NOMMU, userspace memory can come from anywhere in physical RAM. The\ncurrent definition of TASK_SIZE is wrong if any RAM exists above 4G,\ncausing spurious failures in the userspace access routines.(CVE-2024-35988)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix oops during rmmod on single-CPU platforms\n\nDuring the removal of the idxd driver, registered offline callback is\ninvoked as part of the clean up process. However, on systems with only\none CPU online, no valid target is available to migrate the\nperf context, resulting in a kernel oops:\n\n BUG: unable to handle page fault for address: 000000000002a2b8\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 1470e1067 P4D 0\n Oops: 0002 [#1] PREEMPT SMP NOPTI\n CPU: 0 PID: 20 Comm: cpuhp/0 Not tainted 6.8.0-rc6-dsa+ #57\n Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\n RIP: 0010:mutex_lock+0x2e/0x50\n ...\n Call Trace:\n <TASK>\n __die+0x24/0x70\n page_fault_oops+0x82/0x160\n do_user_addr_fault+0x65/0x6b0\n __pfx___rdmsr_safe_on_cpu+0x10/0x10\n exc_page_fault+0x7d/0x170\n asm_exc_page_fault+0x26/0x30\n mutex_lock+0x2e/0x50\n mutex_lock+0x1e/0x50\n perf_pmu_migrate_context+0x87/0x1f0\n perf_event_cpu_offline+0x76/0x90 [idxd]\n cpuhp_invoke_callback+0xa2/0x4f0\n __pfx_perf_event_cpu_offline+0x10/0x10 [idxd]\n cpuhp_thread_fun+0x98/0x150\n smpboot_thread_fn+0x27/0x260\n smpboot_thread_fn+0x1af/0x260\n __pfx_smpboot_thread_fn+0x10/0x10\n kthread+0x103/0x140\n __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x50\n __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n <TASK>\n\nFix the issue by preventing the migration of the perf context to an\ninvalid target.(CVE-2024-35989)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/arm/malidp: fix a possible null pointer dereference\n\nIn malidp_mw_connector_reset, new memory is allocated with kzalloc, but\nno check is performed. In order to prevent null pointer dereferencing,\nensure that mw_state is checked before calling\n__drm_atomic_helper_connector_reset.(CVE-2024-36014)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix missing memory barrier in tls_init\n\nIn tls_init(), a write memory barrier is missing, and store-store\nreordering may cause NULL dereference in tls_{setsockopt,getsockopt}.\n\nCPU0 CPU1\n----- -----\n// In tls_init()\n// In tls_ctx_create()\nctx = kzalloc()\nctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)\n\n// In update_sk_prot()\nWRITE_ONCE(sk->sk_prot, tls_prots) -(2)\n\n // In sock_common_setsockopt()\n READ_ONCE(sk->sk_prot)->setsockopt()\n\n // In tls_{setsockopt,getsockopt}()\n ctx->sk_proto->setsockopt() -(3)\n\nIn the above scenario, when (1) and (2) are reordered, (3) can observe\nthe NULL value of ctx->sk_proto, causing NULL dereference.\n\nTo fix it, we rely on rcu_assign_pointer() which implies the release\nbarrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is\ninitialized, we can ensure that ctx->sk_proto are visible when\nchanging sk->sk_prot.(CVE-2024-36489)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nvirtio: delete vq in vp_find_vqs_msix() when request_irq() fails\n\nWhen request_irq() fails, error path calls vp_del_vqs(). There, as vq is\npresent in the list, free_irq() is called for the same vector. That\ncauses following splat:\n\n[ 0.414355] Trying to free already-free IRQ 27\n[ 0.414403] WARNING: CPU: 1 PID: 1 at kernel/irq/manage.c:1899 free_irq+0x1a1/0x2d0\n[ 0.414510] Modules linked in:\n[ 0.414540] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc4+ #27\n[ 0.414540] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n[ 0.414540] RIP: 0010:free_irq+0x1a1/0x2d0\n[ 0.414540] Code: 1e 00 48 83 c4 08 48 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 90 8b 74 24 04 48 c7 c7 98 80 6c b1 e8 00 c9 f7 ff 90 <0f> 0b 90 90 48 89 ee 4c 89 ef e8 e0 20 b8 00 49 8b 47 40 48 8b 40\n[ 0.414540] RSP: 0000:ffffb71480013ae0 EFLAGS: 00010086\n[ 0.414540] RAX: 0000000000000000 RBX: ffffa099c2722000 RCX: 0000000000000000\n[ 0.414540] RDX: 0000000000000000 RSI: ffffb71480013998 RDI: 0000000000000001\n[ 0.414540] RBP: 0000000000000246 R08: 00000000ffffdfff R09: 0000000000000001\n[ 0.414540] R10: 00000000ffffdfff R11: ffffffffb18729c0 R12: ffffa099c1c91760\n[ 0.414540] R13: ffffa099c1c916a4 R14: ffffa099c1d2f200 R15: ffffa099c1c91600\n[ 0.414540] FS: 0000000000000000(0000) GS:ffffa099fec40000(0000) knlGS:0000000000000000\n[ 0.414540] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 0.414540] CR2: 0000000000000000 CR3: 0000000008e3e001 CR4: 0000000000370ef0\n[ 0.414540] Call Trace:\n[ 0.414540] <TASK>\n[ 0.414540] ? __warn+0x80/0x120\n[ 0.414540] ? free_irq+0x1a1/0x2d0\n[ 0.414540] ? report_bug+0x164/0x190\n[ 0.414540] ? handle_bug+0x3b/0x70\n[ 0.414540] ? exc_invalid_op+0x17/0x70\n[ 0.414540] ? asm_exc_invalid_op+0x1a/0x20\n[ 0.414540] ? free_irq+0x1a1/0x2d0\n[ 0.414540] vp_del_vqs+0xc1/0x220\n[ 0.414540] vp_find_vqs_msix+0x305/0x470\n[ 0.414540] vp_find_vqs+0x3e/0x1a0\n[ 0.414540] vp_modern_find_vqs+0x1b/0x70\n[ 0.414540] init_vqs+0x387/0x600\n[ 0.414540] virtnet_probe+0x50a/0xc80\n[ 0.414540] virtio_dev_probe+0x1e0/0x2b0\n[ 0.414540] really_probe+0xc0/0x2c0\n[ 0.414540] ? __pfx___driver_attach+0x10/0x10\n[ 0.414540] __driver_probe_device+0x73/0x120\n[ 0.414540] driver_probe_device+0x1f/0xe0\n[ 0.414540] __driver_attach+0x88/0x180\n[ 0.414540] bus_for_each_dev+0x85/0xd0\n[ 0.414540] bus_add_driver+0xec/0x1f0\n[ 0.414540] driver_register+0x59/0x100\n[ 0.414540] ? __pfx_virtio_net_driver_init+0x10/0x10\n[ 0.414540] virtio_net_driver_init+0x90/0xb0\n[ 0.414540] do_one_initcall+0x58/0x230\n[ 0.414540] kernel_init_freeable+0x1a3/0x2d0\n[ 0.414540] ? __pfx_kernel_init+0x10/0x10\n[ 0.414540] kernel_init+0x1a/0x1c0\n[ 0.414540] ret_from_fork+0x31/0x50\n[ 0.414540] ? __pfx_kernel_init+0x10/0x10\n[ 0.414540] ret_from_fork_asm+0x1a/0x30\n[ 0.414540] </TASK>\n\nFix this by calling deleting the current vq when request_irq() fails.(CVE-2024-37353)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\n\nWe have been seeing crashes on duplicate keys in\nbtrfs_set_item_key_safe():\n\n BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/ctree.c:2620!\n invalid opcode: 0000 [#1] PREEMPT SMP PTI\n CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\n RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\n\nWith the following stack trace:\n\n #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\n #1 btrfs_drop_extents (fs/btrfs/file.c:411:4)\n #2 log_one_extent (fs/btrfs/tree-log.c:4732:9)\n #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\n #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\n #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\n #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\n #7 btrfs_sync_file (fs/btrfs/file.c:1933:8)\n #8 vfs_fsync_range (fs/sync.c:188:9)\n #9 vfs_fsync (fs/sync.c:202:9)\n #10 do_fsync (fs/sync.c:212:9)\n #11 __do_sys_fdatasync (fs/sync.c:225:9)\n #12 __se_sys_fdatasync (fs/sync.c:223:1)\n #13 __x64_sys_fdatasync (fs/sync.c:223:1)\n #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\n #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\n #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\n\nSo we're logging a changed extent from fsync, which is splitting an\nextent in the log tree. But this split part already exists in the tree,\ntriggering the BUG().\n\nThis is the state of the log tree at the time of the crash, dumped with\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\nto get more details than btrfs_print_leaf() gives us:\n\n >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0][\"eb\"])\n leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\n leaf 33439744 flags 0x100000000000000\n fs uuid e5bd3946-400c-4223-8923-190ef1f18677\n chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\n item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\n generation 7 transid 9 size 8192 nbytes 8473563889606862198\n block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\n sequence 204 flags 0x10(PREALLOC)\n atime 1716417703.220000000 (2024-05-22 15:41:43)\n ctime 1716417704.983333333 (2024-05-22 15:41:44)\n mtime 1716417704.983333333 (2024-05-22 15:41:44)\n otime 17592186044416.000000000 (559444-03-08 01:40:16)\n item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\n index 195 namelen 3 name: 193\n item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\n location key (0 UNKNOWN.0 0) type XATTR\n transid 7 data_len 1 name_len 6\n name: user.a\n data a\n item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\n generation 9 type 1 (regular)\n extent data disk byte 303144960 nr 12288\n extent data offset 0 nr 4096 ram 12288\n extent compression 0 (none)\n item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 4096 nr 8192\n item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 8192 nr 4096\n ...\n\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\nitem 5 starts at i_size.\n\nHere is the state of \n---truncated---(CVE-2024-37354)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_rx_work\n\nsyzbot reported the following uninit-value access issue [1]\n\nnci_rx_work() parses received packet from ndev->rx_q. It should be\nvalidated header size, payload size and total packet size before\nprocessing the packet. If an invalid packet is detected, it should be\nsilently discarded.(CVE-2024-38381)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmedia: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries\n\nThe allocation failure of mycs->yuv_scaler_binary in load_video_binaries()\nis followed with a dereference of mycs->yuv_scaler_binary after the\nfollowing call chain:\n\nsh_css_pipe_load_binaries()\n |-> load_video_binaries(mycs->yuv_scaler_binary == NULL)\n |\n |-> sh_css_pipe_unload_binaries()\n |-> unload_video_binaries()\n\nIn unload_video_binaries(), it calls to ia_css_binary_unload with argument\n&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the\nsame memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer\ndereference is triggered.(CVE-2024-38547)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential index out of bounds in color transformation function\n\nFixes index out of bounds issue in the color transformation function.\nThe issue could occur when the index 'i' exceeds the number of transfer\nfunction points (TRANSFER_FUNC_POINTS).\n\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, an error message is\nlogged and the function returns false to indicate an error.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max(CVE-2024-38552)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: remove .ndo_poll_controller to avoid deadlocks\n\nThere is a deadlock issue found in sungem driver, please refer to the\ncommit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid\ndeadlocks\"). The root cause of the issue is that netpoll is in atomic\ncontext and disable_irq() is called by .ndo_poll_controller interface\nof sungem driver, however, disable_irq() might sleep. After analyzing\nthe implementation of fec_poll_controller(), the fec driver should have\nthe same issue. Due to the fec driver uses NAPI for TX completions, the\n.ndo_poll_controller is unnecessary to be implemented in the fec driver,\nso fec_poll_controller() can be safely removed.(CVE-2024-38553)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issue of net_device\n\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\n\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null.(CVE-2024-38554)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nrcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow\n\nThere is a possibility of buffer overflow in\nshow_rcu_tasks_trace_gp_kthread() if counters, passed\nto sprintf() are huge. Counter numbers, needed for this\nare unrealistically high, but buffer overflow is still\npossible.\n\nUse snprintf() with buffer size instead of sprintf().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38577)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: bcm - Fix pointer arithmetic\n\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\ninstead of hash_iv_len which could lead to going beyond the\nbuffer boundaries.\nFix this bug by changing ciph_key_len to hash_iv_len.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38579)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential hang in nilfs_detach_log_writer()\n\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\n\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\n\nnilfs_detach_log_writer\n nilfs_segctor_destroy\n nilfs_segctor_kill_thread --> Shut down log writer thread\n flush_work\n nilfs_iput_work_func\n nilfs_dispose_list\n iput\n nilfs_evict_inode\n nilfs_transaction_commit\n nilfs_construct_segment (if inode needs sync)\n nilfs_segctor_sync --> Attempt to synchronize with\n log writer thread\n *** DEADLOCK ***\n\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\n\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy().(CVE-2024-38582)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free of timer for log writer thread\n\nPatch series \"nilfs2: fix log writer related issues\".\n\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis. Details are described in each commit log.\n\n\nThis patch (of 3):\n\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\n\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\n\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive.(CVE-2024-38583)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Modify the print level of CQE error\n\nToo much print may lead to a panic in kernel. Change ibdev_err() to\nibdev_err_ratelimited(), and change the printing level of cqe dump\nto debug level.(CVE-2024-38590)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data races in unix_release_sock/unix_stream_sendmsg\n\nA data-race condition has been identified in af_unix. In one data path,\nthe write function unix_release_sock() atomically writes to\nsk->sk_shutdown using WRITE_ONCE. However, on the reader side,\nunix_stream_sendmsg() does not read it atomically. Consequently, this\nissue is causing the following KCSAN splat to occur:\n\n\tBUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg\n\n\twrite (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28:\n\tunix_release_sock (net/unix/af_unix.c:640)\n\tunix_release (net/unix/af_unix.c:1050)\n\tsock_close (net/socket.c:659 net/socket.c:1421)\n\t__fput (fs/file_table.c:422)\n\t__fput_sync (fs/file_table.c:508)\n\t__se_sys_close (fs/open.c:1559 fs/open.c:1541)\n\t__x64_sys_close (fs/open.c:1541)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n\tread to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14:\n\tunix_stream_sendmsg (net/unix/af_unix.c:2273)\n\t__sock_sendmsg (net/socket.c:730 net/socket.c:745)\n\t____sys_sendmsg (net/socket.c:2584)\n\t__sys_sendmmsg (net/socket.c:2638 net/socket.c:2724)\n\t__x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750)\n\tx64_sys_call (arch/x86/entry/syscall_64.c:33)\n\tdo_syscall_64 (arch/x86/entry/common.c:?)\n\tentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n\tvalue changed: 0x01 -> 0x03\n\nThe line numbers are related to commit dd5a440a31fa (\"Linux 6.9-rc7\").\n\nCommit e1d09c2c2f57 (\"af_unix: Fix data races around sk->sk_shutdown.\")\naddressed a comparable issue in the past regarding sk->sk_shutdown.\nHowever, it overlooked resolving this particular data path.\nThis patch only offending unix_stream_sendmsg() function, since the\nother reads seem to be protected by unix_state_lock() as discussed in(CVE-2024-38596)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issues of ax25_dev\n\nThe ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference\ncount leak issue of the object \"ax25_dev\".\n\nMemory leak issue in ax25_addr_ax25dev():\n\nThe reference count of the object \"ax25_dev\" can be increased multiple\ntimes in ax25_addr_ax25dev(). This will cause a memory leak.\n\nMemory leak issues in ax25_dev_device_down():\n\nThe reference count of ax25_dev is set to 1 in ax25_dev_device_up() and\nthen increase the reference count when ax25_dev is added to ax25_dev_list.\nAs a result, the reference count of ax25_dev is 2. But when the device is\nshutting down. The ax25_dev_device_down() drops the reference count once\nor twice depending on if we goto unlock_put or not, which will cause\nmemory leak.\n\nAs for the issue of ax25_addr_ax25dev(), it is impossible for one pointer\nto be on a list twice. So add a break in ax25_addr_ax25dev(). As for the\nissue of ax25_dev_device_down(), increase the reference count of ax25_dev\nonce in ax25_dev_device_up() and decrease the reference count of ax25_dev\nafter it is removed from the ax25_dev_list.(CVE-2024-38602)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/perf: hisi: hns3: Actually use devm_add_action_or_reset()\n\npci_alloc_irq_vectors() allocates an irq vector. When devm_add_action()\nfails, the irq vector is not freed, which leads to a memory leak.\n\nReplace the devm_add_action with devm_add_action_or_reset to ensure\nthe irq vector can be destroyed when it fails.(CVE-2024-38603)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Check 'folio' pointer for NULL\n\nIt can be NULL if bmap is called.(CVE-2024-38625)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Update uart_driver_registered on driver removal\n\nThe removal of the last MAX3100 device triggers the removal of\nthe driver. However, code doesn't update the respective global\nvariable and after insmod — rmmod — insmod cycle the kernel\noopses:\n\n max3100 spi-PRP0001:01: max3100_probe: adding port 0\n BUG: kernel NULL pointer dereference, address: 0000000000000408\n ...\n RIP: 0010:serial_core_register_port+0xa0/0x840\n ...\n max3100_probe+0x1b6/0x280 [max3100]\n spi_probe+0x8d/0xb0\n\nUpdate the actual state so next time UART driver will be registered\nagain.\n\nHugo also noticed, that the error path in the probe also affected\nby having the variable set, and not cleared. Instead of clearing it\nmove the assignment after the successfull uart_register_driver() call.(CVE-2024-38633)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: lights: check return of get_channel_from_mode\n\nIf channel for the given node is not found we return null from\nget_channel_from_mode. Make sure we validate the return pointer\nbefore using it in two of the missing places.\n\nThis was originally reported in [0]:\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru(CVE-2024-38637)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\n\nSince commit a6aa8fca4d79 (\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\nknown context\") by error replaced spin_unlock_irqrestore() with\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\ninconsistent lock state warning.\n\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().(CVE-2024-38780)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix uninit-value in p9_client_rpc()\n\nSyzbot with the help of KMSAN reported the following error:\n\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2175 [inline]\n allocate_slab mm/slub.c:2338 [inline]\n new_slab+0x2de/0x1400 mm/slub.c:2391\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\n __slab_alloc mm/slub.c:3610 [inline]\n __slab_alloc_node mm/slub.c:3663 [inline]\n slab_alloc_node mm/slub.c:3835 [inline]\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\n p9_tag_alloc net/9p/client.c:278 [inline]\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\nwill not be properly initialized. However, trace_9p_client_res()\nends up trying to print it out anyway before p9_client_rpc()\nfinishes.\n\nFix this issue by assigning default values to p9_fcall fields\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\nduring the tag allocation stage.(CVE-2024-39301)\n\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-39362)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()\n\nsyzbot reports a kernel bug as below:\n\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\n==================================================================\nBUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\nBUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]\nBUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\nRead of size 1 at addr ffff88807a58c76c by task syz-executor280/5076\n\nCPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\n current_nat_addr fs/f2fs/node.h:213 [inline]\n f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\n f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]\n f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838\n __do_sys_ioctl fs/ioctl.c:902 [inline]\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is we missed to do sanity check on i_xattr_nid during\nf2fs_iget(), so that in fiemap() path, current_nat_addr() will access\nnat_bitmap w/ offset from invalid i_xattr_nid, result in triggering\nkasan bug report, fix it.(CVE-2024-39467)",
"cves": [
{
"id": "CVE-2021-47618",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47618",
"severity": "Medium"
},
{
"id": "CVE-2022-48733",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48733",
"severity": "Medium"
},
{
"id": "CVE-2022-48744",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48744",
"severity": "Medium"
},
{
"id": "CVE-2022-48765",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48765",
"severity": "Medium"
},
{
"id": "CVE-2022-48772",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48772",
"severity": "Medium"
},
{
"id": "CVE-2023-52873",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52873",
"severity": "Medium"
},
{
"id": "CVE-2024-35879",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35879",
"severity": "Medium"
},
{
"id": "CVE-2024-35893",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35893",
"severity": "Medium"
},
{
"id": "CVE-2024-35969",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35969",
"severity": "Medium"
},
{
"id": "CVE-2024-35988",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35988",
"severity": "Medium"
},
{
"id": "CVE-2024-35989",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35989",
"severity": "Medium"
},
{
"id": "CVE-2024-36014",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36014",
"severity": "Medium"
},
{
"id": "CVE-2024-36489",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36489",
"severity": "Medium"
},
{
"id": "CVE-2024-37353",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37353",
"severity": "Low"
},
{
"id": "CVE-2024-37354",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37354",
"severity": "Medium"
},
{
"id": "CVE-2024-38381",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38381",
"severity": "Medium"
},
{
"id": "CVE-2024-38547",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38547",
"severity": "Medium"
},
{
"id": "CVE-2024-38552",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38552",
"severity": "Medium"
},
{
"id": "CVE-2024-38553",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38553",
"severity": "Medium"
},
{
"id": "CVE-2024-38554",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38554",
"severity": "Medium"
},
{
"id": "CVE-2024-38577",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38577",
"severity": "Medium"
},
{
"id": "CVE-2024-38579",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38579",
"severity": "Medium"
},
{
"id": "CVE-2024-38582",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38582",
"severity": "None"
},
{
"id": "CVE-2024-38583",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38583",
"severity": "High"
},
{
"id": "CVE-2024-38590",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38590",
"severity": "Medium"
},
{
"id": "CVE-2024-38596",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38596",
"severity": "Low"
},
{
"id": "CVE-2024-38602",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38602",
"severity": "Medium"
},
{
"id": "CVE-2024-38603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38603",
"severity": "Medium"
},
{
"id": "CVE-2024-38625",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38625",
"severity": "Medium"
},
{
"id": "CVE-2024-38633",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38633",
"severity": "Medium"
},
{
"id": "CVE-2024-38637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38637",
"severity": "Low"
},
{
"id": "CVE-2024-38780",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38780",
"severity": "Medium"
},
{
"id": "CVE-2024-39301",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39301",
"severity": "Medium"
},
{
"id": "CVE-2024-39362",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39362",
"severity": "Medium"
},
{
"id": "CVE-2024-39467",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39467",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1859": {
"id": "openEuler-SA-2024-1859",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1859",
"title": "An update for firefox is now available for openEuler-20.03-LTS-SP4",
"severity": "Critical",
"description": "Mozilla Firefox is a standalone web browser, designed for standards compliance and performance. Its functionality can be enhanced via a plethora of extensions.\n\nSecurity Fix(es):Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\n\nSecurity Fix(es):\n\nWhen processing surfaces, the lifetime may outlive a persistent buffer leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 81.(CVE-2020-15675)\n\nUsing the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.(CVE-2021-23954)\n\nIf an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45406)",
"cves": [
{
"id": "CVE-2020-15675",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15675",
"severity": "High"
},
{
"id": "CVE-2021-23954",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23954",
"severity": "High"
},
{
"id": "CVE-2022-45406",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45406",
"severity": "Critical"
}
]
},
"openEuler-SA-2024-1833": {
"id": "openEuler-SA-2024-1833",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1833",
"title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP3",
"severity": "Medium",
"description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\n\nSecurity Fix(es):\n\nInteger overflow vulnerability in av_timecode_make_string in libavutil/timecode.c in FFmpeg version 4.3.2, allows local attackers to cause a denial of service (DoS) via crafted .mov file.(CVE-2021-28429)",
"cves": [
{
"id": "CVE-2021-28429",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28429",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1864": {
"id": "openEuler-SA-2024-1864",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1864",
"title": "An update for kernel is now available for openEuler-22.03-LTS-SP4",
"severity": "Medium",
"description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\n\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr->aux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\n\nFix it in the one caller that had this combination.\n\nThe undefined behavior was detected by UBSAN:\n UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n shift exponent 64 is too large for 64-bit type 'long unsigned int'\n CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\n Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\n Call Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n ubsan_epilogue+0x5/0x30\n __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n __roundup_pow_of_two+0x25/0x35 [bnxt_re]\n bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\n bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\n bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __kmalloc+0x1b6/0x4f0\n ? create_qp.part.0+0x128/0x1c0 [ib_core]\n ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\n create_qp.part.0+0x128/0x1c0 [ib_core]\n ib_create_qp_kernel+0x50/0xd0 [ib_core]\n create_mad_qp+0x8e/0xe0 [ib_core]\n ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\n ib_mad_init_device+0x2be/0x680 [ib_core]\n add_client_context+0x10d/0x1a0 [ib_core]\n enable_device_and_get+0xe0/0x1d0 [ib_core]\n ib_register_device+0x53c/0x630 [ib_core]\n ? srso_alias_return_thunk+0x5/0xfbef5\n bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\n auxiliary_bus_probe+0x49/0x80\n ? driver_sysfs_add+0x57/0xc0\n really_probe+0xde/0x340\n ? pm_runtime_barrier+0x54/0x90\n ? __pfx___driver_attach+0x10/0x10\n __driver_probe_device+0x78/0x110\n driver_probe_device+0x1f/0xa0\n __driver_attach+0xba/0x1c0\n bus_for_each_dev+0x8f/0xe0\n bus_add_driver+0x146/0x220\n driver_register+0x72/0xd0\n __auxiliary_driver_register+0x6e/0xd0\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n do_one_initcall+0x5b/0x310\n do_init_module+0x90/0x250\n init_module_from_file+0x86/0xc0\n idempotent_init_module+0x121/0x2b0\n __x64_sys_finit_module+0x5e/0xb0\n do_syscall_64+0x82/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode_prepare+0x149/0x170\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode+0x75/0x230\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_syscall_64+0x8e/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __count_memcg_events+0x69/0x100\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? count_memcg_events.constprop.0+0x1a/0x30\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? handle_mm_fault+0x1f0/0x300\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_user_addr_fault+0x34e/0x640\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f4e5132821d\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\n RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\n RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\n R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\n R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n </TASK>\n ---[ end trace ]---(CVE-2024-38540)",
"cves": [
{
"id": "CVE-2024-38540",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38540",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1842": {
"id": "openEuler-SA-2024-1842",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1842",
"title": "An update for cockpit is now available for openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1",
"severity": "Low",
"description": "Cockpit makes GNU/Linux discoverable. See Linux server in a web browser and perform system tasks with a mouse. Its easy to start containers, administer storage, configure networks, and inspect logs with this package.\n\nSecurity Fix(es):\n\nA flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env's user_readenv option, which leads to a denial of service (DoS) attack.(CVE-2024-6126)",
"cves": [
{
"id": "CVE-2024-6126",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6126",
"severity": "Low"
}
]
},
"openEuler-SA-2024-1868": {
"id": "openEuler-SA-2024-1868",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1868",
"title": "An update for python-pip is now available for openEuler-22.03-LTS-SP3",
"severity": "High",
"description": "pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name: python-pip Version: 20.2.2 Release: 4 Summary: A tool for installing and managing Python packages License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL: http://www.pip-installer.org Source0: https://files.pythonhosted.org/packages/source/p/pip/pip-.tar.gz BuildArch: noarch Patch1: allow-stripping-given-prefix-from-wheel-RECORD-files. Patch2: emit-a-warning-when-running-with-root-privileges.patch Patch3: remove-existing-dist-only-if-path-conflicts.patch Patch6000: dummy-certifi.patch Patch6001: backport-CVE-2021-3572.patch\n\nSecurity Fix(es):\n\nurllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.(CVE-2023-43804)\n\nurllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n(CVE-2023-45803)\n\n urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.(CVE-2024-37891)",
"cves": [
{
"id": "CVE-2023-43804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804",
"severity": "High"
},
{
"id": "CVE-2023-45803",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803",
"severity": "Medium"
},
{
"id": "CVE-2024-37891",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1851": {
"id": "openEuler-SA-2024-1851",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1851",
"title": "An update for arm-trusted-firmware is now available for openEuler-24.03-LTS",
"severity": "Medium",
"description": "Trusted Firmware-A is a reference implementation of secure world software for Arm A-Profile architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor.\n\nSecurity Fix(es):\n\nBuffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C .\n\n\n\n\nIn line 313 \"addr_loaded_cnt\" is checked not to be \"CHECK_IMAGE_AREA_CNT\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \"dst\" will be written to the area immediately after the buffer, which is \"addr_loaded_cnt\". This will allow an attacker to freely control the value of \"addr_loaded_cnt\" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\"len\") they desire.(CVE-2024-6563)\n\nBuffer overflow in \"rcar_dev_init\" due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.(CVE-2024-6564)",
"cves": [
{
"id": "CVE-2024-6563",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6563",
"severity": "Medium"
},
{
"id": "CVE-2024-6564",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6564",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1843": {
"id": "openEuler-SA-2024-1843",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1843",
"title": "An update for glibc is now available for openEuler-20.03-LTS-SP4",
"severity": "High",
"description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more.\n\nSecurity Fix(es):\n\nThe iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n(CVE-2024-2961)",
"cves": [
{
"id": "CVE-2024-2961",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961",
"severity": "High"
}
]
},
"openEuler-SA-2024-1857": {
"id": "openEuler-SA-2024-1857",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1857",
"title": "An update for rapidjson is now available for openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4",
"severity": "High",
"description": "RapidJSON as a fast JSON parser which generator for c++. It`s inspired by RapidXML. It`s supports both SAX & DOM style API. It`s small but complete. It`s fast, It`s preformance can be comparabel to strlen(). It`s self-contained. It doesn`t depend on external libraries such as BOOST. It`s Unicode and memory friendly, each JSON valude occupies exactly 16/20 bytes for most 32/64-bit machines. It`s suport UTF-8 UTF-16 UTF-32 (LE & BE).\n\nSecurity Fix(es):\n\nTencent RapidJSON is vulnerable to privilege escalation due to an integer underflow in the `GenericReader::ParseNumber()` function of `include/rapidjson/reader.h` when parsing JSON text from a stream. An attacker needs to send the victim a crafted file which needs to be opened; this triggers the integer underflow vulnerability (when the file is parsed), leading to elevation of privilege.(CVE-2024-38517)",
"cves": [
{
"id": "CVE-2024-38517",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38517",
"severity": "High"
}
]
},
"openEuler-SA-2024-1846": {
"id": "openEuler-SA-2024-1846",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1846",
"title": "An update for openjpeg2 is now available for openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS",
"severity": "Medium",
"description": "OpenJPEG is an open-source JPEG 2000 codec written in C language. It has been developed in order to promote the use of JPEG 2000, a still-image compression standard from the Joint Photographic Experts Group (JPEG). Since April 2015, it is officially recognized by ISO/IEC and ITU-T as a JPEG 2000 Reference Software.\n\nSecurity Fix(es):\n\nA vulnerability was found in OpenJPEG similar to CVE-2019-6988. This flaw allows an attacker to bypass existing protections and cause an application crash through a maliciously crafted file.(CVE-2023-39328)",
"cves": [
{
"id": "CVE-2023-39328",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39328",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1845": {
"id": "openEuler-SA-2024-1845",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1845",
"title": "An update for glibc is now available for openEuler-22.03-LTS-SP3",
"severity": "High",
"description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more.\n\nSecurity Fix(es):\n\nThe iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n(CVE-2024-2961)",
"cves": [
{
"id": "CVE-2024-2961",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961",
"severity": "High"
}
]
},
"openEuler-SA-2024-1820": {
"id": "openEuler-SA-2024-1820",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1820",
"title": "An update for rubygem-rack is now available for openEuler-20.03-LTS-SP4",
"severity": "High",
"description": "Rack provides a minimal, modular, and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.\n\nSecurity Fix(es):\n\nA denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.(CVE-2022-44572)\n\nRack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.(CVE-2024-26141)",
"cves": [
{
"id": "CVE-2022-44572",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44572",
"severity": "High"
},
{
"id": "CVE-2024-26141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1863": {
"id": "openEuler-SA-2024-1863",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1863",
"title": "An update for kernel is now available for openEuler-24.03-LTS",
"severity": "Critical",
"description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation\n\nEach attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a\nstruct ifla_vf_vlan_info so the size of such attribute needs to be at least\nof sizeof(struct ifla_vf_vlan_info) which is 14 bytes.\nThe current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)\nwhich is less than sizeof(struct ifla_vf_vlan_info) so this validation\nis not enough and a too small attribute might be cast to a\nstruct ifla_vf_vlan_info, this might result in an out of bands\nread access when accessing the saved (casted) entry in ivvl.(CVE-2024-36017)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'\n\nWriting 'power' and 'submit_queues' concurrently will trigger kernel\npanic:\n\nTest script:\n\nmodprobe null_blk nr_devices=0\nmkdir -p /sys/kernel/config/nullb/nullb0\nwhile true; do echo 1 > submit_queues; echo 4 > submit_queues; done &\nwhile true; do echo 1 > power; echo 0 > power; done\n\nTest result:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000148\nOops: 0000 [#1] PREEMPT SMP\nRIP: 0010:__lock_acquire+0x41d/0x28f0\nCall Trace:\n <TASK>\n lock_acquire+0x121/0x450\n down_write+0x5f/0x1d0\n simple_recursive_removal+0x12f/0x5c0\n blk_mq_debugfs_unregister_hctxs+0x7c/0x100\n blk_mq_update_nr_hw_queues+0x4a3/0x720\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_submit_queues_store+0x79/0xf0 [null_blk]\n configfs_write_iter+0x119/0x1e0\n vfs_write+0x326/0x730\n ksys_write+0x74/0x150\n\nThis is because del_gendisk() can concurrent with\nblk_mq_update_nr_hw_queues():\n\nnullb_device_power_store\tnullb_apply_submit_queues\n null_del_dev\n del_gendisk\n\t\t\t\t nullb_update_nr_hw_queues\n\t\t\t\t if (!dev->nullb)\n\t\t\t\t // still set while gendisk is deleted\n\t\t\t\t return 0\n\t\t\t\t blk_mq_update_nr_hw_queues\n dev->nullb = NULL\n\nFix this problem by resuing the global mutex to protect\nnullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.(CVE-2024-36478)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ntracing/probes: fix error check in parse_btf_field()\n\nbtf_find_struct_member() might return NULL or an error via the\nERR_PTR() macro. However, its caller in parse_btf_field() only checks\nfor the NULL condition. Fix this by using IS_ERR() and returning the\nerror up the stack.(CVE-2024-36481)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()\n\nlpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the\nhbalock. Thus, lpfc_worker_wake_up() should not be called while holding the\nhbalock to avoid potential deadlock.(CVE-2024-36924)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: core: reject skb_copy(_expand) for fraglist GSO skbs\n\nSKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become\ninvalid. Return NULL if such an skb is passed to skb_copy or\nskb_copy_expand, in order to prevent a crash on a potential later\ncall to skb_gso_segment.(CVE-2024-36929)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a lbuf-sized kernel buffer and copy lbuf from\nuserspace to that buffer. Later, we use scanf on this buffer but we don't\nensure that the string is terminated inside the buffer, this can lead to\nOOB read when using scanf. Fix this issue by using memdup_user_nul instead.(CVE-2024-36931)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: range check cp bad op exception interrupts\n\nDue to a CP interrupt bug, bad packet garbage exception codes are raised.\nDo a range check so that the debugger and runtime do not receive garbage\ncodes.\nUpdate the user api to guard exception code type checking as well.(CVE-2024-36951)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: fix list corruption from reorder of WRITE ->lqueued\n\n__blkcg_rstat_flush() can be run anytime, especially when blk_cgroup_bio_start\nis being executed.\n\nIf WRITE of `->lqueued` is re-ordered with READ of 'bisc->lnode.next' in\nthe loop of __blkcg_rstat_flush(), `next_bisc` can be assigned with one\nstat instance being added in blk_cgroup_bio_start(), then the local\nlist in __blkcg_rstat_flush() could be corrupted.\n\nFix the issue by adding one barrier.(CVE-2024-38384)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\n\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\n\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc. Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\n\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\n\nIt is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\n\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\n\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\n\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine. Executing memset() only for actual ND packets to\navoid the issue.\n\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\n\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed.(CVE-2024-38558)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix potential glock use-after-free on unmount\n\nWhen a DLM lockspace is released and there ares still locks in that\nlockspace, DLM will unlock those locks automatically. Commit\nfb6791d100d1b started exploiting this behavior to speed up filesystem\nunmount: gfs2 would simply free glocks it didn't want to unlock and then\nrelease the lockspace. This didn't take the bast callbacks for\nasynchronous lock contention notifications into account, which remain\nactive until until a lock is unlocked or its lockspace is released.\n\nTo prevent those callbacks from accessing deallocated objects, put the\nglocks that should not be unlocked on the sd_dead_glocks list, release\nthe lockspace, and only then free those glocks.\n\nAs an additional measure, ignore unexpected ast and bast callbacks if\nthe receiving glock is dead.(CVE-2024-38570)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/mes: fix use-after-free issue\n\nDelete fence fallback timer to fix the ramdom\nuse-after-free issue.\n\nv2: move to amdgpu_mes.c(CVE-2024-38581)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free of timer for log writer thread\n\nPatch series \"nilfs2: fix log writer related issues\".\n\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis. Details are described in each commit log.\n\n\nThis patch (of 3):\n\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\n\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\n\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive.(CVE-2024-38583)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nr8169: Fix possible ring buffer corruption on fragmented Tx packets.\n\nAn issue was found on the RTL8125b when transmitting small fragmented\npackets, whereby invalid entries were inserted into the transmit ring\nbuffer, subsequently leading to calls to dma_unmap_single() with a null\naddress.\n\nThis was caused by rtl8169_start_xmit() not noticing changes to nr_frags\nwhich may occur when small packets are padded (to work around hardware\nquirks) in rtl8169_tso_csum_v2().\n\nTo fix this, postpone inspecting nr_frags until after any padding has been\napplied.(CVE-2024-38586)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nopenrisc: traps: Don't send signals to kernel mode threads\n\nOpenRISC exception handling sends signals to user processes on floating\npoint exceptions and trap instructions (for debugging) among others.\nThere is a bug where the trap handling logic may send signals to kernel\nthreads, we should not send these signals to kernel threads, if that\nhappens we treat it as an error.\n\nThis patch adds conditions to die if the kernel receives these\nexceptions in kernel mode code.(CVE-2024-38614)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: HCI: Remove HCI_AMP support\n\nSince BT_HS has been remove HCI_AMP controllers no longer has any use so\nremove it along with the capability of creating AMP controllers.\n\nSince we no longer need to differentiate between AMP and Primary\ncontrollers, as only HCI_PRIMARY is left, this also remove\nhdev->dev_type altogether.(CVE-2024-38620)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: fix potential memory leak in vfio_intx_enable()\n\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.(CVE-2024-38632)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ns390/ap: Fix crash in AP internal function modify_bitmap()\n\nA system crash like this\n\n Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403\n Fault in home space mode while using kernel ASCE.\n AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d\n Oops: 0038 ilc:3 [#1] PREEMPT SMP\n Modules linked in: mlx5_ib ...\n CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8\n Hardware name: IBM 3931 A01 704 (LPAR)\n Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)\n R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3\n 000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0\n 000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff\n 000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8\n Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a\n 0000014b75e7b600: 18b2 lr %r11,%r2\n #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616\n >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13)\n 0000014b75e7b60c: a7680001 lhi %r6,1\n 0000014b75e7b610: 187b lr %r7,%r11\n 0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654\n 0000014b75e7b616: 18e9 lr %r14,%r9\n Call Trace:\n [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8\n ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)\n [<0000014b75e7b758>] apmask_store+0x68/0x140\n [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8\n [<0000014b75598524>] vfs_write+0x1b4/0x448\n [<0000014b7559894c>] ksys_write+0x74/0x100\n [<0000014b7618a440>] __do_syscall+0x268/0x328\n [<0000014b761a3558>] system_call+0x70/0x98\n INFO: lockdep is turned off.\n Last Breaking-Event-Address:\n [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8\n Kernel panic - not syncing: Fatal exception: panic_on_oops\n\noccured when /sys/bus/ap/a[pq]mask was updated with a relative mask value\n(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.\n\nThe fix is simple: use unsigned long values for the internal variables. The\ncorrect checks are already in place in the function but a simple int for\nthe internal variables was used with the possibility to overflow.(CVE-2024-38661)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nclk: bcm: dvp: Assign ->num before accessing ->hws\n\nCommit f316cdff8d67 (\"clk: Annotate struct clk_hw_onecell_data with\n__counted_by\") annotated the hws member of 'struct clk_hw_onecell_data'\nwith __counted_by, which informs the bounds sanitizer about the number\nof elements in hws, so that it can warn when hws is accessed out of\nbounds. As noted in that change, the __counted_by member must be\ninitialized with the number of elements before the first array access\nhappens, otherwise there will be a warning from each access prior to the\ninitialization because the number of elements is zero. This occurs in\nclk_dvp_probe() due to ->num being assigned after ->hws has been\naccessed:\n\n UBSAN: array-index-out-of-bounds in drivers/clk/bcm/clk-bcm2711-dvp.c:59:2\n index 0 is out of range for type 'struct clk_hw *[] __counted_by(num)' (aka 'struct clk_hw *[]')\n\nMove the ->num initialization to before the first access of ->hws, which\nclears up the warning.(CVE-2024-39462)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l: async: Fix notifier list entry init\n\nstruct v4l2_async_notifier has several list_head members, but only\nwaiting_list and done_list are initialized. notifier_entry was kept\n'zeroed' leading to an uninitialized list_head.\nThis results in a NULL-pointer dereference if csi2_async_register() fails,\ne.g. node for remote endpoint is disabled, and returns -ENOTCONN.\nThe following calls to v4l2_async_nf_unregister() results in a NULL\npointer dereference.\nAdd the missing list head initializer.(CVE-2024-39464)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: starfive - Do not free stack buffer\n\nRSA text data uses variable length buffer allocated in software stack.\nCalling kfree on it causes undefined behaviour in subsequent operations.(CVE-2024-39478)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/hwmon: Get rid of devm\n\nWhen both hwmon and hwmon drvdata (on which hwmon depends) are device\nmanaged resources, the expectation, on device unbind, is that hwmon will be\nreleased before drvdata. However, in i915 there are two separate code\npaths, which both release either drvdata or hwmon and either can be\nreleased before the other. These code paths (for device unbind) are as\nfollows (see also the bug referenced below):\n\nCall Trace:\nrelease_nodes+0x11/0x70\ndevres_release_group+0xb2/0x110\ncomponent_unbind_all+0x8d/0xa0\ncomponent_del+0xa5/0x140\nintel_pxp_tee_component_fini+0x29/0x40 [i915]\nintel_pxp_fini+0x33/0x80 [i915]\ni915_driver_remove+0x4c/0x120 [i915]\ni915_pci_remove+0x19/0x30 [i915]\npci_device_remove+0x32/0xa0\ndevice_release_driver_internal+0x19c/0x200\nunbind_store+0x9c/0xb0\n\nand\n\nCall Trace:\nrelease_nodes+0x11/0x70\ndevres_release_all+0x8a/0xc0\ndevice_unbind_cleanup+0x9/0x70\ndevice_release_driver_internal+0x1c1/0x200\nunbind_store+0x9c/0xb0\n\nThis means that in i915, if use devm, we cannot gurantee that hwmon will\nalways be released before drvdata. Which means that we have a uaf if hwmon\nsysfs is accessed when drvdata has been released but hwmon hasn't.\n\nThe only way out of this seems to be do get rid of devm_ and release/free\neverything explicitly during device unbind.\n\nv2: Change commit message and other minor code changes\nv3: Cleanup from i915_hwmon_register on error (Armin Wolf)\nv4: Eliminate potential static analyzer warning (Rodrigo)\n Eliminate fetch_and_zero (Jani)\nv5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi)(CVE-2024-39479)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nkdb: Fix buffer overflow during tab-complete\n\nCurrently, when the user attempts symbol completion with the Tab key, kdb\nwill use strncpy() to insert the completed symbol into the command buffer.\nUnfortunately it passes the size of the source buffer rather than the\ndestination to strncpy() with predictably horrible results. Most obviously\nif the command buffer is already full but cp, the cursor position, is in\nthe middle of the buffer, then we will write past the end of the supplied\nbuffer.\n\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\ncalls plus explicit boundary checks to make sure we have enough space\nbefore we start moving characters around.(CVE-2024-39480)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()\n\nIn function bond_option_arp_ip_targets_set(), if newval->string is an\nempty string, newval->string+1 will point to the byte after the\nstring, causing an out-of-bound read.\n\nBUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418\nRead of size 1 at addr ffff8881119c4781 by task syz-executor665/8107\nCPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0xc1/0x5e0 mm/kasan/report.c:475\n kasan_report+0xbe/0xf0 mm/kasan/report.c:588\n strlen+0x7d/0xa0 lib/string.c:418\n __fortify_strlen include/linux/fortify-string.h:210 [inline]\n in4_pton+0xa3/0x3f0 net/core/utils.c:130\n bond_option_arp_ip_targets_set+0xc2/0x910\ndrivers/net/bonding/bond_options.c:1201\n __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767\n __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792\n bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817\n bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156\n dev_attr_store+0x54/0x80 drivers/base/core.c:2366\n sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136\n kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x96a/0xd80 fs/read_write.c:584\n ksys_write+0x122/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n---[ end trace ]---\n\nFix it by adding a check of string length before using it.(CVE-2024-39487)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\nto bug_table entries, and as a result the last entry in a bug table will\nbe ignored, potentially leading to an unexpected panic(). All prior\nentries in the table will be handled correctly.\n\nThe arm64 ABI requires that struct fields of up to 8 bytes are\nnaturally-aligned, with padding added within a struct such that struct\nare suitably aligned within arrays.\n\nWhen CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tsigned int file_disp;\t// 4 bytes\n\t\tunsigned short line;\t\t// 2 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t}\n\n... with 12 bytes total, requiring 4-byte alignment.\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t\t< implicit padding >\t\t// 2 bytes\n\t}\n\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\npadding, requiring 4-byte alginment.\n\nWhen we create a bug_entry in assembly, we align the start of the entry\nto 4 bytes, which implicitly handles padding for any prior entries.\nHowever, we do not align the end of the entry, and so when\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\nbytes.\n\nFor the main kernel image this is not a problem as find_bug() doesn't\ndepend on the trailing padding bytes when searching for entries:\n\n\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\treturn bug;\n\nHowever for modules, module_bug_finalize() depends on the trailing\nbytes when calculating the number of entries:\n\n\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\n\n... and as the last bug_entry lacks the necessary padding bytes, this entry\nwill not be counted, e.g. in the case of a single entry:\n\n\tsechdrs[i].sh_size == 6\n\tsizeof(struct bug_entry) == 8;\n\n\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\n\nConsequently module_find_bug() will miss the last bug_entry when it does:\n\n\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\tgoto out;\n\n... which can lead to a kenrel panic due to an unhandled bug.\n\nThis can be demonstrated with the following module:\n\n\tstatic int __init buginit(void)\n\t{\n\t\tWARN(1, \"hello\\n\");\n\t\treturn 0;\n\t}\n\n\tstatic void __exit bugexit(void)\n\t{\n\t}\n\n\tmodule_init(buginit);\n\tmodule_exit(bugexit);\n\tMODULE_LICENSE(\"GPL\");\n\n... which will trigger a kernel panic when loaded:\n\n\t------------[ cut here ]------------\n\thello\n\tUnexpected kernel BRK exception at EL1\n\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\n\tModules linked in: hello(O+)\n\tCPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : buginit+0x18/0x1000 [hello]\n\tlr : buginit+0x18/0x1000 [hello]\n\tsp : ffff800080533ae0\n\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\n\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\n\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\n\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\n\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\n\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\n\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\n\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\n\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\n\tCall trace:\n\t buginit+0x18/0x1000 [hello]\n\t do_one_initcall+0x80/0x1c8\n\t do_init_module+0x60/0x218\n\t load_module+0x1ba4/0x1d70\n\t __do_sys_init_module+0x198/0x1d0\n\t __arm64_sys_init_module+0x1c/0x28\n\t invoke_syscall+0x48/0x114\n\t el0_svc\n---truncated---(CVE-2024-39488)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix memleak in seg6_hmac_init_algo\n\nseg6_hmac_init_algo returns without cleaning up the previous allocations\nif one fails, so it's going to leak all that memory and the crypto tfms.\n\nUpdate seg6_hmac_exit to only free the memory when allocated, so we can\nreuse the code directly.(CVE-2024-39489)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nsock_map: avoid race between sock_map_close and sk_psock_put\n\nsk_psock_get will return NULL if the refcount of psock has gone to 0, which\nwill happen when the last call of sk_psock_put is done. However,\nsk_psock_drop may not have finished yet, so the close callback will still\npoint to sock_map_close despite psock being NULL.\n\nThis can be reproduced with a thread deleting an element from the sock map,\nwhile the second one creates a socket, adds it to the map and closes it.\n\nThat will trigger the WARN_ON_ONCE:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nModules linked in:\nCPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nCode: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02\nRSP: 0018:ffffc9000441fda8 EFLAGS: 00010293\nRAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000\nRDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0\nRBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3\nR10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840\nR13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870\nFS: 000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n unix_release+0x87/0xc0 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0xbe/0x240 net/socket.c:1421\n __fput+0x42b/0x8a0 fs/file_table.c:422\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close fs/open.c:1541 [inline]\n __x64_sys_close+0x7f/0x110 fs/open.c:1541\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fb37d618070\nCode: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c\nRSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070\nRDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\n\nUse sk_psock, which will only check that the pointer is not been set to\nNULL yet, which should only happen after the callbacks are restored. If,\nthen, a reference can still be gotten, we may call sk_psock_stop and cancel\npsock->work.\n\nAs suggested by Paolo Abeni, reorder the condition so the control flow is\nless convoluted.\n\nAfter that change, the reproducer does not trigger the WARN_ON_ONCE\nanymore.(CVE-2024-39500)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix use after netif_napi_del()\n\nWhen queues are started, netif_napi_add() and napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues' napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue' napi. Unused queues' napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn't distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn't reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\n\nReproducer:\n ethtool -L <interface name> rx 1 tx 1 combined 0\n ethtool -L <interface name> rx 0 tx 0 combined 1\n ethtool -L <interface name> rx 0 tx 0 combined 4\n\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? napi_enable+0x3b/0x40\n ? do_error_trap+0x83/0xb0\n ? napi_enable+0x3b/0x40\n ? napi_enable+0x3b/0x40\n ? exc_invalid_op+0x4e/0x70\n ? napi_enable+0x3b/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? napi_enable+0x3b/0x40\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n process_one_work+0x145/0x360\n worker_thread+0x2bb/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xcc/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30(CVE-2024-39502)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible race in __fib6_drop_pcpu_from()\n\nsyzbot found a race in __fib6_drop_pcpu_from() [1]\n\nIf compiler reads more than once (*ppcpu_rt),\nsecond read could read NULL, if another cpu clears\nthe value in rt6_get_pcpu_route().\n\nAdd a READ_ONCE() to prevent this race.\n\nAlso add rcu_read_lock()/rcu_read_unlock() because\nwe rely on RCU protection while dereferencing pcpu_rt.\n\n[1]\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]\nCPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: netns cleanup_net\n RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984\nCode: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48\nRSP: 0018:ffffc900040df070 EFLAGS: 00010206\nRAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16\nRDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091\nRBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007\nR10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8\nR13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]\n fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]\n fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038\n fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]\n fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043\n fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205\n fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127\n fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175\n fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255\n __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271\n rt6_sync_down_dev net/ipv6/route.c:4906 [inline]\n rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911\n addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855\n addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778\n notifier_call_chain+0xb9/0x410 kernel/notifier.c:93\n call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992\n call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]\n call_netdevice_notifiers net/core/dev.c:2044 [inline]\n dev_close_many+0x333/0x6a0 net/core/dev.c:1585\n unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193\n unregister_netdevice_many net/core/dev.c:11276 [inline]\n default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759\n ops_exit_list+0x128/0x180 net/core/net_namespace.c:178\n cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n process_scheduled_works kernel/workqueue.c:3312 [inline]\n worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244(CVE-2024-40905)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_una is properly initialized on connect\n\nThis is strictly related to commit fb7a0d334894 (\"mptcp: ensure snd_nxt\nis properly initialized on connect\"). It turns out that syzkaller can\ntrigger the retransmit after fallback and before processing any other\nincoming packet - so that snd_una is still left uninitialized.\n\nAddress the issue explicitly initializing snd_una together with snd_nxt\nand write_seq.(CVE-2024-40931)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()\n\nFix a memory leak on logi_dj_recv_send_report() error path.(CVE-2024-40934)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind()\n\nThe cs35l41_hda_unbind() function clears the hda_component entry\nmatching it's index and then dereferences the codec pointer held in the\nfirst element of the hda_component array, this is an issue when the\ndevice index was 0.\n\nInstead use the codec pointer stashed in the cs35l41_hda structure as it\nwill still be valid.(CVE-2024-40964)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: remove clear SB_INLINECRYPT flag in default_options\n\nIn f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.\nIf create new file or open file during this gap, these files\nwill not use inlinecrypt. Worse case, it may lead to data\ncorruption if wrappedkey_v0 is enable.\n\nThread A: Thread B:\n\n-f2fs_remount\t\t\t\t-f2fs_file_open or f2fs_new_inode\n -default_options\n\t<- clear SB_INLINECRYPT flag\n\n -fscrypt_select_encryption_impl\n\n -parse_options\n\t<- set SB_INLINECRYPT again(CVE-2024-40971)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate: fix memory leak on CPU EPP exit\n\nThe cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is\nnot freed in the analogous exit function, so fix that.\n\n[ rjw: Subject and changelog edits ](CVE-2024-40997)",
"cves": [
{
"id": "CVE-2024-36017",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36017",
"severity": "Medium"
},
{
"id": "CVE-2024-36478",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36478",
"severity": "Medium"
},
{
"id": "CVE-2024-36481",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36481",
"severity": "Medium"
},
{
"id": "CVE-2024-36924",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36924",
"severity": "Medium"
},
{
"id": "CVE-2024-36929",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36929",
"severity": "Medium"
},
{
"id": "CVE-2024-36931",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36931",
"severity": "Low"
},
{
"id": "CVE-2024-36951",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36951",
"severity": "Medium"
},
{
"id": "CVE-2024-38384",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38384",
"severity": "High"
},
{
"id": "CVE-2024-38558",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38558",
"severity": "Medium"
},
{
"id": "CVE-2024-38570",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38570",
"severity": "Medium"
},
{
"id": "CVE-2024-38581",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38581",
"severity": "Medium"
},
{
"id": "CVE-2024-38583",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38583",
"severity": "High"
},
{
"id": "CVE-2024-38586",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38586",
"severity": "Medium"
},
{
"id": "CVE-2024-38614",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38614",
"severity": "Medium"
},
{
"id": "CVE-2024-38620",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38620",
"severity": "Medium"
},
{
"id": "CVE-2024-38632",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38632",
"severity": "Medium"
},
{
"id": "CVE-2024-38661",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38661",
"severity": "Medium"
},
{
"id": "CVE-2024-39462",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39462",
"severity": "Critical"
},
{
"id": "CVE-2024-39464",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39464",
"severity": "Medium"
},
{
"id": "CVE-2024-39478",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39478",
"severity": "Medium"
},
{
"id": "CVE-2024-39479",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39479",
"severity": "High"
},
{
"id": "CVE-2024-39480",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39480",
"severity": "Medium"
},
{
"id": "CVE-2024-39487",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39487",
"severity": "Medium"
},
{
"id": "CVE-2024-39488",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39488",
"severity": "Medium"
},
{
"id": "CVE-2024-39489",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39489",
"severity": "Low"
},
{
"id": "CVE-2024-39500",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39500",
"severity": "Medium"
},
{
"id": "CVE-2024-39502",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39502",
"severity": "Medium"
},
{
"id": "CVE-2024-40905",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40905",
"severity": "Medium"
},
{
"id": "CVE-2024-40931",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40931",
"severity": "Medium"
},
{
"id": "CVE-2024-40934",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40934",
"severity": "Medium"
},
{
"id": "CVE-2024-40964",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40964",
"severity": "Medium"
},
{
"id": "CVE-2024-40971",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40971",
"severity": "Medium"
},
{
"id": "CVE-2024-40997",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40997",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1871": {
"id": "openEuler-SA-2024-1871",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1871",
"title": "An update for openssh is now available for openEuler-22.03-LTS-SP3",
"severity": "High",
"description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\n\nSecurity Fix(es):\n\nA race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.(CVE-2024-6409)",
"cves": [
{
"id": "CVE-2024-6409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6409",
"severity": "High"
}
]
},
"openEuler-SA-2024-1848": {
"id": "openEuler-SA-2024-1848",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1848",
"title": "An update for arm-trusted-firmware is now available for openEuler-22.03-LTS-SP4",
"severity": "Medium",
"description": "Trusted Firmware-A is a reference implementation of secure world software for Arm A-Profile architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor.\n\nSecurity Fix(es):\n\nBuffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C .\n\n\n\n\nIn line 313 \"addr_loaded_cnt\" is checked not to be \"CHECK_IMAGE_AREA_CNT\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \"dst\" will be written to the area immediately after the buffer, which is \"addr_loaded_cnt\". This will allow an attacker to freely control the value of \"addr_loaded_cnt\" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\"len\") they desire.(CVE-2024-6563)\n\nBuffer overflow in \"rcar_dev_init\" due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.(CVE-2024-6564)",
"cves": [
{
"id": "CVE-2024-6563",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6563",
"severity": "Medium"
},
{
"id": "CVE-2024-6564",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6564",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1822": {
"id": "openEuler-SA-2024-1822",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1822",
"title": "An update for rubygem-rack is now available for openEuler-22.03-LTS-SP1",
"severity": "High",
"description": "Rack provides a minimal, modular, and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.\n\nSecurity Fix(es):\n\nA denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.(CVE-2022-44572)\n\nRack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.(CVE-2024-26141)",
"cves": [
{
"id": "CVE-2022-44572",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44572",
"severity": "High"
},
{
"id": "CVE-2024-26141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1825": {
"id": "openEuler-SA-2024-1825",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1825",
"title": "An update for krb5 is now available for openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1",
"severity": "High",
"description": "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nSecurity Fix(es):\n\nIn MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.(CVE-2024-37370)\n\nIn MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.(CVE-2024-37371)",
"cves": [
{
"id": "CVE-2024-37370",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37370",
"severity": "High"
},
{
"id": "CVE-2024-37371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37371",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1831": {
"id": "openEuler-SA-2024-1831",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1831",
"title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP4",
"severity": "Medium",
"description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\n\nSecurity Fix(es):\n\nInteger overflow vulnerability in av_timecode_make_string in libavutil/timecode.c in FFmpeg version 4.3.2, allows local attackers to cause a denial of service (DoS) via crafted .mov file.(CVE-2021-28429)\n\nA null pointer dereference issue was discovered in 'FFmpeg' in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash.(CVE-2022-3341)",
"cves": [
{
"id": "CVE-2021-28429",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28429",
"severity": "Medium"
},
{
"id": "CVE-2022-3341",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3341",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1829": {
"id": "openEuler-SA-2024-1829",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1829",
"title": "An update for vte291 is now available for openEuler-22.03-LTS-SP1",
"severity": "Low",
"description": "VTE provides a virtual terminal widget for GTK applications.VTE is mainly used in gnome-terminal, but can also be used to embed a console/terminal in games, editors, IDEs, etc.\n\nSecurity Fix(es):\n\nGNOME VTE before 0.76.3 allows an attacker to cause a denial of service (memory consumption) via a window resize escape sequence, a related issue to CVE-2000-0476.(CVE-2024-37535)",
"cves": [
{
"id": "CVE-2024-37535",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37535",
"severity": "Low"
}
]
},
"openEuler-SA-2024-1849": {
"id": "openEuler-SA-2024-1849",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1849",
"title": "An update for arm-trusted-firmware is now available for openEuler-22.03-LTS-SP1",
"severity": "Medium",
"description": "Trusted Firmware-A is a reference implementation of secure world software for Arm A-Profile architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor.\n\nSecurity Fix(es):\n\nBuffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C .\n\n\n\n\nIn line 313 \"addr_loaded_cnt\" is checked not to be \"CHECK_IMAGE_AREA_CNT\" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of \"dst\" will be written to the area immediately after the buffer, which is \"addr_loaded_cnt\". This will allow an attacker to freely control the value of \"addr_loaded_cnt\" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value (\"len\") they desire.(CVE-2024-6563)\n\nBuffer overflow in \"rcar_dev_init\" due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.(CVE-2024-6564)",
"cves": [
{
"id": "CVE-2024-6563",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6563",
"severity": "Medium"
},
{
"id": "CVE-2024-6564",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6564",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1844": {
"id": "openEuler-SA-2024-1844",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1844",
"title": "An update for glibc is now available for openEuler-22.03-LTS-SP1",
"severity": "High",
"description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more.\n\nSecurity Fix(es):\n\nThe iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n(CVE-2024-2961)",
"cves": [
{
"id": "CVE-2024-2961",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961",
"severity": "High"
}
]
},
"openEuler-SA-2024-1823": {
"id": "openEuler-SA-2024-1823",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1823",
"title": "An update for rubygem-rack is now available for openEuler-22.03-LTS-SP3",
"severity": "High",
"description": "Rack provides a minimal, modular, and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.\n\nSecurity Fix(es):\n\nA denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.(CVE-2022-44572)\n\nRack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.(CVE-2024-26141)",
"cves": [
{
"id": "CVE-2022-44572",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44572",
"severity": "High"
},
{
"id": "CVE-2024-26141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1875": {
"id": "openEuler-SA-2024-1875",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1875",
"title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP4",
"severity": "High",
"description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\n\nSecurity Fix(es):\n\nAn integer overflow vulnerability was found in FFmpeg versions before 4.4.2 and before 5.0.1 in g729_parse() in llibavcodec/g729_parser.c when processing a specially crafted file.(CVE-2022-1475)\n\nlibavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).(CVE-2022-48434)\n\nFFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0(CVE-2024-32230)",
"cves": [
{
"id": "CVE-2022-1475",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1475",
"severity": "Medium"
},
{
"id": "CVE-2022-48434",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48434",
"severity": "High"
},
{
"id": "CVE-2024-32230",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32230",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1821": {
"id": "openEuler-SA-2024-1821",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1821",
"title": "An update for rubygem-rack is now available for openEuler-22.03-LTS-SP4",
"severity": "High",
"description": "Rack provides a minimal, modular, and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.\n\nSecurity Fix(es):\n\nA denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.(CVE-2022-44572)\n\nRack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.(CVE-2024-26141)",
"cves": [
{
"id": "CVE-2022-44572",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44572",
"severity": "High"
},
{
"id": "CVE-2024-26141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1827": {
"id": "openEuler-SA-2024-1827",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1827",
"title": "An update for vte291 is now available for openEuler-20.03-LTS-SP4",
"severity": "Low",
"description": "VTE provides a virtual terminal widget for GTK applications.VTE is mainly used in gnome-terminal, but can also be used to embed a console/terminal in games, editors, IDEs, etc.\n\nSecurity Fix(es):\n\nGNOME VTE before 0.76.3 allows an attacker to cause a denial of service (memory consumption) via a window resize escape sequence, a related issue to CVE-2000-0476.(CVE-2024-37535)",
"cves": [
{
"id": "CVE-2024-37535",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37535",
"severity": "Low"
}
]
},
"openEuler-SA-2024-1816": {
"id": "openEuler-SA-2024-1816",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1816",
"title": "An update for emacs is now available for openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS",
"severity": "High",
"description": "Emacs is the extensible, customizable, self-documenting real-time display editor. At its core is an interpreter for Emacs Lisp, a dialect of the Lisp programming language with extensions to support text editing. And it is an entire ecosystem of functionality beyond text editing, including a project planner, mail and news reader, debugger interface, calendar, and more.\n\nSecurity Fix(es):\n\nIn Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.(CVE-2024-39331)",
"cves": [
{
"id": "CVE-2024-39331",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39331",
"severity": "High"
}
]
},
"openEuler-SA-2024-1873": {
"id": "openEuler-SA-2024-1873",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1873",
"title": "An update for ffmpeg is now available for openEuler-20.03-LTS-SP4",
"severity": "High",
"description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\n\nSecurity Fix(es):\n\nAn integer overflow vulnerability was found in FFmpeg versions before 4.4.2 and before 5.0.1 in g729_parse() in llibavcodec/g729_parser.c when processing a specially crafted file.(CVE-2022-1475)\n\nlibavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).(CVE-2022-48434)\n\nFFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0(CVE-2024-32230)",
"cves": [
{
"id": "CVE-2022-1475",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1475",
"severity": "Medium"
},
{
"id": "CVE-2022-48434",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48434",
"severity": "High"
},
{
"id": "CVE-2024-32230",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32230",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1855": {
"id": "openEuler-SA-2024-1855",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1855",
"title": "An update for httpd is now available for openEuler-22.03-LTS-SP4",
"severity": "High",
"description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\n\nSecurity Fix(es):\n\nSubstitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in\ndirectories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.\n\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.\n\nSome RewriteRules that capture and substitute unsafely will now fail unless rewrite flag \"UnsafeAllow3F\" is specified.(CVE-2024-38474)\n\nnull pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-38477)",
"cves": [
{
"id": "CVE-2024-38474",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38474",
"severity": "High"
},
{
"id": "CVE-2024-38477",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38477",
"severity": "High"
}
]
},
"openEuler-SA-2024-1818": {
"id": "openEuler-SA-2024-1818",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1818",
"title": "An update for xorg-x11-server-xwayland is now available for openEuler-22.03-LTS-SP1",
"severity": "High",
"description": "Xwayland is an X server for running X clients under Wayland. %package devel Summary: Development package Requires: pkgconfig %description devel The development package provides the developmental files which are necessary for developing Wayland compositors using Xwayland. %prep %autosetup -n xwayland- %build %meson \\ -Dxwayland_eglstream=true \\ -Ddefault_font_path=\"catalogue:/etc/X11/fontpath.d,built-ins\" \\ -Dbuilder_string=\"Build ID: -\" \\ -Dxkb_output_dir=/lib/xkb \\ -Dxcsecurity=true \\ -Dglamor=true \\ -Ddri3=true %meson_build\n\nSecurity Fix(es):\n\nA flaw was found in the Xorg-x11-server. The specific flaw exists within the handling of ProcXkbSetDeviceInfo requests. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. This flaw allows an attacker to escalate privileges and execute arbitrary code in the context of root.(CVE-2022-2320)",
"cves": [
{
"id": "CVE-2022-2320",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2320",
"severity": "High"
}
]
},
"openEuler-SA-2024-1824": {
"id": "openEuler-SA-2024-1824",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1824",
"title": "An update for ruby is now available for openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1",
"severity": "Medium",
"description": "Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).\n\nSecurity Fix(es):\n\n REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.(CVE-2024-35176)",
"cves": [
{
"id": "CVE-2024-35176",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35176",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1870": {
"id": "openEuler-SA-2024-1870",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1870",
"title": "An update for openssh is now available for openEuler-22.03-LTS-SP1",
"severity": "High",
"description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\n\nSecurity Fix(es):\n\nA race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.(CVE-2024-6409)",
"cves": [
{
"id": "CVE-2024-6409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6409",
"severity": "High"
}
]
},
"openEuler-SA-2024-1834": {
"id": "openEuler-SA-2024-1834",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1834",
"title": "An update for ffmpeg is now available for openEuler-20.03-LTS-SP4",
"severity": "Medium",
"description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\n\nSecurity Fix(es):\n\nInteger overflow vulnerability in av_timecode_make_string in libavutil/timecode.c in FFmpeg version 4.3.2, allows local attackers to cause a denial of service (DoS) via crafted .mov file.(CVE-2021-28429)",
"cves": [
{
"id": "CVE-2021-28429",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28429",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1854": {
"id": "openEuler-SA-2024-1854",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1854",
"title": "An update for httpd is now available for openEuler-24.03-LTS",
"severity": "High",
"description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\n\nSecurity Fix(es):\n\nServing WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.(CVE-2024-36387)\n\nSubstitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in\ndirectories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.\n\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.\n\nSome RewriteRules that capture and substitute unsafely will now fail unless rewrite flag \"UnsafeAllow3F\" is specified.(CVE-2024-38474)\n\nnull pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-38477)",
"cves": [
{
"id": "CVE-2024-36387",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36387",
"severity": "Medium"
},
{
"id": "CVE-2024-38474",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38474",
"severity": "High"
},
{
"id": "CVE-2024-38477",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38477",
"severity": "High"
}
]
},
"openEuler-SA-2024-1835": {
"id": "openEuler-SA-2024-1835",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1835",
"title": "An update for kernel is now available for openEuler-20.03-LTS-SP4",
"severity": "High",
"description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nusb: fix various gadgets null ptr deref on 10gbps cabling.\n\nThis avoids a null pointer dereference in\nf_{ecm,eem,hid,loopback,printer,rndis,serial,sourcesink,subset,tcm}\nby simply reusing the 5gbps config for 10gbps.(CVE-2021-47270)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nseg6: fix the iif in the IPv6 socket control block\n\nWhen an IPv4 packet is received, the ip_rcv_core(...) sets the receiving\ninterface index into the IPv4 socket control block (v5.16-rc4,\nnet/ipv4/ip_input.c line 510):\n\n IPCB(skb)->iif = skb->skb_iif;\n\nIf that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH\nheader, the seg6_do_srh_encap(...) performs the required encapsulation.\nIn this case, the seg6_do_srh_encap function clears the IPv6 socket control\nblock (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163):\n\n memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));\n\nThe memset(...) was introduced in commit ef489749aae5 (\"ipv6: sr: clear\nIP6CB(skb) on SRH ip4ip6 encapsulation\") a long time ago (2019-01-29).\n\nSince the IPv6 socket control block and the IPv4 socket control block share\nthe same memory area (skb->cb), the receiving interface index info is lost\n(IP6CB(skb)->iif is set to zero).\n\nAs a side effect, that condition triggers a NULL pointer dereference if\ncommit 0857d6f8c759 (\"ipv6: When forwarding count rx stats on the orig\nnetdev\") is applied.\n\nTo fix that issue, we set the IP6CB(skb)->iif with the index of the\nreceiving interface once again.(CVE-2021-47515)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mxl111sf: change mutex_init() location\n\nSyzbot reported, that mxl111sf_ctrl_msg() uses uninitialized\nmutex. The problem was in wrong mutex_init() location.\n\nPrevious mutex_init(&state->msg_lock) call was in ->init() function, but\ndvb_usbv2_init() has this order of calls:\n\n\tdvb_usbv2_init()\n\t dvb_usbv2_adapter_init()\n\t dvb_usbv2_adapter_frontend_init()\n\t props->frontend_attach()\n\n\t props->init()\n\nSince mxl111sf_* devices call mxl111sf_ctrl_msg() in ->frontend_attach()\ninternally we need to initialize state->msg_lock before\nfrontend_attach(). To achieve it, ->probe() call added to all mxl111sf_*\ndevices, which will simply initiaize mutex.(CVE-2021-47583)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: validate extended element ID is present\n\nBefore attempting to parse an extended element, verify that\nthe extended element ID is present.(CVE-2021-47611)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix queues reservation for XDP\n\nWhen XDP was configured on a system with large number of CPUs\nand X722 NIC there was a call trace with NULL pointer dereference.\n\ni40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12\ni40e 0000:87:00.0: setup of MAIN VSI failed\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nRIP: 0010:i40e_xdp+0xea/0x1b0 [i40e]\nCall Trace:\n? i40e_reconfig_rss_queues+0x130/0x130 [i40e]\ndev_xdp_install+0x61/0xe0\ndev_xdp_attach+0x18a/0x4c0\ndev_change_xdp_fd+0x1e6/0x220\ndo_setlink+0x616/0x1030\n? ahci_port_stop+0x80/0x80\n? ata_qc_issue+0x107/0x1e0\n? lock_timer_base+0x61/0x80\n? __mod_timer+0x202/0x380\nrtnl_setlink+0xe5/0x170\n? bpf_lsm_binder_transaction+0x10/0x10\n? security_capable+0x36/0x50\nrtnetlink_rcv_msg+0x121/0x350\n? rtnl_calcit.isra.0+0x100/0x100\nnetlink_rcv_skb+0x50/0xf0\nnetlink_unicast+0x1d3/0x2a0\nnetlink_sendmsg+0x22a/0x440\nsock_sendmsg+0x5e/0x60\n__sys_sendto+0xf0/0x160\n? __sys_getsockname+0x7e/0xc0\n? _copy_from_user+0x3c/0x80\n? __sys_setsockopt+0xc8/0x1a0\n__x64_sys_sendto+0x20/0x30\ndo_syscall_64+0x33/0x40\nentry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f83fa7a39e0\n\nThis was caused by PF queue pile fragmentation due to\nflow director VSI queue being placed right after main VSI.\nBecause of this main VSI was not able to resize its\nqueue allocation for XDP resulting in no queues allocated\nfor main VSI when XDP was turned on.\n\nFix this by always allocating last queue in PF queue pile\nfor a flow director VSI.(CVE-2021-47619)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nASoC: max9759: fix underflow in speaker_gain_control_put()\n\nCheck for negative values of \"priv->gain\" to prevent an out of bounds\naccess. The concern is that these might come from the user via:\n -> snd_ctl_elem_write_user()\n -> snd_ctl_elem_write()\n -> kctl->put()(CVE-2022-48717)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: ieee802154: ca8210: Stop leaking skb's\n\nUpon error the ieee802154_xmit_complete() helper is not called. Only\nieee802154_wake_queue() is called manually. We then leak the skb\nstructure.\n\nFree the skb structure upon error before returning.(CVE-2022-48722)\n\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2022-48736)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ops: Reject out of bounds values in snd_soc_put_volsw()\n\nWe don't currently validate that the values being set are within the range\nwe advertised to userspace as being valid, do so and reject any values\nthat are out of range.(CVE-2022-48738)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: amd-xgbe: Fix skb data length underflow\n\nThere will be BUG_ON() triggered in include/linux/skbuff.h leading to\nintermittent kernel panic, when the skb length underflow is detected.\n\nFix this by dropping the packet if such length underflows are seen\nbecause of inconsistencies in the hardware descriptors.(CVE-2022-48743)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Avoid field-overflowing memcpy()\n\nIn preparation for FORTIFY_SOURCE performing compile-time and run-time\nfield bounds checking for memcpy(), memmove(), and memset(), avoid\nintentionally writing across neighboring fields.\n\nUse flexible arrays instead of zero-element arrays (which look like they\nare always overflowing) and split the cross-field memcpy() into two halves\nthat can be appropriately bounds-checked by the compiler.\n\nWe were doing:\n\n\t#define ETH_HLEN 14\n\t#define VLAN_HLEN 4\n\t...\n\t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)\n\t...\n struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi);\n\t...\n struct mlx5_wqe_eth_seg *eseg = &wqe->eth;\n struct mlx5_wqe_data_seg *dseg = wqe->data;\n\t...\n\tmemcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);\n\ntarget is wqe->eth.inline_hdr.start (which the compiler sees as being\n2 bytes in size), but copying 18, intending to write across start\n(really vlan_tci, 2 bytes). The remaining 16 bytes get written into\nwqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr\n(8 bytes).\n\nstruct mlx5e_tx_wqe {\n struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 */\n struct mlx5_wqe_eth_seg eth; /* 16 16 */\n struct mlx5_wqe_data_seg data[]; /* 32 0 */\n\n /* size: 32, cachelines: 1, members: 3 */\n /* last cacheline: 32 bytes */\n};\n\nstruct mlx5_wqe_eth_seg {\n u8 swp_outer_l4_offset; /* 0 1 */\n u8 swp_outer_l3_offset; /* 1 1 */\n u8 swp_inner_l4_offset; /* 2 1 */\n u8 swp_inner_l3_offset; /* 3 1 */\n u8 cs_flags; /* 4 1 */\n u8 swp_flags; /* 5 1 */\n __be16 mss; /* 6 2 */\n __be32 flow_table_metadata; /* 8 4 */\n union {\n struct {\n __be16 sz; /* 12 2 */\n u8 start[2]; /* 14 2 */\n } inline_hdr; /* 12 4 */\n struct {\n __be16 type; /* 12 2 */\n __be16 vlan_tci; /* 14 2 */\n } insert; /* 12 4 */\n __be32 trailer; /* 12 4 */\n }; /* 12 4 */\n\n /* size: 16, cachelines: 1, members: 9 */\n /* last cacheline: 16 bytes */\n};\n\nstruct mlx5_wqe_data_seg {\n __be32 byte_count; /* 0 4 */\n __be32 lkey; /* 4 4 */\n __be64 addr; /* 8 8 */\n\n /* size: 16, cachelines: 1, members: 3 */\n /* last cacheline: 16 bytes */\n};\n\nSo, split the memcpy() so the compiler can reason about the buffer\nsizes.\n\n\"pahole\" shows no size nor member offset changes to struct mlx5e_tx_wqe\nnor struct mlx5e_umr_wqe. \"objdump -d\" shows no meaningful object\ncode changes (i.e. only source line number induced differences and\noptimizations).(CVE-2022-48744)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put()\n\nThe bnx2fc_destroy() functions are removing the interface before calling\ndestroy_work. This results multiple WARNings from sysfs_remove_group() as\nthe controller rport device attributes are removed too early.\n\nReplace the fcoe_port's destroy_work queue. It's not needed.\n\nThe problem is easily reproducible with the following steps.\n\nExample:\n\n $ dmesg -w &\n $ systemctl enable --now fcoe\n $ fipvlan -s -c ens2f1\n $ fcoeadm -d ens2f1.802\n [ 583.464488] host2: libfc: Link down on port (7500a1)\n [ 583.472651] bnx2fc: 7500a1 - rport not created Yet!!\n [ 583.490468] ------------[ cut here ]------------\n [ 583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0'\n [ 583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80\n [ 583.607130] Modules linked in: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio rpcsec_gss_krb5 auth_rpcgss nfsv4 ...\n [ 583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x86_64 #1\n [ 583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013\n [ 584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc]\n [ 584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80\n [ 584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ...\n [ 584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282\n [ 584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000\n [ 584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0\n [ 584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00\n [ 584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400\n [ 584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004\n [ 584.355379] FS: 0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000\n [ 584.394419] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0\n [ 584.454888] Call Trace:\n [ 584.466108] device_del+0xb2/0x3e0\n [ 584.481701] device_unregister+0x13/0x60\n [ 584.501306] bsg_unregister_queue+0x5b/0x80\n [ 584.522029] bsg_remove_queue+0x1c/0x40\n [ 584.541884] fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc]\n [ 584.573823] process_one_work+0x1e3/0x3b0\n [ 584.592396] worker_thread+0x50/0x3b0\n [ 584.609256] ? rescuer_thread+0x370/0x370\n [ 584.628877] kthread+0x149/0x170\n [ 584.643673] ? set_kthread_struct+0x40/0x40\n [ 584.662909] ret_from_fork+0x22/0x30\n [ 584.680002] ---[ end trace 53575ecefa942ece ]---(CVE-2022-48758)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmedia: lgdt3306a: Add a check against null-pointer-def\n\nThe driver should check whether the client provides the platform_data.\n\nThe following log reveals it:\n\n[ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\n[ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\n[ 29.612820] Call Trace:\n[ 29.613030] <TASK>\n[ 29.613201] dump_stack_lvl+0x56/0x6f\n[ 29.613496] ? kmemdup+0x30/0x40\n[ 29.613754] print_report.cold+0x494/0x6b7\n[ 29.614082] ? kmemdup+0x30/0x40\n[ 29.614340] kasan_report+0x8a/0x190\n[ 29.614628] ? kmemdup+0x30/0x40\n[ 29.614888] kasan_check_range+0x14d/0x1d0\n[ 29.615213] memcpy+0x20/0x60\n[ 29.615454] kmemdup+0x30/0x40\n[ 29.615700] lgdt3306a_probe+0x52/0x310\n[ 29.616339] i2c_device_probe+0x951/0xa90(CVE-2022-48772)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdio: fix possible resource leaks in some error paths\n\nIf sdio_add_func() or sdio_init_func() fails, sdio_remove_func() can\nnot release the resources, because the sdio function is not presented\nin these two cases, it won't call of_node_put() or put_device().\n\nTo fix these leaks, make sdio_func_present() only control whether\ndevice_del() needs to be called or not, then always call of_node_put()\nand put_device().\n\nIn error case in sdio_init_func(), the reference of 'card->dev' is\nnot get, to avoid redundant put in sdio_free_func_cis(), move the\nget_device() to sdio_alloc_func() and put_device() to sdio_release_func(),\nit can keep the get/put function be balanced.\n\nWithout this patch, while doing fault inject test, it can get the\nfollowing leak reports, after this fix, the leak is gone.\n\nunreferenced object 0xffff888112514000 (size 2048):\n comm \"kworker/3:2\", pid 65, jiffies 4294741614 (age 124.774s)\n hex dump (first 32 bytes):\n 00 e0 6f 12 81 88 ff ff 60 58 8d 06 81 88 ff ff ..o.....`X......\n 10 40 51 12 81 88 ff ff 10 40 51 12 81 88 ff ff .@Q......@Q.....\n backtrace:\n [<000000009e5931da>] kmalloc_trace+0x21/0x110\n [<000000002f839ccb>] mmc_alloc_card+0x38/0xb0 [mmc_core]\n [<0000000004adcbf6>] mmc_sdio_init_card+0xde/0x170 [mmc_core]\n [<000000007538fea0>] mmc_attach_sdio+0xcb/0x1b0 [mmc_core]\n [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]\n\nunreferenced object 0xffff888112511000 (size 2048):\n comm \"kworker/3:2\", pid 65, jiffies 4294741623 (age 124.766s)\n hex dump (first 32 bytes):\n 00 40 51 12 81 88 ff ff e0 58 8d 06 81 88 ff ff .@Q......X......\n 10 10 51 12 81 88 ff ff 10 10 51 12 81 88 ff ff ..Q.......Q.....\n backtrace:\n [<000000009e5931da>] kmalloc_trace+0x21/0x110\n [<00000000fcbe706c>] sdio_alloc_func+0x35/0x100 [mmc_core]\n [<00000000c68f4b50>] mmc_attach_sdio.cold.18+0xb1/0x395 [mmc_core]\n [<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core](CVE-2023-52730)\n\nIn the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.(CVE-2024-23848)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\n\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\ninterrupt affinity reconfiguration via procfs. Instead, the change is\ndeferred until the next instance of the interrupt being triggered on the\noriginal CPU.\n\nWhen the interrupt next triggers on the original CPU, the new affinity is\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\nbut the old vector on the original CPU remains and is not immediately\nreclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming\nprocess is delayed until the next trigger of the interrupt on the new CPU.\n\nUpon the subsequent triggering of the interrupt on the new CPU,\nirq_complete_move() adds a task to the old CPU's vector_cleanup list if it\nremains online. Subsequently, the timer on the old CPU iterates over its\nvector_cleanup list, reclaiming old vectors.\n\nHowever, a rare scenario arises if the old CPU is outgoing before the\ninterrupt triggers again on the new CPU.\n\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\nto reclaim the old apicd->prev_vector because the interrupt isn't currently\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\nthough __vector_schedule_cleanup() is later called on the new CPU, it\ndoesn't reclaim apicd->prev_vector; instead, it simply resets both\napicd->move_in_progress and apicd->prev_vector to 0.\n\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\nCPU vector leak.\n\nTo address this issue, move the invocation of irq_force_complete_move()\nbefore the irq_needs_fixup() call to reclaim apicd->prev_vector, if the\ninterrupt is currently or used to be affine to the outgoing CPU.\n\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\nfollowing a warning message, although theoretically it should never see\napicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.(CVE-2024-31076)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n simple_copy_to_iter net/core/datagram.c:532 [inline]\n __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n __do_sys_recvfrom net/socket.c:2260 [inline]\n __se_sys_recvfrom net/socket.c:2256 [inline]\n __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n nlmsg_unicast include/net/netlink.h:1144 [inline]\n nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n tcf_add_notify net/sched/act_api.c:2048 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n __nla_put lib/nlattr.c:1041 [inline]\n nla_put+0x1c6/0x230 lib/nlattr.c:1099\n tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n tcf_add_notify net/sched/act_api.c:2042 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---(CVE-2024-35893)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet\n\nsyzbot reported the following uninit-value access issue [1][2]:\n\nnci_rx_work() parses and processes received packet. When the payload\nlength is zero, each message type handler reads uninitialized payload\nand KMSAN detects this issue. The receipt of a packet with a zero-size\npayload is considered unexpected, and therefore, such packets should be\nsilently discarded.\n\nThis patch resolved this issue by checking payload size before calling\neach message type handler codes.(CVE-2024-35915)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/arm/malidp: fix a possible null pointer dereference\n\nIn malidp_mw_connector_reset, new memory is allocated with kzalloc, but\nno check is performed. In order to prevent null pointer dereferencing,\nensure that mw_state is checked before calling\n__drm_atomic_helper_connector_reset.(CVE-2024-36014)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\namd/amdkfd: sync all devices to wait all processes being evicted\n\nIf there are more than one device doing reset in parallel, the first\ndevice will call kfd_suspend_all_processes() to evict all processes\non all devices, this call takes time to finish. other device will\nstart reset and recover without waiting. if the process has not been\nevicted before doing recover, it will be restored, then caused page\nfault.(CVE-2024-36949)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\n\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\nas follows:\n\n alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\n ...\n delivered_ce <<= (10 - dctcp_shift_g);\n\nIt seems syzkaller started fuzzing module parameters and triggered\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\n\n memcpy((void*)0x20000080,\n \"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47);\n res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\n /*flags=*/2ul, /*mode=*/0ul);\n memcpy((void*)0x20000000, \"100\\000\", 4);\n syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\n\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\n\nWith this patch:\n\n # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n 10\n # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n -bash: echo: write error: Invalid argument\n\n[0]:\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\n sk_backlog_rcv include/net/sock.h:1106 [inline]\n __release_sock+0x20f/0x350 net/core/sock.c:2983\n release_sock+0x61/0x1f0 net/core/sock.c:3549\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:659 [inline]\n sock_close+0xc0/0x240 net/socket.c:1421\n __fput+0x41b/0x890 fs/file_table.c:422\n task_work_run+0x23b/0x300 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x9c8/0x2540 kernel/exit.c:878\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\n __do_sys_exit_group kernel/exit.c:1038 [inline]\n __se_sys_exit_group kernel/exit.c:1036 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f6c2b5005b6\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n </TASK>(CVE-2024-37356)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm: vc4: Fix possible null pointer dereference\n\nIn vc4_hdmi_audio_init() of_get_address() may return\nNULL which is later dereferenced. Fix this bug by adding NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38546)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: remove .ndo_poll_controller to avoid deadlocks\n\nThere is a deadlock issue found in sungem driver, please refer to the\ncommit ac0a230f719b (\"eth: sungem: remove .ndo_poll_controller to avoid\ndeadlocks\"). The root cause of the issue is that netpoll is in atomic\ncontext and disable_irq() is called by .ndo_poll_controller interface\nof sungem driver, however, disable_irq() might sleep. After analyzing\nthe implementation of fec_poll_controller(), the fec driver should have\nthe same issue. Due to the fec driver uses NAPI for TX completions, the\n.ndo_poll_controller is unnecessary to be implemented in the fec driver,\nso fec_poll_controller() can be safely removed.(CVE-2024-38553)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issue of net_device\n\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\n\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null.(CVE-2024-38554)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Ensure the copied buf is NUL terminated\n\nCurrently, we allocate a count-sized kernel buffer and copy count from\nuserspace to that buffer. Later, we use kstrtouint on this buffer but we\ndon't ensure that the string is terminated inside the buffer, this can\nlead to OOB read when using kstrtouint. Fix this issue by using\nmemdup_user_nul instead of memdup_user.(CVE-2024-38559)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\necryptfs: Fix buffer size for tag 66 packet\n\nThe 'TAG 66 Packet Format' description is missing the cipher code and\nchecksum fields that are packed into the message packet. As a result,\nthe buffer allocated for the packet is 3 bytes too small and\nwrite_tag_66_packet() will write up to 3 bytes past the end of the\nbuffer.\n\nFix this by increasing the size of the allocation so the whole packet\nwill always fit in the buffer.\n\nThis fixes the below kasan slab-out-of-bounds bug:\n\n BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0\n Write of size 1 at addr ffff88800afbb2a5 by task touch/181\n\n CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014\n Call Trace:\n <TASK>\n dump_stack_lvl+0x4c/0x70\n print_report+0xc5/0x610\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n ? kasan_complete_mode_report_info+0x44/0x210\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n kasan_report+0xc2/0x110\n ? ecryptfs_generate_key_packet_set+0x7d6/0xde0\n __asan_store1+0x62/0x80\n ecryptfs_generate_key_packet_set+0x7d6/0xde0\n ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10\n ? __alloc_pages+0x2e2/0x540\n ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d]\n ? dentry_open+0x8f/0xd0\n ecryptfs_write_metadata+0x30a/0x550\n ? __pfx_ecryptfs_write_metadata+0x10/0x10\n ? ecryptfs_get_lower_file+0x6b/0x190\n ecryptfs_initialize_file+0x77/0x150\n ecryptfs_create+0x1c2/0x2f0\n path_openat+0x17cf/0x1ba0\n ? __pfx_path_openat+0x10/0x10\n do_filp_open+0x15e/0x290\n ? __pfx_do_filp_open+0x10/0x10\n ? __kasan_check_write+0x18/0x30\n ? _raw_spin_lock+0x86/0xf0\n ? __pfx__raw_spin_lock+0x10/0x10\n ? __kasan_check_write+0x18/0x30\n ? alloc_fd+0xf4/0x330\n do_sys_openat2+0x122/0x160\n ? __pfx_do_sys_openat2+0x10/0x10\n __x64_sys_openat+0xef/0x170\n ? __pfx___x64_sys_openat+0x10/0x10\n do_syscall_64+0x60/0xd0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n RIP: 0033:0x7f00a703fd67\n Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f\n RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101\n RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67\n RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c\n RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000\n R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941\n R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040\n </TASK>\n\n Allocated by task 181:\n kasan_save_stack+0x2f/0x60\n kasan_set_track+0x29/0x40\n kasan_save_alloc_info+0x25/0x40\n __kasan_kmalloc+0xc5/0xd0\n __kmalloc+0x66/0x160\n ecryptfs_generate_key_packet_set+0x6d2/0xde0\n ecryptfs_write_metadata+0x30a/0x550\n ecryptfs_initialize_file+0x77/0x150\n ecryptfs_create+0x1c2/0x2f0\n path_openat+0x17cf/0x1ba0\n do_filp_open+0x15e/0x290\n do_sys_openat2+0x122/0x160\n __x64_sys_openat+0xef/0x170\n do_syscall_64+0x60/0xd0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8(CVE-2024-38578)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: bcm - Fix pointer arithmetic\n\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\ninstead of hash_iv_len which could lead to going beyond the\nbuffer boundaries.\nFix this bug by changing ciph_key_len to hash_iv_len.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38579)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential hang in nilfs_detach_log_writer()\n\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\n\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\n\nnilfs_detach_log_writer\n nilfs_segctor_destroy\n nilfs_segctor_kill_thread --> Shut down log writer thread\n flush_work\n nilfs_iput_work_func\n nilfs_dispose_list\n iput\n nilfs_evict_inode\n nilfs_transaction_commit\n nilfs_construct_segment (if inode needs sync)\n nilfs_segctor_sync --> Attempt to synchronize with\n log writer thread\n *** DEADLOCK ***\n\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\n\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy().(CVE-2024-38582)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free of timer for log writer thread\n\nPatch series \"nilfs2: fix log writer related issues\".\n\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis. Details are described in each commit log.\n\n\nThis patch (of 3):\n\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\n\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\n\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive.(CVE-2024-38583)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nALSA: timer: Set lower bound of start tick time\n\nCurrently ALSA timer doesn't have the lower limit of the start tick\ntime, and it allows a very small size, e.g. 1 tick with 1ns resolution\nfor hrtimer. Such a situation may lead to an unexpected RCU stall,\nwhere the callback repeatedly queuing the expire update, as reported\nby fuzzer.\n\nThis patch introduces a sanity check of the timer start tick time, so\nthat the system returns an error when a too small start size is set.\nAs of this patch, the lower limit is hard-coded to 100us, which is\nsmall enough but can still work somehow.(CVE-2024-38618)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Update uart_driver_registered on driver removal\n\nThe removal of the last MAX3100 device triggers the removal of\nthe driver. However, code doesn't update the respective global\nvariable and after insmod — rmmod — insmod cycle the kernel\noopses:\n\n max3100 spi-PRP0001:01: max3100_probe: adding port 0\n BUG: kernel NULL pointer dereference, address: 0000000000000408\n ...\n RIP: 0010:serial_core_register_port+0xa0/0x840\n ...\n max3100_probe+0x1b6/0x280 [max3100]\n spi_probe+0x8d/0xb0\n\nUpdate the actual state so next time UART driver will be registered\nagain.\n\nHugo also noticed, that the error path in the probe also affected\nby having the variable set, and not cleared. Instead of clearing it\nmove the assignment after the successfull uart_register_driver() call.(CVE-2024-38633)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Lock port->lock when calling uart_handle_cts_change()\n\nuart_handle_cts_change() has to be called with port lock taken,\nSince we run it in a separate work, the lock may not be taken at\nthe time of running. Make sure that it's taken by explicitly doing\nthat. Without it we got a splat:\n\n WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0\n ...\n Workqueue: max3100-0 max3100_work [max3100]\n RIP: 0010:uart_handle_cts_change+0xa6/0xb0\n ...\n max3100_handlerx+0xc5/0x110 [max3100]\n max3100_work+0x12a/0x340 [max3100](CVE-2024-38634)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: lights: check return of get_channel_from_mode\n\nIf channel for the given node is not found we return null from\nget_channel_from_mode. Make sure we validate the return pointer\nbefore using it in two of the missing places.\n\nThis was originally reported in [0]:\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru(CVE-2024-38637)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nenic: Validate length of nl attributes in enic_set_vf_port\n\nenic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE\nis of length PORT_PROFILE_MAX and that the nl attributes\nIFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX.\nThese attributes are validated (in the function do_setlink in rtnetlink.c)\nusing the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE\nas NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and\nIFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation\nusing the policy is for the max size of the attributes and not on exact\nsize so the length of these attributes might be less than the sizes that\nenic_set_vf_port expects. This might cause an out of bands\nread access in the memcpys of the data of these\nattributes in enic_set_vf_port.(CVE-2024-38659)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\n\nSince commit a6aa8fca4d79 (\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\nknown context\") by error replaced spin_unlock_irqrestore() with\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\ninconsistent lock state warning.\n\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().(CVE-2024-38780)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix uninit-value in p9_client_rpc()\n\nSyzbot with the help of KMSAN reported the following error:\n\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2175 [inline]\n allocate_slab mm/slub.c:2338 [inline]\n new_slab+0x2de/0x1400 mm/slub.c:2391\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\n __slab_alloc mm/slub.c:3610 [inline]\n __slab_alloc_node mm/slub.c:3663 [inline]\n slab_alloc_node mm/slub.c:3835 [inline]\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\n p9_tag_alloc net/9p/client.c:278 [inline]\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\nwill not be properly initialized. However, trace_9p_client_res()\nends up trying to print it out anyway before p9_client_rpc()\nfinishes.\n\nFix this issue by assigning default values to p9_fcall fields\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\nduring the tag allocation stage.(CVE-2024-39301)",
"cves": [
{
"id": "CVE-2021-47270",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47270",
"severity": "Low"
},
{
"id": "CVE-2021-47515",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47515",
"severity": "Low"
},
{
"id": "CVE-2021-47583",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47583",
"severity": "Medium"
},
{
"id": "CVE-2021-47611",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47611",
"severity": "Low"
},
{
"id": "CVE-2021-47619",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47619",
"severity": "Medium"
},
{
"id": "CVE-2022-48717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48717",
"severity": "Medium"
},
{
"id": "CVE-2022-48722",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48722",
"severity": "Medium"
},
{
"id": "CVE-2022-48736",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48736",
"severity": "Medium"
},
{
"id": "CVE-2022-48738",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48738",
"severity": "Medium"
},
{
"id": "CVE-2022-48743",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48743",
"severity": "Medium"
},
{
"id": "CVE-2022-48744",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48744",
"severity": "Medium"
},
{
"id": "CVE-2022-48758",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48758",
"severity": "Medium"
},
{
"id": "CVE-2022-48772",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48772",
"severity": "Medium"
},
{
"id": "CVE-2023-52730",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52730",
"severity": "Medium"
},
{
"id": "CVE-2024-23848",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23848",
"severity": "Medium"
},
{
"id": "CVE-2024-31076",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31076",
"severity": "Medium"
},
{
"id": "CVE-2024-35893",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35893",
"severity": "Medium"
},
{
"id": "CVE-2024-35915",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35915",
"severity": "Low"
},
{
"id": "CVE-2024-36014",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36014",
"severity": "Medium"
},
{
"id": "CVE-2024-36949",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36949",
"severity": "Medium"
},
{
"id": "CVE-2024-37356",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37356",
"severity": "Medium"
},
{
"id": "CVE-2024-38546",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38546",
"severity": "Medium"
},
{
"id": "CVE-2024-38553",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38553",
"severity": "Medium"
},
{
"id": "CVE-2024-38554",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38554",
"severity": "Medium"
},
{
"id": "CVE-2024-38559",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38559",
"severity": "High"
},
{
"id": "CVE-2024-38578",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38578",
"severity": "Low"
},
{
"id": "CVE-2024-38579",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38579",
"severity": "Medium"
},
{
"id": "CVE-2024-38582",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38582",
"severity": "None"
},
{
"id": "CVE-2024-38583",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38583",
"severity": "High"
},
{
"id": "CVE-2024-38618",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38618",
"severity": "Medium"
},
{
"id": "CVE-2024-38633",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38633",
"severity": "Medium"
},
{
"id": "CVE-2024-38634",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38634",
"severity": "Medium"
},
{
"id": "CVE-2024-38637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38637",
"severity": "Low"
},
{
"id": "CVE-2024-38659",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38659",
"severity": "Low"
},
{
"id": "CVE-2024-38780",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38780",
"severity": "Medium"
},
{
"id": "CVE-2024-39301",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39301",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1830": {
"id": "openEuler-SA-2024-1830",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1830",
"title": "An update for httpd is now available for openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP3",
"severity": "High",
"description": "Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\n\nSecurity Fix(es):\n\nImproper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. \n\nSubstitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag \"UnsafePrefixStat\" can be used to opt back in once ensuring the substitution is appropriately constrained.(CVE-2024-38475)\n\nPotential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-39573)",
"cves": [
{
"id": "CVE-2024-38475",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38475",
"severity": "High"
},
{
"id": "CVE-2024-39573",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39573",
"severity": "High"
}
]
},
"openEuler-SA-2024-1832": {
"id": "openEuler-SA-2024-1832",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1832",
"title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP1",
"severity": "Medium",
"description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\n\nSecurity Fix(es):\n\nInteger overflow vulnerability in av_timecode_make_string in libavutil/timecode.c in FFmpeg version 4.3.2, allows local attackers to cause a denial of service (DoS) via crafted .mov file.(CVE-2021-28429)",
"cves": [
{
"id": "CVE-2021-28429",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28429",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1867": {
"id": "openEuler-SA-2024-1867",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1867",
"title": "An update for python-pip is now available for openEuler-22.03-LTS-SP1",
"severity": "High",
"description": "pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name: python-pip Version: 20.2.2 Release: 4 Summary: A tool for installing and managing Python packages License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL: http://www.pip-installer.org Source0: https://files.pythonhosted.org/packages/source/p/pip/pip-.tar.gz BuildArch: noarch Patch1: allow-stripping-given-prefix-from-wheel-RECORD-files. Patch2: emit-a-warning-when-running-with-root-privileges.patch Patch3: remove-existing-dist-only-if-path-conflicts.patch Patch6000: dummy-certifi.patch Patch6001: backport-CVE-2021-3572.patch\n\nSecurity Fix(es):\n\nurllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.(CVE-2023-43804)\n\nurllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n(CVE-2023-45803)\n\n urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.(CVE-2024-37891)",
"cves": [
{
"id": "CVE-2023-43804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804",
"severity": "High"
},
{
"id": "CVE-2023-45803",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803",
"severity": "Medium"
},
{
"id": "CVE-2024-37891",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1860": {
"id": "openEuler-SA-2024-1860",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1860",
"title": "An update for kernel is now available for openEuler-22.03-LTS-SP1",
"severity": "High",
"description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests\n\nThe FSM can run in a circle allowing rdma_resolve_ip() to be called twice\non the same id_priv. While this cannot happen without going through the\nwork, it violates the invariant that the same address resolution\nbackground request cannot be active twice.\n\n CPU 1 CPU 2\n\nrdma_resolve_addr():\n RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY\n rdma_resolve_ip(addr_handler) #1\n\n\t\t\t process_one_req(): for #1\n addr_handler():\n RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND\n mutex_unlock(&id_priv->handler_mutex);\n [.. handler still running ..]\n\nrdma_resolve_addr():\n RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY\n rdma_resolve_ip(addr_handler)\n !! two requests are now on the req_list\n\nrdma_destroy_id():\n destroy_id_handler_unlock():\n _destroy_id():\n cma_cancel_operation():\n rdma_addr_cancel()\n\n // process_one_req() self removes it\n\t\t spin_lock_bh(&lock);\n cancel_delayed_work(&req->work);\n\t if (!list_empty(&req->list)) == true\n\n ! rdma_addr_cancel() returns after process_on_req #1 is done\n\n kfree(id_priv)\n\n\t\t\t process_one_req(): for #2\n addr_handler():\n\t mutex_lock(&id_priv->handler_mutex);\n !! Use after free on id_priv\n\nrdma_addr_cancel() expects there to be one req on the list and only\ncancels the first one. The self-removal behavior of the work only happens\nafter the handler has returned. This yields a situations where the\nreq_list can have two reqs for the same \"handle\" but rdma_addr_cancel()\nonly cancels the first one.\n\nThe second req remains active beyond rdma_destroy_id() and will\nuse-after-free id_priv once it inevitably triggers.\n\nFix this by remembering if the id_priv has called rdma_resolve_ip() and\nalways cancel before calling it again. This ensures the req_list never\ngets more than one item in it and doesn't cost anything in the normal flow\nthat never uses this strange error path.(CVE-2021-47391)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Forward wakeup to smc socket waitqueue after fallback\n\nWhen we replace TCP with SMC and a fallback occurs, there may be\nsome socket waitqueue entries remaining in smc socket->wq, such\nas eppoll_entries inserted by userspace applications.\n\nAfter the fallback, data flows over TCP/IP and only clcsocket->wq\nwill be woken up. Applications can't be notified by the entries\nwhich were inserted in smc socket->wq before fallback. So we need\na mechanism to wake up smc socket->wq at the same time if some\nentries remaining in it.\n\nThe current workaround is to transfer the entries from smc socket->wq\nto clcsock->wq during the fallback. But this may cause a crash\nlike this:\n\n general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP PTI\n CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G E 5.16.0+ #107\n RIP: 0010:__wake_up_common+0x65/0x170\n Call Trace:\n <IRQ>\n __wake_up_common_lock+0x7a/0xc0\n sock_def_readable+0x3c/0x70\n tcp_data_queue+0x4a7/0xc40\n tcp_rcv_established+0x32f/0x660\n ? sk_filter_trim_cap+0xcb/0x2e0\n tcp_v4_do_rcv+0x10b/0x260\n tcp_v4_rcv+0xd2a/0xde0\n ip_protocol_deliver_rcu+0x3b/0x1d0\n ip_local_deliver_finish+0x54/0x60\n ip_local_deliver+0x6a/0x110\n ? tcp_v4_early_demux+0xa2/0x140\n ? tcp_v4_early_demux+0x10d/0x140\n ip_sublist_rcv_finish+0x49/0x60\n ip_sublist_rcv+0x19d/0x230\n ip_list_rcv+0x13e/0x170\n __netif_receive_skb_list_core+0x1c2/0x240\n netif_receive_skb_list_internal+0x1e6/0x320\n napi_complete_done+0x11d/0x190\n mlx5e_napi_poll+0x163/0x6b0 [mlx5_core]\n __napi_poll+0x3c/0x1b0\n net_rx_action+0x27c/0x300\n __do_softirq+0x114/0x2d2\n irq_exit_rcu+0xb4/0xe0\n common_interrupt+0xba/0xe0\n </IRQ>\n <TASK>\n\nThe crash is caused by privately transferring waitqueue entries from\nsmc socket->wq to clcsock->wq. The owners of these entries, such as\nepoll, have no idea that the entries have been transferred to a\ndifferent socket wait queue and still use original waitqueue spinlock\n(smc socket->wq.wait.lock) to make the entries operation exclusive,\nbut it doesn't work. The operations to the entries, such as removing\nfrom the waitqueue (now is clcsock->wq after fallback), may cause a\ncrash when clcsock waitqueue is being iterated over at the moment.\n\nThis patch tries to fix this by no longer transferring wait queue\nentries privately, but introducing own implementations of clcsock's\ncallback functions in fallback situation. The callback functions will\nforward the wakeup to smc socket->wq if clcsock->wq is actually woken\nup and smc socket->wq has remaining entries.(CVE-2022-48721)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nice: Do not use WQ_MEM_RECLAIM flag for workqueue\n\nWhen both ice and the irdma driver are loaded, a warning in\ncheck_flush_dependency is being triggered. This is due to ice driver\nworkqueue being allocated with the WQ_MEM_RECLAIM flag and the irdma one\nis not.\n\nAccording to kernel documentation, this flag should be set if the\nworkqueue will be involved in the kernel's memory reclamation flow.\nSince it is not, there is no need for the ice driver's WQ to have this\nflag set so remove it.\n\nExample trace:\n\n[ +0.000004] workqueue: WQ_MEM_RECLAIM ice:ice_service_task [ice] is flushing !WQ_MEM_RECLAIM infiniband:0x0\n[ +0.000139] WARNING: CPU: 0 PID: 728 at kernel/workqueue.c:2632 check_flush_dependency+0x178/0x1a0\n[ +0.000011] Modules linked in: bonding tls xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_cha\nin_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc rfkill vfat fat intel_rapl_msr intel\n_rapl_common isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct1\n0dif_pclmul crc32_pclmul ghash_clmulni_intel rapl intel_cstate rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_\ncore_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_cm iw_cm iTCO_wdt iTCO_vendor_support ipmi_ssif irdma mei_me ib_uverbs\nib_core intel_uncore joydev pcspkr i2c_i801 acpi_ipmi mei lpc_ich i2c_smbus intel_pch_thermal ioatdma ipmi_si acpi_power_meter\nacpi_pad xfs libcrc32c sd_mod t10_pi crc64_rocksoft crc64 sg ahci ixgbe libahci ice i40e igb crc32c_intel mdio i2c_algo_bit liba\nta dca wmi dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[ +0.000161] [last unloaded: bonding]\n[ +0.000006] CPU: 0 PID: 728 Comm: kworker/0:2 Tainted: G S 6.2.0-rc2_next-queue-13jan-00458-gc20aabd57164 #1\n[ +0.000006] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0010.010620200716 01/06/2020\n[ +0.000003] Workqueue: ice ice_service_task [ice]\n[ +0.000127] RIP: 0010:check_flush_dependency+0x178/0x1a0\n[ +0.000005] Code: 89 8e 02 01 e8 49 3d 40 00 49 8b 55 18 48 8d 8d d0 00 00 00 48 8d b3 d0 00 00 00 4d 89 e0 48 c7 c7 e0 3b 08\n9f e8 bb d3 07 01 <0f> 0b e9 be fe ff ff 80 3d 24 89 8e 02 00 0f 85 6b ff ff ff e9 06\n[ +0.000004] RSP: 0018:ffff88810a39f990 EFLAGS: 00010282\n[ +0.000005] RAX: 0000000000000000 RBX: ffff888141bc2400 RCX: 0000000000000000\n[ +0.000004] RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffffa1213a80\n[ +0.000003] RBP: ffff888194bf3400 R08: ffffed117b306112 R09: ffffed117b306112\n[ +0.000003] R10: ffff888bd983088b R11: ffffed117b306111 R12: 0000000000000000\n[ +0.000003] R13: ffff888111f84d00 R14: ffff88810a3943ac R15: ffff888194bf3400\n[ +0.000004] FS: 0000000000000000(0000) GS:ffff888bd9800000(0000) knlGS:0000000000000000\n[ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000003] CR2: 000056035b208b60 CR3: 000000017795e005 CR4: 00000000007706f0\n[ +0.000003] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ +0.000003] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ +0.000002] PKRU: 55555554\n[ +0.000003] Call Trace:\n[ +0.000002] <TASK>\n[ +0.000003] __flush_workqueue+0x203/0x840\n[ +0.000006] ? mutex_unlock+0x84/0xd0\n[ +0.000008] ? __pfx_mutex_unlock+0x10/0x10\n[ +0.000004] ? __pfx___flush_workqueue+0x10/0x10\n[ +0.000006] ? mutex_lock+0xa3/0xf0\n[ +0.000005] ib_cache_cleanup_one+0x39/0x190 [ib_core]\n[ +0.000174] __ib_unregister_device+0x84/0xf0 [ib_core]\n[ +0.000094] ib_unregister_device+0x25/0x30 [ib_core]\n[ +0.000093] irdma_ib_unregister_device+0x97/0xc0 [irdma]\n[ +0.000064] ? __pfx_irdma_ib_unregister_device+0x10/0x10 [irdma]\n[ +0.000059] ? up_write+0x5c/0x90\n[ +0.000005] irdma_remove+0x36/0x90 [irdma]\n[ +0.000062] auxiliary_bus_remove+0x32/0x50\n[ +0.000007] device_r\n---truncated---(CVE-2023-52743)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab out of bounds write in smb_inherit_dacl()\n\nslab out-of-bounds write is caused by that offsets is bigger than pntsd\nallocation size. This patch add the check to validate 3 offsets using\nallocation size.(CVE-2023-52755)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: Add date->evt_skb is NULL check\n\nfix crash because of null pointers\n\n[ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8\n[ 6104.969667] #PF: supervisor read access in kernel mode\n[ 6104.969668] #PF: error_code(0x0000) - not-present page\n[ 6104.969670] PGD 0 P4D 0\n[ 6104.969673] Oops: 0000 [#1] SMP NOPTI\n[ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb]\n[ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246\n[ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006\n[ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000\n[ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001\n[ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0\n[ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90\n[ 6104.969697] FS: 00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000\n[ 6104.969699] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0\n[ 6104.969701] PKRU: 55555554\n[ 6104.969702] Call Trace:\n[ 6104.969708] btusb_mtk_shutdown+0x44/0x80 [btusb]\n[ 6104.969732] hci_dev_do_close+0x470/0x5c0 [bluetooth]\n[ 6104.969748] hci_rfkill_set_block+0x56/0xa0 [bluetooth]\n[ 6104.969753] rfkill_set_block+0x92/0x160\n[ 6104.969755] rfkill_fop_write+0x136/0x1e0\n[ 6104.969759] __vfs_write+0x18/0x40\n[ 6104.969761] vfs_write+0xdf/0x1c0\n[ 6104.969763] ksys_write+0xb1/0xe0\n[ 6104.969765] __x64_sys_write+0x1a/0x20\n[ 6104.969769] do_syscall_64+0x51/0x180\n[ 6104.969771] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[ 6104.969773] RIP: 0033:0x7f5a21f18fef\n[ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\n[ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef\n[ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012\n[ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017\n[ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002\n[ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0(CVE-2023-52833)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\n\nIt needs to cover {reserve,release}_compress_blocks() w/ cp_rwsem lock\nto avoid racing with checkpoint, otherwise, filesystem metadata including\nblkaddr in dnode, inode fields and .total_valid_block_count may be\ncorrupted after SPO case.(CVE-2024-34027)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'\n\nWriting 'power' and 'submit_queues' concurrently will trigger kernel\npanic:\n\nTest script:\n\nmodprobe null_blk nr_devices=0\nmkdir -p /sys/kernel/config/nullb/nullb0\nwhile true; do echo 1 > submit_queues; echo 4 > submit_queues; done &\nwhile true; do echo 1 > power; echo 0 > power; done\n\nTest result:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000148\nOops: 0000 [#1] PREEMPT SMP\nRIP: 0010:__lock_acquire+0x41d/0x28f0\nCall Trace:\n <TASK>\n lock_acquire+0x121/0x450\n down_write+0x5f/0x1d0\n simple_recursive_removal+0x12f/0x5c0\n blk_mq_debugfs_unregister_hctxs+0x7c/0x100\n blk_mq_update_nr_hw_queues+0x4a3/0x720\n nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n nullb_device_submit_queues_store+0x79/0xf0 [null_blk]\n configfs_write_iter+0x119/0x1e0\n vfs_write+0x326/0x730\n ksys_write+0x74/0x150\n\nThis is because del_gendisk() can concurrent with\nblk_mq_update_nr_hw_queues():\n\nnullb_device_power_store\tnullb_apply_submit_queues\n null_del_dev\n del_gendisk\n\t\t\t\t nullb_update_nr_hw_queues\n\t\t\t\t if (!dev->nullb)\n\t\t\t\t // still set while gendisk is deleted\n\t\t\t\t return 0\n\t\t\t\t blk_mq_update_nr_hw_queues\n dev->nullb = NULL\n\nFix this problem by resuing the global mutex to protect\nnullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.(CVE-2024-36478)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\n\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr->aux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\n\nFix it in the one caller that had this combination.\n\nThe undefined behavior was detected by UBSAN:\n UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n shift exponent 64 is too large for 64-bit type 'long unsigned int'\n CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\n Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\n Call Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n ubsan_epilogue+0x5/0x30\n __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n __roundup_pow_of_two+0x25/0x35 [bnxt_re]\n bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\n bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\n bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __kmalloc+0x1b6/0x4f0\n ? create_qp.part.0+0x128/0x1c0 [ib_core]\n ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\n create_qp.part.0+0x128/0x1c0 [ib_core]\n ib_create_qp_kernel+0x50/0xd0 [ib_core]\n create_mad_qp+0x8e/0xe0 [ib_core]\n ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\n ib_mad_init_device+0x2be/0x680 [ib_core]\n add_client_context+0x10d/0x1a0 [ib_core]\n enable_device_and_get+0xe0/0x1d0 [ib_core]\n ib_register_device+0x53c/0x630 [ib_core]\n ? srso_alias_return_thunk+0x5/0xfbef5\n bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\n auxiliary_bus_probe+0x49/0x80\n ? driver_sysfs_add+0x57/0xc0\n really_probe+0xde/0x340\n ? pm_runtime_barrier+0x54/0x90\n ? __pfx___driver_attach+0x10/0x10\n __driver_probe_device+0x78/0x110\n driver_probe_device+0x1f/0xa0\n __driver_attach+0xba/0x1c0\n bus_for_each_dev+0x8f/0xe0\n bus_add_driver+0x146/0x220\n driver_register+0x72/0xd0\n __auxiliary_driver_register+0x6e/0xd0\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n do_one_initcall+0x5b/0x310\n do_init_module+0x90/0x250\n init_module_from_file+0x86/0xc0\n idempotent_init_module+0x121/0x2b0\n __x64_sys_finit_module+0x5e/0xb0\n do_syscall_64+0x82/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode_prepare+0x149/0x170\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode+0x75/0x230\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_syscall_64+0x8e/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __count_memcg_events+0x69/0x100\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? count_memcg_events.constprop.0+0x1a/0x30\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? handle_mm_fault+0x1f0/0x300\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_user_addr_fault+0x34e/0x640\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f4e5132821d\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\n RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\n RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\n R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\n R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n </TASK>\n ---[ end trace ]---(CVE-2024-38540)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix overwriting ct original tuple for ICMPv6\n\nOVS_PACKET_CMD_EXECUTE has 3 main attributes:\n - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format.\n - OVS_PACKET_ATTR_PACKET - Binary packet content.\n - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet.\n\nOVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure\nwith the metadata like conntrack state, input port, recirculation id,\netc. Then the packet itself gets parsed to populate the rest of the\nkeys from the packet headers.\n\nWhenever the packet parsing code starts parsing the ICMPv6 header, it\nfirst zeroes out fields in the key corresponding to Neighbor Discovery\ninformation even if it is not an ND packet.\n\nIt is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares\nthe space between 'nd' and 'ct_orig' that holds the original tuple\nconntrack metadata parsed from the OVS_PACKET_ATTR_KEY.\n\nND packets should not normally have conntrack state, so it's fine to\nshare the space, but normal ICMPv6 Echo packets or maybe other types of\nICMPv6 can have the state attached and it should not be overwritten.\n\nThe issue results in all but the last 4 bytes of the destination\naddress being wiped from the original conntrack tuple leading to\nincorrect packet matching and potentially executing wrong actions\nin case this packet recirculates within the datapath or goes back\nto userspace.\n\nND fields should not be accessed in non-ND packets, so not clearing\nthem should be fine. Executing memset() only for actual ND packets to\navoid the issue.\n\nInitializing the whole thing before parsing is needed because ND packet\nmay not contain all the options.\n\nThe issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't\naffect packets entering OVS datapath from network interfaces, because\nin this case CT metadata is populated from skb after the packet is\nalready parsed.(CVE-2024-38558)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix potential glock use-after-free on unmount\n\nWhen a DLM lockspace is released and there ares still locks in that\nlockspace, DLM will unlock those locks automatically. Commit\nfb6791d100d1b started exploiting this behavior to speed up filesystem\nunmount: gfs2 would simply free glocks it didn't want to unlock and then\nrelease the lockspace. This didn't take the bast callbacks for\nasynchronous lock contention notifications into account, which remain\nactive until until a lock is unlocked or its lockspace is released.\n\nTo prevent those callbacks from accessing deallocated objects, put the\nglocks that should not be unlocked on the sd_dead_glocks list, release\nthe lockspace, and only then free those glocks.\n\nAs an additional measure, ignore unexpected ast and bast callbacks if\nthe receiving glock is dead.(CVE-2024-38570)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nr8169: Fix possible ring buffer corruption on fragmented Tx packets.\n\nAn issue was found on the RTL8125b when transmitting small fragmented\npackets, whereby invalid entries were inserted into the transmit ring\nbuffer, subsequently leading to calls to dma_unmap_single() with a null\naddress.\n\nThis was caused by rtl8169_start_xmit() not noticing changes to nr_frags\nwhich may occur when small packets are padded (to work around hardware\nquirks) in rtl8169_tso_csum_v2().\n\nTo fix this, postpone inspecting nr_frags until after any padding has been\napplied.(CVE-2024-38586)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix resync softlockup when bitmap size is less than array size\n\nIs is reported that for dm-raid10, lvextend + lvchange --syncaction will\ntrigger following softlockup:\n\nkernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]\nCPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1\nRIP: 0010:_raw_spin_unlock_irq+0x13/0x30\nCall Trace:\n <TASK>\n md_bitmap_start_sync+0x6b/0xf0\n raid10_sync_request+0x25c/0x1b40 [raid10]\n md_do_sync+0x64b/0x1020\n md_thread+0xa7/0x170\n kthread+0xcf/0x100\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1a/0x30\n\nAnd the detailed process is as follows:\n\nmd_do_sync\n j = mddev->resync_min\n while (j < max_sectors)\n sectors = raid10_sync_request(mddev, j, &skipped)\n if (!md_bitmap_start_sync(..., &sync_blocks))\n // md_bitmap_start_sync set sync_blocks to 0\n return sync_blocks + sectors_skippe;\n // sectors = 0;\n j += sectors;\n // j never change\n\nRoot cause is that commit 301867b1c168 (\"md/raid10: check\nslab-out-of-bounds in md_bitmap_get_counter\") return early from\nmd_bitmap_get_counter(), without setting returned blocks.\n\nFix this problem by always set returned blocks from\nmd_bitmap_get_counter\"(), as it used to be.\n\nNoted that this patch just fix the softlockup problem in kernel, the\ncase that bitmap size doesn't match array size still need to be fixed.(CVE-2024-38598)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nALSA: core: Fix NULL module pointer assignment at card init\n\nThe commit 81033c6b584b (\"ALSA: core: Warn on empty module\")\nintroduced a WARN_ON() for a NULL module pointer passed at snd_card\nobject creation, and it also wraps the code around it with '#ifdef\nMODULE'. This works in most cases, but the devils are always in\ndetails. \"MODULE\" is defined when the target code (i.e. the sound\ncore) is built as a module; but this doesn't mean that the caller is\nalso built-in or not. Namely, when only the sound core is built-in\n(CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),\nthe passed module pointer is ignored even if it's non-NULL, and\ncard->module remains as NULL. This would result in the missing module\nreference up/down at the device open/close, leading to a race with the\ncode execution after the module removal.\n\nFor addressing the bug, move the assignment of card->module again out\nof ifdef. The WARN_ON() is still wrapped with ifdef because the\nmodule can be really NULL when all sound drivers are built-in.\n\nNote that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would\nlead to a false-positive NULL module check. Admittedly it won't catch\nperfectly, i.e. no check is performed when CONFIG_SND=y. But, it's no\nreal problem as it's only for debugging, and the condition is pretty\nrare.(CVE-2024-38605)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: exit() callback is optional\n\nThe exit() callback is optional and shouldn't be called without checking\na valid pointer first.\n\nAlso, we must clear freq_table pointer even if the exit() callback isn't\npresent.(CVE-2024-38615)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: fix potential memory leak in vfio_intx_enable()\n\nIf vfio_irq_ctx_alloc() failed will lead to 'name' memory leak.(CVE-2024-38632)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nkdb: Fix buffer overflow during tab-complete\n\nCurrently, when the user attempts symbol completion with the Tab key, kdb\nwill use strncpy() to insert the completed symbol into the command buffer.\nUnfortunately it passes the size of the source buffer rather than the\ndestination to strncpy() with predictably horrible results. Most obviously\nif the command buffer is already full but cp, the cursor position, is in\nthe middle of the buffer, then we will write past the end of the supplied\nbuffer.\n\nFix this by replacing the dubious strncpy() calls with memmove()/memcpy()\ncalls plus explicit boundary checks to make sure we have enough space\nbefore we start moving characters around.(CVE-2024-39480)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()\n\nIn function bond_option_arp_ip_targets_set(), if newval->string is an\nempty string, newval->string+1 will point to the byte after the\nstring, causing an out-of-bound read.\n\nBUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418\nRead of size 1 at addr ffff8881119c4781 by task syz-executor665/8107\nCPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0xc1/0x5e0 mm/kasan/report.c:475\n kasan_report+0xbe/0xf0 mm/kasan/report.c:588\n strlen+0x7d/0xa0 lib/string.c:418\n __fortify_strlen include/linux/fortify-string.h:210 [inline]\n in4_pton+0xa3/0x3f0 net/core/utils.c:130\n bond_option_arp_ip_targets_set+0xc2/0x910\ndrivers/net/bonding/bond_options.c:1201\n __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767\n __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792\n bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817\n bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156\n dev_attr_store+0x54/0x80 drivers/base/core.c:2366\n sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136\n kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334\n call_write_iter include/linux/fs.h:2020 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x96a/0xd80 fs/read_write.c:584\n ksys_write+0x122/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n---[ end trace ]---\n\nFix it by adding a check of string length before using it.(CVE-2024-39487)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\nto bug_table entries, and as a result the last entry in a bug table will\nbe ignored, potentially leading to an unexpected panic(). All prior\nentries in the table will be handled correctly.\n\nThe arm64 ABI requires that struct fields of up to 8 bytes are\nnaturally-aligned, with padding added within a struct such that struct\nare suitably aligned within arrays.\n\nWhen CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tsigned int file_disp;\t// 4 bytes\n\t\tunsigned short line;\t\t// 2 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t}\n\n... with 12 bytes total, requiring 4-byte alignment.\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int bug_addr_disp;\t// 4 bytes\n\t\tunsigned short flags;\t\t// 2 bytes\n\t\t< implicit padding >\t\t// 2 bytes\n\t}\n\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\npadding, requiring 4-byte alginment.\n\nWhen we create a bug_entry in assembly, we align the start of the entry\nto 4 bytes, which implicitly handles padding for any prior entries.\nHowever, we do not align the end of the entry, and so when\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\nbytes.\n\nFor the main kernel image this is not a problem as find_bug() doesn't\ndepend on the trailing padding bytes when searching for entries:\n\n\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\treturn bug;\n\nHowever for modules, module_bug_finalize() depends on the trailing\nbytes when calculating the number of entries:\n\n\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\n\n... and as the last bug_entry lacks the necessary padding bytes, this entry\nwill not be counted, e.g. in the case of a single entry:\n\n\tsechdrs[i].sh_size == 6\n\tsizeof(struct bug_entry) == 8;\n\n\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\n\nConsequently module_find_bug() will miss the last bug_entry when it does:\n\n\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\tgoto out;\n\n... which can lead to a kenrel panic due to an unhandled bug.\n\nThis can be demonstrated with the following module:\n\n\tstatic int __init buginit(void)\n\t{\n\t\tWARN(1, \"hello\\n\");\n\t\treturn 0;\n\t}\n\n\tstatic void __exit bugexit(void)\n\t{\n\t}\n\n\tmodule_init(buginit);\n\tmodule_exit(bugexit);\n\tMODULE_LICENSE(\"GPL\");\n\n... which will trigger a kernel panic when loaded:\n\n\t------------[ cut here ]------------\n\thello\n\tUnexpected kernel BRK exception at EL1\n\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\n\tModules linked in: hello(O+)\n\tCPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : buginit+0x18/0x1000 [hello]\n\tlr : buginit+0x18/0x1000 [hello]\n\tsp : ffff800080533ae0\n\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\n\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\n\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\n\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\n\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\n\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\n\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\n\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\n\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\n\tCall trace:\n\t buginit+0x18/0x1000 [hello]\n\t do_one_initcall+0x80/0x1c8\n\t do_init_module+0x60/0x218\n\t load_module+0x1ba4/0x1d70\n\t __do_sys_init_module+0x198/0x1d0\n\t __arm64_sys_init_module+0x1c/0x28\n\t invoke_syscall+0x48/0x114\n\t el0_svc\n---truncated---(CVE-2024-39488)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix memleak in seg6_hmac_init_algo\n\nseg6_hmac_init_algo returns without cleaning up the previous allocations\nif one fails, so it's going to leak all that memory and the crypto tfms.\n\nUpdate seg6_hmac_exit to only free the memory when allocated, so we can\nreuse the code directly.(CVE-2024-39489)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nsock_map: avoid race between sock_map_close and sk_psock_put\n\nsk_psock_get will return NULL if the refcount of psock has gone to 0, which\nwill happen when the last call of sk_psock_put is done. However,\nsk_psock_drop may not have finished yet, so the close callback will still\npoint to sock_map_close despite psock being NULL.\n\nThis can be reproduced with a thread deleting an element from the sock map,\nwhile the second one creates a socket, adds it to the map and closes it.\n\nThat will trigger the WARN_ON_ONCE:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nModules linked in:\nCPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701\nCode: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02\nRSP: 0018:ffffc9000441fda8 EFLAGS: 00010293\nRAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000\nRDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0\nRBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3\nR10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840\nR13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870\nFS: 000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0\nCall Trace:\n <TASK>\n unix_release+0x87/0xc0 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0xbe/0x240 net/socket.c:1421\n __fput+0x42b/0x8a0 fs/file_table.c:422\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close fs/open.c:1541 [inline]\n __x64_sys_close+0x7f/0x110 fs/open.c:1541\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fb37d618070\nCode: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c\nRSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070\nRDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\n\nUse sk_psock, which will only check that the pointer is not been set to\nNULL yet, which should only happen after the callbacks are restored. If,\nthen, a reference can still be gotten, we may call sk_psock_stop and cancel\npsock->work.\n\nAs suggested by Paolo Abeni, reorder the condition so the control flow is\nless convoluted.\n\nAfter that change, the reproducer does not trigger the WARN_ON_ONCE\nanymore.(CVE-2024-39500)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_una is properly initialized on connect\n\nThis is strictly related to commit fb7a0d334894 (\"mptcp: ensure snd_nxt\nis properly initialized on connect\"). It turns out that syzkaller can\ntrigger the retransmit after fallback and before processing any other\nincoming packet - so that snd_una is still left uninitialized.\n\nAddress the issue explicitly initializing snd_una together with snd_nxt\nand write_seq.(CVE-2024-40931)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: remove clear SB_INLINECRYPT flag in default_options\n\nIn f2fs_remount, SB_INLINECRYPT flag will be clear and re-set.\nIf create new file or open file during this gap, these files\nwill not use inlinecrypt. Worse case, it may lead to data\ncorruption if wrappedkey_v0 is enable.\n\nThread A: Thread B:\n\n-f2fs_remount\t\t\t\t-f2fs_file_open or f2fs_new_inode\n -default_options\n\t<- clear SB_INLINECRYPT flag\n\n -fscrypt_select_encryption_impl\n\n -parse_options\n\t<- set SB_INLINECRYPT again(CVE-2024-40971)",
"cves": [
{
"id": "CVE-2021-47391",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47391",
"severity": "Low"
},
{
"id": "CVE-2022-48721",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48721",
"severity": "Medium"
},
{
"id": "CVE-2023-52743",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52743",
"severity": "Medium"
},
{
"id": "CVE-2023-52755",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52755",
"severity": "High"
},
{
"id": "CVE-2023-52833",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52833",
"severity": "Medium"
},
{
"id": "CVE-2024-34027",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34027",
"severity": "Medium"
},
{
"id": "CVE-2024-36478",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36478",
"severity": "Medium"
},
{
"id": "CVE-2024-38540",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38540",
"severity": "Medium"
},
{
"id": "CVE-2024-38558",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38558",
"severity": "Medium"
},
{
"id": "CVE-2024-38570",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38570",
"severity": "Medium"
},
{
"id": "CVE-2024-38586",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38586",
"severity": "Medium"
},
{
"id": "CVE-2024-38598",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38598",
"severity": "Medium"
},
{
"id": "CVE-2024-38605",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38605",
"severity": "Medium"
},
{
"id": "CVE-2024-38615",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38615",
"severity": "Medium"
},
{
"id": "CVE-2024-38632",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38632",
"severity": "Medium"
},
{
"id": "CVE-2024-39480",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39480",
"severity": "Medium"
},
{
"id": "CVE-2024-39487",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39487",
"severity": "Medium"
},
{
"id": "CVE-2024-39488",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39488",
"severity": "Medium"
},
{
"id": "CVE-2024-39489",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39489",
"severity": "Low"
},
{
"id": "CVE-2024-39500",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39500",
"severity": "Medium"
},
{
"id": "CVE-2024-40931",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40931",
"severity": "Medium"
},
{
"id": "CVE-2024-40971",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40971",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1879": {
"id": "openEuler-SA-2024-1879",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1879",
"title": "An update for openssl is now available for openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3",
"severity": "Medium",
"description": "The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL tookit and its related documentation.\n\nSecurity Fix(es):\n\nIssue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.(CVE-2024-5535)",
"cves": [
{
"id": "CVE-2024-5535",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5535",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1841": {
"id": "openEuler-SA-2024-1841",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1841",
"title": "An update for exiv2 is now available for openEuler-24.03-LTS",
"severity": "Medium",
"description": "Exiv2 is a Cross-platform C++ library and a command line utility to manage image metadata. It provides fast and easy read and write access to the Exif, IPTC and XMP metadata and the ICC Profile embedded within digital images in various formats.\n\nSecurity Fix(es):\n\nExiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 version v0.28.2. The vulnerability is in the parser for the ASF video format, which was a new feature in v0.28.0. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted video file. The bug is fixed in version v0.28.3.(CVE-2024-39695)",
"cves": [
{
"id": "CVE-2024-39695",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39695",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1839": {
"id": "openEuler-SA-2024-1839",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1839",
"title": "An update for kernel is now available for openEuler-22.03-LTS-SP3",
"severity": "Critical",
"description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Fix DSP oops stack dump output contents\n\nFix @buf arg given to hex_dump_to_buffer() and stack address used\nin dump error output.(CVE-2021-47381)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9170/1: fix panic when kasan and kprobe are enabled\n\narm32 uses software to simulate the instruction replaced\nby kprobe. some instructions may be simulated by constructing\nassembly functions. therefore, before executing instruction\nsimulation, it is necessary to construct assembly function\nexecution environment in C language through binding registers.\nafter kasan is enabled, the register binding relationship will\nbe destroyed, resulting in instruction simulation errors and\ncausing kernel panic.\n\nthe kprobe emulate instruction function is distributed in three\nfiles: actions-common.c actions-arm.c actions-thumb.c, so disable\nKASAN when compiling these files.\n\nfor example, use kprobe insert on cap_capable+20 after kasan\nenabled, the cap_capable assembly code is as follows:\n<cap_capable>:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne1a05000\tmov\tr5, r0\ne280006c\tadd\tr0, r0, #108 ; 0x6c\ne1a04001\tmov\tr4, r1\ne1a06002\tmov\tr6, r2\ne59fa090\tldr\tsl, [pc, #144] ;\nebfc7bf8\tbl\tc03aa4b4 <__asan_load4>\ne595706c\tldr\tr7, [r5, #108] ; 0x6c\ne2859014\tadd\tr9, r5, #20\n......\nThe emulate_ldr assembly code after enabling kasan is as follows:\nc06f1384 <emulate_ldr>:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne282803c\tadd\tr8, r2, #60 ; 0x3c\ne1a05000\tmov\tr5, r0\ne7e37855\tubfx\tr7, r5, #16, #4\ne1a00008\tmov\tr0, r8\ne1a09001\tmov\tr9, r1\ne1a04002\tmov\tr4, r2\nebf35462\tbl\tc03c6530 <__asan_load4>\ne357000f\tcmp\tr7, #15\ne7e36655\tubfx\tr6, r5, #12, #4\ne205a00f\tand\tsl, r5, #15\n0a000001\tbeq\tc06f13bc <emulate_ldr+0x38>\ne0840107\tadd\tr0, r4, r7, lsl #2\nebf3545c\tbl\tc03c6530 <__asan_load4>\ne084010a\tadd\tr0, r4, sl, lsl #2\nebf3545a\tbl\tc03c6530 <__asan_load4>\ne2890010\tadd\tr0, r9, #16\nebf35458\tbl\tc03c6530 <__asan_load4>\ne5990010\tldr\tr0, [r9, #16]\ne12fff30\tblx\tr0\ne356000f\tcm\tr6, #15\n1a000014\tbne\tc06f1430 <emulate_ldr+0xac>\ne1a06000\tmov\tr6, r0\ne2840040\tadd\tr0, r4, #64 ; 0x40\n......\n\nwhen running in emulate_ldr to simulate the ldr instruction, panic\noccurred, and the log is as follows:\nUnable to handle kernel NULL pointer dereference at virtual address\n00000090\npgd = ecb46400\n[00000090] *pgd=2e0fa003, *pmd=00000000\nInternal error: Oops: 206 [#1] SMP ARM\nPC is at cap_capable+0x14/0xb0\nLR is at emulate_ldr+0x50/0xc0\npsr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c\nr10: 00000000 r9 : c30897f4 r8 : ecd63cd4\nr7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98\nr3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008\nFlags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user\nControl: 32c5387d Table: 2d546400 DAC: 55555555\nProcess bash (pid: 1643, stack limit = 0xecd60190)\n(cap_capable) from (kprobe_handler+0x218/0x340)\n(kprobe_handler) from (kprobe_trap_handler+0x24/0x48)\n(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)\n(do_undefinstr) from (__und_svc_finish+0x0/0x30)\n(__und_svc_finish) from (cap_capable+0x18/0xb0)\n(cap_capable) from (cap_vm_enough_memory+0x38/0x48)\n(cap_vm_enough_memory) from\n(security_vm_enough_memory_mm+0x48/0x6c)\n(security_vm_enough_memory_mm) from\n(copy_process.constprop.5+0x16b4/0x25c8)\n(copy_process.constprop.5) from (_do_fork+0xe8/0x55c)\n(_do_fork) from (SyS_clone+0x1c/0x24)\n(SyS_clone) from (__sys_trace_return+0x0/0x10)\nCode: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)(CVE-2021-47618)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free after failure to create a snapshot\n\nAt ioctl.c:create_snapshot(), we allocate a pending snapshot structure and\nthen attach it to the transaction's list of pending snapshots. After that\nwe call btrfs_commit_transaction(), and if that returns an error we jump\nto 'fail' label, where we kfree() the pending snapshot structure. This can\nresult in a later use-after-free of the pending snapshot:\n\n1) We allocated the pending snapshot and added it to the transaction's\n list of pending snapshots;\n\n2) We call btrfs_commit_transaction(), and it fails either at the first\n call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups().\n In both cases, we don't abort the transaction and we release our\n transaction handle. We jump to the 'fail' label and free the pending\n snapshot structure. We return with the pending snapshot still in the\n transaction's list;\n\n3) Another task commits the transaction. This time there's no error at\n all, and then during the transaction commit it accesses a pointer\n to the pending snapshot structure that the snapshot creation task\n has already freed, resulting in a user-after-free.\n\nThis issue could actually be detected by smatch, which produced the\nfollowing warning:\n\n fs/btrfs/ioctl.c:843 create_snapshot() warn: '&pending_snapshot->list' not removed from list\n\nSo fix this by not having the snapshot creation ioctl directly add the\npending snapshot to the transaction's list. Instead add the pending\nsnapshot to the transaction handle, and then at btrfs_commit_transaction()\nwe add the snapshot to the list only when we can guarantee that any error\nreturned after that point will result in a transaction abort, in which\ncase the ioctl code can safely free the pending snapshot and no one can\naccess it anymore.(CVE-2022-48733)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Avoid field-overflowing memcpy()\n\nIn preparation for FORTIFY_SOURCE performing compile-time and run-time\nfield bounds checking for memcpy(), memmove(), and memset(), avoid\nintentionally writing across neighboring fields.\n\nUse flexible arrays instead of zero-element arrays (which look like they\nare always overflowing) and split the cross-field memcpy() into two halves\nthat can be appropriately bounds-checked by the compiler.\n\nWe were doing:\n\n\t#define ETH_HLEN 14\n\t#define VLAN_HLEN 4\n\t...\n\t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)\n\t...\n struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi);\n\t...\n struct mlx5_wqe_eth_seg *eseg = &wqe->eth;\n struct mlx5_wqe_data_seg *dseg = wqe->data;\n\t...\n\tmemcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);\n\ntarget is wqe->eth.inline_hdr.start (which the compiler sees as being\n2 bytes in size), but copying 18, intending to write across start\n(really vlan_tci, 2 bytes). The remaining 16 bytes get written into\nwqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr\n(8 bytes).\n\nstruct mlx5e_tx_wqe {\n struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 */\n struct mlx5_wqe_eth_seg eth; /* 16 16 */\n struct mlx5_wqe_data_seg data[]; /* 32 0 */\n\n /* size: 32, cachelines: 1, members: 3 */\n /* last cacheline: 32 bytes */\n};\n\nstruct mlx5_wqe_eth_seg {\n u8 swp_outer_l4_offset; /* 0 1 */\n u8 swp_outer_l3_offset; /* 1 1 */\n u8 swp_inner_l4_offset; /* 2 1 */\n u8 swp_inner_l3_offset; /* 3 1 */\n u8 cs_flags; /* 4 1 */\n u8 swp_flags; /* 5 1 */\n __be16 mss; /* 6 2 */\n __be32 flow_table_metadata; /* 8 4 */\n union {\n struct {\n __be16 sz; /* 12 2 */\n u8 start[2]; /* 14 2 */\n } inline_hdr; /* 12 4 */\n struct {\n __be16 type; /* 12 2 */\n __be16 vlan_tci; /* 14 2 */\n } insert; /* 12 4 */\n __be32 trailer; /* 12 4 */\n }; /* 12 4 */\n\n /* size: 16, cachelines: 1, members: 9 */\n /* last cacheline: 16 bytes */\n};\n\nstruct mlx5_wqe_data_seg {\n __be32 byte_count; /* 0 4 */\n __be32 lkey; /* 4 4 */\n __be64 addr; /* 8 8 */\n\n /* size: 16, cachelines: 1, members: 3 */\n /* last cacheline: 16 bytes */\n};\n\nSo, split the memcpy() so the compiler can reason about the buffer\nsizes.\n\n\"pahole\" shows no size nor member offset changes to struct mlx5e_tx_wqe\nnor struct mlx5e_umr_wqe. \"objdump -d\" shows no meaningful object\ncode changes (i.e. only source line number induced differences and\noptimizations).(CVE-2022-48744)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nKVM: LAPIC: Also cancel preemption timer during SET_LAPIC\n\nThe below warning is splatting during guest reboot.\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5\n RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n Call Trace:\n <TASK>\n kvm_vcpu_ioctl+0x279/0x710 [kvm]\n __x64_sys_ioctl+0x83/0xb0\n do_syscall_64+0x3b/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7fd39797350b\n\nThis can be triggered by not exposing tsc-deadline mode and doing a reboot in\nthe guest. The lapic_shutdown() function which is called in sys_reboot path\nwill not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears\nAPIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode\nswitch between tsc-deadline and oneshot/periodic, which can result in preemption\ntimer be cancelled in apic_update_lvtt(). However, We can't depend on this when\nnot exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption\ntimer. Qemu will synchronise states around reset, let's cancel preemption timer\nunder KVM_SET_LAPIC.(CVE-2022-48765)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmedia: lgdt3306a: Add a check against null-pointer-def\n\nThe driver should check whether the client provides the platform_data.\n\nThe following log reveals it:\n\n[ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\n[ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\n[ 29.612820] Call Trace:\n[ 29.613030] <TASK>\n[ 29.613201] dump_stack_lvl+0x56/0x6f\n[ 29.613496] ? kmemdup+0x30/0x40\n[ 29.613754] print_report.cold+0x494/0x6b7\n[ 29.614082] ? kmemdup+0x30/0x40\n[ 29.614340] kasan_report+0x8a/0x190\n[ 29.614628] ? kmemdup+0x30/0x40\n[ 29.614888] kasan_check_range+0x14d/0x1d0\n[ 29.615213] memcpy+0x20/0x60\n[ 29.615454] kmemdup+0x30/0x40\n[ 29.615700] lgdt3306a_probe+0x52/0x310\n[ 29.616339] i2c_device_probe+0x951/0xa90(CVE-2022-48772)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: Add date->evt_skb is NULL check\n\nfix crash because of null pointers\n\n[ 6104.969662] BUG: kernel NULL pointer dereference, address: 00000000000000c8\n[ 6104.969667] #PF: supervisor read access in kernel mode\n[ 6104.969668] #PF: error_code(0x0000) - not-present page\n[ 6104.969670] PGD 0 P4D 0\n[ 6104.969673] Oops: 0000 [#1] SMP NOPTI\n[ 6104.969684] RIP: 0010:btusb_mtk_hci_wmt_sync+0x144/0x220 [btusb]\n[ 6104.969688] RSP: 0018:ffffb8d681533d48 EFLAGS: 00010246\n[ 6104.969689] RAX: 0000000000000000 RBX: ffff8ad560bb2000 RCX: 0000000000000006\n[ 6104.969691] RDX: 0000000000000000 RSI: ffffb8d681533d08 RDI: 0000000000000000\n[ 6104.969692] RBP: ffffb8d681533d70 R08: 0000000000000001 R09: 0000000000000001\n[ 6104.969694] R10: 0000000000000001 R11: 00000000fa83b2da R12: ffff8ad461d1d7c0\n[ 6104.969695] R13: 0000000000000000 R14: ffff8ad459618c18 R15: ffffb8d681533d90\n[ 6104.969697] FS: 00007f5a1cab9d40(0000) GS:ffff8ad578200000(0000) knlGS:00000\n[ 6104.969699] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6104.969700] CR2: 00000000000000c8 CR3: 000000018620c001 CR4: 0000000000760ef0\n[ 6104.969701] PKRU: 55555554\n[ 6104.969702] Call Trace:\n[ 6104.969708] btusb_mtk_shutdown+0x44/0x80 [btusb]\n[ 6104.969732] hci_dev_do_close+0x470/0x5c0 [bluetooth]\n[ 6104.969748] hci_rfkill_set_block+0x56/0xa0 [bluetooth]\n[ 6104.969753] rfkill_set_block+0x92/0x160\n[ 6104.969755] rfkill_fop_write+0x136/0x1e0\n[ 6104.969759] __vfs_write+0x18/0x40\n[ 6104.969761] vfs_write+0xdf/0x1c0\n[ 6104.969763] ksys_write+0xb1/0xe0\n[ 6104.969765] __x64_sys_write+0x1a/0x20\n[ 6104.969769] do_syscall_64+0x51/0x180\n[ 6104.969771] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[ 6104.969773] RIP: 0033:0x7f5a21f18fef\n[ 6104.9] RSP: 002b:00007ffeefe39010 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\n[ 6104.969780] RAX: ffffffffffffffda RBX: 000055c10a7560a0 RCX: 00007f5a21f18fef\n[ 6104.969781] RDX: 0000000000000008 RSI: 00007ffeefe39060 RDI: 0000000000000012\n[ 6104.969782] RBP: 00007ffeefe39060 R08: 0000000000000000 R09: 0000000000000017\n[ 6104.969784] R10: 00007ffeefe38d97 R11: 0000000000000293 R12: 0000000000000002\n[ 6104.969785] R13: 00007ffeefe39220 R14: 00007ffeefe391a0 R15: 000055c10a72acf0(CVE-2023-52833)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\n\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\ninterrupt affinity reconfiguration via procfs. Instead, the change is\ndeferred until the next instance of the interrupt being triggered on the\noriginal CPU.\n\nWhen the interrupt next triggers on the original CPU, the new affinity is\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\nbut the old vector on the original CPU remains and is not immediately\nreclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming\nprocess is delayed until the next trigger of the interrupt on the new CPU.\n\nUpon the subsequent triggering of the interrupt on the new CPU,\nirq_complete_move() adds a task to the old CPU's vector_cleanup list if it\nremains online. Subsequently, the timer on the old CPU iterates over its\nvector_cleanup list, reclaiming old vectors.\n\nHowever, a rare scenario arises if the old CPU is outgoing before the\ninterrupt triggers again on the new CPU.\n\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\nto reclaim the old apicd->prev_vector because the interrupt isn't currently\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\nthough __vector_schedule_cleanup() is later called on the new CPU, it\ndoesn't reclaim apicd->prev_vector; instead, it simply resets both\napicd->move_in_progress and apicd->prev_vector to 0.\n\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\nCPU vector leak.\n\nTo address this issue, move the invocation of irq_force_complete_move()\nbefore the irq_needs_fixup() call to reclaim apicd->prev_vector, if the\ninterrupt is currently or used to be affine to the outgoing CPU.\n\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\nfollowing a warning message, although theoretically it should never see\napicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.(CVE-2024-31076)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nof: dynamic: Synchronize of_changeset_destroy() with the devlink removals\n\nIn the following sequence:\n 1) of_platform_depopulate()\n 2) of_overlay_remove()\n\nDuring the step 1, devices are destroyed and devlinks are removed.\nDuring the step 2, OF nodes are destroyed but\n__of_changeset_entry_destroy() can raise warnings related to missing\nof_node_put():\n ERROR: memory leak, expected refcount 1 instead of 2 ...\n\nIndeed, during the devlink removals performed at step 1, the removal\nitself releasing the device (and the attached of_node) is done by a job\nqueued in a workqueue and so, it is done asynchronously with respect to\nfunction calls.\nWhen the warning is present, of_node_put() will be called but wrongly\ntoo late from the workqueue job.\n\nIn order to be sure that any ongoing devlink removals are done before\nthe of_node destruction, synchronize the of_changeset_destroy() with the\ndevlink removals.(CVE-2024-35879)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n simple_copy_to_iter net/core/datagram.c:532 [inline]\n __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n __do_sys_recvfrom net/socket.c:2260 [inline]\n __se_sys_recvfrom net/socket.c:2256 [inline]\n __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n nlmsg_unicast include/net/netlink.h:1144 [inline]\n nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n tcf_add_notify net/sched/act_api.c:2048 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n __nla_put lib/nlattr.c:1041 [inline]\n nla_put+0x1c6/0x230 lib/nlattr.c:1099\n tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n tcf_add_notify net/sched/act_api.c:2042 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---(CVE-2024-35893)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr\n\nAlthough ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it\nstill means hlist_for_each_entry_rcu can return an item that got removed\nfrom the list. The memory itself of such item is not freed thanks to RCU\nbut nothing guarantees the actual content of the memory is sane.\n\nIn particular, the reference count can be zero. This can happen if\nipv6_del_addr is called in parallel. ipv6_del_addr removes the entry\nfrom inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all\nreferences (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough\ntiming, this can happen:\n\n1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.\n\n2. Then, the whole ipv6_del_addr is executed for the given entry. The\n reference count drops to zero and kfree_rcu is scheduled.\n\n3. ipv6_get_ifaddr continues and tries to increments the reference count\n (in6_ifa_hold).\n\n4. The rcu is unlocked and the entry is freed.\n\n5. The freed entry is returned.\n\nPrevent increasing of the reference count in such case. The name\nin6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.\n\n[ 41.506330] refcount_t: addition on 0; use-after-free.\n[ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130\n[ 41.507413] Modules linked in: veth bridge stp llc\n[ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14\n[ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n[ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130\n[ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff\n[ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282\n[ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000\n[ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900\n[ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff\n[ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000\n[ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48\n[ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000\n[ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0\n[ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 41.516799] Call Trace:\n[ 41.517037] <TASK>\n[ 41.517249] ? __warn+0x7b/0x120\n[ 41.517535] ? refcount_warn_saturate+0xa5/0x130\n[ 41.517923] ? report_bug+0x164/0x190\n[ 41.518240] ? handle_bug+0x3d/0x70\n[ 41.518541] ? exc_invalid_op+0x17/0x70\n[ 41.520972] ? asm_exc_invalid_op+0x1a/0x20\n[ 41.521325] ? refcount_warn_saturate+0xa5/0x130\n[ 41.521708] ipv6_get_ifaddr+0xda/0xe0\n[ 41.522035] inet6_rtm_getaddr+0x342/0x3f0\n[ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10\n[ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0\n[ 41.523102] ? netlink_unicast+0x30f/0x390\n[ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[ 41.523832] netlink_rcv_skb+0x53/0x100\n[ 41.524157] netlink_unicast+0x23b/0x390\n[ 41.524484] netlink_sendmsg+0x1f2/0x440\n[ 41.524826] __sys_sendto+0x1d8/0x1f0\n[ 41.525145] __x64_sys_sendto+0x1f/0x30\n[ 41.525467] do_syscall_64+0xa5/0x1b0\n[ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a\n[ 41.526213] RIP: 0033:0x7fbc4cfcea9a\n[ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n[ 41.527942] RSP: 002b:00007f\n---truncated---(CVE-2024-35969)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix TASK_SIZE on 64-bit NOMMU\n\nOn NOMMU, userspace memory can come from anywhere in physical RAM. The\ncurrent definition of TASK_SIZE is wrong if any RAM exists above 4G,\ncausing spurious failures in the userspace access routines.(CVE-2024-35988)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/arm/malidp: fix a possible null pointer dereference\n\nIn malidp_mw_connector_reset, new memory is allocated with kzalloc, but\nno check is performed. In order to prevent null pointer dereferencing,\nensure that mw_state is checked before calling\n__drm_atomic_helper_connector_reset.(CVE-2024-36014)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix missing memory barrier in tls_init\n\nIn tls_init(), a write memory barrier is missing, and store-store\nreordering may cause NULL dereference in tls_{setsockopt,getsockopt}.\n\nCPU0 CPU1\n----- -----\n// In tls_init()\n// In tls_ctx_create()\nctx = kzalloc()\nctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)\n\n// In update_sk_prot()\nWRITE_ONCE(sk->sk_prot, tls_prots) -(2)\n\n // In sock_common_setsockopt()\n READ_ONCE(sk->sk_prot)->setsockopt()\n\n // In tls_{setsockopt,getsockopt}()\n ctx->sk_proto->setsockopt() -(3)\n\nIn the above scenario, when (1) and (2) are reordered, (3) can observe\nthe NULL value of ctx->sk_proto, causing NULL dereference.\n\nTo fix it, we rely on rcu_assign_pointer() which implies the release\nbarrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is\ninitialized, we can ensure that ctx->sk_proto are visible when\nchanging sk->sk_prot.(CVE-2024-36489)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nvirtio: delete vq in vp_find_vqs_msix() when request_irq() fails\n\nWhen request_irq() fails, error path calls vp_del_vqs(). There, as vq is\npresent in the list, free_irq() is called for the same vector. That\ncauses following splat:\n\n[ 0.414355] Trying to free already-free IRQ 27\n[ 0.414403] WARNING: CPU: 1 PID: 1 at kernel/irq/manage.c:1899 free_irq+0x1a1/0x2d0\n[ 0.414510] Modules linked in:\n[ 0.414540] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc4+ #27\n[ 0.414540] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n[ 0.414540] RIP: 0010:free_irq+0x1a1/0x2d0\n[ 0.414540] Code: 1e 00 48 83 c4 08 48 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 90 8b 74 24 04 48 c7 c7 98 80 6c b1 e8 00 c9 f7 ff 90 <0f> 0b 90 90 48 89 ee 4c 89 ef e8 e0 20 b8 00 49 8b 47 40 48 8b 40\n[ 0.414540] RSP: 0000:ffffb71480013ae0 EFLAGS: 00010086\n[ 0.414540] RAX: 0000000000000000 RBX: ffffa099c2722000 RCX: 0000000000000000\n[ 0.414540] RDX: 0000000000000000 RSI: ffffb71480013998 RDI: 0000000000000001\n[ 0.414540] RBP: 0000000000000246 R08: 00000000ffffdfff R09: 0000000000000001\n[ 0.414540] R10: 00000000ffffdfff R11: ffffffffb18729c0 R12: ffffa099c1c91760\n[ 0.414540] R13: ffffa099c1c916a4 R14: ffffa099c1d2f200 R15: ffffa099c1c91600\n[ 0.414540] FS: 0000000000000000(0000) GS:ffffa099fec40000(0000) knlGS:0000000000000000\n[ 0.414540] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 0.414540] CR2: 0000000000000000 CR3: 0000000008e3e001 CR4: 0000000000370ef0\n[ 0.414540] Call Trace:\n[ 0.414540] <TASK>\n[ 0.414540] ? __warn+0x80/0x120\n[ 0.414540] ? free_irq+0x1a1/0x2d0\n[ 0.414540] ? report_bug+0x164/0x190\n[ 0.414540] ? handle_bug+0x3b/0x70\n[ 0.414540] ? exc_invalid_op+0x17/0x70\n[ 0.414540] ? asm_exc_invalid_op+0x1a/0x20\n[ 0.414540] ? free_irq+0x1a1/0x2d0\n[ 0.414540] vp_del_vqs+0xc1/0x220\n[ 0.414540] vp_find_vqs_msix+0x305/0x470\n[ 0.414540] vp_find_vqs+0x3e/0x1a0\n[ 0.414540] vp_modern_find_vqs+0x1b/0x70\n[ 0.414540] init_vqs+0x387/0x600\n[ 0.414540] virtnet_probe+0x50a/0xc80\n[ 0.414540] virtio_dev_probe+0x1e0/0x2b0\n[ 0.414540] really_probe+0xc0/0x2c0\n[ 0.414540] ? __pfx___driver_attach+0x10/0x10\n[ 0.414540] __driver_probe_device+0x73/0x120\n[ 0.414540] driver_probe_device+0x1f/0xe0\n[ 0.414540] __driver_attach+0x88/0x180\n[ 0.414540] bus_for_each_dev+0x85/0xd0\n[ 0.414540] bus_add_driver+0xec/0x1f0\n[ 0.414540] driver_register+0x59/0x100\n[ 0.414540] ? __pfx_virtio_net_driver_init+0x10/0x10\n[ 0.414540] virtio_net_driver_init+0x90/0xb0\n[ 0.414540] do_one_initcall+0x58/0x230\n[ 0.414540] kernel_init_freeable+0x1a3/0x2d0\n[ 0.414540] ? __pfx_kernel_init+0x10/0x10\n[ 0.414540] kernel_init+0x1a/0x1c0\n[ 0.414540] ret_from_fork+0x31/0x50\n[ 0.414540] ? __pfx_kernel_init+0x10/0x10\n[ 0.414540] ret_from_fork_asm+0x1a/0x30\n[ 0.414540] </TASK>\n\nFix this by calling deleting the current vq when request_irq() fails.(CVE-2024-37353)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\n\nWe have been seeing crashes on duplicate keys in\nbtrfs_set_item_key_safe():\n\n BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/ctree.c:2620!\n invalid opcode: 0000 [#1] PREEMPT SMP PTI\n CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\n RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\n\nWith the following stack trace:\n\n #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\n #1 btrfs_drop_extents (fs/btrfs/file.c:411:4)\n #2 log_one_extent (fs/btrfs/tree-log.c:4732:9)\n #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\n #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\n #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\n #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\n #7 btrfs_sync_file (fs/btrfs/file.c:1933:8)\n #8 vfs_fsync_range (fs/sync.c:188:9)\n #9 vfs_fsync (fs/sync.c:202:9)\n #10 do_fsync (fs/sync.c:212:9)\n #11 __do_sys_fdatasync (fs/sync.c:225:9)\n #12 __se_sys_fdatasync (fs/sync.c:223:1)\n #13 __x64_sys_fdatasync (fs/sync.c:223:1)\n #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\n #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\n #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\n\nSo we're logging a changed extent from fsync, which is splitting an\nextent in the log tree. But this split part already exists in the tree,\ntriggering the BUG().\n\nThis is the state of the log tree at the time of the crash, dumped with\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\nto get more details than btrfs_print_leaf() gives us:\n\n >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0][\"eb\"])\n leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\n leaf 33439744 flags 0x100000000000000\n fs uuid e5bd3946-400c-4223-8923-190ef1f18677\n chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\n item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\n generation 7 transid 9 size 8192 nbytes 8473563889606862198\n block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\n sequence 204 flags 0x10(PREALLOC)\n atime 1716417703.220000000 (2024-05-22 15:41:43)\n ctime 1716417704.983333333 (2024-05-22 15:41:44)\n mtime 1716417704.983333333 (2024-05-22 15:41:44)\n otime 17592186044416.000000000 (559444-03-08 01:40:16)\n item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\n index 195 namelen 3 name: 193\n item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\n location key (0 UNKNOWN.0 0) type XATTR\n transid 7 data_len 1 name_len 6\n name: user.a\n data a\n item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\n generation 9 type 1 (regular)\n extent data disk byte 303144960 nr 12288\n extent data offset 0 nr 4096 ram 12288\n extent compression 0 (none)\n item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 4096 nr 8192\n item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 8192 nr 4096\n ...\n\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\nitem 5 starts at i_size.\n\nHere is the state of \n---truncated---(CVE-2024-37354)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_rx_work\n\nsyzbot reported the following uninit-value access issue [1]\n\nnci_rx_work() parses received packet from ndev->rx_q. It should be\nvalidated header size, payload size and total packet size before\nprocessing the packet. If an invalid packet is detected, it should be\nsilently discarded.(CVE-2024-38381)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmedia: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries\n\nThe allocation failure of mycs->yuv_scaler_binary in load_video_binaries()\nis followed with a dereference of mycs->yuv_scaler_binary after the\nfollowing call chain:\n\nsh_css_pipe_load_binaries()\n |-> load_video_binaries(mycs->yuv_scaler_binary == NULL)\n |\n |-> sh_css_pipe_unload_binaries()\n |-> unload_video_binaries()\n\nIn unload_video_binaries(), it calls to ia_css_binary_unload with argument\n&pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the\nsame memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer\ndereference is triggered.(CVE-2024-38547)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential index out of bounds in color transformation function\n\nFixes index out of bounds issue in the color transformation function.\nThe issue could occur when the index 'i' exceeds the number of transfer\nfunction points (TRANSFER_FUNC_POINTS).\n\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, an error message is\nlogged and the function returns false to indicate an error.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max(CVE-2024-38552)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issue of net_device\n\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\n\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null.(CVE-2024-38554)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nrcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow\n\nThere is a possibility of buffer overflow in\nshow_rcu_tasks_trace_gp_kthread() if counters, passed\nto sprintf() are huge. Counter numbers, needed for this\nare unrealistically high, but buffer overflow is still\npossible.\n\nUse snprintf() with buffer size instead of sprintf().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38577)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: bcm - Fix pointer arithmetic\n\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\ninstead of hash_iv_len which could lead to going beyond the\nbuffer boundaries.\nFix this bug by changing ciph_key_len to hash_iv_len.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38579)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential hang in nilfs_detach_log_writer()\n\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\n\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\n\nnilfs_detach_log_writer\n nilfs_segctor_destroy\n nilfs_segctor_kill_thread --> Shut down log writer thread\n flush_work\n nilfs_iput_work_func\n nilfs_dispose_list\n iput\n nilfs_evict_inode\n nilfs_transaction_commit\n nilfs_construct_segment (if inode needs sync)\n nilfs_segctor_sync --> Attempt to synchronize with\n log writer thread\n *** DEADLOCK ***\n\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\n\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy().(CVE-2024-38582)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free of timer for log writer thread\n\nPatch series \"nilfs2: fix log writer related issues\".\n\nThis bug fix series covers three nilfs2 log writer-related issues,\nincluding a timer use-after-free issue and potential deadlock issue on\nunmount, and a potential freeze issue in event synchronization found\nduring their analysis. Details are described in each commit log.\n\n\nThis patch (of 3):\n\nA use-after-free issue has been reported regarding the timer sc_timer on\nthe nilfs_sc_info structure.\n\nThe problem is that even though it is used to wake up a sleeping log\nwriter thread, sc_timer is not shut down until the nilfs_sc_info structure\nis about to be freed, and is used regardless of the thread's lifetime.\n\nFix this issue by limiting the use of sc_timer only while the log writer\nthread is alive.(CVE-2024-38583)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Modify the print level of CQE error\n\nToo much print may lead to a panic in kernel. Change ibdev_err() to\nibdev_err_ratelimited(), and change the printing level of cqe dump\nto debug level.(CVE-2024-38590)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix resync softlockup when bitmap size is less than array size\n\nIs is reported that for dm-raid10, lvextend + lvchange --syncaction will\ntrigger following softlockup:\n\nkernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]\nCPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1\nRIP: 0010:_raw_spin_unlock_irq+0x13/0x30\nCall Trace:\n <TASK>\n md_bitmap_start_sync+0x6b/0xf0\n raid10_sync_request+0x25c/0x1b40 [raid10]\n md_do_sync+0x64b/0x1020\n md_thread+0xa7/0x170\n kthread+0xcf/0x100\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1a/0x30\n\nAnd the detailed process is as follows:\n\nmd_do_sync\n j = mddev->resync_min\n while (j < max_sectors)\n sectors = raid10_sync_request(mddev, j, &skipped)\n if (!md_bitmap_start_sync(..., &sync_blocks))\n // md_bitmap_start_sync set sync_blocks to 0\n return sync_blocks + sectors_skippe;\n // sectors = 0;\n j += sectors;\n // j never change\n\nRoot cause is that commit 301867b1c168 (\"md/raid10: check\nslab-out-of-bounds in md_bitmap_get_counter\") return early from\nmd_bitmap_get_counter(), without setting returned blocks.\n\nFix this problem by always set returned blocks from\nmd_bitmap_get_counter\"(), as it used to be.\n\nNoted that this patch just fix the softlockup problem in kernel, the\ncase that bitmap size doesn't match array size still need to be fixed.(CVE-2024-38598)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issues of ax25_dev\n\nThe ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference\ncount leak issue of the object \"ax25_dev\".\n\nMemory leak issue in ax25_addr_ax25dev():\n\nThe reference count of the object \"ax25_dev\" can be increased multiple\ntimes in ax25_addr_ax25dev(). This will cause a memory leak.\n\nMemory leak issues in ax25_dev_device_down():\n\nThe reference count of ax25_dev is set to 1 in ax25_dev_device_up() and\nthen increase the reference count when ax25_dev is added to ax25_dev_list.\nAs a result, the reference count of ax25_dev is 2. But when the device is\nshutting down. The ax25_dev_device_down() drops the reference count once\nor twice depending on if we goto unlock_put or not, which will cause\nmemory leak.\n\nAs for the issue of ax25_addr_ax25dev(), it is impossible for one pointer\nto be on a list twice. So add a break in ax25_addr_ax25dev(). As for the\nissue of ax25_dev_device_down(), increase the reference count of ax25_dev\nonce in ax25_dev_device_up() and decrease the reference count of ax25_dev\nafter it is removed from the ax25_dev_list.(CVE-2024-38602)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/perf: hisi: hns3: Actually use devm_add_action_or_reset()\n\npci_alloc_irq_vectors() allocates an irq vector. When devm_add_action()\nfails, the irq vector is not freed, which leads to a memory leak.\n\nReplace the devm_add_action with devm_add_action_or_reset to ensure\nthe irq vector can be destroyed when it fails.(CVE-2024-38603)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: exit() callback is optional\n\nThe exit() callback is optional and shouldn't be called without checking\na valid pointer first.\n\nAlso, we must clear freq_table pointer even if the exit() callback isn't\npresent.(CVE-2024-38615)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmedia: stk1160: fix bounds checking in stk1160_copy_video()\n\nThe subtract in this condition is reversed. The ->length is the length\nof the buffer. The ->bytesused is how many bytes we have copied thus\nfar. When the condition is reversed that means the result of the\nsubtraction is always negative but since it's unsigned then the result\nis a very high positive value. That means the overflow check is never\ntrue.\n\nAdditionally, the ->bytesused doesn't actually work for this purpose\nbecause we're not writing to \"buf->mem + buf->bytesused\". Instead, the\nmath to calculate the destination where we are writing is a bit\ninvolved. You calculate the number of full lines already written,\nmultiply by two, skip a line if necessary so that we start on an odd\nnumbered line, and add the offset into the line.\n\nTo fix this buffer overflow, just take the actual destination where we\nare writing, if the offset is already out of bounds print an error and\nreturn. Otherwise, write up to buf->length bytes.(CVE-2024-38621)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Use variable length array instead of fixed size\n\nShould fix smatch warning:\n\tntfs_set_label() error: __builtin_memcpy() 'uni->name' too small (20 vs 256)(CVE-2024-38623)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Check 'folio' pointer for NULL\n\nIt can be NULL if bmap is called.(CVE-2024-38625)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Update uart_driver_registered on driver removal\n\nThe removal of the last MAX3100 device triggers the removal of\nthe driver. However, code doesn't update the respective global\nvariable and after insmod — rmmod — insmod cycle the kernel\noopses:\n\n max3100 spi-PRP0001:01: max3100_probe: adding port 0\n BUG: kernel NULL pointer dereference, address: 0000000000000408\n ...\n RIP: 0010:serial_core_register_port+0xa0/0x840\n ...\n max3100_probe+0x1b6/0x280 [max3100]\n spi_probe+0x8d/0xb0\n\nUpdate the actual state so next time UART driver will be registered\nagain.\n\nHugo also noticed, that the error path in the probe also affected\nby having the variable set, and not cleared. Instead of clearing it\nmove the assignment after the successfull uart_register_driver() call.(CVE-2024-38633)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Lock port->lock when calling uart_handle_cts_change()\n\nuart_handle_cts_change() has to be called with port lock taken,\nSince we run it in a separate work, the lock may not be taken at\nthe time of running. Make sure that it's taken by explicitly doing\nthat. Without it we got a splat:\n\n WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0\n ...\n Workqueue: max3100-0 max3100_work [max3100]\n RIP: 0010:uart_handle_cts_change+0xa6/0xb0\n ...\n max3100_handlerx+0xc5/0x110 [max3100]\n max3100_work+0x12a/0x340 [max3100](CVE-2024-38634)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: lights: check return of get_channel_from_mode\n\nIf channel for the given node is not found we return null from\nget_channel_from_mode. Make sure we validate the return pointer\nbefore using it in two of the missing places.\n\nThis was originally reported in [0]:\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru(CVE-2024-38637)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\n\nSince commit a6aa8fca4d79 (\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\nknown context\") by error replaced spin_unlock_irqrestore() with\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\ninconsistent lock state warning.\n\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().(CVE-2024-38780)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix uninit-value in p9_client_rpc()\n\nSyzbot with the help of KMSAN reported the following error:\n\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2175 [inline]\n allocate_slab mm/slub.c:2338 [inline]\n new_slab+0x2de/0x1400 mm/slub.c:2391\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\n __slab_alloc mm/slub.c:3610 [inline]\n __slab_alloc_node mm/slub.c:3663 [inline]\n slab_alloc_node mm/slub.c:3835 [inline]\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\n p9_tag_alloc net/9p/client.c:278 [inline]\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\nwill not be properly initialized. However, trace_9p_client_res()\nends up trying to print it out anyway before p9_client_rpc()\nfinishes.\n\nFix this issue by assigning default values to p9_fcall fields\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\nduring the tag allocation stage.(CVE-2024-39301)\n\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-39362)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()\n\nsyzbot reports a kernel bug as below:\n\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\n==================================================================\nBUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\nBUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]\nBUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\nRead of size 1 at addr ffff88807a58c76c by task syz-executor280/5076\n\nCPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\n current_nat_addr fs/f2fs/node.h:213 [inline]\n f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\n f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]\n f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838\n __do_sys_ioctl fs/ioctl.c:902 [inline]\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is we missed to do sanity check on i_xattr_nid during\nf2fs_iget(), so that in fiemap() path, current_nat_addr() will access\nnat_bitmap w/ offset from invalid i_xattr_nid, result in triggering\nkasan bug report, fix it.(CVE-2024-39467)",
"cves": [
{
"id": "CVE-2021-47381",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47381",
"severity": "Medium"
},
{
"id": "CVE-2021-47618",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47618",
"severity": "Medium"
},
{
"id": "CVE-2022-48733",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48733",
"severity": "Medium"
},
{
"id": "CVE-2022-48744",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48744",
"severity": "Medium"
},
{
"id": "CVE-2022-48765",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48765",
"severity": "Medium"
},
{
"id": "CVE-2022-48772",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48772",
"severity": "Medium"
},
{
"id": "CVE-2023-52833",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52833",
"severity": "Medium"
},
{
"id": "CVE-2024-31076",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31076",
"severity": "Medium"
},
{
"id": "CVE-2024-35879",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35879",
"severity": "Medium"
},
{
"id": "CVE-2024-35893",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35893",
"severity": "Medium"
},
{
"id": "CVE-2024-35969",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35969",
"severity": "Medium"
},
{
"id": "CVE-2024-35988",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35988",
"severity": "Medium"
},
{
"id": "CVE-2024-36014",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36014",
"severity": "Medium"
},
{
"id": "CVE-2024-36489",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36489",
"severity": "Medium"
},
{
"id": "CVE-2024-37353",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37353",
"severity": "Low"
},
{
"id": "CVE-2024-37354",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37354",
"severity": "Medium"
},
{
"id": "CVE-2024-38381",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38381",
"severity": "Medium"
},
{
"id": "CVE-2024-38547",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38547",
"severity": "Medium"
},
{
"id": "CVE-2024-38552",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38552",
"severity": "Medium"
},
{
"id": "CVE-2024-38554",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38554",
"severity": "Medium"
},
{
"id": "CVE-2024-38577",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38577",
"severity": "Medium"
},
{
"id": "CVE-2024-38579",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38579",
"severity": "Medium"
},
{
"id": "CVE-2024-38582",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38582",
"severity": "None"
},
{
"id": "CVE-2024-38583",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38583",
"severity": "High"
},
{
"id": "CVE-2024-38590",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38590",
"severity": "Medium"
},
{
"id": "CVE-2024-38598",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38598",
"severity": "Medium"
},
{
"id": "CVE-2024-38602",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38602",
"severity": "Medium"
},
{
"id": "CVE-2024-38603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38603",
"severity": "Medium"
},
{
"id": "CVE-2024-38615",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38615",
"severity": "Medium"
},
{
"id": "CVE-2024-38621",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38621",
"severity": "Medium"
},
{
"id": "CVE-2024-38623",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38623",
"severity": "Critical"
},
{
"id": "CVE-2024-38625",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38625",
"severity": "Medium"
},
{
"id": "CVE-2024-38633",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38633",
"severity": "Medium"
},
{
"id": "CVE-2024-38634",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38634",
"severity": "Medium"
},
{
"id": "CVE-2024-38637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38637",
"severity": "Low"
},
{
"id": "CVE-2024-38780",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38780",
"severity": "Medium"
},
{
"id": "CVE-2024-39301",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39301",
"severity": "Medium"
},
{
"id": "CVE-2024-39362",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39362",
"severity": "Medium"
},
{
"id": "CVE-2024-39467",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39467",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1874": {
"id": "openEuler-SA-2024-1874",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1874",
"title": "An update for ffmpeg is now available for openEuler-24.03-LTS",
"severity": "Medium",
"description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\n\nSecurity Fix(es):\n\nBuffer Overflow vulnerability in FFmpeg version n6.1-3-g466799d4f5, allows a local attacker to execute arbitrary code and cause a denial of service (DoS) via the af_dialoguenhance.c:261:5 in the de_stereo component.(CVE-2023-49528)\n\nFFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0(CVE-2024-32230)",
"cves": [
{
"id": "CVE-2023-49528",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49528",
"severity": "Medium"
},
{
"id": "CVE-2024-32230",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32230",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1828": {
"id": "openEuler-SA-2024-1828",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1828",
"title": "An update for vte291 is now available for openEuler-22.03-LTS-SP4",
"severity": "Low",
"description": "VTE provides a virtual terminal widget for GTK applications.VTE is mainly used in gnome-terminal, but can also be used to embed a console/terminal in games, editors, IDEs, etc.\n\nSecurity Fix(es):\n\nGNOME VTE before 0.76.3 allows an attacker to cause a denial of service (memory consumption) via a window resize escape sequence, a related issue to CVE-2000-0476.(CVE-2024-37535)",
"cves": [
{
"id": "CVE-2024-37535",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37535",
"severity": "Low"
}
]
},
"openEuler-SA-2024-1858": {
"id": "openEuler-SA-2024-1858",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1858",
"title": "An update for qemu is now available for openEuler-20.03-LTS-SP4,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP3",
"severity": "High",
"description": "QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.\n\nSecurity Fix(es):\n\nA flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.(CVE-2024-4467)",
"cves": [
{
"id": "CVE-2024-4467",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4467",
"severity": "High"
}
]
},
"openEuler-SA-2024-1869": {
"id": "openEuler-SA-2024-1869",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1869",
"title": "An update for python-pip is now available for openEuler-20.03-LTS-SP4",
"severity": "High",
"description": "pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name: python-pip Version: 20.2.2 Release: 4 Summary: A tool for installing and managing Python packages License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL: http://www.pip-installer.org Source0: https://files.pythonhosted.org/packages/source/p/pip/pip-.tar.gz BuildArch: noarch Patch1: allow-stripping-given-prefix-from-wheel-RECORD-files. Patch2: emit-a-warning-when-running-with-root-privileges.patch Patch3: remove-existing-dist-only-if-path-conflicts.patch Patch6000: dummy-certifi.patch Patch6001: backport-CVE-2021-3572.patch\n\nSecurity Fix(es):\n\nurllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.(CVE-2023-43804)\n\nurllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n(CVE-2023-45803)\n\n urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.(CVE-2024-37891)",
"cves": [
{
"id": "CVE-2023-43804",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804",
"severity": "High"
},
{
"id": "CVE-2023-45803",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803",
"severity": "Medium"
},
{
"id": "CVE-2024-37891",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1836": {
"id": "openEuler-SA-2024-1836",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1836",
"title": "An update for kernel is now available for openEuler-24.03-LTS",
"severity": "Critical",
"description": "The Linux Kernel, the operating system core itself.\n\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmedia: lgdt3306a: Add a check against null-pointer-def\n\nThe driver should check whether the client provides the platform_data.\n\nThe following log reveals it:\n\n[ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\n[ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\n[ 29.612820] Call Trace:\n[ 29.613030] <TASK>\n[ 29.613201] dump_stack_lvl+0x56/0x6f\n[ 29.613496] ? kmemdup+0x30/0x40\n[ 29.613754] print_report.cold+0x494/0x6b7\n[ 29.614082] ? kmemdup+0x30/0x40\n[ 29.614340] kasan_report+0x8a/0x190\n[ 29.614628] ? kmemdup+0x30/0x40\n[ 29.614888] kasan_check_range+0x14d/0x1d0\n[ 29.615213] memcpy+0x20/0x60\n[ 29.615454] kmemdup+0x30/0x40\n[ 29.615700] lgdt3306a_probe+0x52/0x310\n[ 29.616339] i2c_device_probe+0x951/0xa90(CVE-2022-48772)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\n\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\ninterrupt affinity reconfiguration via procfs. Instead, the change is\ndeferred until the next instance of the interrupt being triggered on the\noriginal CPU.\n\nWhen the interrupt next triggers on the original CPU, the new affinity is\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\nbut the old vector on the original CPU remains and is not immediately\nreclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming\nprocess is delayed until the next trigger of the interrupt on the new CPU.\n\nUpon the subsequent triggering of the interrupt on the new CPU,\nirq_complete_move() adds a task to the old CPU's vector_cleanup list if it\nremains online. Subsequently, the timer on the old CPU iterates over its\nvector_cleanup list, reclaiming old vectors.\n\nHowever, a rare scenario arises if the old CPU is outgoing before the\ninterrupt triggers again on the new CPU.\n\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\nto reclaim the old apicd->prev_vector because the interrupt isn't currently\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\nthough __vector_schedule_cleanup() is later called on the new CPU, it\ndoesn't reclaim apicd->prev_vector; instead, it simply resets both\napicd->move_in_progress and apicd->prev_vector to 0.\n\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\nCPU vector leak.\n\nTo address this issue, move the invocation of irq_force_complete_move()\nbefore the irq_needs_fixup() call to reclaim apicd->prev_vector, if the\ninterrupt is currently or used to be affine to the outgoing CPU.\n\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\nfollowing a warning message, although theoretically it should never see\napicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.(CVE-2024-31076)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix missing memory barrier in tls_init\n\nIn tls_init(), a write memory barrier is missing, and store-store\nreordering may cause NULL dereference in tls_{setsockopt,getsockopt}.\n\nCPU0 CPU1\n----- -----\n// In tls_init()\n// In tls_ctx_create()\nctx = kzalloc()\nctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)\n\n// In update_sk_prot()\nWRITE_ONCE(sk->sk_prot, tls_prots) -(2)\n\n // In sock_common_setsockopt()\n READ_ONCE(sk->sk_prot)->setsockopt()\n\n // In tls_{setsockopt,getsockopt}()\n ctx->sk_proto->setsockopt() -(3)\n\nIn the above scenario, when (1) and (2) are reordered, (3) can observe\nthe NULL value of ctx->sk_proto, causing NULL dereference.\n\nTo fix it, we rely on rcu_assign_pointer() which implies the release\nbarrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is\ninitialized, we can ensure that ctx->sk_proto are visible when\nchanging sk->sk_prot.(CVE-2024-36489)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\namd/amdkfd: sync all devices to wait all processes being evicted\n\nIf there are more than one device doing reset in parallel, the first\ndevice will call kfd_suspend_all_processes() to evict all processes\non all devices, this call takes time to finish. other device will\nstart reset and recover without waiting. if the process has not been\nevicted before doing recover, it will be restored, then caused page\nfault.(CVE-2024-36949)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Move NPIV's transport unregistration to after resource clean up\n\nThere are cases after NPIV deletion where the fabric switch still believes\nthe NPIV is logged into the fabric. This occurs when a vport is\nunregistered before the Remove All DA_ID CT and LOGO ELS are sent to the\nfabric.\n\nCurrently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including\nthe fabric D_ID, removes the last ndlp reference and frees the ndlp rport\nobject. This sometimes causes the race condition where the final DA_ID and\nLOGO are skipped from being sent to the fabric switch.\n\nFix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID\nand LOGO are sent.(CVE-2024-36952)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Queue RX packets in IRQ handler instead of disabling BHs\n\nCurrently the driver uses local_bh_disable()/local_bh_enable() in its\nIRQ handler to avoid triggering net_rx_action() softirq on exit from\nnetif_rx(). The net_rx_action() could trigger this driver .start_xmit\ncallback, which is protected by the same lock as the IRQ handler, so\ncalling the .start_xmit from netif_rx() from the IRQ handler critical\nsection protected by the lock could lead to an attempt to claim the\nalready claimed lock, and a hang.\n\nThe local_bh_disable()/local_bh_enable() approach works only in case\nthe IRQ handler is protected by a spinlock, but does not work if the\nIRQ handler is protected by mutex, i.e. this works for KS8851 with\nParallel bus interface, but not for KS8851 with SPI bus interface.\n\nRemove the BH manipulation and instead of calling netif_rx() inside\nthe IRQ handler code protected by the lock, queue all the received\nSKBs in the IRQ handler into a queue first, and once the IRQ handler\nexits the critical section protected by the lock, dequeue all the\nqueued SKBs and push them all into netif_rx(). At this point, it is\nsafe to trigger the net_rx_action() softirq, since the netif_rx()\ncall is outside of the lock that protects the IRQ handler.(CVE-2024-36962)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: mediatek: Make sure IPI buffer fits in L2TCM\n\nThe IPI buffer location is read from the firmware that we load to the\nSystem Companion Processor, and it's not granted that both the SRAM\n(L2TCM) size that is defined in the devicetree node is large enough\nfor that, and while this is especially true for multi-core SCP, it's\nstill useful to check on single-core variants as well.\n\nFailing to perform this check may make this driver perform R/W\noperations out of the L2TCM boundary, resulting (at best) in a\nkernel panic.\n\nTo fix that, check that the IPI buffer fits, otherwise return a\nfailure and refuse to boot the relevant SCP core (or the SCP at\nall, if this is single core).(CVE-2024-36965)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nvirtio: delete vq in vp_find_vqs_msix() when request_irq() fails\n\nWhen request_irq() fails, error path calls vp_del_vqs(). There, as vq is\npresent in the list, free_irq() is called for the same vector. That\ncauses following splat:\n\n[ 0.414355] Trying to free already-free IRQ 27\n[ 0.414403] WARNING: CPU: 1 PID: 1 at kernel/irq/manage.c:1899 free_irq+0x1a1/0x2d0\n[ 0.414510] Modules linked in:\n[ 0.414540] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc4+ #27\n[ 0.414540] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n[ 0.414540] RIP: 0010:free_irq+0x1a1/0x2d0\n[ 0.414540] Code: 1e 00 48 83 c4 08 48 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 90 8b 74 24 04 48 c7 c7 98 80 6c b1 e8 00 c9 f7 ff 90 <0f> 0b 90 90 48 89 ee 4c 89 ef e8 e0 20 b8 00 49 8b 47 40 48 8b 40\n[ 0.414540] RSP: 0000:ffffb71480013ae0 EFLAGS: 00010086\n[ 0.414540] RAX: 0000000000000000 RBX: ffffa099c2722000 RCX: 0000000000000000\n[ 0.414540] RDX: 0000000000000000 RSI: ffffb71480013998 RDI: 0000000000000001\n[ 0.414540] RBP: 0000000000000246 R08: 00000000ffffdfff R09: 0000000000000001\n[ 0.414540] R10: 00000000ffffdfff R11: ffffffffb18729c0 R12: ffffa099c1c91760\n[ 0.414540] R13: ffffa099c1c916a4 R14: ffffa099c1d2f200 R15: ffffa099c1c91600\n[ 0.414540] FS: 0000000000000000(0000) GS:ffffa099fec40000(0000) knlGS:0000000000000000\n[ 0.414540] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 0.414540] CR2: 0000000000000000 CR3: 0000000008e3e001 CR4: 0000000000370ef0\n[ 0.414540] Call Trace:\n[ 0.414540] <TASK>\n[ 0.414540] ? __warn+0x80/0x120\n[ 0.414540] ? free_irq+0x1a1/0x2d0\n[ 0.414540] ? report_bug+0x164/0x190\n[ 0.414540] ? handle_bug+0x3b/0x70\n[ 0.414540] ? exc_invalid_op+0x17/0x70\n[ 0.414540] ? asm_exc_invalid_op+0x1a/0x20\n[ 0.414540] ? free_irq+0x1a1/0x2d0\n[ 0.414540] vp_del_vqs+0xc1/0x220\n[ 0.414540] vp_find_vqs_msix+0x305/0x470\n[ 0.414540] vp_find_vqs+0x3e/0x1a0\n[ 0.414540] vp_modern_find_vqs+0x1b/0x70\n[ 0.414540] init_vqs+0x387/0x600\n[ 0.414540] virtnet_probe+0x50a/0xc80\n[ 0.414540] virtio_dev_probe+0x1e0/0x2b0\n[ 0.414540] really_probe+0xc0/0x2c0\n[ 0.414540] ? __pfx___driver_attach+0x10/0x10\n[ 0.414540] __driver_probe_device+0x73/0x120\n[ 0.414540] driver_probe_device+0x1f/0xe0\n[ 0.414540] __driver_attach+0x88/0x180\n[ 0.414540] bus_for_each_dev+0x85/0xd0\n[ 0.414540] bus_add_driver+0xec/0x1f0\n[ 0.414540] driver_register+0x59/0x100\n[ 0.414540] ? __pfx_virtio_net_driver_init+0x10/0x10\n[ 0.414540] virtio_net_driver_init+0x90/0xb0\n[ 0.414540] do_one_initcall+0x58/0x230\n[ 0.414540] kernel_init_freeable+0x1a3/0x2d0\n[ 0.414540] ? __pfx_kernel_init+0x10/0x10\n[ 0.414540] kernel_init+0x1a/0x1c0\n[ 0.414540] ret_from_fork+0x31/0x50\n[ 0.414540] ? __pfx_kernel_init+0x10/0x10\n[ 0.414540] ret_from_fork_asm+0x1a/0x30\n[ 0.414540] </TASK>\n\nFix this by calling deleting the current vq when request_irq() fails.(CVE-2024-37353)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix crash on racing fsync and size-extending write into prealloc\n\nWe have been seeing crashes on duplicate keys in\nbtrfs_set_item_key_safe():\n\n BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/ctree.c:2620!\n invalid opcode: 0000 [#1] PREEMPT SMP PTI\n CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\n RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]\n\nWith the following stack trace:\n\n #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)\n #1 btrfs_drop_extents (fs/btrfs/file.c:411:4)\n #2 log_one_extent (fs/btrfs/tree-log.c:4732:9)\n #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)\n #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)\n #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)\n #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)\n #7 btrfs_sync_file (fs/btrfs/file.c:1933:8)\n #8 vfs_fsync_range (fs/sync.c:188:9)\n #9 vfs_fsync (fs/sync.c:202:9)\n #10 do_fsync (fs/sync.c:212:9)\n #11 __do_sys_fdatasync (fs/sync.c:225:9)\n #12 __se_sys_fdatasync (fs/sync.c:223:1)\n #13 __x64_sys_fdatasync (fs/sync.c:223:1)\n #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)\n #15 do_syscall_64 (arch/x86/entry/common.c:83:7)\n #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)\n\nSo we're logging a changed extent from fsync, which is splitting an\nextent in the log tree. But this split part already exists in the tree,\ntriggering the BUG().\n\nThis is the state of the log tree at the time of the crash, dumped with\ndrgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)\nto get more details than btrfs_print_leaf() gives us:\n\n >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0][\"eb\"])\n leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610\n leaf 33439744 flags 0x100000000000000\n fs uuid e5bd3946-400c-4223-8923-190ef1f18677\n chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da\n item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160\n generation 7 transid 9 size 8192 nbytes 8473563889606862198\n block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0\n sequence 204 flags 0x10(PREALLOC)\n atime 1716417703.220000000 (2024-05-22 15:41:43)\n ctime 1716417704.983333333 (2024-05-22 15:41:44)\n mtime 1716417704.983333333 (2024-05-22 15:41:44)\n otime 17592186044416.000000000 (559444-03-08 01:40:16)\n item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13\n index 195 namelen 3 name: 193\n item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37\n location key (0 UNKNOWN.0 0) type XATTR\n transid 7 data_len 1 name_len 6\n name: user.a\n data a\n item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53\n generation 9 type 1 (regular)\n extent data disk byte 303144960 nr 12288\n extent data offset 0 nr 4096 ram 12288\n extent compression 0 (none)\n item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 4096 nr 8192\n item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53\n generation 9 type 2 (prealloc)\n prealloc data disk byte 303144960 nr 12288\n prealloc data offset 8192 nr 4096\n ...\n\nSo the real problem happened earlier: notice that items 4 (4k-12k) and 5\n(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and\nitem 5 starts at i_size.\n\nHere is the state of \n---truncated---(CVE-2024-37354)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\n\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\nas follows:\n\n alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\n ...\n delivered_ce <<= (10 - dctcp_shift_g);\n\nIt seems syzkaller started fuzzing module parameters and triggered\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\n\n memcpy((void*)0x20000080,\n \"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47);\n res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\n /*flags=*/2ul, /*mode=*/0ul);\n memcpy((void*)0x20000000, \"100\\000\", 4);\n syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\n\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\n\nWith this patch:\n\n # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n 10\n # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n -bash: echo: write error: Invalid argument\n\n[0]:\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\n sk_backlog_rcv include/net/sock.h:1106 [inline]\n __release_sock+0x20f/0x350 net/core/sock.c:2983\n release_sock+0x61/0x1f0 net/core/sock.c:3549\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:659 [inline]\n sock_close+0xc0/0x240 net/socket.c:1421\n __fput+0x41b/0x890 fs/file_table.c:422\n task_work_run+0x23b/0x300 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x9c8/0x2540 kernel/exit.c:878\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\n __do_sys_exit_group kernel/exit.c:1038 [inline]\n __se_sys_exit_group kernel/exit.c:1036 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f6c2b5005b6\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n </TASK>(CVE-2024-37356)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nASoC: mediatek: Assign dummy when codec not specified for a DAI link\n\nMediaTek sound card drivers are checking whether a DAI link is present\nand used on a board to assign the correct parameters and this is done\nby checking the codec DAI names at probe time.\n\nIf no real codec is present, assign the dummy codec to the DAI link\nto avoid NULL pointer during string comparison.(CVE-2024-38551)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential index out of bounds in color transformation function\n\nFixes index out of bounds issue in the color transformation function.\nThe issue could occur when the index 'i' exceeds the number of transfer\nfunction points (TRANSFER_FUNC_POINTS).\n\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, an error message is\nlogged and the function returns false to indicate an error.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max(CVE-2024-38552)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issue of net_device\n\nThere is a reference count leak issue of the object \"net_device\" in\nax25_dev_device_down(). When the ax25 device is shutting down, the\nax25_dev_device_down() drops the reference count of net_device one\nor zero times depending on if we goto unlock_put or not, which will\ncause memory leak.\n\nIn order to solve the above issue, decrease the reference count of\nnet_device after dev->ax25_ptr is set to null.(CVE-2024-38554)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Discard command completions in internal error\n\nFix use after free when FW completion arrives while device is in\ninternal error state. Avoid calling completion handler in this case,\nsince the device will flush the command interface and trigger all\ncompletions manually.\n\nKernel log:\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\n...\nRIP: 0010:refcount_warn_saturate+0xd8/0xe0\n...\nCall Trace:\n<IRQ>\n? __warn+0x79/0x120\n? refcount_warn_saturate+0xd8/0xe0\n? report_bug+0x17c/0x190\n? handle_bug+0x3c/0x60\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? refcount_warn_saturate+0xd8/0xe0\ncmd_ent_put+0x13b/0x160 [mlx5_core]\nmlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]\ncmd_comp_notifier+0x1f/0x30 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nmlx5_eq_async_int+0xf6/0x290 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nirq_int_handler+0x19/0x30 [mlx5_core]\n__handle_irq_event_percpu+0x4b/0x160\nhandle_irq_event+0x2e/0x80\nhandle_edge_irq+0x98/0x230\n__common_interrupt+0x3b/0xa0\ncommon_interrupt+0x7b/0xa0\n</IRQ>\n<TASK>\nasm_common_interrupt+0x22/0x40(CVE-2024-38555)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: Avoid address calculations via out of bounds array indexing\n\nBefore request->channels[] can be used, request->n_channels must be set.\nAdditionally, address calculations for memory after the \"channels\" array\nneed to be calculated from the allocation base (\"request\") rather than\nvia the first \"out of bounds\" index of \"channels\", otherwise run-time\nbounds checking will throw a warning.(CVE-2024-38562)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE\n\nbpf_prog_attach uses attach_type_to_prog_type to enforce proper\nattach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses\nbpf_prog_get and relies on bpf_prog_attach_check_attach_type\nto properly verify prog_type <> attach_type association.\n\nAdd missing attach_type enforcement for the link_create case.\nOtherwise, it's currently possible to attach cgroup_skb prog\ntypes to other cgroup hooks.(CVE-2024-38564)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nrcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow\n\nThere is a possibility of buffer overflow in\nshow_rcu_tasks_trace_gp_kthread() if counters, passed\nto sprintf() are huge. Counter numbers, needed for this\nare unrealistically high, but buffer overflow is still\npossible.\n\nUse snprintf() with buffer size instead of sprintf().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38577)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: bcm - Fix pointer arithmetic\n\nIn spu2_dump_omd() value of ptr is increased by ciph_key_len\ninstead of hash_iv_len which could lead to going beyond the\nbuffer boundaries.\nFix this bug by changing ciph_key_len to hash_iv_len.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-38579)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential hang in nilfs_detach_log_writer()\n\nSyzbot has reported a potential hang in nilfs_detach_log_writer() called\nduring nilfs2 unmount.\n\nAnalysis revealed that this is because nilfs_segctor_sync(), which\nsynchronizes with the log writer thread, can be called after\nnilfs_segctor_destroy() terminates that thread, as shown in the call trace\nbelow:\n\nnilfs_detach_log_writer\n nilfs_segctor_destroy\n nilfs_segctor_kill_thread --> Shut down log writer thread\n flush_work\n nilfs_iput_work_func\n nilfs_dispose_list\n iput\n nilfs_evict_inode\n nilfs_transaction_commit\n nilfs_construct_segment (if inode needs sync)\n nilfs_segctor_sync --> Attempt to synchronize with\n log writer thread\n *** DEADLOCK ***\n\nFix this issue by changing nilfs_segctor_sync() so that the log writer\nthread returns normally without synchronizing after it terminates, and by\nforcing tasks that are already waiting to complete once after the thread\nterminates.\n\nThe skipped inode metadata flushout will then be processed together in the\nsubsequent cleanup work in nilfs_segctor_destroy().(CVE-2024-38582)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix possible use-after-free issue in ftrace_location()\n\nKASAN reports a bug:\n\n BUG: KASAN: use-after-free in ftrace_location+0x90/0x120\n Read of size 8 at addr ffff888141d40010 by task insmod/424\n CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+\n [...]\n Call Trace:\n <TASK>\n dump_stack_lvl+0x68/0xa0\n print_report+0xcf/0x610\n kasan_report+0xb5/0xe0\n ftrace_location+0x90/0x120\n register_kprobe+0x14b/0xa40\n kprobe_init+0x2d/0xff0 [kprobe_example]\n do_one_initcall+0x8f/0x2d0\n do_init_module+0x13a/0x3c0\n load_module+0x3082/0x33d0\n init_module_from_file+0xd2/0x130\n __x64_sys_finit_module+0x306/0x440\n do_syscall_64+0x68/0x140\n entry_SYSCALL_64_after_hwframe+0x71/0x79\n\nThe root cause is that, in lookup_rec(), ftrace record of some address\nis being searched in ftrace pages of some module, but those ftrace pages\nat the same time is being freed in ftrace_release_mod() as the\ncorresponding module is being deleted:\n\n CPU1 | CPU2\n register_kprobes() { | delete_module() {\n check_kprobe_address_safe() { |\n arch_check_ftrace_location() { |\n ftrace_location() { |\n lookup_rec() // USE! | ftrace_release_mod() // Free!\n\nTo fix this issue:\n 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();\n 2. Use ftrace_location_range() instead of lookup_rec() in\n ftrace_location();\n 3. Call synchronize_rcu() before freeing any ftrace pages both in\n ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().(CVE-2024-38588)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix resync softlockup when bitmap size is less than array size\n\nIs is reported that for dm-raid10, lvextend + lvchange --syncaction will\ntrigger following softlockup:\n\nkernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]\nCPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1\nRIP: 0010:_raw_spin_unlock_irq+0x13/0x30\nCall Trace:\n <TASK>\n md_bitmap_start_sync+0x6b/0xf0\n raid10_sync_request+0x25c/0x1b40 [raid10]\n md_do_sync+0x64b/0x1020\n md_thread+0xa7/0x170\n kthread+0xcf/0x100\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1a/0x30\n\nAnd the detailed process is as follows:\n\nmd_do_sync\n j = mddev->resync_min\n while (j < max_sectors)\n sectors = raid10_sync_request(mddev, j, &skipped)\n if (!md_bitmap_start_sync(..., &sync_blocks))\n // md_bitmap_start_sync set sync_blocks to 0\n return sync_blocks + sectors_skippe;\n // sectors = 0;\n j += sectors;\n // j never change\n\nRoot cause is that commit 301867b1c168 (\"md/raid10: check\nslab-out-of-bounds in md_bitmap_get_counter\") return early from\nmd_bitmap_get_counter(), without setting returned blocks.\n\nFix this problem by always set returned blocks from\nmd_bitmap_get_counter\"(), as it used to be.\n\nNoted that this patch just fix the softlockup problem in kernel, the\ncase that bitmap size doesn't match array size still need to be fixed.(CVE-2024-38598)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\njffs2: prevent xattr node from overflowing the eraseblock\n\nAdd a check to make sure that the requested xattr node size is no larger\nthan the eraseblock minus the cleanmarker.\n\nUnlike the usual inode nodes, the xattr nodes aren't split into parts\nand spread across multiple eraseblocks, which means that a xattr node\nmust not occupy more than one eraseblock. If the requested xattr value is\ntoo large, the xattr node can spill onto the next eraseblock, overwriting\nthe nodes and causing errors such as:\n\njffs2: argh. node added in wrong place at 0x0000b050(2)\njffs2: nextblock 0x0000a000, expected at 0000b00c\njffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050,\nread=0xfc892c93, calc=0x000000\njffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed\nat 0x01e00c. {848f,2fc4,0fef511f,59a3d171}\njffs2: Node at 0x0000000c with length 0x00001044 would run over the\nend of the erase block\njffs2: Perhaps the file system was created with the wrong erase size?\njffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found\nat 0x00000010: 0x1044 instead\n\nThis breaks the filesystem and can lead to KASAN crashes such as:\n\nBUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0\nRead of size 4 at addr ffff88802c31e914 by task repro/830\nCPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS Arch Linux 1.16.3-1-1 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0xc6/0x120\n print_report+0xc4/0x620\n ? __virt_addr_valid+0x308/0x5b0\n kasan_report+0xc1/0xf0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n ? jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_sum_add_kvec+0x125e/0x15d0\n jffs2_flash_direct_writev+0xa8/0xd0\n jffs2_flash_writev+0x9c9/0xef0\n ? __x64_sys_setxattr+0xc4/0x160\n ? do_syscall_64+0x69/0x140\n ? entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.(CVE-2024-38599)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix reference count leak issues of ax25_dev\n\nThe ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference\ncount leak issue of the object \"ax25_dev\".\n\nMemory leak issue in ax25_addr_ax25dev():\n\nThe reference count of the object \"ax25_dev\" can be increased multiple\ntimes in ax25_addr_ax25dev(). This will cause a memory leak.\n\nMemory leak issues in ax25_dev_device_down():\n\nThe reference count of ax25_dev is set to 1 in ax25_dev_device_up() and\nthen increase the reference count when ax25_dev is added to ax25_dev_list.\nAs a result, the reference count of ax25_dev is 2. But when the device is\nshutting down. The ax25_dev_device_down() drops the reference count once\nor twice depending on if we goto unlock_put or not, which will cause\nmemory leak.\n\nAs for the issue of ax25_addr_ax25dev(), it is impossible for one pointer\nto be on a list twice. So add a break in ax25_addr_ax25dev(). As for the\nissue of ax25_dev_device_down(), increase the reference count of ax25_dev\nonce in ax25_dev_device_up() and decrease the reference count of ax25_dev\nafter it is removed from the ax25_dev_list.(CVE-2024-38602)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nblock: refine the EOF check in blkdev_iomap_begin\n\nblkdev_iomap_begin rounds down the offset to the logical block size\nbefore stashing it in iomap->offset and checking that it still is\ninside the inode size.\n\nCheck the i_size check to the raw pos value so that we don't try a\nzero size write if iter->pos is unaligned.(CVE-2024-38604)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\n\nPatch series \"mm: follow_pte() improvements and acrn follow_pte() fixes\".\n\nPatch #1 fixes a bunch of issues I spotted in the acrn driver. It\ncompiles, that's all I know. I'll appreciate some review and testing from\nacrn folks.\n\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\nmore sanity checks, and improving the documentation. Gave it a quick test\non x86-64 using VM_PAT that ends up using follow_pte().\n\n\nThis patch (of 3):\n\nWe currently miss handling various cases, resulting in a dangerous\nfollow_pte() (previously follow_pfn()) usage.\n\n(1) We're not checking PTE write permissions.\n\nMaybe we should simply always require pte_write() like we do for\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for\nACRN_MEM_ACCESS_WRITE for now.\n\n(2) We're not rejecting refcounted pages.\n\nAs we are not using MMU notifiers, messing with refcounted pages is\ndangerous and can result in use-after-free. Let's make sure to reject them.\n\n(3) We are only looking at the first PTE of a bigger range.\n\nWe only lookup a single PTE, but memmap->len may span a larger area.\nLet's loop over all involved PTEs and make sure the PFN range is\nactually contiguous. Reject everything else: it couldn't have worked\neither way, and rather made use access PFNs we shouldn't be accessing.(CVE-2024-38610)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add callback function pointer check before its call\n\nIn dpu_core_irq_callback_handler() callback function pointer is compared to NULL,\nbut then callback function is unconditionally called by this pointer.\nFix this bug by adding conditional return.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\nPatchwork: https://patchwork.freedesktop.org/patch/588237/(CVE-2024-38622)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Use variable length array instead of fixed size\n\nShould fix smatch warning:\n\tntfs_set_label() error: __builtin_memcpy() 'uni->name' too small (20 vs 256)(CVE-2024-38623)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Use 64 bit variable to avoid 32 bit overflow\n\nFor example, in the expression:\n\tvbo = 2 * vbo + skip(CVE-2024-38624)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Check 'folio' pointer for NULL\n\nIt can be NULL if bmap is called.(CVE-2024-38625)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind.\n\nHang on to the control IDs instead of pointers since those are correctly\nhandled with locks.(CVE-2024-38628)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Avoid unnecessary destruction of file_ida\n\nfile_ida is allocated during cdev open and is freed accordingly\nduring cdev release. This sequence is guaranteed by driver file\noperations. Therefore, there is no need to destroy an already empty\nfile_ida when the WQ cdev is removed.\n\nWorse, ida_free() in cdev release may happen after destruction of\nfile_ida per WQ cdev. This can lead to accessing an id in file_ida\nafter it has been destroyed, resulting in a kernel panic.\n\nRemove ida_destroy(&file_ida) to address these issues.(CVE-2024-38629)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger\n\nWhen the cpu5wdt module is removing, the origin code uses del_timer() to\nde-activate the timer. If the timer handler is running, del_timer() could\nnot stop it and will return directly. If the port region is released by\nrelease_region() and then the timer handler cpu5wdt_trigger() calls outb()\nto write into the region that is released, the use-after-free bug will\nhappen.\n\nChange del_timer() to timer_shutdown_sync() in order that the timer handler\ncould be finished before the port region is released.(CVE-2024-38630)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nserial: max3100: Lock port->lock when calling uart_handle_cts_change()\n\nuart_handle_cts_change() has to be called with port lock taken,\nSince we run it in a separate work, the lock may not be taken at\nthe time of running. Make sure that it's taken by explicitly doing\nthat. Without it we got a splat:\n\n WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0\n ...\n Workqueue: max3100-0 max3100_work [max3100]\n RIP: 0010:uart_handle_cts_change+0xa6/0xb0\n ...\n max3100_handlerx+0xc5/0x110 [max3100]\n max3100_work+0x12a/0x340 [max3100](CVE-2024-38634)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: lights: check return of get_channel_from_mode\n\nIf channel for the given node is not found we return null from\nget_channel_from_mode. Make sure we validate the return pointer\nbefore using it in two of the missing places.\n\nThis was originally reported in [0]:\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru(CVE-2024-38637)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Allow delete from sockmap/sockhash only if update is allowed\n\nWe have seen an influx of syzkaller reports where a BPF program attached to\na tracepoint triggers a locking rule violation by performing a map_delete\non a sockmap/sockhash.\n\nWe don't intend to support this artificial use scenario. Extend the\nexisting verifier allowed-program-type check for updating sockmap/sockhash\nto also cover deleting from a map.\n\nFrom now on only BPF programs which were previously allowed to update\nsockmap/sockhash can delete from these map types.(CVE-2024-38662)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm: zynqmp_dpsub: Always register bridge\n\nWe must always register the DRM bridge, since zynqmp_dp_hpd_work_func\ncalls drm_bridge_hpd_notify, which in turn expects hpd_mutex to be\ninitialized. We do this before zynqmp_dpsub_drm_init since that calls\ndrm_bridge_attach. This fixes the following lockdep warning:\n\n[ 19.217084] ------------[ cut here ]------------\n[ 19.227530] DEBUG_LOCKS_WARN_ON(lock->magic != lock)\n[ 19.227768] WARNING: CPU: 0 PID: 140 at kernel/locking/mutex.c:582 __mutex_lock+0x4bc/0x550\n[ 19.241696] Modules linked in:\n[ 19.244937] CPU: 0 PID: 140 Comm: kworker/0:4 Not tainted 6.6.20+ #96\n[ 19.252046] Hardware name: xlnx,zynqmp (DT)\n[ 19.256421] Workqueue: events zynqmp_dp_hpd_work_func\n[ 19.261795] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 19.269104] pc : __mutex_lock+0x4bc/0x550\n[ 19.273364] lr : __mutex_lock+0x4bc/0x550\n[ 19.277592] sp : ffffffc085c5bbe0\n[ 19.281066] x29: ffffffc085c5bbe0 x28: 0000000000000000 x27: ffffff88009417f8\n[ 19.288624] x26: ffffff8800941788 x25: ffffff8800020008 x24: ffffffc082aa3000\n[ 19.296227] x23: ffffffc080d90e3c x22: 0000000000000002 x21: 0000000000000000\n[ 19.303744] x20: 0000000000000000 x19: ffffff88002f5210 x18: 0000000000000000\n[ 19.311295] x17: 6c707369642e3030 x16: 3030613464662072 x15: 0720072007200720\n[ 19.318922] x14: 0000000000000000 x13: 284e4f5f4e524157 x12: 0000000000000001\n[ 19.326442] x11: 0001ffc085c5b940 x10: 0001ff88003f388b x9 : 0001ff88003f3888\n[ 19.334003] x8 : 0001ff88003f3888 x7 : 0000000000000000 x6 : 0000000000000000\n[ 19.341537] x5 : 0000000000000000 x4 : 0000000000001668 x3 : 0000000000000000\n[ 19.349054] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff88003f3880\n[ 19.356581] Call trace:\n[ 19.359160] __mutex_lock+0x4bc/0x550\n[ 19.363032] mutex_lock_nested+0x24/0x30\n[ 19.367187] drm_bridge_hpd_notify+0x2c/0x6c\n[ 19.371698] zynqmp_dp_hpd_work_func+0x44/0x54\n[ 19.376364] process_one_work+0x3ac/0x988\n[ 19.380660] worker_thread+0x398/0x694\n[ 19.384736] kthread+0x1bc/0x1c0\n[ 19.388241] ret_from_fork+0x10/0x20\n[ 19.392031] irq event stamp: 183\n[ 19.395450] hardirqs last enabled at (183): [<ffffffc0800b9278>] finish_task_switch.isra.0+0xa8/0x2d4\n[ 19.405140] hardirqs last disabled at (182): [<ffffffc081ad3754>] __schedule+0x714/0xd04\n[ 19.413612] softirqs last enabled at (114): [<ffffffc080133de8>] srcu_invoke_callbacks+0x158/0x23c\n[ 19.423128] softirqs last disabled at (110): [<ffffffc080133de8>] srcu_invoke_callbacks+0x158/0x23c\n[ 19.432614] ---[ end trace 0000000000000000 ]---\n\n(cherry picked from commit 61ba791c4a7a09a370c45b70a81b8c7d4cf6b2ae)(CVE-2024-38664)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/sw-sync: don't enable IRQ from sync_print_obj()\n\nSince commit a6aa8fca4d79 (\"dma-buf/sw-sync: Reduce irqsave/irqrestore from\nknown context\") by error replaced spin_unlock_irqrestore() with\nspin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite\nsync_print_obj() is called from sync_debugfs_show(), lockdep complains\ninconsistent lock state warning.\n\nUse plain spin_{lock,unlock}() for sync_print_obj(), for\nsync_debugfs_show() is already using spin_{lock,unlock}_irq().(CVE-2024-38780)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix oops during rmmod\n\n\"rmmod bonding\" causes an oops ever since commit cc317ea3d927 (\"bonding:\nremove redundant NULL check in debugfs function\"). Here are the relevant\nfunctions being called:\n\nbonding_exit()\n bond_destroy_debugfs()\n debugfs_remove_recursive(bonding_debug_root);\n bonding_debug_root = NULL; <--------- SET TO NULL HERE\n bond_netlink_fini()\n rtnl_link_unregister()\n __rtnl_link_unregister()\n unregister_netdevice_many_notify()\n bond_uninit()\n bond_debug_unregister()\n (commit removed check for bonding_debug_root == NULL)\n debugfs_remove()\n simple_recursive_removal()\n down_write() -> OOPS\n\nHowever, reverting the bad commit does not solve the problem completely\nbecause the original code contains a race that could cause the same\noops, although it was much less likely to be triggered unintentionally:\n\nCPU1\n rmmod bonding\n bonding_exit()\n bond_destroy_debugfs()\n debugfs_remove_recursive(bonding_debug_root);\n\nCPU2\n echo -bond0 > /sys/class/net/bonding_masters\n bond_uninit()\n bond_debug_unregister()\n if (!bonding_debug_root)\n\nCPU1\n bonding_debug_root = NULL;\n\nSo do NOT revert the bad commit (since the removed checks were racy\nanyway), and instead change the order of actions taken during module\nremoval. The same oops can also happen if there is an error during\nmodule init, so apply the same fix there.(CVE-2024-39296)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: fix uninit-value in p9_client_rpc()\n\nSyzbot with the help of KMSAN reported the following error:\n\nBUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]\nBUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n trace_9p_client_res include/trace/events/9p.h:146 [inline]\n p9_client_rpc+0x1314/0x1340 net/9p/client.c:754\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n alloc_slab_page mm/slub.c:2175 [inline]\n allocate_slab mm/slub.c:2338 [inline]\n new_slab+0x2de/0x1400 mm/slub.c:2391\n ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525\n __slab_alloc mm/slub.c:3610 [inline]\n __slab_alloc_node mm/slub.c:3663 [inline]\n slab_alloc_node mm/slub.c:3835 [inline]\n kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852\n p9_tag_alloc net/9p/client.c:278 [inline]\n p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641\n p9_client_rpc+0x27e/0x1340 net/9p/client.c:688\n p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031\n v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410\n v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122\n legacy_get_tree+0x114/0x290 fs/fs_context.c:662\n vfs_get_tree+0xa7/0x570 fs/super.c:1797\n do_new_mount+0x71f/0x15e0 fs/namespace.c:3352\n path_mount+0x742/0x1f20 fs/namespace.c:3679\n do_mount fs/namespace.c:3692 [inline]\n __do_sys_mount fs/namespace.c:3898 [inline]\n __se_sys_mount+0x725/0x810 fs/namespace.c:3875\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nIf p9_check_errors() fails early in p9_client_rpc(), req->rc.tag\nwill not be properly initialized. However, trace_9p_client_res()\nends up trying to print it out anyway before p9_client_rpc()\nfinishes.\n\nFix this issue by assigning default values to p9_fcall fields\nsuch as 'tag' and (just in case KMSAN unearths something new) 'id'\nduring the tag allocation stage.(CVE-2024-39301)\n\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2024-39362)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: check for non-NULL file pointer in io_file_can_poll()\n\nIn earlier kernels, it was possible to trigger a NULL pointer\ndereference off the forced async preparation path, if no file had\nbeen assigned. The trace leading to that looks as follows:\n\nBUG: kernel NULL pointer dereference, address: 00000000000000b0\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022\nRIP: 0010:io_buffer_select+0xc3/0x210\nCode: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 <48> 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b\nRSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246\nRAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040\nRDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700\nRBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020\nR10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8\nR13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000\nFS: 00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0\nCall Trace:\n <TASK>\n ? __die+0x1f/0x60\n ? page_fault_oops+0x14d/0x420\n ? do_user_addr_fault+0x61/0x6a0\n ? exc_page_fault+0x6c/0x150\n ? asm_exc_page_fault+0x22/0x30\n ? io_buffer_select+0xc3/0x210\n __io_import_iovec+0xb5/0x120\n io_readv_prep_async+0x36/0x70\n io_queue_sqe_fallback+0x20/0x260\n io_submit_sqes+0x314/0x630\n __do_sys_io_uring_enter+0x339/0xbc0\n ? __do_sys_io_uring_register+0x11b/0xc50\n ? vm_mmap_pgoff+0xce/0x160\n do_syscall_64+0x5f/0x180\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0x55e0a110a67e\nCode: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6\n\nbecause the request is marked forced ASYNC and has a bad file fd, and\nhence takes the forced async prep path.\n\nCurrent kernels with the request async prep cleaned up can no longer hit\nthis issue, but for ease of backporting, let's add this safety check in\nhere too as it really doesn't hurt. For both cases, this will inevitably\nend with a CQE posted with -EBADF.(CVE-2024-39371)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nclk: bcm: rpi: Assign ->num before accessing ->hws\n\nCommit f316cdff8d67 (\"clk: Annotate struct clk_hw_onecell_data with\n__counted_by\") annotated the hws member of 'struct clk_hw_onecell_data'\nwith __counted_by, which informs the bounds sanitizer about the number\nof elements in hws, so that it can warn when hws is accessed out of\nbounds. As noted in that change, the __counted_by member must be\ninitialized with the number of elements before the first array access\nhappens, otherwise there will be a warning from each access prior to the\ninitialization because the number of elements is zero. This occurs in\nraspberrypi_discover_clocks() due to ->num being assigned after ->hws\nhas been accessed:\n\n UBSAN: array-index-out-of-bounds in drivers/clk/bcm/clk-raspberrypi.c:374:4\n index 3 is out of range for type 'struct clk_hw *[] __counted_by(num)' (aka 'struct clk_hw *[]')\n\nMove the ->num initialization to before the first access of ->hws, which\nclears up the warning.(CVE-2024-39461)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/qcom/lmh: Check for SCM availability at probe\n\nUp until now, the necessary scm availability check has not been\nperformed, leading to possible null pointer dereferences (which did\nhappen for me on RB1).\n\nFix that.(CVE-2024-39466)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()\n\nsyzbot reports a kernel bug as below:\n\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\n==================================================================\nBUG: KASAN: slab-out-of-bounds in f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\nBUG: KASAN: slab-out-of-bounds in current_nat_addr fs/f2fs/node.h:213 [inline]\nBUG: KASAN: slab-out-of-bounds in f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\nRead of size 1 at addr ffff88807a58c76c by task syz-executor280/5076\n\nCPU: 1 PID: 5076 Comm: syz-executor280 Not tainted 6.9.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n f2fs_test_bit fs/f2fs/f2fs.h:2933 [inline]\n current_nat_addr fs/f2fs/node.h:213 [inline]\n f2fs_get_node_info+0xece/0x1200 fs/f2fs/node.c:600\n f2fs_xattr_fiemap fs/f2fs/data.c:1848 [inline]\n f2fs_fiemap+0x55d/0x1ee0 fs/f2fs/data.c:1925\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1c07/0x2e50 fs/ioctl.c:838\n __do_sys_ioctl fs/ioctl.c:902 [inline]\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:890\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is we missed to do sanity check on i_xattr_nid during\nf2fs_iget(), so that in fiemap() path, current_nat_addr() will access\nnat_bitmap w/ offset from invalid i_xattr_nid, result in triggering\nkasan bug report, fix it.(CVE-2024-39467)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix deadlock in smb2_find_smb_tcon()\n\nUnlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such\ndeadlock.(CVE-2024-39468)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\neventfs: Fix a possible null pointer dereference in eventfs_find_events()\n\nIn function eventfs_find_events,there is a potential null pointer\nthat may be caused by calling update_events_attr which will perform\nsome operations on the members of the ei struct when ei is NULL.\n\nHence,When ei->is_freed is set,return NULL directly.(CVE-2024-39470)",
"cves": [
{
"id": "CVE-2022-48772",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48772",
"severity": "Medium"
},
{
"id": "CVE-2024-31076",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31076",
"severity": "Medium"
},
{
"id": "CVE-2024-36489",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36489",
"severity": "Medium"
},
{
"id": "CVE-2024-36949",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36949",
"severity": "Medium"
},
{
"id": "CVE-2024-36952",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36952",
"severity": "Medium"
},
{
"id": "CVE-2024-36962",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36962",
"severity": "Medium"
},
{
"id": "CVE-2024-36965",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36965",
"severity": "Medium"
},
{
"id": "CVE-2024-37353",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37353",
"severity": "Low"
},
{
"id": "CVE-2024-37354",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37354",
"severity": "Medium"
},
{
"id": "CVE-2024-37356",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37356",
"severity": "Medium"
},
{
"id": "CVE-2024-38551",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38551",
"severity": "None"
},
{
"id": "CVE-2024-38552",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38552",
"severity": "Medium"
},
{
"id": "CVE-2024-38554",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38554",
"severity": "Medium"
},
{
"id": "CVE-2024-38555",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38555",
"severity": "Medium"
},
{
"id": "CVE-2024-38562",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38562",
"severity": "Low"
},
{
"id": "CVE-2024-38564",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38564",
"severity": "High"
},
{
"id": "CVE-2024-38577",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38577",
"severity": "Medium"
},
{
"id": "CVE-2024-38579",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38579",
"severity": "Medium"
},
{
"id": "CVE-2024-38582",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38582",
"severity": "None"
},
{
"id": "CVE-2024-38588",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38588",
"severity": "Medium"
},
{
"id": "CVE-2024-38598",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38598",
"severity": "Medium"
},
{
"id": "CVE-2024-38599",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38599",
"severity": "High"
},
{
"id": "CVE-2024-38602",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38602",
"severity": "Medium"
},
{
"id": "CVE-2024-38604",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38604",
"severity": "Medium"
},
{
"id": "CVE-2024-38610",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38610",
"severity": "High"
},
{
"id": "CVE-2024-38622",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38622",
"severity": "Low"
},
{
"id": "CVE-2024-38623",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38623",
"severity": "Critical"
},
{
"id": "CVE-2024-38624",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38624",
"severity": "Medium"
},
{
"id": "CVE-2024-38625",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38625",
"severity": "Medium"
},
{
"id": "CVE-2024-38628",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38628",
"severity": "None"
},
{
"id": "CVE-2024-38629",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38629",
"severity": "Low"
},
{
"id": "CVE-2024-38630",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38630",
"severity": "None"
},
{
"id": "CVE-2024-38634",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38634",
"severity": "Medium"
},
{
"id": "CVE-2024-38637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38637",
"severity": "Low"
},
{
"id": "CVE-2024-38662",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38662",
"severity": "Medium"
},
{
"id": "CVE-2024-38664",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38664",
"severity": "High"
},
{
"id": "CVE-2024-38780",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38780",
"severity": "Medium"
},
{
"id": "CVE-2024-39296",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39296",
"severity": "Medium"
},
{
"id": "CVE-2024-39301",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39301",
"severity": "Medium"
},
{
"id": "CVE-2024-39362",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39362",
"severity": "Medium"
},
{
"id": "CVE-2024-39371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39371",
"severity": "Medium"
},
{
"id": "CVE-2024-39461",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39461",
"severity": "Medium"
},
{
"id": "CVE-2024-39466",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39466",
"severity": "Medium"
},
{
"id": "CVE-2024-39467",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39467",
"severity": "Medium"
},
{
"id": "CVE-2024-39468",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39468",
"severity": "Medium"
},
{
"id": "CVE-2024-39470",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39470",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1872": {
"id": "openEuler-SA-2024-1872",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1872",
"title": "An update for openssh is now available for openEuler-22.03-LTS-SP4",
"severity": "High",
"description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\n\nSecurity Fix(es):\n\nA race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.(CVE-2024-6409)",
"cves": [
{
"id": "CVE-2024-6409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6409",
"severity": "High"
}
]
},
"openEuler-SA-2024-1819": {
"id": "openEuler-SA-2024-1819",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1819",
"title": "An update for xorg-x11-server-xwayland is now available for openEuler-22.03-LTS-SP3",
"severity": "High",
"description": "Xwayland is an X server for running X clients under Wayland. %package devel Summary: Development package Requires: pkgconfig %description devel The development package provides the developmental files which are necessary for developing Wayland compositors using Xwayland. %prep %autosetup -n xwayland- %build %meson \\ -Dxwayland_eglstream=true \\ -Ddefault_font_path=\"catalogue:/etc/X11/fontpath.d,built-ins\" \\ -Dbuilder_string=\"Build ID: -\" \\ -Dxkb_output_dir=/lib/xkb \\ -Dxcsecurity=true \\ -Dglamor=true \\ -Ddri3=true %meson_build\n\nSecurity Fix(es):\n\nA flaw was found in the Xorg-x11-server. The specific flaw exists within the handling of ProcXkbSetDeviceInfo requests. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. This flaw allows an attacker to escalate privileges and execute arbitrary code in the context of root.(CVE-2022-2320)",
"cves": [
{
"id": "CVE-2022-2320",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2320",
"severity": "High"
}
]
},
"openEuler-SA-2024-1865": {
"id": "openEuler-SA-2024-1865",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1865",
"title": "An update for python-pip is now available for openEuler-24.03-LTS",
"severity": "Medium",
"description": "pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name: python-pip Version: 20.2.2 Release: 4 Summary: A tool for installing and managing Python packages License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL: http://www.pip-installer.org Source0: https://files.pythonhosted.org/packages/source/p/pip/pip-.tar.gz BuildArch: noarch Patch1: allow-stripping-given-prefix-from-wheel-RECORD-files. Patch2: emit-a-warning-when-running-with-root-privileges.patch Patch3: remove-existing-dist-only-if-path-conflicts.patch Patch6000: dummy-certifi.patch Patch6001: backport-CVE-2021-3572.patch\n\nSecurity Fix(es):\n\nurllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n(CVE-2023-45803)\n\n urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.(CVE-2024-37891)",
"cves": [
{
"id": "CVE-2023-45803",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803",
"severity": "Medium"
},
{
"id": "CVE-2024-37891",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891",
"severity": "Medium"
}
]
},
"openEuler-SA-2024-1876": {
"id": "openEuler-SA-2024-1876",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1876",
"title": "An update for ffmpeg is now available for openEuler-22.03-LTS-SP1",
"severity": "High",
"description": "FFmpeg is a complete and free Internet live audio and video broadcasting solution for Linux/Unix. It also includes a digital VCR. It can encode in real time in many formats including MPEG1 audio and video, MPEG4, h263, ac3, asf, avi, real, mjpeg, and flash.\n\nSecurity Fix(es):\n\nAn integer overflow vulnerability was found in FFmpeg versions before 4.4.2 and before 5.0.1 in g729_parse() in llibavcodec/g729_parser.c when processing a specially crafted file.(CVE-2022-1475)\n\nlibavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).(CVE-2022-48434)\n\nFFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0(CVE-2024-32230)",
"cves": [
{
"id": "CVE-2022-1475",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1475",
"severity": "Medium"
},
{
"id": "CVE-2022-48434",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48434",
"severity": "High"
},
{
"id": "CVE-2024-32230",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32230",
"severity": "Medium"
}
]
}
}
Reference in New Issue View Git Blame Copy Permalink