Latest vulnerabilities [Wednesday, February 28, 2024]


Last update performed on 02/28/2024 at 11:57:08 PM

(8) CRITICAL VULNERABILITIES [9.0, 10.0]

Source : wordfence.com

Vulnerability ID : CVE-2024-1514

First published on : 28-02-2024 09:15:43
Last modified on : 28-02-2024 14:06:45

Description :
The WP eCommerce plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'cart_contents' parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE ID : CVE-2024-1514
Source : security@wordfence.com
CVSS Score : 9.8

References :
https://plugins.trac.wordpress.org/browser/wp-e-commerce/trunk/wpsc-components/marketplace-core-v1/library/Sputnik.php#L334 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/0ba5da2b-6944-4243-a4f2-0f887abf7a66?source=cve | source : security@wordfence.com


Source : patchstack.com

Vulnerability ID : CVE-2024-25910

First published on : 28-02-2024 13:15:09
Last modified on : 28-02-2024 14:06:45

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Skymoonlabs MoveTo. This issue affects MoveTo: from n/a through 6.2.

CVE ID : CVE-2024-25910
Source : audit@patchstack.com
CVSS Score : 9.8

References :
https://patchstack.com/database/vulnerability/moveto/wordpress-moveto-plugin-6-2-unauthenticated-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2024-25927

First published on : 28-02-2024 13:15:09
Last modified on : 28-02-2024 14:06:45

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Joel Starnes postMash – custom post order. This issue affects postMash – custom post order: from n/a through 1.2.0.

CVE ID : CVE-2024-25927
Source : audit@patchstack.com
CVSS Score : 9.3

References :
https://patchstack.com/database/vulnerability/postmash/wordpress-postmash-custom-post-order-plugin-1-2-0-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Source : huntr.dev

Vulnerability ID : CVE-2024-0550

First published on : 28-02-2024 05:15:08
Last modified on : 28-02-2024 14:06:45

Description :
A user who already holds the `manager` or `admin` privilege can set their profile picture via the frontend API using a relative file path, then use the PFP GET API to download any valid file. The attacker would have to have been granted privileged permissions on the system before executing this attack.

CVE ID : CVE-2024-0550
Source : security@huntr.dev
CVSS Score : 9.6

References :
https://github.com/mintplex-labs/anything-llm/commit/e1dcd5ded010b03abd6aa32d1bf0668a48e38e17 | source : security@huntr.dev
https://huntr.com/bounties/c6afeb5e-f211-4b3d-aa4b-6bad734217a6 | source : security@huntr.dev

Vulnerability : CWE-23


Source : 7bc73191-a2b6-4c63-9918-753964601853

Vulnerability ID : CVE-2023-50737

First published on : 28-02-2024 03:15:07
Last modified on : 28-02-2024 14:06:45

Description :
The SE menu contains information used by Lexmark to diagnose device errors. A vulnerability in one of the SE menu routines can be leveraged by an attacker to execute arbitrary code.

CVE ID : CVE-2023-50737
Source : 7bc73191-a2b6-4c63-9918-753964601853
CVSS Score : 9.1

References :
https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html | source : 7bc73191-a2b6-4c63-9918-753964601853

Vulnerability : CWE-20


Vulnerability ID : CVE-2023-50734

First published on : 28-02-2024 02:15:23
Last modified on : 28-02-2024 14:06:45

Description :
A buffer overflow vulnerability has been identified in PostScript interpreter in various Lexmark devices. The vulnerability can be leveraged by an attacker to execute arbitrary code.

CVE ID : CVE-2023-50734
Source : 7bc73191-a2b6-4c63-9918-753964601853
CVSS Score : 9.0

References :
https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html | source : 7bc73191-a2b6-4c63-9918-753964601853

Vulnerability : CWE-121


Vulnerability ID : CVE-2023-50735

First published on : 28-02-2024 03:15:07
Last modified on : 28-02-2024 14:06:45

Description :
A heap corruption vulnerability has been identified in PostScript interpreter in various Lexmark devices. The vulnerability can be leveraged by an attacker to execute arbitrary code.

CVE ID : CVE-2023-50735
Source : 7bc73191-a2b6-4c63-9918-753964601853
CVSS Score : 9.0

References :
https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html | source : 7bc73191-a2b6-4c63-9918-753964601853

Vulnerability : CWE-465


Vulnerability ID : CVE-2023-50736

First published on : 28-02-2024 03:15:07
Last modified on : 28-02-2024 14:06:45

Description :
A memory corruption vulnerability has been identified in PostScript interpreter in various Lexmark devices. The vulnerability can be leveraged by an attacker to execute arbitrary code.

CVE ID : CVE-2023-50736
Source : 7bc73191-a2b6-4c63-9918-753964601853
CVSS Score : 9.0

References :
https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html | source : 7bc73191-a2b6-4c63-9918-753964601853

Vulnerability : CWE-131


(10) HIGH VULNERABILITIES [7.0, 8.9]

Source : wordfence.com

Vulnerability ID : CVE-2024-0786

First published on : 28-02-2024 09:15:42
Last modified on : 28-02-2024 14:06:45

Description :
The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ee_syncProductCategory function using the parameters conditionData, valueData, productArray, exclude and include in all versions up to, and including, 6.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE ID : CVE-2024-0786
Source : security@wordfence.com
CVSS Score : 8.8

References :
https://plugins.trac.wordpress.org/browser/enhanced-e-commerce-for-woocommerce-store/trunk/includes/data/class-tvc-ajax-file.php#L1979 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/c30801d1-9335-4bba-b344-f0ff57cecf84?source=cve | source : security@wordfence.com


Source : progress.com

Vulnerability ID : CVE-2024-1632

First published on : 28-02-2024 12:15:46
Last modified on : 28-02-2024 14:06:45

Description :
Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area.

CVE ID : CVE-2024-1632
Source : security@progress.com
CVSS Score : 8.8

References :
https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024 | source : security@progress.com
https://www.progress.com/sitefinity-cms | source : security@progress.com

Vulnerability : CWE-284


Vulnerability ID : CVE-2024-1636

First published on : 28-02-2024 12:15:47
Last modified on : 28-02-2024 14:06:45

Description :
Potential Cross-Site Scripting (XSS) in the page editing area.

CVE ID : CVE-2024-1636
Source : security@progress.com
CVSS Score : 8.0

References :
https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024 | source : security@progress.com
https://www.progress.com/sitefinity-cms | source : security@progress.com

Vulnerability : CWE-79


Source : patchstack.com

Vulnerability ID : CVE-2024-24868

First published on : 28-02-2024 13:15:08
Last modified on : 28-02-2024 14:06:45

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smartypants SP Project & Document Manager. This issue affects SP Project & Document Manager: from n/a through 4.69.

CVE ID : CVE-2024-24868
Source : audit@patchstack.com
CVSS Score : 8.5

References :
https://patchstack.com/database/vulnerability/sp-client-document-manager/wordpress-sp-project-document-manager-plugin-4-69-contributor-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2024-25902

First published on : 28-02-2024 13:15:08
Last modified on : 28-02-2024 14:06:45

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in miniorange Malware Scanner. This issue affects Malware Scanner: from n/a through 4.7.2.

CVE ID : CVE-2024-25902
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/miniorange-malware-protection/wordpress-malware-scanner-plugin-4-7-2-admin-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Source : us.ibm.com

Vulnerability ID : CVE-2023-25925

First published on : 28-02-2024 22:15:25
Last modified on : 28-02-2024 22:15:25

Description :
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 247632.

CVE ID : CVE-2023-25925
Source : psirt@us.ibm.com
CVSS Score : 8.5

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/247632 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/6964516 | source : psirt@us.ibm.com

Vulnerability : CWE-78


Source : redhat.com

Vulnerability ID : CVE-2024-21885

First published on : 28-02-2024 13:15:08
Last modified on : 28-02-2024 14:06:45

Description :
A flaw was found in X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.

CVE ID : CVE-2024-21885
Source : secalert@redhat.com
CVSS Score : 7.8

References :
https://access.redhat.com/errata/RHSA-2024:0320 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0557 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0558 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0597 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0607 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0614 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0617 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0621 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0626 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0629 | source : secalert@redhat.com
https://access.redhat.com/security/cve/CVE-2024-21885 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2256540 | source : secalert@redhat.com

Vulnerability : CWE-122


Vulnerability ID : CVE-2024-21886

First published on : 28-02-2024 13:15:08
Last modified on : 28-02-2024 14:06:45

Description :
A heap buffer overflow flaw was found in the DisableDevice function in the X.Org server. This issue may lead to an application crash or, in some circumstances, remote code execution in SSH X11 forwarding environments.

CVE ID : CVE-2024-21886
Source : secalert@redhat.com
CVSS Score : 7.8

References :
https://access.redhat.com/errata/RHSA-2024:0320 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0557 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0558 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0597 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0607 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0614 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0617 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0621 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0626 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0629 | source : secalert@redhat.com
https://access.redhat.com/security/cve/CVE-2024-21886 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2256542 | source : secalert@redhat.com

Vulnerability : CWE-122


Source : 3ds.com

Vulnerability ID : CVE-2024-1847

First published on : 28-02-2024 18:15:45
Last modified on : 28-02-2024 18:15:45

Description :
Heap-based Buffer Overflow, Memory Corruption, Out-Of-Bounds Read, Out-Of-Bounds Write, Stack-based Buffer Overflow, Type Confusion, Uninitialized Variable, Use-After-Free vulnerabilities exist in the file reading procedure in eDrawings from Release SOLIDWORKS 2023 through Release SOLIDWORKS 2024. These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted CATPART, DWG, DXF, IPT, JT, SAT, SLDDRW, SLDPRT, STL, STP, X_B or X_T file.

CVE ID : CVE-2024-1847
Source : 3DS.Information-Security@3ds.com
CVSS Score : 7.8

References :
https://www.3ds.com/vulnerability/advisories | source : 3DS.Information-Security@3ds.com

Vulnerability : CWE-125
Vulnerability : CWE-416
Vulnerability : CWE-787
Vulnerability : CWE-843
Vulnerability : CWE-908


Source : huntr.dev

Vulnerability ID : CVE-2024-1892

First published on : 28-02-2024 00:15:53
Last modified on : 28-02-2024 14:06:45

Description :
Parts of the Scrapy API were found to be vulnerable to a ReDoS attack. Handling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing.

CVE ID : CVE-2024-1892
Source : security@huntr.dev
CVSS Score : 7.5

References :
https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5 | source : security@huntr.dev
https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b | source : security@huntr.dev

Vulnerability : CWE-1333


(48) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : emc.com

Vulnerability ID : CVE-2024-22459

First published on : 28-02-2024 09:15:43
Last modified on : 28-02-2024 14:06:45

Description :
Dell ECS versions 3.6 through 3.6.2.5, 3.7 through 3.7.0.6, and 3.8 through 3.8.0.4 contain an improper access control vulnerability. A remote high-privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to all buckets and their data within a namespace.

CVE ID : CVE-2024-22459
Source : security_alert@emc.com
CVSS Score : 6.8

References :
https://www.dell.com/support/kbdoc/en-us/000222470/dsa-2024-078-security-update-for-dell-ecs-access-control-vulnerability | source : security_alert@emc.com

Vulnerability : CWE-284


Source : wordfence.com

Vulnerability ID : CVE-2024-1566

First published on : 28-02-2024 09:15:43
Last modified on : 28-02-2024 14:06:45

Description :
The Redirects plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save function in all versions up to, and including, 1.2.1. This makes it possible for unauthenticated attackers to change redirects created with this plugin. This could lead to undesired redirection to phishing sites or malicious web pages.

CVE ID : CVE-2024-1566
Source : security@wordfence.com
CVSS Score : 6.5

References :
https://plugins.trac.wordpress.org/browser/redirects/trunk/index.php#L118 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/7c6be7f2-5526-4fba-9fe0-003b8460c926?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1860

First published on : 28-02-2024 10:15:09
Last modified on : 28-02-2024 14:06:45

Description :
The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the antihacker_add_whitelist() function in all versions up to, and including, 4.51. This makes it possible for unauthenticated attackers to add their IP address to the whitelist, circumventing protection.

CVE ID : CVE-2024-1860
Source : security@wordfence.com
CVSS Score : 6.5

References :
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3040434%40antihacker&new=3040434%40antihacker&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/3d365284-73ac-4730-a83d-9202677cf161?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1568

First published on : 28-02-2024 07:15:08
Last modified on : 28-02-2024 14:06:45

Description :
The Seraphinite Accelerator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.20.52 via the OnAdminApi_HtmlCheck function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CVE ID : CVE-2024-1568
Source : security@wordfence.com
CVSS Score : 6.4

References :
https://plugins.trac.wordpress.org/changeset/3040707/seraphinite-accelerator | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/07287a85-df00-408a-8b02-978fd3116155?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1791

First published on : 28-02-2024 09:15:43
Last modified on : 28-02-2024 14:06:45

Description :
The CodeMirror Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Code Mirror block in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE ID : CVE-2024-1791
Source : security@wordfence.com
CVSS Score : 6.4

References :
https://wordpress.org/plugins/wp-codemirror-block/ | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/52569aac-1e9e-40fb-9ff4-5eeb7940375d?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1808

First published on : 28-02-2024 13:15:07
Last modified on : 28-02-2024 14:06:45

Description :
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_qrcode' shortcode in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE ID : CVE-2024-1808
Source : security@wordfence.com
CVSS Score : 6.4

References :
https://plugins.trac.wordpress.org/changeset/3041647/shortcodes-ultimate | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/96769a0e-d4a9-4196-8ded-b600046c0943?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1954

First published on : 28-02-2024 09:15:43
Last modified on : 28-02-2024 14:06:45

Description :
The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1.8. This is due to missing or incorrect nonce validation in the includes/class-pos-bridge-install.php file. This makes it possible for unauthenticated attackers to perform several unauthorized actions like deactivating the plugin, disconnecting the subscription, syncing the status and more via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID : CVE-2024-1954
Source : security@wordfence.com
CVSS Score : 6.3

References :
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3035108%40oliver-pos&new=3035108%40oliver-pos&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/88d16ce2-a1cf-4402-b140-3cab17f8c638?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-0680

First published on : 28-02-2024 09:15:41
Last modified on : 28-02-2024 14:06:45

Description :
The WP Private Content Plus plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 3.6. This is due to the plugin not properly restricting access to posts via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected posts.

CVE ID : CVE-2024-0680
Source : security@wordfence.com
CVSS Score : 5.3

References :
https://wordpress.org/plugins/wp-private-content-plus/ | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/43d8904f-3bc9-4c67-b44b-8d78762b6b30?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-0682

First published on : 28-02-2024 09:15:41
Last modified on : 28-02-2024 14:06:45

Description :
The Page Restrict plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 2.5.5. This is due to the plugin not properly restricting access to posts via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected posts.

CVE ID : CVE-2024-0682
Source : security@wordfence.com
CVSS Score : 5.3

References :
https://wordpress.org/plugins/pagerestrict/ | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/63f98fd6-eee8-4281-98ea-a267d0442c85?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-0975

First published on : 28-02-2024 09:15:42
Last modified on : 28-02-2024 14:06:45

Description :
The WordPress Access Control plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.13 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "Make Website Members Only" feature (when unset) and view restricted page and post content.

CVE ID : CVE-2024-0975
Source : security@wordfence.com
CVSS Score : 5.3

References :
https://plugins.trac.wordpress.org/browser/wordpress-access-control/trunk/wordpress-access-control.php#L289 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/31f13524-2bd7-4157-b378-455ac4f822a1?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1136

First published on : 28-02-2024 09:15:42
Last modified on : 28-02-2024 14:06:45

Description :
The Coming Soon Page & Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to an improperly implemented URL check in the wpsm_coming_soon_redirect function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to bypass maintenance mode or coming-soon mode and view the site's content.

CVE ID : CVE-2024-1136
Source : security@wordfence.com
CVSS Score : 5.3

References :
https://plugins.trac.wordpress.org/browser/responsive-coming-soon/trunk/redirect.php#L11 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/e3c52d6e-b3f4-4ba8-aee4-b9f11704e1de?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1368

First published on : 28-02-2024 09:15:42
Last modified on : 28-02-2024 14:06:45

Description :
The Page Duplicator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the duplicate_dat_page() function in all versions up to, and including, 0.1.1. This makes it possible for unauthenticated attackers to duplicate arbitrary posts and pages.

CVE ID : CVE-2024-1368
Source : security@wordfence.com
CVSS Score : 5.3

References :
https://plugins.trac.wordpress.org/browser/wp-page-duplicator/trunk/page-duplicator.php#L136 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/bcc10e91-4810-4a0d-919c-de3e87137f76?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1476

First published on : 28-02-2024 09:15:42
Last modified on : 28-02-2024 14:06:45

Description :
The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6 via the REST API. This makes it possible for unauthenticated attackers to obtain the contents of posts and pages when maintenance mode is active thus bypassing the protection provided by the plugin.

CVE ID : CVE-2024-1476
Source : security@wordfence.com
CVSS Score : 5.3

References :
https://wordpress.org/plugins/coming-soon-maintenance-mode-from-acurax/ | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/f28c47e6-a37d-4328-afb2-6a9e6b3fe20a?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1516

First published on : 28-02-2024 09:15:43
Last modified on : 28-02-2024 14:06:45

Description :
The WP eCommerce plugin for WordPress is vulnerable to unauthorized arbitrary post creation due to a missing capability check on the check_for_saas_push() function in all versions up to, and including, 3.15.1. This makes it possible for unauthenticated attackers to create arbitrary posts with arbitrary content.

CVE ID : CVE-2024-1516
Source : security@wordfence.com
CVSS Score : 5.3

References :
https://plugins.trac.wordpress.org/browser/wp-e-commerce/trunk/wpsc-components/marketplace-core-v1/library/Sputnik.php#L191 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/b0a9f3d2-aa7f-4fc2-9cfd-b69ec3f63160?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1388

First published on : 28-02-2024 07:15:07
Last modified on : 28-02-2024 14:06:45

Description :
The Yuki theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_customizer_options() function in all versions up to, and including, 1.3.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to reset the theme's settings.

CVE ID : CVE-2024-1388
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://themes.trac.wordpress.org/changeset/217428/yuki/1.3.14/inc/extensions/class-reset-extension.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/d964e0ef-f14e-463b-bf4e-3f25788df03c?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1943

First published on : 28-02-2024 07:15:09
Last modified on : 28-02-2024 14:06:45

Description :
The Yuki theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.14. This is due to missing or incorrect nonce validation on the reset_customizer_options() function. This makes it possible for unauthenticated attackers to reset the theme's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID : CVE-2024-1943
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://themes.trac.wordpress.org/changeset/218603/yuki/1.3.15/inc/extensions/class-reset-extension.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/dfb760fb-f281-4649-9bd3-92f8e281f07e?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2023-6922

First published on : 28-02-2024 09:15:40
Last modified on : 28-02-2024 14:06:45

Description :
The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.6 via the 'acx_csma_subscribe_ajax' function. This can allow authenticated attackers to extract sensitive data such as names and email addresses of subscribed visitors.

CVE ID : CVE-2023-6922
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/browser/coming-soon-maintenance-mode-from-acurax/trunk/function.php?rev=2539156#L612 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/2a75f4eb-698b-4c92-9829-de6c55e21ecb?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-0431

First published on : 28-02-2024 09:15:40
Last modified on : 28-02-2024 14:06:45

Description :
The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_set_default_card' function. This makes it possible for unauthenticated attackers to set the default card token for a user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID : CVE-2024-0431
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/browser/gestpay-for-woocommerce/trunk/inc/class-gestpay-cards.php#L117 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/7d3a6650-5be0-4162-93eb-369538a2ebc5?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-0432

First published on : 28-02-2024 09:15:41
Last modified on : 28-02-2024 14:06:45

Description :
The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_delete_card' function. This makes it possible for unauthenticated attackers to delete the default card token for a user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID : CVE-2024-0432
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://wordpress.org/plugins/wppdf/ | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/7561a71a-c3f0-45f1-8230-2c17cbeff916?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-0433

First published on : 28-02-2024 09:15:41
Last modified on : 28-02-2024 14:06:45

Description :
The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_unset_default_card' function. This makes it possible for unauthenticated attackers to remove the default status of a card token for a user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID : CVE-2024-0433
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://wordpress.org/plugins/wppdf/ | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/44b62b99-99eb-424b-a04a-9bbacf5fbbaa?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-0766

First published on : 28-02-2024 09:15:41
Last modified on : 28-02-2024 14:06:45

Description :
The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the templates_ajax_request function in all versions up to, and including, 1.4.4. This makes it possible for subscribers and higher to create templates.

CVE ID : CVE-2024-0766
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/trunk/includes/admin/include/template-library.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/996c7433-dd82-4216-86b9-005f43c06c3a?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-0767

First published on : 28-02-2024 09:15:41
Last modified on : 28-02-2024 14:06:45

Description :
The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the ajax_plugin_activation function. This makes it possible for unauthenticated attackers to activate arbitrary installed plugins via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID : CVE-2024-0767
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/trunk/includes/admin/include/template-library.php#L332 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/cca71257-05dc-43d5-8de6-faf0a2feab2e?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-0768

First published on : 28-02-2024 09:15:42
Last modified on : 28-02-2024 14:06:45

Description :
The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the ajax_theme_activation function. This makes it possible for unauthenticated attackers to activate arbitrary installed themes via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID : CVE-2024-0768
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/trunk/includes/admin/include/template-library.php#L367 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/6504ae5c-a36d-495e-aa93-40a3753857c6?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1719

First published on : 28-02-2024 10:15:09
Last modified on : 28-02-2024 14:06:45

Description :
The Easy PayPal & Stripe Buy Now Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.3, and in Contact Form 7 – PayPal & Stripe Add-on in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the 'wpecpp_stripe_connect_completion' function. This makes it possible for unauthenticated attackers to modify the plugin's settings and change the Stripe connection via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID : CVE-2024-1719
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3040958%40contact-form-7-paypal-add-on&new=3040958%40contact-form-7-paypal-add-on&sfp_email=&sfph_mail= | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3040962%40wp-ecommerce-paypal&new=3040962%40wp-ecommerce-paypal&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/a5276227-9bd4-4ad8-a6b7-ac7d05e8b056?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1861

First published on : 28-02-2024 10:15:09
Last modified on : 28-02-2024 14:06:45

Description :
The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the antihacker_truncate_scan_table() function in all versions up to, and including, 4.52. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate the scan table.

CVE ID : CVE-2024-1861
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3040447%40antihacker&new=3040447%40antihacker&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/b80c8888-e8d6-4458-ae93-8e4182060590?source=cve | source : security@wordfence.com


Source : incibe.es

Vulnerability ID : CVE-2024-1965

First published on : 28-02-2024 13:15:07
Last modified on : 28-02-2024 14:06:45

Description :
Server-Side Request Forgery vulnerability in Haivision's Aviwest Manager and Aviwest Steamhub. This vulnerability could allow an attacker to enumerate internal network configuration without the need for credentials. An attacker could compromise an internal server and retrieve requests sent by other users.

CVE ID : CVE-2024-1965
Source : cve-coordination@incibe.es
CVSS Score : 6.5

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/server-side-request-forgery-vulnerability-haivision-products | source : cve-coordination@incibe.es

Vulnerability : CWE-918


Source : patchstack.com

Vulnerability ID : CVE-2023-51681

First published on : 28-02-2024 17:15:07
Last modified on : 28-02-2024 17:15:07

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Duplicator Duplicator – WordPress Migration & Backup Plugin. This issue affects Duplicator – WordPress Migration & Backup Plugin: from n/a through 1.5.7.

CVE ID : CVE-2023-51681
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://https://patchstack.com/database/vulnerability/duplicator/wordpress-duplicator-plugin-1-5-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2024-24705

First published on : 28-02-2024 15:15:08
Last modified on : 28-02-2024 15:15:08

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Octa Code Accessibility. This issue affects Accessibility: from n/a through 1.0.6.

CVE ID : CVE-2024-24705
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/accessibility/wordpress-accessibility-plugin-1-0-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-51683

First published on : 28-02-2024 17:15:07
Last modified on : 28-02-2024 17:15:07

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Easy PayPal & Stripe Buy Now Button. This issue affects Easy PayPal & Stripe Buy Now Button: from n/a through 1.8.1.

CVE ID : CVE-2023-51683
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/wp-ecommerce-paypal/wordpress-easy-paypal-stripe-buy-now-button-plugin-1-8-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-52223

First published on : 28-02-2024 17:15:07
Last modified on : 28-02-2024 17:15:07

Description :
Cross-Site Request Forgery (CSRF) vulnerability in MailerLite MailerLite – WooCommerce integration. This issue affects MailerLite – WooCommerce integration: from n/a through 2.0.8.

CVE ID : CVE-2023-52223
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/woo-mailerlite/wordpress-mailerlite-woocommerce-integration-plugin-2-0-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2024-21749

First published on : 28-02-2024 17:15:08
Last modified on : 28-02-2024 17:15:08

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Atakan Au 1 click disable all. This issue affects 1 click disable all: from n/a through 1.0.1.

CVE ID : CVE-2024-21749
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/first-graders-toolbox/wordpress-1-click-disable-all-plugin-1-0-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-51533

First published on : 28-02-2024 19:15:09
Last modified on : 28-02-2024 19:15:09

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Ecwid Ecommerce Ecwid Ecommerce Shopping Cart. This issue affects Ecwid Ecommerce Shopping Cart: from n/a through 6.12.4.

CVE ID : CVE-2023-51533
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/ecwid-shopping-cart/wordpress-ecwid-ecommerce-shopping-cart-plugin-6-12-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2024-27948

First published on : 28-02-2024 19:15:11
Last modified on : 28-02-2024 19:15:11

Description :
Cross-Site Request Forgery (CSRF) vulnerability in bytesforall Atahualpa. This issue affects Atahualpa: from n/a through 3.7.24.

CVE ID : CVE-2024-27948
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/atahualpa/wordpress-atahualpa-theme-3-7-24-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2024-24702

First published on : 28-02-2024 15:15:08
Last modified on : 28-02-2024 15:15:08

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Matt Martz & Andy Stratton Page Restrict. This issue affects Page Restrict: from n/a through 2.5.5.

CVE ID : CVE-2024-24702
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/pagerestrict/wordpress-page-restrict-plugin-2-5-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-52226

First published on : 28-02-2024 17:15:08
Last modified on : 28-02-2024 17:15:08

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Advanced Flamingo. This issue affects Advanced Flamingo: from n/a through 1.0.

CVE ID : CVE-2023-52226
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/advanced-flamingo/wordpress-advanced-flamingo-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-51692

First published on : 28-02-2024 19:15:10
Last modified on : 28-02-2024 19:15:10

Description :
Missing Authorization vulnerability in CusRev Customer Reviews for WooCommerce. This issue affects Customer Reviews for WooCommerce: from n/a through 5.38.1.

CVE ID : CVE-2023-51692
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/customer-reviews-woocommerce/wordpress-customer-reviews-for-woocommerce-plugin-5-38-1-broken-access-control-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-862


Source : redhat.com

Vulnerability ID : CVE-2024-0560

First published on : 28-02-2024 17:15:08
Last modified on : 28-02-2024 17:15:08

Description :
A vulnerability was found in 3Scale when used with Keycloak 15 (or RHSSO 7.5.0) and later. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but that field was removed in RH-SSO 7.5. As a result, the policy does not inspect tokens at all and treats every token as valid.

CVE ID : CVE-2024-0560
Source : secalert@redhat.com
CVSS Score : 6.3

References :
https://access.redhat.com/security/cve/CVE-2024-0560 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2258456 | source : secalert@redhat.com
https://github.com/3scale/APIcast/pull/1438 | source : secalert@redhat.com

Vulnerability : CWE-280


Vulnerability ID : CVE-2023-6917

First published on : 28-02-2024 15:15:07
Last modified on : 28-02-2024 15:15:07

Description :
A vulnerability has been identified in the Performance Co-Pilot (PCP) package, stemming from the mixed privilege levels utilized by systemd services associated with PCP. While certain services operate within the confines of limited PCP user/group privileges, others are granted full root privileges. This disparity in privilege levels poses a risk when privileged root processes interact with directories or directory trees owned by unprivileged PCP users. Specifically, this vulnerability may lead to the compromise of PCP user isolation and facilitate local PCP-to-root exploits, particularly through symlink attacks. These vulnerabilities underscore the importance of maintaining robust privilege separation mechanisms within PCP to mitigate the potential for unauthorized privilege escalation.

CVE ID : CVE-2023-6917
Source : secalert@redhat.com
CVSS Score : 6.0

References :
https://access.redhat.com/security/cve/CVE-2023-6917 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2254983 | source : secalert@redhat.com

Vulnerability : CWE-378


Source : huntr.dev

Vulnerability ID : CVE-2024-1932

First published on : 28-02-2024 00:15:54
Last modified on : 28-02-2024 14:06:45

Description :
Unrestricted Upload of File with Dangerous Type in freescout-helpdesk/freescout

CVE ID : CVE-2024-1932
Source : security@huntr.dev
CVSS Score : 6.1

References :
https://huntr.com/bounties/fefd711e-3bf0-4884-9acc-167649c1f9a2 | source : security@huntr.dev

Vulnerability : CWE-434


Source : us.ibm.com

Vulnerability ID : CVE-2023-50303

First published on : 28-02-2024 01:15:07
Last modified on : 28-02-2024 14:06:45

Description :
IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 273333.

CVE ID : CVE-2023-50303
Source : psirt@us.ibm.com
CVSS Score : 6.1

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/273333 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7116120 | source : psirt@us.ibm.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-25922

First published on : 28-02-2024 22:15:25
Last modified on : 28-02-2024 22:15:25

Description :
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. IBM X-Force ID: 247621.

CVE ID : CVE-2023-25922
Source : psirt@us.ibm.com
CVSS Score : 4.3

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/247621 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/6964516 | source : psirt@us.ibm.com

Vulnerability : CWE-434


Source : github.com

Vulnerability ID : CVE-2024-27103

First published on : 28-02-2024 18:15:45
Last modified on : 28-02-2024 18:15:45

Description :
Querybook is a Big Data Querying UI. When a user searches for their queries, datadocs, tables and lists, the search result is marked and highlighted, and this feature uses dangerouslySetInnerHTML, which means that if the highlighted result contains an XSS payload it will trigger. The input to dangerouslySetInnerHTML is not sanitized for the data inside of queries, which leads to an XSS vulnerability. In addition, during "query auto-suggestion" the names of the suggested tables are set with innerHTML, which leads to a further XSS vulnerability. A patch to rectify this issue has been introduced in Querybook version 3.31.2.

CVE ID : CVE-2024-27103
Source : security-advisories@github.com
CVSS Score : 6.1

References :
https://github.com/pinterest/querybook/commit/449bdc9e7d679e042c3718b7ed07d2ffa3c46a8f | source : security-advisories@github.com
https://github.com/pinterest/querybook/security/advisories/GHSA-3hjm-9277-5c88 | source : security-advisories@github.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-27285

First published on : 28-02-2024 20:15:41
Last modified on : 28-02-2024 20:15:41

Description :
YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.35.

CVE ID : CVE-2024-27285
Source : security-advisories@github.com
CVSS Score : 5.4

References :
https://github.com/lsegal/yard/commit/2069e2bf08293bda2fcc78f7d0698af6354054be | source : security-advisories@github.com
https://github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc | source : security-advisories@github.com

Vulnerability : CWE-79


Source : apache.org

Vulnerability ID : CVE-2024-24779

First published on : 28-02-2024 12:15:47
Last modified on : 28-02-2024 15:15:09

Description :
Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

CVE ID : CVE-2024-24779
Source : security@apache.org
CVSS Score : 5.0

References :
http://www.openwall.com/lists/oss-security/2024/02/28/6 | source : security@apache.org
https://lists.apache.org/thread/xzhz1m5bb9zxhyqgoy4q2d689b3zp4pq | source : security@apache.org

Vulnerability : CWE-863


Vulnerability ID : CVE-2024-24773

First published on : 28-02-2024 12:15:47
Last modified on : 28-02-2024 15:15:09

Description :
Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.

CVE ID : CVE-2024-24773
Source : security@apache.org
CVSS Score : 4.9

References :
http://www.openwall.com/lists/oss-security/2024/02/28/4 | source : security@apache.org
https://lists.apache.org/thread/h66fy6nj41cfx07zh7l552w6dmtjh501 | source : security@apache.org

Vulnerability : CWE-863


Vulnerability ID : CVE-2024-27315

First published on : 28-02-2024 10:15:09
Last modified on : 28-02-2024 15:15:09

Description :
An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error log of the Alert exposing possibly sensitive data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

CVE ID : CVE-2024-27315
Source : security@apache.org
CVSS Score : 4.3

References :
http://www.openwall.com/lists/oss-security/2024/02/28/3 | source : security@apache.org
https://lists.apache.org/thread/qcwbx7q2s3ynsd405895bx3wcwq32j7z | source : security@apache.org

Vulnerability : CWE-200


Vulnerability ID : CVE-2024-24772

First published on : 28-02-2024 12:15:47
Last modified on : 28-02-2024 15:15:09

Description :
A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the underlying analytics database. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

CVE ID : CVE-2024-24772
Source : security@apache.org
CVSS Score : 4.3

References :
http://www.openwall.com/lists/oss-security/2024/02/28/5 | source : security@apache.org
https://lists.apache.org/thread/gfl3ckwy6y9tpz9jmpv62orh2q346sn5 | source : security@apache.org

Vulnerability : CWE-20


Vulnerability ID : CVE-2024-26016

First published on : 28-02-2024 12:15:47
Last modified on : 28-02-2024 15:15:09

Description :
A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.

CVE ID : CVE-2024-26016
Source : security@apache.org
CVSS Score : 4.3

References :
http://www.openwall.com/lists/oss-security/2024/02/28/7 | source : security@apache.org
https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s | source : security@apache.org

Vulnerability : CWE-863


(1) LOW VULNERABILITIES [0.1, 3.9]

Source : vuldb.com

Vulnerability ID : CVE-2024-1972

First published on : 28-02-2024 22:15:26
Last modified on : 28-02-2024 22:15:26

Description :
A vulnerability was found in SourceCodester Online Job Portal 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /Employer/EditProfile.php. The manipulation of the argument Address leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255128.

CVE ID : CVE-2024-1972
Source : cna@vuldb.com
CVSS Score : 3.5

References :
https://prnt.sc/gtk7Fj43Qwy9 | source : cna@vuldb.com
https://vuldb.com/?ctiid.255128 | source : cna@vuldb.com
https://vuldb.com/?id.255128 | source : cna@vuldb.com

Vulnerability : CWE-79


(110) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : mitre.org

Vulnerability ID : CVE-2024-22723

First published on : 28-02-2024 06:15:49
Last modified on : 28-02-2024 14:06:45

Description :
Webtrees 2.1.18 is vulnerable to Directory Traversal. By manipulating the "media_folder" parameter in the URL, an attacker (in this case, an administrator) can navigate beyond the intended directory (the 'media/' directory) to access sensitive files in other parts of the application's file system.

CVE ID : CVE-2024-22723
Source : cve@mitre.org
CVSS Score : /

References :
https://cupc4k3.medium.com/cve-2024-22723-webtrees-vulnerability-uncovering-sensitive-data-through-path-traversal-7442e7a38b68 | source : cve@mitre.org


Vulnerability ID : CVE-2024-27913

First published on : 28-02-2024 07:15:09
Last modified on : 28-02-2024 14:06:45

Description :
ospf_te_parse_te in ospfd/ospf_te.c in FRRouting (FRR) through 9.1 allows remote attackers to cause a denial of service (ospfd daemon crash) via a malformed OSPF LSA packet, because of an attempted access to a missing attribute field.

CVE ID : CVE-2024-27913
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/FRRouting/frr/pull/15431 | source : cve@mitre.org


Vulnerability ID : CVE-2024-27515

First published on : 28-02-2024 13:15:09
Last modified on : 28-02-2024 14:06:45

Description :
Osclass 5.1.2 is vulnerable to SQL Injection.

CVE ID : CVE-2024-27515
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/mindstellar/Osclass/issues/495 | source : cve@mitre.org


Vulnerability ID : CVE-2024-26342

First published on : 28-02-2024 18:15:45
Last modified on : 28-02-2024 18:15:45

Description :
A Null pointer dereference in usr/sbin/httpd in ASUS AC68U 3.0.0.4.384.82230 allows remote attackers to trigger DoS via a network packet.

CVE ID : CVE-2024-26342
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/Nicholas-wei/bug-discovery/blob/main/asus/2/ASUS_ac68u.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-52047

First published on : 28-02-2024 20:15:41
Last modified on : 28-02-2024 20:15:41

Description :
Dedecms v5.7.112 was discovered to contain a Cross-Site Request Forgery (CSRF) in the file manager.

CVE ID : CVE-2023-52047
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/chongfujun/test/blob/main/2023-52047.docx | source : cve@mitre.org


Vulnerability ID : CVE-2023-52048

First published on : 28-02-2024 20:15:41
Last modified on : 28-02-2024 20:15:41

Description :
RuoYi v4.7.8 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /system/notice/.

CVE ID : CVE-2023-52048
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/chongfujun/test/blob/main/2023-52048.docx | source : cve@mitre.org


Vulnerability ID : CVE-2024-24148

First published on : 28-02-2024 20:15:41
Last modified on : 28-02-2024 20:15:41

Description :
A memory leak issue discovered in parseSWF_FREECHARACTER in libming v0.4.8 allows attackers to cause a denial of service via a crafted SWF file.

CVE ID : CVE-2024-24148
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/libming/libming/issues/308 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25169

First published on : 28-02-2024 20:15:41
Last modified on : 28-02-2024 20:15:41

Description :
An issue in Mezzanine v6.0.0 allows attackers to bypass access control mechanisms in the admin panel via a crafted request.

CVE ID : CVE-2024-25169
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/shenhav12/CVE-2024-25169-Mezzanine-v6.0.0 | source : cve@mitre.org
https://ibb.co/JKh4hmD | source : cve@mitre.org
https://ibb.co/Pt9qd8t | source : cve@mitre.org
https://ibb.co/hLLPTVp | source : cve@mitre.org
https://ibb.co/rfrKj3r | source : cve@mitre.org


Vulnerability ID : CVE-2024-25170

First published on : 28-02-2024 20:15:41
Last modified on : 28-02-2024 20:15:41

Description :
An issue in Mezzanine v6.0.0 allows attackers to bypass access controls via manipulating the Host header.

CVE ID : CVE-2024-25170
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/shenhav12/CVE-2024-25170-Mezzanine-v6.0.0 | source : cve@mitre.org
https://ibb.co/DpxHpz9 | source : cve@mitre.org
https://ibb.co/T0fhLwR | source : cve@mitre.org


Vulnerability ID : CVE-2024-25202

First published on : 28-02-2024 20:15:41
Last modified on : 28-02-2024 20:15:41

Description :
Cross Site Scripting vulnerability in Phpgurukul User Registration & Login and User Management System 1.0 allows attackers to run arbitrary code via the search bar.

CVE ID : CVE-2024-25202
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/Agampreet-Singh/CVE-2024-25202 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25435

First published on : 28-02-2024 20:15:41
Last modified on : 28-02-2024 20:15:41

Description :
A cross-site scripting (XSS) vulnerability in Md1health Md1patient v2.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Msg parameter.

CVE ID : CVE-2024-25435
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/machisri/CVEs-and-Vulnerabilities/blob/main/CVE-2024-25435%20-%3E%20Reflected%20XSS%20on%20md1patient%20login%20page | source : cve@mitre.org


Vulnerability ID : CVE-2024-25859

First published on : 28-02-2024 20:15:41
Last modified on : 28-02-2024 20:15:41

Description :
A path traversal vulnerability in the /path/to/uploads/ directory of Blesta before v5.9.2 allows attackers to takeover user accounts and execute arbitrary code.

CVE ID : CVE-2024-25859
Source : cve@mitre.org
CVSS Score : /

References :
https://www.blesta.com/2024/02/08/security-advisory/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-45859

First published on : 28-02-2024 22:15:26
Last modified on : 28-02-2024 22:15:26

Description :
In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.

CVE ID : CVE-2023-45859
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/hazelcast/hazelcast/pull/25509 | source : cve@mitre.org
https://github.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66 | source : cve@mitre.org


Vulnerability ID : CVE-2023-45873

First published on : 28-02-2024 22:15:26
Last modified on : 28-02-2024 22:15:26

Description :
An issue was discovered in Couchbase Server through 7.2.2. A data reader may cause a denial of service (application exit) because of the OOM killer.

CVE ID : CVE-2023-45873
Source : cve@mitre.org
CVSS Score : /

References :
https://docs.couchbase.com/server/current/release-notes/relnotes.html | source : cve@mitre.org
https://forums.couchbase.com/tags/security | source : cve@mitre.org
https://www.couchbase.com/alerts/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-49338

First published on : 28-02-2024 22:15:26
Last modified on : 28-02-2024 22:15:26

Description :
Couchbase Server 7.1.x and 7.2.x before 7.2.4 does not require authentication for the /admin/stats and /admin/vitals endpoints on TCP port 8093 of localhost.

CVE ID : CVE-2023-49338
Source : cve@mitre.org
CVSS Score : /

References :
https://docs.couchbase.com/server/current/release-notes/relnotes.html | source : cve@mitre.org
https://forums.couchbase.com/tags/security | source : cve@mitre.org
https://www.couchbase.com/alerts/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-22983

First published on : 28-02-2024 22:15:26
Last modified on : 28-02-2024 22:15:26

Description :
SQL injection vulnerability in Projectworlds Visitor Management System in PHP v.1.0 allows a remote attacker to escalate privileges via the name parameter in the myform.php endpoint.

CVE ID : CVE-2024-22983
Source : cve@mitre.org
CVSS Score : /

References :
http://projectworlds.com | source : cve@mitre.org
http://visitor.com | source : cve@mitre.org
https://github.com/keru6k/CVE-2024-22983/blob/main/CVE-2024-22983.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-25350

First published on : 28-02-2024 22:15:26
Last modified on : 28-02-2024 22:15:26

Description :
SQL Injection vulnerability in /zms/admin/edit-ticket.php in PHPGurukul Zoo Management System 1.0 via tickettype and tprice parameters.

CVE ID : CVE-2024-25350
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/0xQRx/VulnerabilityResearch/blob/master/2024/ZooManagementSystem-SQL_Injection_Edit_Ticket.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-25351

First published on : 28-02-2024 22:15:26
Last modified on : 28-02-2024 22:15:26

Description :
SQL Injection vulnerability in /zms/admin/changeimage.php in PHPGurukul Zoo Management System 1.0 allows attackers to run arbitrary SQL commands via the editid parameter.

CVE ID : CVE-2024-25351
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/0xQRx/VulnerabilityResearch/blob/master/2024/ZooManagementSystem-SQL_Injection_Change_Image.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-25866

First published on : 28-02-2024 22:15:26
Last modified on : 28-02-2024 22:15:26

Description :
A SQL Injection vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary SQL commands via the email parameter in the index.php component.

CVE ID : CVE-2024-25866
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/0xQRx/VulnerabilityResearch/blob/master/2024/MembershipManagementSystem-SQL_Injection_Login.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-25867

First published on : 28-02-2024 22:15:26
Last modified on : 28-02-2024 22:15:26

Description :
A SQL Injection vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary SQL commands via the membershipType and membershipAmount parameters in the add_type.php component.

CVE ID : CVE-2024-25867
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/0xQRx/VulnerabilityResearch/blob/master/2024/MembershipManagementSystem-SQL_Injection_Add_Type.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-25868

First published on : 28-02-2024 22:15:26
Last modified on : 28-02-2024 22:15:26

Description :
A Cross Site Scripting (XSS) vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary code via the membershipType parameter in the add_type.php component.

CVE ID : CVE-2024-25868
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/0xQRx/VulnerabilityResearch/blob/master/2024/MembershipManagementSystem-Stored_XSS_Add_Type.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-25869

First published on : 28-02-2024 22:15:26
Last modified on : 28-02-2024 22:15:26

Description :
An Unrestricted File Upload vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary code via upload of a crafted php file in the settings.php component.

CVE ID : CVE-2024-25869
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/0xQRx/VulnerabilityResearch/blob/master/2024/MembershipManagementSystem-Unrestricted_Fileupload.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-26450

First published on : 28-02-2024 22:15:26
Last modified on : 28-02-2024 22:15:26

Description :
Cross Site Scripting vulnerability in Piwigo before v.14.2.0 allows a remote attacker to escalate privileges via the batch function on the admin page.

CVE ID : CVE-2024-26450
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-p362-cfpj-q55f | source : cve@mitre.org


Vulnerability ID : CVE-2024-26476

First published on : 28-02-2024 22:15:26
Last modified on : 28-02-2024 22:15:26

Description :
An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter in the ereq_form.php component.

CVE ID : CVE-2024-26476
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/c4v4r0n/Research/blob/main/openemr_BlindSSRF/README.md | source : cve@mitre.org
https://github.com/mpdf/mpdf/issues/867 | source : cve@mitre.org


Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Vulnerability ID : CVE-2020-36778

First published on : 28-02-2024 09:15:36
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: i2c: xiic: fix reference leak when pm_runtime_get_sync fails The PM reference count is not expected to be incremented on return in xiic_xfer and xiic_i2c_remove. However, pm_runtime_get_sync will increment the PM reference count even if it fails. Forgetting the put operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep the usage counter balanced.

CVE ID : CVE-2020-36778
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/a42ac16e6573f19c78f556ea292f5b534fcc4514 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a85c5c7a3aa8041777ff691400b4046e56149fd3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c977426db644ba476938125597947979e8aba725 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e2ba996577eaea423694dc69ae43d56f1410a22b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2020-36779

First published on : 28-02-2024 09:15:36
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: i2c: stm32f7: fix reference leak when pm_runtime_get_sync fails The PM reference count is not expected to be incremented on return in these stm32f7_i2c_xx functions. However, pm_runtime_get_sync will increment the PM reference count even if it fails. Forgetting the put operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep the usage counter balanced.

CVE ID : CVE-2020-36779
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/2c662660ce2bd3b09dae21a9a9ac9395e1e6c00b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c323b270a52a26aa8038a4d1fd9a850904a41166 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c7ea772c9fcf711ed566814b92eecaffc0e2bfd0 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d791b90f5c5e5aa8ccf9e33386c16bd2b7e333a4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2020-36780

First published on : 28-02-2024 09:15:36
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: i2c: sprd: fix reference leak when pm_runtime_get_sync fails The PM reference count is not expected to be incremented on return in sprd_i2c_master_xfer() and sprd_i2c_remove(). However, pm_runtime_get_sync will increment the PM reference count even if it fails. Forgetting the put operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep the usage counter balanced.

CVE ID : CVE-2020-36780
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/3a4f326463117cee3adcb72999ca34a9aaafda93 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7e1764312440c5df9dfe6b436035a03673b0c1b9 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9223505e938ba3db5907e058f4209770cff2f2a7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d3406ab52097328a3bc4cbe124bfd8f6d51fb86f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e547640cee7981fd751d2c9cde3a61bdb678b755 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2020-36781

First published on : 28-02-2024 09:15:36
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: i2c: imx: fix reference leak when pm_runtime_get_sync fails In i2c_imx_xfer() and i2c_imx_remove(), the pm reference count is not expected to be incremented on return. However, pm_runtime_get_sync will increment the pm reference count even if it fails. Forgetting the put operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep the usage counter balanced.

CVE ID : CVE-2020-36781
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1ecc0ebc2ebbad4a22a670a07d27a21fa0b59c77 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3a0cdd336d92c429b51a79bf4f64b17eafa0325d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/47ff617217ca6a13194fcb35c6c3a0c57c080693 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ff406f6cd09c273337ab4854292e4aca48f8affd | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2020-36782

First published on : 28-02-2024 09:15:36
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails The PM reference count is not expected to be incremented on return in lpi2c_imx_master_enable. However, pm_runtime_get_sync will increment the PM reference count even if it fails. Forgetting the put operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep the usage counter balanced.

CVE ID : CVE-2020-36782
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/278e5bbdb9a94fa063c0f9bcde2479d0b8042462 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/815859cb1d2302e74f11bf6894bceace9ca9eb4a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b100650d80cd2292f6c152f5f2943b5944b3e8ce | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bb300acc867e937edc2a6898e92b21f88e4e4e66 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/cc49d206414240483bb93ffa3d80243e6a776916 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2020-36783

First published on : 28-02-2024 09:15:36
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: i2c: img-scb: fix reference leak when pm_runtime_get_sync fails The PM reference count is not expected to be incremented on return in functions img_i2c_xfer and img_i2c_init. However, pm_runtime_get_sync will increment the PM reference count even if it fails. Forgetting the put operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep the usage counter balanced.

CVE ID : CVE-2020-36783
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/223125e37af8a641ea4a09747a6a52172fc4b903 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4734c4b1d9573c9d20bbc46cf37dde095ee011b8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7ee35cde1e810ad6ca589980b9ec2b7b62946a5b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/96c4a03658d661666c360959aa80cdabfe2972ed | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e80ae8bde41266d3b8bf012460b6593851766006 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2020-36784

First published on : 28-02-2024 09:15:36
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: i2c: cadence: fix reference leak when pm_runtime_get_sync fails The PM reference count is not expected to be incremented on return in functions cdns_i2c_master_xfer and cdns_reg_slave. However, pm_runtime_get_sync will increment the pm usage counter even if it fails. Forgetting the put operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep the usage counter balanced.

CVE ID : CVE-2020-36784
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/23ceb8462dc6f4b4decdb5536a7e5fc477cdf0b6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/30410519328c94367e561fd878e5f0d3a0303585 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a45fc41beed8e0fe31864619c34aa00797fb60c1 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d57ff04e0ed6f3be1682ae861ead33f879225e07 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2020-36785

First published on : 28-02-2024 09:15:36
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: media: atomisp: Fix use after free in atomisp_alloc_css_stat_bufs() The "s3a_buf" is freed along with all the other items on the "asd->s3a_stats" list. It leads to a double free and a use after free.

CVE ID : CVE-2020-36785
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/801c1d505894008c888bc71d08d5cff5d87f8aba | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8267ccd7b9df7ab682043507dd682fe0621cf045 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ba11bbf303fafb33989e95473e409f6ab412b18d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d218c7a0284f6b92a7b82d2e19706e18663b4193 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2020-36786

First published on : 28-02-2024 09:15:36
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: media: [next] staging: media: atomisp: fix memory leak of object flash In the case where the call to lm3554_platform_data_func returns an error, there is a memory leak on the error return path of object flash. Fix this by adding an error return path that will free flash, and rename labels fail2 to fail3 and fail1 to fail2.

CVE ID : CVE-2020-36786
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/27d2eab69f7da8e94e4751ac5c6d22d809275484 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4f0f37d03cde8f4341df8454f9b40a67fda94a33 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6045b01dd0e3cd3759eafe7f290ed04c957500b1 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/cc4cc2fb5aaf9adb83c02211eb13b16cfcb7ba64 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2020-36787

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: media: aspeed: fix clock handling logic Video engine uses eclk and vclk for its clock sources and its reset control is coupled with eclk, so the current clock enabling sequence works like below.
Enable eclk
De-assert Video Engine reset
10ms delay
Enable vclk
It introduces improper reset on the Video Engine hardware and eventually the hardware generates unexpected DMA memory transfers that can corrupt memory regions in random and sporadic patterns. This issue is observed very rarely on some specific AST2500 SoCs, but it causes a critical kernel panic with various shapes of signature, so it's extremely hard to debug. Moreover, the issue is observed even when the video engine is not actively used because udevd turns on the video engine hardware for a short time to make a query in every boot. To fix this issue, this commit changes the clock handling logic to make the reset de-assertion triggered after enabling both eclk and vclk. Also, it adds a clk_unprepare call for the case when probe fails.
clk: ast2600: fix reset settings for eclk and vclk Video engine reset setting should be coupled with eclk to match it with the setting for previous Aspeed SoCs which is defined in clk-aspeed.c, since all Aspeed SoCs are sharing a single video engine driver. Also, reset bit 6 is defined as 'Video Engine' reset in the datasheet, so it should be de-asserted when eclk is enabled. This commit fixes the setting.

CVE ID : CVE-2020-36787
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1dc1d30ac101bb8335d9852de2107af60c2580e7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2964c37563e86cfdc439f217eb3c5a69adfdba6a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3536169f8531c2c5b153921dc7d1ac9fd570cda7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/75321dc8aebe3f30eff226028fe6da340fe0bf02 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a59d01384c80a8a4392665802df57c3df20055f5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46976

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix crash in auto_retire The retire logic uses the 2 lower bits of the pointer to the retire function to store flags. However, the auto_retire function is not guaranteed to be aligned to a multiple of 4, which causes crashes as we jump to the wrong address, for example like this:
---truncated---

CVE ID : CVE-2021-46976
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/402be8a101190969fc7ff122d07e262df86e132b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/608441de3976c526b02af4d7063093c8adf351e3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/805c990a9c54b9451d3daff640b850909c31ab9d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f7520970d5353cb1fa4d9089a1b23669c5da97fe | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46977

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: KVM: VMX: Disable preemption when probing user return MSRs Disable preemption when probing a user return MSR via RDMSR/WRMSR. If the MSR holds a different value per logical CPU, the WRMSR could corrupt the host's value if KVM is preempted between the RDMSR and WRMSR, and then rescheduled on a different CPU. Opportunistically land the helper in common x86; SVM will use the helper in a future commit.

CVE ID : CVE-2021-46977
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/31f29749ee970c251b3a7e5b914108425940d089 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5104d7ffcf24749939bea7fdb5378d186473f890 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5adcdeb57007ccf8ab7ac20bf787ffb6fafb1a94 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e3ea1895df719c4ef87862501bb10d95f4177bed | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46978

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: KVM: nVMX: Always make an attempt to map eVMCS after migration When enlightened VMCS is in use and nested state is migrated with vmx_get_nested_state()/vmx_set_nested_state(), KVM can't map the evmcs page right away: the evmcs gpa is not in 'struct kvm_vmx_nested_state_hdr' and we can't read it from the VP assist page because userspace may decide to restore HV_X64_MSR_VP_ASSIST_PAGE after restoring nested state (and QEMU, for example, does exactly that). To make sure eVMCS is mapped, vmx_set_nested_state() raises a KVM_REQ_GET_NESTED_STATE_PAGES request. Commit f2c7ef3ba955 ("KVM: nSVM: cancel KVM_REQ_GET_NESTED_STATE_PAGES on nested vmexit") added KVM_REQ_GET_NESTED_STATE_PAGES clearing to nested_vmx_vmexit() to make sure the MSR permission bitmap is not switched when an immediate exit from L2 to L1 happens right after migration (caused by a pending event, for example). Unfortunately, in the exact same situation we still need to have eVMCS mapped so nested_sync_vmcs12_to_shadow() reflects changes in VMCS12 to eVMCS. As a band-aid, restore nested_get_evmcs_page() when clearing KVM_REQ_GET_NESTED_STATE_PAGES in nested_vmx_vmexit(). The 'fix' is far from being ideal as we can't easily propagate possible failures, and even if we could, this is most likely already too late to do so. The whole 'KVM_REQ_GET_NESTED_STATE_PAGES' idea for mapping eVMCS after migration seems to be fragile as we diverge too much from the 'native' path when vmptr loading happens on vmx_set_nested_state().

CVE ID : CVE-2021-46978
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/200a45649ab7361bc80c70aebf7165b64f9a6c9f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bd0e8455b85b651a4c77de9616e307129b15aaa7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c8bf64e3fb77cc19bad146fbe26651985b117194 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f5c7e8425f18fdb9bdb7d13340651d7876890329 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46979

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: iio: core: fix ioctl handlers removal Currently ioctl handlers are removed twice: for the first time during iio_device_unregister(), then later on inside iio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask(). The double free leads to a kernel panic. Fix this by not touching the ioctl handlers list directly but rather letting the code responsible for registration call the matching cleanup routine itself.

CVE ID : CVE-2021-46979
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/11e1cae5da4096552f7c091476cbadbc0d1817da | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/901f84de0e16bde10a72d7eb2f2eb73fcde8fa1a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ab6c935ba3a04317632f3b8b68675bdbaf395303 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46980

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Retrieve all the PDOs instead of just the first 4 commit 4dbc6a4ef06d ("usb: typec: ucsi: save power data objects in PD mode") introduced retrieval of the PDOs when connected to a PD-capable source. But only the first 4 PDOs are received since that is the maximum number that can be fetched at a time given the MESSAGE_IN length limitation (16 bytes). However, as per the PD spec a connected source may advertise up to a maximum of 7 PDOs. If such a source is connected it's possible the PPM could have negotiated a power contract with one of the PDOs at an index greater than 4, and this would be reflected in the request data object's (RDO) object position field. This would result in an out-of-bounds access when rdo_index() is used to index into the src_pdos array in ucsi_psy_get_voltage_now(). With the help of the UBSAN -fsanitize=array-bounds checker enabled, this exact issue is revealed when connecting to a PD source adapter that advertises 5 PDOs and the PPM enters a contract having selected the 5th one.
[ 151.545106][ T70] Unexpected kernel BRK exception at EL1
[ 151.545112][ T70] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP
...
[ 151.545499][ T70] pc : ucsi_psy_get_prop+0x208/0x20c
[ 151.545507][ T70] lr : power_supply_show_property+0xc0/0x328
...
[ 151.545542][ T70] Call trace:
[ 151.545544][ T70] ucsi_psy_get_prop+0x208/0x20c
[ 151.545546][ T70] power_supply_uevent+0x1a4/0x2f0
[ 151.545550][ T70] dev_uevent+0x200/0x384
[ 151.545555][ T70] kobject_uevent_env+0x1d4/0x7e8
[ 151.545557][ T70] power_supply_changed_work+0x174/0x31c
[ 151.545562][ T70] process_one_work+0x244/0x6f0
[ 151.545564][ T70] worker_thread+0x3e0/0xa64
We can resolve this by instead retrieving and storing up to the maximum of 7 PDOs in the con->src_pdos array. This would involve two calls to the GET_PDOS command.

CVE ID : CVE-2021-46980
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1f4642b72be79757f050924a9b9673b6a02034bc | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5e9c6f58b01e6fdfbc740390c01f542a35c97e57 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a453bfd7ef15fd9d524004d3ca7b05353a302911 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e5366bea0277425e1868ba20eeb27c879d5a6e2d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46981

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: nbd: Fix NULL pointer in flush_workqueue Open /dev/nbdX first, the config_refs will be 1 and the pointers in nbd_device are still null. Disconnect /dev/nbdX, then reference a null recv_workq. The protection by config_refs in nbd_genl_disconnect is useless.
To fix it, just add if (nbd->recv_workq) to nbd_disconnect_and_put().

CVE ID : CVE-2021-46981
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1c4962df938891af9ab4775f5224ef8601764107 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/54b78ba7e96e5fe1edb8054e375d31a6c0dc60dc | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/79ebe9110fa458d58f1fceb078e2068d7ad37390 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b31d237796fd618379ec8e0f4de3370b5e4aeee7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/cde4b55cfb24522dcbba80bbdb0c082303e76c43 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46982

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix race condition of overwrite vs truncate The pos_fsstress testcase complains of a panic as below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/compress.c:1082!
invalid opcode: 0000 [#1] SMP PTI
CPU: 4 PID: 2753477 Comm: kworker/u16:2 Tainted: G OE 5.12.0-rc1-custom #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Workqueue: writeback wb_workfn (flush-252:16)
RIP: 0010:prepare_compress_overwrite+0x4c0/0x760 [f2fs]
Call Trace:
f2fs_prepare_compress_overwrite+0x5f/0x80 [f2fs]
f2fs_write_cache_pages+0x468/0x8a0 [f2fs]
f2fs_write_data_pages+0x2a4/0x2f0 [f2fs]
do_writepages+0x38/0xc0
__writeback_single_inode+0x44/0x2a0
writeback_sb_inodes+0x223/0x4d0
__writeback_inodes_wb+0x56/0xf0
wb_writeback+0x1dd/0x290
wb_workfn+0x309/0x500
process_one_work+0x220/0x3c0
worker_thread+0x53/0x420
kthread+0x12f/0x150
ret_from_fork+0x22/0x30
The root cause is that truncate() may race with overwrite as below, so that the one reference count left in the page cannot guarantee the page stays attached in the mapping tree all the time; after truncation, a later find_lock_page() may return a NULL pointer.
- prepare_compress_overwrite
- f2fs_pagecache_get_page
- unlock_page
- f2fs_setattr
- truncate_setsize
- truncate_inode_page
- delete_from_page_cache
- find_lock_page
Fix this by avoiding referencing the updated page.

CVE ID : CVE-2021-46982
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/5639b73fd3bc6fc8ca72e3a9ac15aacaabd7ebff | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/64acb100fe3beb5d20184d0ae3307235bd3555c4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/936158b15e2648253afb824d252c910c496d34b5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a949dc5f2c5cfe0c910b664650f45371254c0744 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46983

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: nvmet-rdma: Fix NULL deref when SEND is completed with error

When running some traffic and taking down the link on peer, a retry counter exceeded error is received. This leads to nvmet_rdma_error_comp which tried accessing the cq_context to obtain the queue. The cq_context is no longer valid after the fix to use shared CQ mechanism and should be obtained similar to how it is obtained in other functions from the wc->qp.

[ 905.786331] nvmet_rdma: SEND for CQE 0x00000000e3337f90 failed with status transport retry counter exceeded (12).
[ 905.832048] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
[ 905.839919] PGD 0 P4D 0
[ 905.842464] Oops: 0000 1 SMP NOPTI
[ 905.846144] CPU: 13 PID: 1557 Comm: kworker/13:1H Kdump: loaded Tainted: G OE --------- - - 4.18.0-304.el8.x86_64 #1
[ 905.872135] RIP: 0010:nvmet_rdma_error_comp+0x5/0x1b [nvmet_rdma]
[ 905.878259] Code: 19 4f c0 e8 89 b3 a5 f6 e9 5b e0 ff ff 0f b7 75 14 4c 89 ea 48 c7 c7 08 1a 4f c0 e8 71 b3 a5 f6 e9 4b e0 ff ff 0f 1f 44 00 00 <48> 8b 47 48 48 85 c0 74 08 48 89 c7 e9 98 bf 49 00 e9 c3 e3 ff ff
[ 905.897135] RSP: 0018:ffffab601c45fe28 EFLAGS: 00010246
[ 905.902387] RAX: 0000000000000065 RBX: ffff9e729ea2f800 RCX: 0000000000000000
[ 905.909558] RDX: 0000000000000000 RSI: ffff9e72df9567c8 RDI: 0000000000000000
[ 905.916731] RBP: ffff9e729ea2b400 R08: 000000000000074d R09: 0000000000000074
[ 905.923903] R10: 0000000000000000 R11: ffffab601c45fcc0 R12: 0000000000000010
[ 905.931074] R13: 0000000000000000 R14: 0000000000000010 R15: ffff9e729ea2f400
[ 905.938247] FS: 0000000000000000(0000) GS:ffff9e72df940000(0000) knlGS:0000000000000000
[ 905.938249] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 905.950067] nvmet_rdma: SEND for CQE 0x00000000c7356cca failed with status transport retry counter exceeded (12).
[ 905.961855] CR2: 0000000000000048 CR3: 000000678d010004 CR4: 00000000007706e0
[ 905.961855] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 905.961856] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 905.961857] PKRU: 55555554
[ 906.010315] Call Trace:
[ 906.012778] __ib_process_cq+0x89/0x170 [ib_core]
[ 906.017509] ib_cq_poll_work+0x26/0x80 [ib_core]
[ 906.022152] process_one_work+0x1a7/0x360
[ 906.026182] ? create_worker+0x1a0/0x1a0
[ 906.030123] worker_thread+0x30/0x390
[ 906.033802] ? create_worker+0x1a0/0x1a0
[ 906.037744] kthread+0x116/0x130
[ 906.040988] ? kthread_flush_work_fn+0x10/0x10
[ 906.045456] ret_from_fork+0x1f/0x40

CVE ID : CVE-2021-46983
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/17fb6dfa5162b89ecfa07df891a53afec321abe8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5bdb34466ad8370546dfa0497594fb1d6f2fed90 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/64f3410c7bfc389b1a58611d0799f4a36ce4b6b5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8cc365f9559b86802afc0208389f5c8d46b4ad61 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46984

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: kyber: fix out of bounds access when preempted

__blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and passes the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx for the current CPU again and uses that to get the corresponding Kyber context in the passed hctx. However, the thread may be preempted between the two calls to blk_mq_get_ctx(), and the ctx returned the second time may no longer correspond to the passed hctx. This "works" accidentally most of the time, but it can cause us to read garbage if the second ctx came from an hctx with more ctx's than the first one (i.e., if ctx->index_hw[hctx->type] > hctx->nr_ctx).

This manifested as this UBSAN array index out of bounds error reported by Jakub:

UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9
index 13106 is out of range for type 'long unsigned int [128]'
Call Trace:
 dump_stack+0xa4/0xe5
 ubsan_epilogue+0x5/0x40
 __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34
 queued_spin_lock_slowpath+0x476/0x480
 do_raw_spin_lock+0x1c2/0x1d0
 kyber_bio_merge+0x112/0x180
 blk_mq_submit_bio+0x1f5/0x1100
 submit_bio_noacct+0x7b0/0x870
 submit_bio+0xc2/0x3a0
 btrfs_map_bio+0x4f0/0x9d0
 btrfs_submit_data_bio+0x24e/0x310
 submit_one_bio+0x7f/0xb0
 submit_extent_page+0xc4/0x440
 __extent_writepage_io+0x2b8/0x5e0
 __extent_writepage+0x28d/0x6e0
 extent_write_cache_pages+0x4d7/0x7a0
 extent_writepages+0xa2/0x110
 do_writepages+0x8f/0x180
 __writeback_single_inode+0x99/0x7f0
 writeback_sb_inodes+0x34e/0x790
 __writeback_inodes_wb+0x9e/0x120
 wb_writeback+0x4d2/0x660
 wb_workfn+0x64d/0xa10
 process_one_work+0x53a/0xa80
 worker_thread+0x69/0x5b0
 kthread+0x20b/0x240
 ret_from_fork+0x1f/0x30

Only Kyber uses the hctx, so fix it by passing the request_queue to ->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can map the queues itself to avoid the mismatch.

CVE ID : CVE-2021-46984
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0b6b4b90b74c27bea968c214d820ba4254b903a5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2ef3c76540c49167a0bc3d5f80d00fd1fc4586df | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/54dbe2d2c1fcabf650c7a8b747601da355cd7f9f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a287cd84e047045f5a4d4da793414e848de627c6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/efed9a3337e341bd0989161b97453b52567bc59d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46985

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: ACPI: scan: Fix a memory leak in an error handling path If 'acpi_device_set_name()' fails, we must free 'acpi_device_bus_id->bus_id' or there is a (potential) memory leak.

CVE ID : CVE-2021-46985
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0c8bd174f0fc131bc9dfab35cd8784f59045da87 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5ab9857dde7c3ea3faef6b128d718cf8ba98721b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6901a4f795e0e8d65ae779cb37fc22e0bf294712 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/69cc821e89ce572884548ac54c4f80eec7a837a5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a7e17a8d421ae23c920240625b4413c7b94d94a4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c5c8f6ffc942cf42f990f22e35bcf4cbe9d8c2fb | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/dafd4c0b5e835db020cff11c74b4af9493a58e72 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e2381174daeae0ca35eddffef02dcc8de8c1ef8a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46986

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: gadget: Free gadget structure only after freeing endpoints As part of commit e81a7018d93a ("usb: dwc3: allocate gadget structure dynamically") the dwc3_gadget_release() was added which will free the dwc->gadget structure upon the device's removal when usb_del_gadget_udc() is called in dwc3_gadget_exit(). However, simply freeing the gadget results a dangling pointer situation: the endpoints created in dwc3_gadget_init_endpoints() have their dep->endpoint.ep_list members chained off the list_head anchored at dwc->gadget->ep_list. Thus when dwc->gadget is freed, the first dwc3_ep in the list now has a dangling prev pointer and likewise for the next pointer of the dwc3_ep at the tail of the list. The dwc3_gadget_free_endpoints() that follows will result in a use-after-free when it calls list_del(). This was caught by enabling KASAN and performing a driver unbind. The recent commit 568262bf5492 ("usb: dwc3: core: Add shutdown callback for dwc3") also exposes this as a panic during shutdown. There are a few possibilities to fix this. One could be to perform a list_del() of the gadget->ep_list itself which removes it from the rest of the dwc3_ep chain. Another approach is what this patch does, by splitting up the usb_del_gadget_udc() call into its separate "del" and "put" components. This allows dwc3_gadget_free_endpoints() to be called before the gadget is finally freed with usb_put_gadget().

CVE ID : CVE-2021-46986
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1ea775021282d90e1d08d696b7ab54aa75d688e5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b4b8e9601d7ee8806d2687f081a42485d27674a1 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bb9c74a5bd1462499fe5ccb1e3c5ac40dcfa9139 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bc0cdd72493236fb72b390ad38ce581e353c143c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46987

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock when cloning inline extents and using qgroups

There are a few exceptional cases where cloning an inline extent needs to copy the inline extent data into a page of the destination inode. When this happens, we end up starting a transaction while having a dirty page for the destination inode and while having the range locked in the destination's inode iotree too. Because when reserving metadata space for a transaction we may need to flush existing delalloc in case there is not enough free space, we have a mechanism in place to prevent a deadlock, which was introduced in commit 3d45f221ce627d ("btrfs: fix deadlock when cloning inline extent and low on free metadata space").

However when using qgroups, a transaction also reserves metadata qgroup space, which can also result in flushing delalloc in case there is not enough available space at the moment. When this happens we deadlock, since flushing delalloc requires locking the file range in the inode's iotree and the range was already locked at the very beginning of the clone operation, before attempting to start the transaction.

When this issue happens, stack traces like the following are reported:

[72747.556262] task:kworker/u81:9 state:D stack: 0 pid: 225 ppid: 2 flags:0x00004000
[72747.556268] Workqueue: writeback wb_workfn (flush-btrfs-1142)
[72747.556271] Call Trace:
[72747.556273] __schedule+0x296/0x760
[72747.556277] schedule+0x3c/0xa0
[72747.556279] io_schedule+0x12/0x40
[72747.556284] __lock_page+0x13c/0x280
[72747.556287] ? generic_file_readonly_mmap+0x70/0x70
[72747.556325] extent_write_cache_pages+0x22a/0x440 [btrfs]
[72747.556331] ? __set_page_dirty_nobuffers+0xe7/0x160
[72747.556358] ? set_extent_buffer_dirty+0x5e/0x80 [btrfs]
[72747.556362] ? update_group_capacity+0x25/0x210
[72747.556366] ? cpumask_next_and+0x1a/0x20
[72747.556391] extent_writepages+0x44/0xa0 [btrfs]
[72747.556394] do_writepages+0x41/0xd0
[72747.556398] __writeback_single_inode+0x39/0x2a0
[72747.556403] writeback_sb_inodes+0x1ea/0x440
[72747.556407] __writeback_inodes_wb+0x5f/0xc0
[72747.556410] wb_writeback+0x235/0x2b0
[72747.556414] ? get_nr_inodes+0x35/0x50
[72747.556417] wb_workfn+0x354/0x490
[72747.556420] ? newidle_balance+0x2c5/0x3e0
[72747.556424] process_one_work+0x1aa/0x340
[72747.556426] worker_thread+0x30/0x390
[72747.556429] ? create_worker+0x1a0/0x1a0
[72747.556432] kthread+0x116/0x130
[72747.556435] ? kthread_park+0x80/0x80
[72747.556438] ret_from_fork+0x1f/0x30
[72747.566958] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs]
[72747.566961] Call Trace:
[72747.566964] __schedule+0x296/0x760
[72747.566968] ? finish_wait+0x80/0x80
[72747.566970] schedule+0x3c/0xa0
[72747.566995] wait_extent_bit.constprop.68+0x13b/0x1c0 [btrfs]
[72747.566999] ? finish_wait+0x80/0x80
[72747.567024] lock_extent_bits+0x37/0x90 [btrfs]
[72747.567047] btrfs_invalidatepage+0x299/0x2c0 [btrfs]
[72747.567051] ? find_get_pages_range_tag+0x2cd/0x380
[72747.567076] __extent_writepage+0x203/0x320 [btrfs]
[72747.567102] extent_write_cache_pages+0x2bb/0x440 [btrfs]
[72747.567106] ? update_load_avg+0x7e/0x5f0
[72747.567109] ? enqueue_entity+0xf4/0x6f0
[72747.567134] extent_writepages+0x44/0xa0 [btrfs]
[72747.567137] ? enqueue_task_fair+0x93/0x6f0
[72747.567140] do_writepages+0x41/0xd0
[72747.567144] __filemap_fdatawrite_range+0xc7/0x100
[72747.567167] btrfs_run_delalloc_work+0x17/0x40 [btrfs]
[72747.567195] btrfs_work_helper+0xc2/0x300 [btrfs]
[72747.567200] process_one_work+0x1aa/0x340
[72747.567202] worker_thread+0x30/0x390
[72747.567205] ? create_worker+0x1a0/0x1a0
[72747.567208] kthread+0x116/0x130
[72747.567211] ? kthread_park+0x80/0x80
[72747.567214] ret_from_fork+0x1f/0x30
[72747.569686] task:fsstress state:D stack: ---truncated---

CVE ID : CVE-2021-46987
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/96157707c0420e3d3edfe046f1cc797fee117ade | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d5347827d0b4b2250cbce6eccaa1c81dc78d8651 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f9baa501b4fd6962257853d46ddffbc21f27e344 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46988

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: userfaultfd: release page in error path to avoid BUG_ON

Consider the following sequence of events:

1. Userspace issues a UFFD ioctl, which ends up calling into shmem_mfill_atomic_pte(). We successfully account the blocks, we shmem_alloc_page(), but then the copy_from_user() fails. We return -ENOENT. We don't release the page we allocated.
2. Our caller detects this error code, tries the copy_from_user() after dropping the mmap_lock, and retries, calling back into shmem_mfill_atomic_pte().
3. Meanwhile, let's say another process filled up the tmpfs being used.
4. So shmem_mfill_atomic_pte() fails to account blocks this time, and immediately returns - without releasing the page.

This triggers a BUG_ON in our caller, which asserts that the page should always be consumed, unless -ENOENT is returned.

To fix this, detect if we have such a "dangling" page when accounting fails, and if so, release it before returning.

CVE ID : CVE-2021-46988
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/07c9b834c97d0fa3402fb7f3f3b32df370a6ff1f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/140cfd9980124aecb6c03ef2e69c72d0548744de | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2d59a0ed8b26b8f3638d8afc31f839e27759f1f6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/319116227e52d49eee671f0aa278bac89b3c1b69 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7ed9d238c7dbb1fdb63ad96a6184985151b0171c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ad53127973034c63b5348715a1043d0e80ceb330 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b3f1731c6d7fbc1ebe3ed8eff6d6bec56d76ff43 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
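
Added example for the CVE-2021-46988 entry above; it is not kernel code and not part of the original feed. It models the page-ownership contract between shmem_mfill_atomic_pte() and its caller as a small C state machine: a page handed back through *pagep on -ENOENT is the caller's to retry with, and on every other return the callee must have consumed or released it. The allocator, the install step, the BUG_ON_HIT sentinel and all function names ending in _sim are this example's own; the two bool knobs inject the copy failure and the "tmpfs filled up" accounting failure from the sequence in the commit message. A counter of outstanding pages stands in for the reference a leaked page would keep.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Simulated page allocator; pages_outstanding counts pages nobody owns yet. */
struct page { unsigned char data[64]; };
static int pages_outstanding;

static struct page *alloc_page_sim(void)
{
    pages_outstanding++;
    return calloc(1, sizeof(struct page));
}

static void put_page_sim(struct page *p)
{
    pages_outstanding--;
    free(p);
}

/* Installing the page into the mapping transfers ownership; in this model
 * that is the same as consuming it. */
static void install_page_sim(struct page *p) { put_page_sim(p); }

#define BUG_ON_HIT (-9999)   /* sentinel for the caller's BUG_ON(); chosen for this example */

/* Model of shmem_mfill_atomic_pte() control flow. *pagep carries a page
 * across the retry. account_ok / copy_ok are fault-injection knobs; `fixed`
 * selects the patched behaviour on the accounting-failure path. */
static int mfill_atomic_pte_sim(struct page **pagep, bool account_ok, bool copy_ok, bool fixed)
{
    struct page *page;

    if (!account_ok) {
        /* The fix: a page left over from an earlier -ENOENT round must be
         * released here, otherwise it dangles while we return an error the
         * caller treats as "page consumed". */
        if (fixed && *pagep) {
            put_page_sim(*pagep);
            *pagep = NULL;
        }
        return -ENOMEM;
    }

    if (!*pagep) {
        page = alloc_page_sim();
        if (!page)
            return -ENOMEM;
        if (!copy_ok) {
            *pagep = page;          /* hand the page back so the caller can retry */
            return -ENOENT;
        }
    } else {
        page = *pagep;              /* retry round: reuse the page from last time */
        *pagep = NULL;
    }

    install_page_sim(page);
    return 0;
}

/* Model of the caller: round one fails the copy (-ENOENT), the retry either
 * accounts fine or hits a full tmpfs. Returns the final status, or BUG_ON_HIT
 * where the kernel's BUG_ON(page) would fire; in that case the page is left
 * dangling on purpose so leaked_pages() can show it. */
static int mfill_caller_sim(bool retry_account_ok, bool fixed)
{
    struct page *page = NULL;
    int ret;

    pages_outstanding = 0;
    ret = mfill_atomic_pte_sim(&page, true, false, fixed);   /* copy_from_user() fails */
    if (ret != -ENOENT || !page)
        return ret;
    ret = mfill_atomic_pte_sim(&page, retry_account_ok, true, fixed);
    if (ret != -ENOENT && page)
        return BUG_ON_HIT;
    return ret;
}

static int leaked_pages(void) { return pages_outstanding; }

int main(void)
{
    int ret = mfill_caller_sim(false, false);
    printf("unpatched, tmpfs full on retry: ret=%d leaked=%d\n", ret, leaked_pages());
    ret = mfill_caller_sim(false, true);
    printf("patched,   tmpfs full on retry: ret=%d leaked=%d\n", ret, leaked_pages());
    return 0;
}
```

Only the combination "page handed back earlier" plus "accounting fails now" trips the sentinel; the happy path and the patched error path both end with zero outstanding pages, which is the invariant the caller's BUG_ON encodes.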


Vulnerability ID : CVE-2021-46989

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: hfsplus: prevent corruption in shrinking truncate

I believe there are some issues introduced by commit 31651c607151 ("hfsplus: avoid deadlock on file truncation")

HFS+ has extent records which always contain 8 extents. In case the first extent record in catalog file gets full, new ones are allocated from extents overflow file.

In case shrinking truncate happens to middle of an extent record which locates in extents overflow file, the logic in hfsplus_file_truncate() was changed so that call to hfs_brec_remove() is not guarded any more.

Right action would be just freeing the extents that exceed the new size inside extent record by calling hfsplus_free_extents(), and then check if the whole extent record should be removed. However since the guard (blk_cnt > start) is now after the call to hfs_brec_remove(), this has unfortunate effect that the last matching extent record is removed unconditionally.

To reproduce this issue, create a file which has at least 10 extents, and then perform shrinking truncate into middle of the last extent record, so that the number of remaining extents is not under or divisible by 8. This causes the last extent record (8 extents) to be removed totally instead of truncating into middle of it. Thus this causes corruption, and lost data.

Fix for this is simply checking if the new truncated end is below the start of this extent record, making it safe to remove the full extent record. However call to hfs_brec_remove() can't be moved to its previous place since we're dropping ->tree_lock and it can cause a race condition and the cached info being invalidated possibly corrupting the node data.

Another issue is related to this one. When entering into the block (blk_cnt > start) we are not holding the ->tree_lock. We break out from the loop not holding the lock, but hfs_find_exit() does unlock it. Not sure if it's possible for someone else to take the lock under our feet, but it can cause hard to debug errors and premature unlocking. Even if there's no real risk of it, the locking should still always be kept in balance. Thus taking the lock now just before the check.

CVE ID : CVE-2021-46989
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/52dde855663e5db824af51db39b5757d2ef3e28a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/97314e45aa1223a42d60256a62c5d9af54baf446 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/adbd8a2a8cc05d9e501f93e5c95c59307874cc99 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c3187cf32216313fb316084efac4dab3a8459b1d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c451a6bafb5f422197d31536f82116aed132b72c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c477f62db1a0c0ecaa60a29713006ceeeb04b685 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46990

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix crashes when toggling entry flush barrier The entry flush mitigation can be enabled/disabled at runtime via a debugfs file (entry_flush), which causes the kernel to patch itself to enable/disable the relevant mitigations. However depending on which mitigation we're using, it may not be safe to do that patching while other CPUs are active. For example the following crash: sleeper[15639]: segfault (11) at c000000000004c20 nip c000000000004c20 lr c000000000004c20 Shows that we returned to userspace with a corrupted LR that points into the kernel, due to executing the partially patched call to the fallback entry flush (ie. we missed the LR restore). Fix it by doing the patching under stop machine. The CPUs that aren't doing the patching will be spinning in the core of the stop machine logic. That is currently sufficient for our purposes, because none of the patching we do is to that code or anywhere in the vicinity.

CVE ID : CVE-2021-46990
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0b4eb172cc12dc102cd0ad013e53ee4463db9508 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/0c25a7bb697f2e6ee65b6d63782f675bf129511a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2db22ba4e0e103f00e0512e0ecce36ac78c644f8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5bc00fdda1e934c557351a9c751a205293e68cbf | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8382b15864e5014261b4f36c2aa89723612ee058 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/aec86b052df6541cc97c5fca44e5934cbea4963b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d2e3590ca39ccfd8a5a46d8c7f095cb6c7b9ae92 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/dd0d6117052faace5440db20fc37175efe921c7d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ee4b7aab93c2631c3bb0753023c5dda592bb666b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46991

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: i40e: Fix use-after-free in i40e_client_subtask() Currently the call to i40e_client_del_instance frees the object pf->cinst, however pf->cinst->lan_info is being accessed after the free. Fix this by adding the missing return. Addresses-Coverity: ("Read from pointer after free")

CVE ID : CVE-2021-46991
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1fd5d262e7442192ac7611ff1597a36c5b044323 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/38318f23a7ef86a8b1862e5e8078c4de121960c3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4ebc10aa7cd17fd9857dedac69600465c9dd16d1 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/829a713450b8fb127cbabfc1244c1d8179ec5107 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c1322eaeb8af0d8985b5cc5fa759140fa0e57b84 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d718c15a2bf9ae082d5ae4d177fb19ef23cb4132 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46992

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: avoid overflows in nft_hash_buckets()

Number of buckets being stored in 32bit variables, we have to ensure that no overflows occur in nft_hash_buckets()

syzbot injected a size == 0x40000000 and reported:

UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 1 PID: 29539 Comm: syz-executor.4 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
 __roundup_pow_of_two include/linux/log2.h:57 [inline]
 nft_hash_buckets net/netfilter/nft_set_hash.c:411 [inline]
 nft_hash_estimate.cold+0x19/0x1e net/netfilter/nft_set_hash.c:652
 nft_select_set_ops net/netfilter/nf_tables_api.c:3586 [inline]
 nf_tables_newset+0xe62/0x3110 net/netfilter/nf_tables_api.c:4322
 nfnetlink_rcv_batch+0xa09/0x24b0 net/netfilter/nfnetlink.c:488
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:612 [inline]
 nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:630
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46

CVE ID : CVE-2021-46992
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1e8ab479cfbe5751efccedb95afb9b112a5ba475 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2824cafc6a93792d9ad85939c499161214d84c4b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/72b49dd116ca00a46a11d5a4d8d7987f05ed9cd7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a388d10961ff8578b1a6691945d406c0f33aa71b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a54754ec9891830ba548e2010c889e3c8146e449 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c77e2ef18167ad334e27610ced9a7f6af5ec1787 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/efcd730ddd6f25578bd31bfe703e593e2421d708 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
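
Added example for the CVE-2021-46992 entry above; it is not the kernel's code and not part of the original feed. It shows why a 32-bit size * 4 / 3 followed by roundup_pow_of_two() produces the "shift exponent 64" report: the multiply wraps to 0 for the syzbot value 0x40000000, and __roundup_pow_of_two(0) computes 1UL << fls_long(0 - 1), a 64-bit shift. The fls64 and round-up helpers are models written for this example (the model returns 0 instead of executing the undefined shift), and the guarded variant is an illustrative hardening written here, not the text of the upstream patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of fls64(): 1-based index of the highest set bit, 0 for x == 0. */
static int fls64_model(uint64_t x)
{
    int n = 0;
    while (x) { n++; x >>= 1; }
    return n;
}

/* Model of __roundup_pow_of_two(n) == 1UL << fls_long(n - 1).
 * For n == 0 the subtraction wraps to all ones, fls_long() returns 64 and the
 * kernel would execute 1UL << 64: the UBSAN "shift exponent 64" above.
 * The model returns 0 (never a valid power of two) instead of doing it. */
static uint64_t roundup_pow_of_two_model(uint64_t n)
{
    int shift = fls64_model(n - 1);
    if (shift >= 64)
        return 0;
    return (uint64_t)1 << shift;
}

/* True when size * 4 does not fit in 32 bits, i.e. the unguarded path wraps. */
static int nft_size_wraps_u32(uint32_t size)
{
    return size > UINT32_MAX / 4;
}

/* Pre-fix shape of the computation: size * 4 / 3 evaluated in 32 bits.
 * For size == 0x40000000, size * 4 wraps to 0, the divide yields 0 and
 * roundup_pow_of_two(0) is reached. */
static uint64_t nft_hash_buckets_unguarded(uint32_t size)
{
    uint32_t n = (uint32_t)(size * 4u) / 3u;
    return roundup_pow_of_two_model(n);
}

/* Guarded variant (illustrative, written for this example): widen to 64 bits
 * before multiplying, never pass 0 to the round-up, and cap the result so it
 * always fits the 32-bit bucket count the caller stores. */
static uint64_t nft_hash_buckets_guarded(uint32_t size)
{
    uint64_t n = (uint64_t)size * 4 / 3;
    if (n == 0)
        n = 1;
    if (n > ((uint64_t)1 << 31))
        return (uint64_t)1 << 31;
    return roundup_pow_of_two_model(n);
}

int main(void)
{
    uint32_t sizes[] = { 1000u, 0x3fffffffu, 0x40000000u, 0xffffffffu };
    for (unsigned i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("size=0x%08x wraps=%d unguarded=%llu guarded=%llu\n", sizes[i],
               nft_size_wraps_u32(sizes[i]),
               (unsigned long long)nft_hash_buckets_unguarded(sizes[i]),
               (unsigned long long)nft_hash_buckets_guarded(sizes[i]));
    return 0;
}
```

The unguarded function returns 0 (the model's stand-in for the undefined shift) exactly at the first size whose quadruple no longer fits 32 bits; the guarded one keeps returning a real power of two all the way up to UINT32_MAX.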


Vulnerability ID : CVE-2021-46993

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: sched: Fix out-of-bound access in uclamp Util-clamp places tasks in different buckets based on their clamp values for performance reasons. However, the size of buckets is currently computed using a rounding division, which can lead to an off-by-one error in some configurations. For instance, with 20 buckets, the bucket size will be 1024/20=51. A task with a clamp of 1024 will be mapped to bucket id 1024/51=20. Sadly, correct indexes are in range [0,19], hence leading to an out of bound memory access. Clamp the bucket id to fix the issue.

CVE ID : CVE-2021-46993
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/3da3f804b82a0a382d523a21acf4cf3bb35f936d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/42ee47c7e3569d9a0e2cb5053c496d97d380472f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/687f523c134b7f0bd040ee1230f6d17990d54172 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6d2f8909a5fabb73fe2a63918117943986c39b6c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f7347c85490b92dd144fa1fba9e1eca501656ab3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
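
Added example for the CVE-2021-46993 entry above; it is not the scheduler's code and not part of the original feed. It reproduces the bucket arithmetic in plain C (a DIV_ROUND_CLOSEST for unsigned operands, the 1024 capacity scale, and a configurable bucket count) and scans every legal clamp value to count how many land past the end of the bucket array, which makes the "in some configurations" remark concrete: 20 buckets give five bad values, 16 give one, 5 give none. The function names bucket_delta, bucket_id_unclamped, bucket_id_clamped and out_of_range_count are this example's own.

```c
#include <stdio.h>

/* Kernel-style constants and helper, reproduced in shape for this example.
 * DIV_ROUND_CLOSEST here is the unsigned-only form. */
#define SCHED_CAPACITY_SCALE 1024u
#define DIV_ROUND_CLOSEST(x, d) (((x) + (d) / 2) / (d))

/* Bucket width: 1024 / nr_buckets with rounding, as UCLAMP_BUCKET_DELTA does.
 * With 20 buckets this is 51, so 20 * 51 = 1020 < 1024. */
static unsigned int bucket_delta(unsigned int nr_buckets)
{
    return DIV_ROUND_CLOSEST(SCHED_CAPACITY_SCALE, nr_buckets);
}

/* Pre-fix mapping: plain division; can return nr_buckets itself for
 * clamp values at the top of the range. */
static unsigned int bucket_id_unclamped(unsigned int nr_buckets, unsigned int clamp)
{
    return clamp / bucket_delta(nr_buckets);
}

/* Fixed mapping: clamp the index into [0, nr_buckets - 1]. */
static unsigned int bucket_id_clamped(unsigned int nr_buckets, unsigned int clamp)
{
    unsigned int id = clamp / bucket_delta(nr_buckets);
    return id < nr_buckets ? id : nr_buckets - 1;
}

/* Counts how many legal clamp values (0..1024) the given mapper sends past
 * the end of an array with nr_buckets entries. */
static unsigned int out_of_range_count(unsigned int nr_buckets,
                                       unsigned int (*mapper)(unsigned int, unsigned int))
{
    unsigned int bad = 0;
    for (unsigned int clamp = 0; clamp <= SCHED_CAPACITY_SCALE; clamp++)
        if (mapper(nr_buckets, clamp) >= nr_buckets)
            bad++;
    return bad;
}

int main(void)
{
    unsigned int configs[] = { 5u, 7u, 16u, 20u };
    for (unsigned i = 0; i < sizeof configs / sizeof configs[0]; i++)
        printf("%2u buckets: delta=%3u unclamped OOB=%u clamped OOB=%u\n",
               configs[i], bucket_delta(configs[i]),
               out_of_range_count(configs[i], bucket_id_unclamped),
               out_of_range_count(configs[i], bucket_id_clamped));
    return 0;
}
```

Whether the off-by-one exists depends only on whether nr_buckets * bucket_delta is below 1024, which is why some CONFIG_UCLAMP_BUCKETS_COUNT values never expose it; the clamped mapper is safe for every bucket count.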


Vulnerability ID : CVE-2021-46994

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix resume from sleep before interface was brought up Since 8ce8c0abcba3 the driver queues work via priv->restart_work when resuming after suspend, even when the interface was not previously enabled. This causes a null dereference error as the workqueue is only allocated and initialized in mcp251x_open(). To fix this we move the workqueue init to mcp251x_can_probe() as there is no reason to do it later and repeat it whenever mcp251x_open() is called. [mkl: fix error handling in mcp251x_stop()]

CVE ID : CVE-2021-46994
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/03c427147b2d3e503af258711af4fc792b89b0af | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6f8f1c27b577de15f69fefce3c502bb6300d825c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e1e10a390fd9479209c4d834d916ca5e6d5d396b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/eecb4df8ec9f896b19ee05bfa632ac6c1dcd8f21 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46995

First published on : 28-02-2024 09:15:37
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: can: mcp251xfd: mcp251xfd_probe(): fix an error pointer dereference in probe When we converted this code to use dev_err_probe() we accidentally removed a return. It means that if devm_clk_get() fails it will lead to an Oops when we call clk_get_rate() on the next line.

CVE ID : CVE-2021-46995
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/15f8f96ec7fc35024d4e03296e4d838fcea33d83 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4cc7faa406975b460aa674606291dea197c1210c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46996

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: Fix a memleak from userdata error path in new objects Release object name if userdata allocation fails.

CVE ID : CVE-2021-46996
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/2c784a500f5edd337258b0fdb2f31bc9abde1a23 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/59fa98bfa1f4013d658d990cac88c87b46ff410c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/85dfd816fabfc16e71786eda0a33a7046688b5b0 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/dd3bebf515f336214a91994348a2b86b9a1d3d7f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46997

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: arm64: entry: always set GIC_PRIO_PSR_I_SET during entry

Zenghui reports that booting a kernel with "irqchip.gicv3_pseudo_nmi=1" on the command line hits a warning during kernel entry, due to the way we manipulate the PMR.

Early in the entry sequence, we call lockdep_hardirqs_off() to inform lockdep that interrupts have been masked (as the HW sets DAIF when entering an exception). Architecturally PMR_EL1 is not affected by exception entry, and we don't set GIC_PRIO_PSR_I_SET in the PMR early in the exception entry sequence, so early in exception entry the PMR can indicate that interrupts are unmasked even though they are masked by DAIF.

If DEBUG_LOCKDEP is selected, lockdep_hardirqs_off() will check that interrupts are masked, before we set GIC_PRIO_PSR_I_SET in any of the exception entry paths, and hence lockdep_hardirqs_off() will WARN() that something is amiss.

We can avoid this by consistently setting GIC_PRIO_PSR_I_SET during exception entry so that kernel code sees a consistent environment. We must also update local_daif_inherit() to undo this, as it currently only touches DAIF. For other paths, local_daif_restore() will update both DAIF and the PMR. With this done, we can remove the existing special cases which set this later in the entry code.

We always use (GIC_PRIO_IRQON | GIC_PRIO_PSR_I_SET) for consistency with local_daif_save(), as this will warn if it ever encounters (GIC_PRIO_IRQOFF | GIC_PRIO_PSR_I_SET), and never sets this itself. This matches the gic_prio_kentry_setup that we have to retain for ret_to_user.

The original splat from Zenghui's report was:

| DEBUG_LOCKS_WARN_ON(!irqs_disabled())
| WARNING: CPU: 3 PID: 125 at kernel/locking/lockdep.c:4258 lockdep_hardirqs_off+0xd4/0xe8
| Modules linked in:
| CPU: 3 PID: 125 Comm: modprobe Tainted: G W 5.12.0-rc8+ #463
| Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
| pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO BTYPE=--)
| pc : lockdep_hardirqs_off+0xd4/0xe8
| lr : lockdep_hardirqs_off+0xd4/0xe8
| sp : ffff80002a39bad0
| pmr_save: 000000e0
| x29: ffff80002a39bad0 x28: ffff0000de214bc0
| x27: ffff0000de1c0400 x26: 000000000049b328
| x25: 0000000000406f30 x24: ffff0000de1c00a0
| x23: 0000000020400005 x22: ffff8000105f747c
| x21: 0000000096000044 x20: 0000000000498ef9
| x19: ffff80002a39bc88 x18: ffffffffffffffff
| x17: 0000000000000000 x16: ffff800011c61eb0
| x15: ffff800011700a88 x14: 0720072007200720
| x13: 0720072007200720 x12: 0720072007200720
| x11: 0720072007200720 x10: 0720072007200720
| x9 : ffff80002a39bad0 x8 : ffff80002a39bad0
| x7 : ffff8000119f0800 x6 : c0000000ffff7fff
| x5 : ffff8000119f07a8 x4 : 0000000000000001
| x3 : 9bcdab23f2432800 x2 : ffff800011730538
| x1 : 9bcdab23f2432800 x0 : 0000000000000000
| Call trace:
|  lockdep_hardirqs_off+0xd4/0xe8
|  enter_from_kernel_mode.isra.5+0x7c/0xa8
|  el1_abort+0x24/0x100
|  el1_sync_handler+0x80/0xd0
|  el1_sync+0x6c/0x100
|  __arch_clear_user+0xc/0x90
|  load_elf_binary+0x9fc/0x1450
|  bprm_execve+0x404/0x880
|  kernel_execve+0x180/0x188
|  call_usermodehelper_exec_async+0xdc/0x158
|  ret_from_fork+0x10/0x18

CVE ID : CVE-2021-46997
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/4d6a38da8e79e94cbd1344aa90876f0f805db705 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/51524fa8b5f7b879ba569227738375d283b79382 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d8d52005f57bbb4a4ec02f647e2555d327135c68 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e67a83f078005461b59b4c776e6b5addd11725fa | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46998

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: ethernet:enic: Fix a use after free bug in enic_hard_start_xmit In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside enic_queue_wq_skb, if some error happens, the skb will be freed by dev_kfree_skb(skb). But the freed skb is still used in skb_tx_timestamp(skb). My patch makes enic_queue_wq_skb() return an error and goto spin_unlock() in case of error. The solution is provided by Govind. See https://lkml.org/lkml/2021/4/30/961.

CVE ID : CVE-2021-46998
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/25a87b1f566b5eb2af2857a928f0e2310d900976 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/643001b47adc844ae33510c4bb93c236667008a3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6892396ebf04ea2c021d80e10f4075e014cd7cc3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7afdd6aba95c8a526038e7abe283eeac3e4320f1 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d90529392aaf498dafa95d212295d64b2cea4e24 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f7f6f07774091a6ddd98500b85386c3c6afb30d3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46999

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: sctp: do asoc update earlier in sctp_sf_do_dupcook_a There's a panic that occurs in a few envs, the call trace is as below:
[] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI
[] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp]
[] sctp_assoc_control_transport+0x1b9/0x210 [sctp]
[] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp]
[] sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp]
[] sctp_do_sm+0xc3/0x2a0 [sctp]
[] sctp_generate_timeout_event+0x81/0xf0 [sctp]
This is caused by a transport use-after-free issue. When processing a duplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK and SHUTDOWN chunks are allocated with the transport from the new asoc. However, later in the side-effect machine, the old asoc is used to send them out and the old asoc's shutdown_last_sent_to is set to the transport that the SHUTDOWN chunk is attached to in sctp_cmd_setup_t2(), which actually belongs to the new asoc. After the new_asoc is freed and the old asoc's T2 times out, the old asoc's shutdown_last_sent_to, which is already freed, would be accessed in sctp_sf_t2_timer_expire(). Thanks Alexander and Jere for helping dig into this issue. To fix it, this patch is to do the asoc update first, then allocate the COOKIE-ACK and SHUTDOWN chunks with the 'updated' old asoc. This would make more sense, as a chunk from an asoc shouldn't be sent out with another asoc. We had fixed quite a few issues caused by this.

CVE ID : CVE-2021-46999
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0bfd913c2121b3d553bfd52810fe6061d542d625 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/35b4f24415c854cd718ccdf38dbea6297f010aae | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/61b877bad9bb0d82b7d8841be50872557090a704 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b1b31948c0af44628e43353828453461bb74098f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d624f2991b977821375fbd56c91b0c91d456a697 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f01988ecf3654f805282dce2d3bb9afe68d2691e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47000

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: ceph: fix inode leak on getattr error in __fh_to_dentry

CVE ID : CVE-2021-47000
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0a219432127d396120fc88cabd82785e0ff72a2f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/1775c7ddacfcea29051c67409087578f8f4d751b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/22fa4c8288f1ec40f6d62d7a32c57ac176f9f0bc | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2ad8af2b70e986284050213230428b823b950a38 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bf45c9fe99aa8003d2703f1bd353f956dea47e40 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47001

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: xprtrdma: Fix cwnd update ordering After a reconnect, the reply handler is opening the cwnd (and thus enabling more RPC Calls to be sent) /before/ rpcrdma_post_recvs() can post enough Receive WRs to receive their replies. This causes an RNR and the new connection is lost immediately. The race is most clearly exposed when KASAN and disconnect injection are enabled. This slows down rpcrdma_rep_create() enough to allow the send side to post a bunch of RPC Calls before the Receive completion handler can invoke ib_post_recv().

CVE ID : CVE-2021-47001
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/19b5fa9489b5706bc878c3a522a7f771079e2fa0 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/35d8b10a25884050bb3b0149b62c3818ec59f77c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8834ecb5df22b7ff3c9b0deba7726579bb613f95 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/eddae8be7944096419c2ae29477a45f767d0fcd4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47002

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix null pointer dereference in svc_rqst_free() When alloc_pages_node() returns null in svc_rqst_alloc(), the null rq_scratch_page pointer will be dereferenced when calling put_page() in svc_rqst_free(). Fix it by adding a null check. Addresses-Coverity: ("Dereference after null check")

CVE ID : CVE-2021-47002
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1e10f58f1c9a6b667b045513c7a4e6111c24fe7c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b9f83ffaa0c096b4c832a43964fe6bff3acffe10 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c664aaec9aee544538a78ba4893a44bc73a6d742 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47003

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix potential null dereference on pointer status There are calls to idxd_cmd_exec that pass a null status pointer; however, a recent commit has added an assignment to *status that can end up with a null pointer dereference. The function expects a null status pointer sometimes, as there is a later assignment to *status where status is first null checked. Fix the issue by null checking status before making the assignment. Addresses-Coverity: ("Explicit null dereferenced")

CVE ID : CVE-2021-47003
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/2280b4cc29d8cdd2be3d1b2d1ea4f958e2131c97 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/28ac8e03c43dfc6a703aa420d18222540b801120 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5756f757c72501ef1a16f5f63f940623044180e9 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7bc402f843e7817a4a808e7b9ab0bcd7ffd55bfa | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47004

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid touching checkpointed data in get_victim() In CP disabling mode, there are two issues when using LFS or SSR | AT_SSR mode to select victim:
1. LFS is set to find source section during GC, the victim should have no checkpointed data, since after GC, section could not be set free for reuse. Previously, we only check valid chpt blocks in current segment rather than section, fix it.
2. SSR | AT_SSR are set to find target segment for writes which can be fully filled by checkpointed and newly written blocks, we should never select such segment, otherwise it can cause panic or data corruption during allocation, potential case is described as below:
a) target segment has 'n' (n < 512) ckpt valid blocks
b) GC migrates 'n' valid blocks to other segment (segment is still in dirty list)
c) GC migrates '512 - n' blocks to target segment (segment has 'n' cp_vblocks and '512 - n' vblocks)
d) If GC selects target segment via {AT,}SSR allocator, however there is no free space in target segment.

CVE ID : CVE-2021-47004
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/105155a8146ddb54c119d8318964eef3859d109d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/1e116f87825f01a6380286472196882746b16f63 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/211372b2571520e394b56b431a0705586013b3ff | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/61461fc921b756ae16e64243f72af2bfc2e620db | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47005

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix NULL pointer dereference for ->get_features() get_features ops of pci_epc_ops may return NULL, causing NULL pointer dereference in pci_epf_test_alloc_space function. Let us add a check for pci_epc_feature pointer in pci_epf_test_bind before we access it to avoid any such NULL pointer dereference and return -ENOTSUPP in case pci_epc_feature is not found. When the patch is not applied and EPC features are not implemented in the platform driver, we see the following dump due to kernel NULL pointer dereference.
Call trace:
pci_epf_test_bind+0xf4/0x388
pci_epf_bind+0x3c/0x80
pci_epc_epf_link+0xa8/0xcc
configfs_symlink+0x1a4/0x48c
vfs_symlink+0x104/0x184
do_symlinkat+0x80/0xd4
__arm64_sys_symlinkat+0x1c/0x24
el0_svc_common.constprop.3+0xb8/0x170
el0_svc_handler+0x70/0x88
el0_svc+0x8/0x640
Code: d2800581 b9403ab9 f9404ebb 8b394f60 (f9400400)
---[ end trace a438e3c5a24f9df0 ]---

CVE ID : CVE-2021-47005
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0169d4f0bee44fdfef908c13ed21fcb326c38695 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6613bc2301ba291a1c5a90e1dc24cf3edf223c03 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/679ebad058b8168f10e63876d63b0877fd2fe784 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bbed83d7060e07a5d309104d25a00f0a24441428 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47006

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: ARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook The commit 1879445dfa7b ("perf/core: Set event's default ::overflow_handler()") set a default event->overflow_handler in perf_event_alloc(), and replaced the check of event->overflow_handler with is_default_overflow_handler(), but one is missing. Currently, the bp->overflow_handler can not be NULL. As a result, enable_single_step() is never invoked. Comments from Zhen Lei: https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/

CVE ID : CVE-2021-47006
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/3ed8832aeaa9a37b0fc386bb72ff604352567c80 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/555a70f7fff03bd669123487905c47ae27dbdaac | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/630146203108bf6b8934eec0dfdb3e46dcb917de | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7eeacc6728c5478e3c01bc82a1f08958eaa12366 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a506bd5756290821a4314f502b4bafc2afcf5260 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a9938d6d78a238d6ab8de57a4d3dcf77adceb9bb | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/dabe299425b1a53a69461fed7ac8922ea6733a25 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ed1f67465327cec4457bb988775245b199da86e6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47007

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix panic during f2fs_resize_fs() f2fs_resize_fs() hangs in below callstack with testcase:
- mkfs 16GB image & mount image
- dd 8GB fileA
- dd 8GB fileB
- sync
- rm fileA
- sync
- resize filesystem to 8GB
kernel BUG at segment.c:2484!
Call Trace:
allocate_segment_by_default+0x92/0xf0 [f2fs]
f2fs_allocate_data_block+0x44b/0x7e0 [f2fs]
do_write_page+0x5a/0x110 [f2fs]
f2fs_outplace_write_data+0x55/0x100 [f2fs]
f2fs_do_write_data_page+0x392/0x850 [f2fs]
move_data_page+0x233/0x320 [f2fs]
do_garbage_collect+0x14d9/0x1660 [f2fs]
free_segment_range+0x1f7/0x310 [f2fs]
f2fs_resize_fs+0x118/0x330 [f2fs]
__f2fs_ioctl+0x487/0x3680 [f2fs]
__x64_sys_ioctl+0x8e/0xd0
do_syscall_64+0x33/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The root cause is we forgot to check whether we have enough space in the resized filesystem to store all valid blocks in the before-resizing filesystem, so the allocator will run out of space during block migration in free_segment_range().

CVE ID : CVE-2021-47007
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1c20a4896409f5ca1c770e1880c33d0a28a8b10f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3ab0598e6d860ef49d029943ba80f627c15c15d6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/822054e5026c43b1dd60cf387dd999e95ee2ecc2 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/860afd680d9cc1dabd61cda3cd246f60aa1eb705 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47008

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Make sure GHCB is mapped before updating Access to the GHCB is mainly in the VMGEXIT path and it is known that the GHCB will be mapped. But there are two paths where it is possible the GHCB might not be mapped. The sev_vcpu_deliver_sipi_vector() routine will update the GHCB to inform the caller of the AP Reset Hold NAE event that a SIPI has been delivered. However, if a SIPI is performed without a corresponding AP Reset Hold, then the GHCB might not be mapped (depending on the previous VMEXIT), which will result in a NULL pointer dereference. The svm_complete_emulated_msr() routine will update the GHCB to inform the caller of a RDMSR/WRMSR operation about any errors. While it is likely that the GHCB will be mapped in this situation, add a safeguard in this path to be certain a NULL pointer dereference is not encountered.

CVE ID : CVE-2021-47008
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/a3ba26ecfb569f4aa3f867e80c02aa65f20aadad | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/fb9e14f4f8217a0980f8da2c8ff70dee058cbe47 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/fd722a57fe0b80133dacae4e1c852ee4212f9b2e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47009

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix memory leak on object td Two error return paths are neglecting to free allocated object td, causing a memory leak. Fix this by returning via the error return path that securely kfree's td. Fixes clang scan-build warning: security/keys/trusted-keys/trusted_tpm1.c:496:10: warning: Potential memory leak [unix.Malloc]

CVE ID : CVE-2021-47009
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1c4031014106aff48e1e686e40101c31eab5d44c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/31c9a4b24d86cbb36ff0d7a085725a3b4f0138c8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3e24fbd37e72e8a67b74991970fecc82d14f57af | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/83a775d5f9bfda95b1c295f95a3a041a40c7f321 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47010

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: net: Only allow init netns to set default tcp cong to a restricted algo tcp_set_default_congestion_control() is netns-safe in that it writes to &net->ipv4.tcp_congestion_control, but it also sets ca->flags |= TCP_CONG_NON_RESTRICTED which is not namespaced. This has the unintended side-effect of changing the global net.ipv4.tcp_allowed_congestion_control sysctl, despite the fact that it is read-only: 97684f0970f6 ("net: Make tcp_allowed_congestion_control readonly in non-init netns") Resolve this netns "leak" by only allowing the init netns to set the default algorithm to one that is restricted. This restriction could be removed if tcp_allowed_congestion_control were namespace-ified in the future. This bug was uncovered with https://github.com/JonathonReinhart/linux-netns-sysctl-verify

CVE ID : CVE-2021-47010
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/6c1ea8bee75df8fe2184a50fcd0f70bf82986f42 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8d432592f30fcc34ef5a10aac4887b4897884493 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9884f745108f7d25b189bbcd6754e284fb29ab68 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/992de06308d9a9584d59b96d294ac676f924e437 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e7d7bedd507bb732e600403b7a96f9fe48d0ca31 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/efe1532a6e1a8e3c343d04fff510f0ed80328f9c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47011

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: mm: memcontrol: slab: fix obtain a reference to a freeing memcg Patch series "Use obj_cgroup APIs to charge kmem pages", v5. Since Roman's series "The new cgroup slab memory controller" was applied, all slab objects are charged with the new APIs of obj_cgroup. The new APIs introduce a struct obj_cgroup to charge slab objects. It prevents long-living objects from pinning the original memory cgroup in the memory. But there are still some corner objects (e.g. allocations larger than order-1 page on SLUB) which are not charged with the new APIs. Those objects (including the pages which are allocated from the buddy allocator directly) are charged as kmem pages which still hold a reference to the memory cgroup. E.g. we know that the kernel stack is charged as kmem pages because the size of the kernel stack can be greater than 2 pages (e.g. 16KB on x86_64 or arm64). If we create a thread (suppose the thread stack is charged to memory cgroup A) and then move it from memory cgroup A to memory cgroup B, then because the kernel stack of the thread holds a reference to the memory cgroup A, the thread can pin the memory cgroup A in the memory even if we remove the cgroup A. If we want to see this scenario, we can use the following script. We can see that the system has added 500 dying cgroups (this is not a real world issue, just a script to show that the large kmallocs are charged as kmem pages which can pin the memory cgroup in the memory).
#!/bin/bash
cat /proc/cgroups | grep memory
cd /sys/fs/cgroup/memory
echo 1 > memory.move_charge_at_immigrate
for i in range{1..500}
do
    mkdir kmem_test
    echo $$ > kmem_test/cgroup.procs
    sleep 3600 &
    echo $$ > cgroup.procs
    echo `cat kmem_test/cgroup.procs` > cgroup.procs
    rmdir kmem_test
done
cat /proc/cgroups | grep memory
This patchset aims to make those kmem pages drop the reference to the memory cgroup by using the APIs of obj_cgroup. Finally, we can see that the number of the dying cgroups will not increase if we run the above test script.
This patch (of 7): The rcu_read_lock/unlock only can guarantee that the memcg will not be freed, but it cannot guarantee the success of css_get (which is in the refill_stock when the cached memcg changed) to memcg.
rcu_read_lock()
memcg = obj_cgroup_memcg(old)
__memcg_kmem_uncharge(memcg)
    refill_stock(memcg)
        if (stock->cached != memcg)
            // css_get can change the ref counter from 0 back to 1.
            css_get(&memcg->css)
rcu_read_unlock()
This fix is very like the commit: eefbfa7fd678 ("mm: memcg/slab: fix use after free in obj_cgroup_charge") Fix this by holding a reference to the memcg which is passed to the __memcg_kmem_uncharge() before calling __memcg_kmem_uncharge().

CVE ID : CVE-2021-47011
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/31df8bc4d3feca9f9c6b2cd06fd64a111ae1a0e6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/89b1ed358e01e1b0417f5d3b0082359a23355552 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9f38f03ae8d5f57371b71aa6b4275765b65454fd | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c3ae6a3f3ca4f02f6ccddf213c027302586580d0 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47012

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix a use after free in siw_alloc_mr Our code analyzer reported a UAF. In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still points to a freed object. Afterwards, execution continues up to the err_out branch of siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr). My patch moves "mr->mem = mem" behind the if (xa_alloc_cyclic(..)<0) {} section, to avoid the uaf.

CVE ID : CVE-2021-47012
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/3093ee182f01689b89e9f8797b321603e5de4f63 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/30b9e92d0b5e5d5dc1101ab856c17009537cbca4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3e22b88e02c194f6c80867abfef5cc09383461f4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/608a4b90ece039940e9425ee2b39c8beff27e00c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ad9ce7188432650469a6c7625bf479f5ed0b6155 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47013

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..). If some error happens in emac_tx_fill_tpd(), the skb will be freed via dev_kfree_skb(skb) in the error branch of emac_tx_fill_tpd(). But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len). As I observed that emac_tx_fill_tpd() hasn't modified the value of skb->len, my patch assigns skb->len to 'len' before the possible free and uses 'len' instead of skb->len later.

CVE ID : CVE-2021-47013
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/16d8c44be52e3650917736d45f5904384a9da834 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/55fcdd1258faaecca74b91b88cc0921f9edd775d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6d72e7c767acbbdd44ebc7d89c6690b405b32b57 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8c06f34785068b87e2b560534c77c163d6c6dca7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9dc373f74097edd0e35f3393d6248eda8d1ba99d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c7f75d11fe72913d2619f97b2334b083cd7bb955 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/dc1b438a35773d030be0ee80d9c635c3e558a322 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e407495ba6788a67d1bd41714158c079e340879b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47014

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ct: fix wild memory access when clearing fragments while testing re-assembly/re-fragmentation using act_ct, it's possible to observe a crash like the following one:
KASAN: maybe wild-memory-access in range [0x0001000000000448-0x000100000000044f]
CPU: 50 PID: 0 Comm: swapper/50 Tainted: G S 5.12.0-rc7+ #424
Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017
RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0
Code: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48
RSP: 0018:ffff888c31449db8 EFLAGS: 00010203
RAX: 0000200000000089 RBX: 000100000000040e RCX: ffffffff989eb960
RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e
RBP: 0000000000000900 R08: 0000000000000000 R09: ffffed1186289350
R10: 0000000000000003 R11: ffffed1186289350 R12: dffffc0000000000
R13: 000100000000040e R14: 0000000000000000 R15: ffff888155e02160
FS: 0000000000000000(0000) GS:ffff888c31440000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
inet_frag_destroy+0xa9/0x150
call_timer_fn+0x2d/0x180
run_timer_softirq+0x4fe/0xe70
__do_softirq+0x197/0x5a0
irq_exit_rcu+0x1de/0x200
sysvec_apic_timer_interrupt+0x6b/0x80
</IRQ>
when act_ct temporarily stores an IP fragment, restoring the skb qdisc cb results in putting random data in FRAG_CB(), and this causes those "wild" memory accesses later, when the rbtree is purged. Never overwrite the skb cb in case tcf_ct_handle_fragments() returns -EINPROGRESS.

CVE ID : CVE-2021-47014
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0648941f4c8bbf8b4b6c0b270889ae7aa769b921 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f77bd544a6bbe69aa50d9ed09f13494cf36ff806 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47015

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RX consumer index logic in the error path. In bnxt_rx_pkt(), the RX buffers are expected to complete in order. If the RX consumer index indicates an out of order buffer completion, it means we are hitting a hardware bug and the driver will abort all remaining RX packets and reset the RX ring. The RX consumer index that we pass to bnxt_discard_rx() is not correct. We should be passing the current index (tmp_raw_cons) instead of the old index (raw_cons). This bug can cause us to be at the wrong index when trying to abort the next RX packet. It can crash like this:
#0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007
#1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232
#2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e
#3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978
#4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0
#5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e
#6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24
#7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e
#8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12
#9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5
[exception RIP: bnxt_rx_pkt+237]
RIP: ffffffffc0259cdd RSP: ffff9bbcdf5c3d98 RFLAGS: 00010213
RAX: 000000005dd8097f RBX: ffff9ba4cb11b7e0 RCX: ffffa923cf6e9000
RDX: 0000000000000fff RSI: 0000000000000627 RDI: 0000000000001000
RBP: ffff9bbcdf5c3e60 R8: 0000000000420003 R9: 000000000000020d
R10: ffffa923cf6ec138 R11: ffff9bbcdf5c3e83 R12: ffff9ba4d6f928c0
R13: ffff9ba4cac28080 R14: ffff9ba4cb11b7f0 R15: ffff9ba4d5a30000
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018

CVE ID : CVE-2021-47015
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/3fbc5bc651d688fbea2a59cdc91520a2f5334d0a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4fcaad2b7dac3f16704f8118c7e481024ddbd3ed | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b1523e4ba293b2a32d9fabaf70c1dcaa6e3e2847 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bbd6f0a948139970f4a615dff189d9a503681a39 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e187ef83c04a5d23e68d39cfdff1a1931e29890c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47017

First published on : 28-02-2024 09:15:38
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: ath10k: Fix a use after free in ath10k_htc_send_bundle. In ath10k_htc_send_bundle, the bundle_skb could be freed by dev_kfree_skb_any(bundle_skb). But the bundle_skb is used later via bundle_skb->len. As skb_len = bundle_skb->len, my patch replaces bundle_skb->len with skb_len after the bundle_skb was freed.

CVE ID : CVE-2021-47017
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/3b1ac40c6012140828caa79e592a438a18ebf71b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5e413c0831ff4700d1739db3fa3ae9f859744676 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8392df5d7e0b6a7d21440da1fc259f9938f4dec3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8bb054fb336f4250002fff4e0b075221c05c3c65 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47018

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: powerpc/64: Fix the definition of the fixmap area. At the time being, the fixmap area is defined at the top of the address space or just below KASAN. This definition is not valid for PPC64. For PPC64, use the top of the I/O space. Because of circular dependencies, it is not possible to include asm/fixmap.h in asm/book3s/64/pgtable.h, so define a fixed size AREA at the top of the I/O space for fixmap and ensure during build that the size is big enough.

CVE ID : CVE-2021-47018
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/4b9fb2c9039a206d37f215936a4d5bee7b1bf9cd | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9ccba66d4d2aff9a3909aa77d57ea8b7cc166f3c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a84df7c80bdac598d6ac9268ae578da6928883e8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/abb07dc5e8b61ab7b1dde20dd73aa01a3aeb183f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47019

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: fix possible invalid register access. Disable the interrupt and synchronize the pending irq handlers to ensure the irq tasklet is not scheduled after suspend, to avoid possible invalid register accesses while the host PCIe controller is suspended. [17932.910534] mt7921e 0000:01:00.0: pci_pm_suspend+0x0/0x22c returned 0 after 21375 usecs [17932.910590] pcieport 0000:00:00.0: calling pci_pm_suspend+0x0/0x22c @ 18565, parent: pci0000:00 [17932.910602] pcieport 0000:00:00.0: pci_pm_suspend+0x0/0x22c returned 0 after 8 usecs [17932.910671] mtk-pcie 11230000.pcie: calling platform_pm_suspend+0x0/0x60 @ 22783, parent: soc [17932.910674] mtk-pcie 11230000.pcie: platform_pm_suspend+0x0/0x60 returned 0 after 0 usecs ... 17933.615352] x1 : 00000000000d4200 x0 : ffffff8269ca2300 [17933.620666] Call trace: [17933.623127] mt76_mmio_rr+0x28/0xf0 [mt76] [17933.627234] mt7921_rr+0x38/0x44 [mt7921e] [17933.631339] mt7921_irq_tasklet+0x54/0x1d8 [mt7921e] [17933.636309] tasklet_action_common+0x12c/0x16c [17933.640754] tasklet_action+0x24/0x2c [17933.644418] __do_softirq+0x16c/0x344 [17933.648082] irq_exit+0xa8/0xac [17933.651224] scheduler_ipi+0xd4/0x148 [17933.654890] handle_IPI+0x164/0x2d4 [17933.658379] gic_handle_irq+0x140/0x178 [17933.662216] el1_irq+0xb8/0x180 [17933.665361] cpuidle_enter_state+0xf8/0x204 [17933.669544] cpuidle_enter+0x38/0x4c [17933.673122] do_idle+0x1a4/0x2a8 [17933.676352] cpu_startup_entry+0x24/0x28 [17933.680276] rest_init+0xd4/0xe0 [17933.683508] arch_call_rest_init+0x10/0x18 [17933.687606] start_kernel+0x340/0x3b4 [17933.691279] Code: aa0003f5 d503201f f953eaa8 8b344108 (b9400113) [17933.697373] ---[ end trace a24b8e26ffbda3c5 ]--- [17933.767846] Kernel panic - not syncing: Fatal exception in interrupt

CVE ID : CVE-2021-47019
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/b13cbc536990ff609afa878b6211cd6f6265ba60 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/fe3fccde8870764ba3e60610774bd7bc9f8faeff | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47021

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7915: fix memleak when mt7915_unregister_device(). mt7915_tx_token_put() should get called before mt76_free_pending_txwi().

CVE ID : CVE-2021-47021
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/81483309ce861a9fa7835322787f68a443fea364 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d754c80ae82a662e692a82faad71b8c218cb7f52 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e9d32af478cfc3744a45245c0b126738af4b3ac4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47022

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7615: fix memleak when mt7615_unregister_device(). mt7615_tx_token_put() should get called before mt76_free_pending_txwi().

CVE ID : CVE-2021-47022
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/107bcbb219ac84d885ac63b25246f8d33212bc47 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4fa28c807da54c1d720b3cc12e48eb9bea1e2c8f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6c5b2b0c6e5a6ce2d8f9f85b8b72bfad60eaa506 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8ab31da7b89f71c4c2defcca989fab7b42f87d71 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47023

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix port event handling on init. For some reason there might be a crash during ports creation if port events are being handled at the same time, because fw may send an initial port event with down state. The crash points to cancel_delayed_work() which is called when the port goes down. Currently I did not find out the real cause of the issue, so fixed it by cancelling port stats work only if the previous port state was up & running. The following is the crash which can be triggered: [ 28.311104] Unable to handle kernel paging request at virtual address 000071775f776600 [ 28.319097] Mem abort info: [ 28.321914] ESR = 0x96000004 [ 28.324996] EC = 0x25: DABT (current EL), IL = 32 bits [ 28.330350] SET = 0, FnV = 0 [ 28.333430] EA = 0, S1PTW = 0 [ 28.336597] Data abort info: [ 28.339499] ISV = 0, ISS = 0x00000004 [ 28.343362] CM = 0, WnR = 0 [ 28.346354] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000100bf7000 [ 28.352842] [000071775f776600] pgd=0000000000000000, p4d=0000000000000000 [ 28.359695] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 28.365310] Modules linked in: prestera_pci(+) prestera uio_pdrv_genirq [ 28.372005] CPU: 0 PID: 1291 Comm: kworker/0:1H Not tainted 5.11.0-rc4 #1 [ 28.378846] Hardware name: DNI AmazonGo1 A7040 board (DT) [ 28.384283] Workqueue: prestera_fw_wq prestera_fw_evt_work_fn [prestera_pci] [ 28.391413] pstate: 60000085 (nZCv daIf -PAN -UAO -TCO BTYPE=--) [ 28.397468] pc : get_work_pool+0x48/0x60 [ 28.401442] lr : try_to_grab_pending+0x6c/0x1b0 [ 28.406018] sp : ffff80001391bc60 [ 28.409358] x29: ffff80001391bc60 x28: 0000000000000000 [ 28.414725] x27: ffff000104fc8b40 x26: ffff80001127de88 [ 28.420089] x25: 0000000000000000 x24: ffff000106119760 [ 28.425452] x23: ffff00010775dd60 x22: ffff00010567e000 [ 28.430814] x21: 0000000000000000 x20: ffff80001391bcb0 [ 28.436175] x19: ffff00010775deb8 x18: 00000000000000c0 [ 28.441537] x17: 0000000000000000 x16: 000000008d9b0e88 [ 28.446898] x15: 0000000000000001 x14: 00000000000002ba [ 28.452261] x13: 80a3002c00000002 x12: 00000000000005f4 [ 28.457622] x11: 0000000000000030 x10: 000000000000000c [ 28.462985] x9 : 000000000000000c x8 : 0000000000000030 [ 28.468346] x7 : ffff800014400000 x6 : ffff000106119758 [ 28.473708] x5 : 0000000000000003 x4 : ffff00010775dc60 [ 28.479068] x3 : 0000000000000000 x2 : 0000000000000060 [ 28.484429] x1 : 000071775f776600 x0 : ffff00010775deb8 [ 28.489791] Call trace: [ 28.492259] get_work_pool+0x48/0x60 [ 28.495874] cancel_delayed_work+0x38/0xb0 [ 28.500011] prestera_port_handle_event+0x90/0xa0 [prestera] [ 28.505743] prestera_evt_recv+0x98/0xe0 [prestera] [ 28.510683] prestera_fw_evt_work_fn+0x180/0x228 [prestera_pci] [ 28.516660] process_one_work+0x1e8/0x360 [ 28.520710] worker_thread+0x44/0x480 [ 28.524412] kthread+0x154/0x160 [ 28.527670] ret_from_fork+0x10/0x38 [ 28.531290] Code: a8c17bfd d50323bf d65f03c0 9278dc21 (f9400020) [ 28.537429] ---[ end trace 5eced933df3a080b ]---

CVE ID : CVE-2021-47023
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0ce6052802be2cb61a57b753e41301339c88c839 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/333980481b99edb24ebd5d1a53af70a15d9146de | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9d1ba11fabdd8f25abb24272ef1621417981320b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b5bba6ede42693f50ce1c9944315cefed7491061 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47024

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: free queued packets when closing socket As reported by syzbot [1], there is a memory leak while closing the socket. We partially solved this issue with commit ac03046ece2b ("vsock/virtio: free packets during the socket release"), but we forgot to drain the RX queue when the socket is definitely closed by the scheduled work. To avoid future issues, let's use the new virtio_transport_remove_sock() to drain the RX queue before removing the socket from the af_vsock lists calling vsock_remove_sock(). [1] https://syzkaller.appspot.com/bug?extid=24452624fc4c571eedd9

CVE ID : CVE-2021-47024
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/27691665145e74a45034a9dccf1150cf1894763a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/37c38674ef2f8d7e8629e5d433c37d6c1273d16b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8432b8114957235f42e070a16118a7f750de9d39 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b605673b523fe33abeafb2136759bcbc9c1e6ebf | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47025

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: Always enable the clk on resume. In mtk_iommu_runtime_resume always enable the clk, even if m4u_dom is null. Otherwise the 'suspend' cb might disable the clk which is already disabled, causing the warning: [ 1.586104] infra_m4u already disabled [ 1.586133] WARNING: CPU: 0 PID: 121 at drivers/clk/clk.c:952 clk_core_disable+0xb0/0xb8 [ 1.594391] mtk-iommu 10205000.iommu: bound 18001000.larb (ops mtk_smi_larb_component_ops) [ 1.598108] Modules linked in: [ 1.598114] CPU: 0 PID: 121 Comm: kworker/0:2 Not tainted 5.12.0-rc5 #69 [ 1.609246] mtk-iommu 10205000.iommu: bound 14027000.larb (ops mtk_smi_larb_component_ops) [ 1.617487] Hardware name: Google Elm (DT) [ 1.617491] Workqueue: pm pm_runtime_work [ 1.620545] mtk-iommu 10205000.iommu: bound 19001000.larb (ops mtk_smi_larb_component_ops) [ 1.627229] pstate: 60000085 (nZCv daIf -PAN -UAO -TCO BTYPE=--) [ 1.659297] pc : clk_core_disable+0xb0/0xb8 [ 1.663475] lr : clk_core_disable+0xb0/0xb8 [ 1.667652] sp : ffff800011b9bbe0 [ 1.670959] x29: ffff800011b9bbe0 x28: 0000000000000000 [ 1.676267] x27: ffff800011448000 x26: ffff8000100cfd98 [ 1.681574] x25: ffff800011b9bd48 x24: 0000000000000000 [ 1.686882] x23: 0000000000000000 x22: ffff8000106fad90 [ 1.692189] x21: 000000000000000a x20: ffff0000c0048500 [ 1.697496] x19: ffff0000c0048500 x18: ffffffffffffffff [ 1.702804] x17: 0000000000000000 x16: 0000000000000000 [ 1.708112] x15: ffff800011460300 x14: fffffffffffe0000 [ 1.713420] x13: ffff8000114602d8 x12: 0720072007200720 [ 1.718727] x11: 0720072007200720 x10: 0720072007200720 [ 1.724035] x9 : ffff800011b9bbe0 x8 : ffff800011b9bbe0 [ 1.729342] x7 : 0000000000000009 x6 : ffff8000114b8328 [ 1.734649] x5 : 0000000000000000 x4 : 0000000000000000 [ 1.739956] x3 : 00000000ffffffff x2 : ffff800011460298 [ 1.745263] x1 : 1af1d7de276f4500 x0 : 0000000000000000 [ 1.750572] Call trace: [ 1.753010] clk_core_disable+0xb0/0xb8 [ 1.756840] clk_core_disable_lock+0x24/0x40 [ 1.761105] clk_disable+0x20/0x30 [ 1.764501] mtk_iommu_runtime_suspend+0x88/0xa8 [ 1.769114] pm_generic_runtime_suspend+0x2c/0x48 [ 1.773815] __rpm_callback+0xe0/0x178 [ 1.777559] rpm_callback+0x24/0x88 [ 1.781041] rpm_suspend+0xdc/0x470 [ 1.784523] rpm_idle+0x12c/0x170 [ 1.787831] pm_runtime_work+0xa8/0xc0 [ 1.791573] process_one_work+0x1e8/0x360 [ 1.795580] worker_thread+0x44/0x478 [ 1.799237] kthread+0x150/0x158 [ 1.802460] ret_from_fork+0x10/0x30 [ 1.806034] ---[ end trace 82402920ef64573b ]--- [ 1.810728] ------------[ cut here ]------------ In addition, we now don't need to enable the clock from the function mtk_iommu_hw_init since it is already enabled by the resume.

CVE ID : CVE-2021-47025
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/5cad9e2caa9613fdcd246bd4ebf0ffbec1cba2ca | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b34ea31fe013569d42b7e8681ef3f717f77c5b72 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47026

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs-clt: destroy sysfs after removing session from active list. A session can be removed dynamically by the sysfs interface "remove_path", which eventually calls the rtrs_clt_remove_path_from_sysfs function. The current rtrs_clt_remove_path_from_sysfs first removes the sysfs interfaces and frees the sess->stats object. Second, it removes the session from the active list. Therefore some functions could access a non-connected session and access the freed sess->stats object even if they check the session status before accessing the session. For instance, rtrs_clt_request and get_next_path_min_inflight check the session status and try to send IO to the session. The session status could be changed while they are trying to send IO, but they could not catch the change, and they update the statistics information in the sess->stats object, generating a use-after-free problem. (see: "RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its stats") This patch changes rtrs_clt_remove_path_from_sysfs to remove the session from the active session list first and then destroy the sysfs interfaces. Each function should still check the session status because closing or error recovery paths can change the status.

CVE ID : CVE-2021-47026
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/676171f9405dcaa45a33d18241c32f387dbaae39 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7f4a8592ff29f19c5a2ca549d0973821319afaad | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b64415c6b3476cf9fa4d0aea3807065b8403a937 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d3cca8067d43dfee4a3535c645b55f618708dccb | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47027

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: fix kernel crash when the firmware fails to download. Fix kernel crash when the firmware is missing or fails to download. [ 9.444758] kernel BUG at drivers/pci/msi.c:375! [ 9.449363] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [ 9.501033] pstate: a0400009 (NzCv daif +PAN -UAO) [ 9.505814] pc : free_msi_irqs+0x180/0x184 [ 9.509897] lr : free_msi_irqs+0x40/0x184 [ 9.513893] sp : ffffffc015193870 [ 9.517194] x29: ffffffc015193870 x28: 00000000f0e94fa2 [ 9.522492] x27: 0000000000000acd x26: 000000000000009a [ 9.527790] x25: ffffffc0152cee58 x24: ffffffdbb383e0d8 [ 9.533087] x23: ffffffdbb38628d0 x22: 0000000000040200 [ 9.538384] x21: ffffff8cf7de7318 x20: ffffff8cd65a2480 [ 9.543681] x19: ffffff8cf7de7000 x18: 0000000000000000 [ 9.548979] x17: ffffff8cf9ca03b4 x16: ffffffdc13ad9a34 [ 9.554277] x15: 0000000000000000 x14: 0000000000080800 [ 9.559575] x13: ffffff8cd65a2980 x12: 0000000000000000 [ 9.564873] x11: ffffff8cfa45d820 x10: ffffff8cfa45d6d0 [ 9.570171] x9 : 0000000000000040 x8 : ffffff8ccef1b780 [ 9.575469] x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000000 [ 9.580766] x5 : ffffffdc13824900 x4 : ffffff8ccefe0000 [ 9.586063] x3 : 0000000000000000 x2 : 0000000000000000 [ 9.591362] x1 : 0000000000000125 x0 : ffffff8ccefe0000 [ 9.596660] Call trace: [ 9.599095] free_msi_irqs+0x180/0x184 [ 9.602831] pci_disable_msi+0x100/0x130 [ 9.606740] pci_free_irq_vectors+0x24/0x30 [ 9.610915] mt7921_pci_probe+0xbc/0x250 [mt7921e] [ 9.615693] pci_device_probe+0xd4/0x14c [ 9.619604] really_probe+0x134/0x2ec [ 9.623252] driver_probe_device+0x64/0xfc [ 9.627335] device_driver_attach+0x4c/0x6c [ 9.631506] __driver_attach+0xac/0xc0 [ 9.635243] bus_for_each_dev+0x8c/0xd4 [ 9.639066] driver_attach+0x2c/0x38 [ 9.642628] bus_add_driver+0xfc/0x1d0 [ 9.646365] driver_register+0x64/0xf8 [ 9.650101] __pci_register_driver+0x6c/0x7c [ 9.654360] init_module+0x28/0xfdc [mt7921e] [ 9.658704] do_one_initcall+0x13c/0x2d0 [ 9.662615] do_init_module+0x58/0x1e8 [ 9.666351] load_module+0xd80/0xeb4 [ 9.669912] __arm64_sys_finit_module+0xa8/0xe0 [ 9.674430] el0_svc_common+0xa4/0x16c [ 9.678168] el0_svc_compat_handler+0x2c/0x40 [ 9.682511] el0_svc_compat+0x8/0x10 [ 9.686076] Code: a94257f6 f9400bf7 a8c47bfd d65f03c0 (d4210000) [ 9.692155] ---[ end trace 7621f966afbf0a29 ]--- [ 9.697385] Kernel panic - not syncing: Fatal exception [ 9.702599] SMP: stopping secondary CPUs [ 9.706549] Kernel Offset: 0x1c03600000 from 0xffffffc010000000 [ 9.712456] PHYS_OFFSET: 0xfffffff440000000 [ 9.716625] CPU features: 0x080026,2a80aa18 [ 9.720795] Memory Limit: none

CVE ID : CVE-2021-47027
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/a46b536cd60c0dbd4bf767c62a8774dec52bf099 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e230f0c44f011f3270680a506b19b7e84c5e8923 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47028

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7915: fix txrate reporting Properly check rate_info to fix unexpected reporting. [ 1215.161863] Call trace: [ 1215.164307] cfg80211_calculate_bitrate+0x124/0x200 [cfg80211] [ 1215.170139] ieee80211s_update_metric+0x80/0xc0 [mac80211] [ 1215.175624] ieee80211_tx_status_ext+0x508/0x838 [mac80211] [ 1215.181190] mt7915_mcu_get_rx_rate+0x28c/0x8d0 [mt7915e] [ 1215.186580] mt7915_mac_tx_free+0x324/0x7c0 [mt7915e] [ 1215.191623] mt7915_queue_rx_skb+0xa8/0xd0 [mt7915e] [ 1215.196582] mt76_dma_cleanup+0x7b0/0x11d0 [mt76] [ 1215.201276] __napi_poll+0x38/0xf8 [ 1215.204668] napi_workfn+0x40/0x80 [ 1215.208062] process_one_work+0x1fc/0x390 [ 1215.212062] worker_thread+0x48/0x4d0 [ 1215.215715] kthread+0x120/0x128 [ 1215.218935] ret_from_fork+0x10/0x1c

CVE ID : CVE-2021-47028
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/4bd926e5ca88eac4d95eacb806b229f8729bc62e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/dfc8a71448c7d4fec38fb22bdc8a76d79c14b6da | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f43b941fd61003659a3f0e039595e5e525917aa8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47029

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: mt76: connac: fix kernel warning adding monitor interface. Fix the following kernel warning when adding a monitor interface in the mt76_connac_mcu_uni_add_dev routine. [ 507.984882] ------------[ cut here ]------------ [ 507.989515] WARNING: CPU: 1 PID: 3017 at mt76_connac_mcu_uni_add_dev+0x178/0x190 [mt76_connac_lib] [ 508.059379] CPU: 1 PID: 3017 Comm: ifconfig Not tainted 5.4.98 #0 [ 508.065461] Hardware name: MT7622_MT7531 RFB (DT) [ 508.070156] pstate: 80000005 (Nzcv daif -PAN -UAO) [ 508.074939] pc : mt76_connac_mcu_uni_add_dev+0x178/0x190 [mt76_connac_lib] [ 508.081806] lr : mt7921_eeprom_init+0x1288/0x1cb8 [mt7921e] [ 508.087367] sp : ffffffc013a33930 [ 508.090671] x29: ffffffc013a33930 x28: ffffff801e628ac0 [ 508.095973] x27: ffffff801c7f1200 x26: ffffff801c7eb008 [ 508.101275] x25: ffffff801c7eaef0 x24: ffffff801d025610 [ 508.106577] x23: ffffff801d022990 x22: ffffff801d024de8 [ 508.111879] x21: ffffff801d0226a0 x20: ffffff801c7eaee8 [ 508.117181] x19: ffffff801d0226a0 x18: 000000005d00b000 [ 508.122482] x17: 00000000ffffffff x16: 0000000000000000 [ 508.127785] x15: 0000000000000080 x14: ffffff801d704000 [ 508.133087] x13: 0000000000000040 x12: 0000000000000002 [ 508.138389] x11: 000000000000000c x10: 0000000000000000 [ 508.143691] x9 : 0000000000000020 x8 : 0000000000000001 [ 508.148992] x7 : 0000000000000000 x6 : 0000000000000000 [ 508.154294] x5 : ffffff801c7eaee8 x4 : 0000000000000006 [ 508.159596] x3 : 0000000000000001 x2 : 0000000000000000 [ 508.164898] x1 : ffffff801c7eac08 x0 : ffffff801d0226a0 [ 508.170200] Call trace: [ 508.172640] mt76_connac_mcu_uni_add_dev+0x178/0x190 [mt76_connac_lib] [ 508.179159] mt7921_eeprom_init+0x1288/0x1cb8 [mt7921e] [ 508.184394] drv_add_interface+0x34/0x88 [mac80211] [ 508.189271] ieee80211_add_virtual_monitor+0xe0/0xb48 [mac80211] [ 508.195277] ieee80211_do_open+0x86c/0x918 [mac80211] [ 508.200328] ieee80211_do_open+0x900/0x918 [mac80211] [ 508.205372] __dev_open+0xcc/0x150 [ 508.208763] __dev_change_flags+0x134/0x198 [ 508.212937] dev_change_flags+0x20/0x60 [ 508.216764] devinet_ioctl+0x3e8/0x748 [ 508.220503] inet_ioctl+0x1e4/0x350 [ 508.223983] sock_do_ioctl+0x48/0x2a0 [ 508.227635] sock_ioctl+0x310/0x4f8 [ 508.231116] do_vfs_ioctl+0xa4/0xac0 [ 508.234681] ksys_ioctl+0x44/0x90 [ 508.237985] __arm64_sys_ioctl+0x1c/0x48 [ 508.241901] el0_svc_common.constprop.1+0x7c/0x100 [ 508.246681] el0_svc_handler+0x18/0x20 [ 508.250421] el0_svc+0x8/0x1c8 [ 508.253465] ---[ end trace c7b90fee13d72c39 ]--- [ 508.261278] ------------[ cut here ]------------

CVE ID : CVE-2021-47029
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/2554b9cb4b5e097c6071ec3ed5bc7c665c477ca7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c996f0346e40e3b1ac2ebaf0681df898fb157f60 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47030

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7615: fix memory leak in mt7615_coredump_work Similar to the issue fixed in mt7921_coredump_work, fix a possible memory leak in mt7615_coredump_work routine.

CVE ID : CVE-2021-47030
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/49cc85059a2cb656f96ff3693f891e8fe8f669a9 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/54b989653c5531bc4416ced33f146b9cb633d978 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47031

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: fix memory leak in mt7921_coredump_work Fix possible memory leak in mt7921_coredump_work.

CVE ID : CVE-2021-47031
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/4811226374453607175ea057777faa7e7f752204 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/782b3e86ea970e899f8e723db9f64708a15ca30e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47032

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7915: fix tx skb dma unmap. The first pointer in the txp needs to be unmapped as well, otherwise it will leak DMA mapping entries.

CVE ID : CVE-2021-47032
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/4a9dcd6efb2a268fc5707dcfb3b0c412975c4462 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4e7914ce23306b28d377ec395e00e5fde0e6f96e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7dcf3c04f0aca746517a77433b33d40868ca4749 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e2cdc9cb33c5963efe1a7c022753386f9463d1b7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47033

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7615: fix tx skb dma unmap. The first pointer in the txp needs to be unmapped as well, otherwise it will leak DMA mapping entries.

CVE ID : CVE-2021-47033
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/75bc5f779a7664d1fc19cb915039439c6e58bb94 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/821ae236ccea989a1fcc6abfc4d5b74ad4ba39d2 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a025277a80add18c33d01042525a74fe5b875f25 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ebee7885bb12a8fe2c2f9bac87dbd87a05b645f9 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47034

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix pte update for kernel memory on radix. When adding a PTE, a ptesync is needed to order the update of the PTE with subsequent accesses, otherwise a spurious fault may be raised. radix__set_pte_at() does not do this for performance gains. For non-kernel memory this is not an issue, as any faults of this kind are corrected by the page fault handler. For kernel memory these faults are not handled. The current solution is that there is a ptesync in flush_cache_vmap(), which should be called when mapping from the vmalloc region. However, map_kernel_page() does not call flush_cache_vmap(). This is troublesome in particular for code patching with Strict RWX on radix. In do_patch_instruction() the page frame that contains the instruction to be patched is mapped and then immediately patched. With no ordering or synchronization between setting up the PTE and writing to the page, faults are possible. As the code patching is done using __put_user_asm_goto() the resulting fault is obscured, but using a normal store instead it can be seen: BUG: Unable to handle kernel data access on write at 0xc008000008f24a3c Faulting instruction address: 0xc00000000008bd74 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: nop_module(PO+) [last unloaded: nop_module] CPU: 4 PID: 757 Comm: sh Tainted: P O 5.10.0-rc5-01361-ge3c1b78c8440-dirty #43 NIP: c00000000008bd74 LR: c00000000008bd50 CTR: c000000000025810 REGS: c000000016f634a0 TRAP: 0300 Tainted: P O (5.10.0-rc5-01361-ge3c1b78c8440-dirty) MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 44002884 XER: 00000000 CFAR: c00000000007c68c DAR: c008000008f24a3c DSISR: 42000000 IRQMASK: 1 This results in the kind of issue reported here: https://lore.kernel.org/linuxppc-dev/15AC5B0E-A221-4B8C-9039-FA96B8EF7C88@lca.pw/ Chris Riedl suggested a reliable way to reproduce the issue: $ mount -t debugfs none /sys/kernel/debug $ (while true; do echo function > /sys/kernel/debug/tracing/current_tracer ; echo nop > /sys/kernel/debug/tracing/current_tracer ; done) & Turning ftrace on and off does a large amount of code patching, which usually in less than 5 minutes will crash, giving a trace like: ftrace-powerpc: (____ptrval____): replaced (4b473b11) != old (60000000) ------------[ ftrace bug ]------------ ftrace failed to modify [<c000000000bf8e5c>] napi_busy_loop+0xc/0x390 actual: 11:3b:47:4b Setting ftrace call site to call ftrace function ftrace record flags: 80000001 (1) expected tramp: c00000000006c96c ------------[ cut here ]------------ WARNING: CPU: 4 PID: 809 at kernel/trace/ftrace.c:2065 ftrace_bug+0x28c/0x2e8 Modules linked in: nop_module(PO-) [last unloaded: nop_module] CPU: 4 PID: 809 Comm: sh Tainted: P O 5.10.0-rc5-01360-gf878ccaf250a #1 NIP: c00000000024f334 LR: c00000000024f330 CTR: c0000000001a5af0 REGS: c000000004c8b760 TRAP: 0700 Tainted: P O (5.10.0-rc5-01360-gf878ccaf250a) MSR: 900000000282b033 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 28008848 XER: 20040000 CFAR: c0000000001a9c98 IRQMASK: 0 GPR00: c00000000024f330 c000000004c8b9f0 c000000002770600 0000000000000022 GPR04: 00000000ffff7fff c000000004c8b6d0 0000000000000027 c0000007fe9bcdd8 GPR08: 0000000000000023 ffffffffffffffd8 0000000000000027 c000000002613118 GPR12: 0000000000008000 c0000007fffdca00 0000000000000000 0000000000000000 GPR16: 0000000023ec37c5 0000000000000000 0000000000000000 0000000000000008 GPR20: c000000004c8bc90 c0000000027a2d20 c000000004c8bcd0 c000000002612fe8 GPR24: 0000000000000038 0000000000000030 0000000000000028 0000000000000020 GPR28: c000000000ff1b68 c000000000bf8e5c c00000000312f700 c000000000fbb9b0 NIP ftrace_bug+0x28c/0x2e8 LR ftrace_bug+0x288/0x2e8 Call T ---truncated---

CVE ID : CVE-2021-47034
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/01ac203e2119d8922126886ddea309fb676f955f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/73f9dccb29e4f82574bec2765c0090cdb0404301 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/84c0762633f2a7ac8399e6b97d3b9bb8e6e1d50f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b3d5d0983388d6c4fb35f7d722556d5595f167a7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b8b2f37cf632434456182e9002d63cbc4cccc50c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e40c52ee67b155ad59f59e73ea136d02685f0e0d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47035

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Remove WO permissions on second-level paging entries When the first level page table is used for IOVA translation, it only supports Read-Only and Read-Write permissions. The Write-Only permission is not supported as the PRESENT bit (implying Read permission) should always be set. When using second level, we still give separate permissions that allow Write-Only, which seems inconsistent and awkward. We want to have consistent behavior. After moving to 1st level, we don't want things to work sometimes, and break if we use 2nd level for the same mappings. Hence remove this configuration.

CVE ID : CVE-2021-47035
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/25faff78138933244c678c7fc78f7c0340fa04a0 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/66c24699f266ff310381a9552d3576eea8ad6e20 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/89bd620798704a8805fc9db0d71d7f812cf5b3d2 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c848416cc05afc1589edba04fe00b85c2f797ee3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/eea53c5816889ee8b64544fa2e9311a81184ff9c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47036

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: udp: skip L4 aggregation for UDP tunnel packets If NETIF_F_GRO_FRAGLIST or NETIF_F_GRO_UDP_FWD are enabled, and there are UDP tunnels available in the system, udp_gro_receive() could end up doing L4 aggregation (either SKB_GSO_UDP_L4 or SKB_GSO_FRAGLIST) at the outer UDP tunnel level for packets effectively carrying a UDP tunnel header. That could cause inner protocol corruption. If e.g. the relevant packets carry a vxlan header, different vxlan ids will be ignored/aggregated to the same GSO packet. Inner headers will be ignored, too, so that e.g. TCP over vxlan push packets will be held in the GRO engine till the next flush, etc. Just skip the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code path if the current packet could land in a UDP tunnel, and let udp_gro_receive() do GRO via udp_sk(sk)->gro_receive. The check implemented in this patch is broader than what is strictly needed, as the existing UDP tunnel could be e.g. configured on top of a different device: we could end up skipping GRO at all for some packets. Anyhow, that is a very thin corner case and covering it will add quite a bit of complexity. v1 -> v2: - hopefully clarify the commit message

CVE ID : CVE-2021-47036
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/18f25dc399901426dff61e676ba603ff52c666f7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/450687386cd16d081b58cd7a342acff370a96078 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47037

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: ASoC: q6afe-clocks: fix reprobing of the driver The Q6afe-clocks driver can get reprobed, for example if the APR services are restarted after a firmware crash. However, currently the Q6afe-clocks driver will oops because hw.init will get cleared during the first _probe call. Rewrite the driver to fill the clock data at runtime rather than using a big static array of clocks.

CVE ID : CVE-2021-47037
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/62413972f5266568848a36fd15160397b211fa74 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6893df3753beafa5f7351228a9dd8157a57d7492 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/96fadf7e8ff49fdb74754801228942b67c3eeebd | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47038

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: avoid deadlock between hci_dev->lock and socket lock Commit eab2404ba798 ("Bluetooth: Add BT_PHY socket option") added a dependency between socket lock and hci_dev->lock that could lead to deadlock. It turns out that hci_conn_get_phy() is not in any way relying on hdev being immutable during the runtime of this function, neither does it even look at any of the members of hdev, and as such there is no need to hold that lock. This fixes the lockdep splat below: ====================================================== WARNING: possible circular locking dependency detected 5.12.0-rc1-00026-g73d464503354 #10 Not tainted ------------------------------------------------------ bluetoothd/1118 is trying to acquire lock: ffff8f078383c078 (&hdev->lock){+.+.}-{3:3}, at: hci_conn_get_phy+0x1c/0x150 [bluetooth] but task is already holding lock: ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610 which lock already depends on the new lock. 
the existing dependency chain (in reverse order) is: -> #3 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}: lock_sock_nested+0x72/0xa0 l2cap_sock_ready_cb+0x18/0x70 [bluetooth] l2cap_config_rsp+0x27a/0x520 [bluetooth] l2cap_sig_channel+0x658/0x1330 [bluetooth] l2cap_recv_frame+0x1ba/0x310 [bluetooth] hci_rx_work+0x1cc/0x640 [bluetooth] process_one_work+0x244/0x5f0 worker_thread+0x3c/0x380 kthread+0x13e/0x160 ret_from_fork+0x22/0x30 -> #2 (&chan->lock#2/1){+.+.}-{3:3}: __mutex_lock+0xa3/0xa10 l2cap_chan_connect+0x33a/0x940 [bluetooth] l2cap_sock_connect+0x141/0x2a0 [bluetooth] __sys_connect+0x9b/0xc0 __x64_sys_connect+0x16/0x20 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae -> #1 (&conn->chan_lock){+.+.}-{3:3}: __mutex_lock+0xa3/0xa10 l2cap_chan_connect+0x322/0x940 [bluetooth] l2cap_sock_connect+0x141/0x2a0 [bluetooth] __sys_connect+0x9b/0xc0 __x64_sys_connect+0x16/0x20 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae -> #0 (&hdev->lock){+.+.}-{3:3}: __lock_acquire+0x147a/0x1a50 lock_acquire+0x277/0x3d0 __mutex_lock+0xa3/0xa10 hci_conn_get_phy+0x1c/0x150 [bluetooth] l2cap_sock_getsockopt+0x5a9/0x610 [bluetooth] __sys_getsockopt+0xcc/0x200 __x64_sys_getsockopt+0x20/0x30 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae other info that might help us debug this: Chain exists of: &hdev->lock --> &chan->lock#2/1 --> sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP); lock(&chan->lock#2/1); lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP); lock(&hdev->lock); *** DEADLOCK *** 1 lock held by bluetoothd/1118: #0: ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610 [bluetooth] stack backtrace: CPU: 3 PID: 1118 Comm: bluetoothd Not tainted 5.12.0-rc1-00026-g73d464503354 #10 Hardware name: LENOVO 20K5S22R00/20K5S22R00, BIOS R0IET38W (1.16 ) 05/31/2017 Call Trace: dump_stack+0x7f/0xa1 
check_noncircular+0x105/0x120 ? __lock_acquire+0x147a/0x1a50 __lock_acquire+0x147a/0x1a50 lock_acquire+0x277/0x3d0 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] ? __lock_acquire+0x2e1/0x1a50 ? lock_is_held_type+0xb4/0x120 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] __mutex_lock+0xa3/0xa10 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] ? lock_acquire+0x277/0x3d0 ? mark_held_locks+0x49/0x70 ? mark_held_locks+0x49/0x70 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] hci_conn_get_phy+0x ---truncated---

CVE ID : CVE-2021-47038
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/17486960d79b900c45e0bb8fbcac0262848582ba | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/332e69eb3bd90370f2d9f2c2ca7974ff523dea17 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7cc0ba67883c6c8d3bddb283f56c167fc837a555 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/fee71f480bc1dec5f6ae3b0b185ff12a62bceabc | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47039

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: ataflop: potential out of bounds in do_format() The function uses "type" as an array index: q = unit[drive].disk[type]->queue; Unfortunately the bounds check on "type" isn't done until later in the function. Fix this by moving the bounds check to the start.

CVE ID : CVE-2021-47039
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/07f86aa8f4fe077be1b018cc177eb8c6573e5671 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/1ffec389a6431782a8a28805830b6fae9bf00af1 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2a3a8bbca28b899806844c00d49ed1b7ccb50957 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47040

First published on : 28-02-2024 09:15:39
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: io_uring: fix overflows checks in provide buffers Colin reported before possible overflow and sign extension problems in io_provide_buffers_prep(). As Linus pointed out, the previous attempt did nothing useful, see d81269fecb8ce ("io_uring: fix provide_buffers sign extension"). Do that with the help of check_<op>_overflow helpers. And fix the struct io_provide_buf::len type, as it doesn't make much sense to keep it signed.

CVE ID : CVE-2021-47040
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/38134ada0ceea3e848fe993263c0ff6207fd46e7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/51bf90901952aaac564bbdb36b2b503050c53dd9 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/84b8c266c4bfe9ed5128e13253c388deb74b1b03 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/cbbc13b115b8f18e0a714d89f87fbdc499acfe2d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47041

First published on : 28-02-2024 09:15:40
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix incorrect locking in state_change sk callback We are not changing anything in the TCP connection state so we should not take a write_lock but rather a read lock. This caused a deadlock when running nvmet-tcp and nvme-tcp on the same system, where state_change callbacks on the host and on the controller side have causal relationship and made lockdep report on this with blktests: ================================ WARNING: inconsistent lock state 5.12.0-rc3 #1 Tainted: G I -------------------------------- inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-R} usage. nvme/1324 [HC0[0]:SC0[0]:HE1:SE1] takes: ffff888363151000 (clock-AF_INET){++-?}-{2:2}, at: nvme_tcp_state_change+0x21/0x150 [nvme_tcp] {IN-SOFTIRQ-W} state was registered at: __lock_acquire+0x79b/0x18d0 lock_acquire+0x1ca/0x480 _raw_write_lock_bh+0x39/0x80 nvmet_tcp_state_change+0x21/0x170 [nvmet_tcp] tcp_fin+0x2a8/0x780 tcp_data_queue+0xf94/0x1f20 tcp_rcv_established+0x6ba/0x1f00 tcp_v4_do_rcv+0x502/0x760 tcp_v4_rcv+0x257e/0x3430 ip_protocol_deliver_rcu+0x69/0x6a0 ip_local_deliver_finish+0x1e2/0x2f0 ip_local_deliver+0x1a2/0x420 ip_rcv+0x4fb/0x6b0 __netif_receive_skb_one_core+0x162/0x1b0 process_backlog+0x1ff/0x770 __napi_poll.constprop.0+0xa9/0x5c0 net_rx_action+0x7b3/0xb30 __do_softirq+0x1f0/0x940 do_softirq+0xa1/0xd0 __local_bh_enable_ip+0xd8/0x100 ip_finish_output2+0x6b7/0x18a0 __ip_queue_xmit+0x706/0x1aa0 __tcp_transmit_skb+0x2068/0x2e20 tcp_write_xmit+0xc9e/0x2bb0 __tcp_push_pending_frames+0x92/0x310 inet_shutdown+0x158/0x300 __nvme_tcp_stop_queue+0x36/0x270 [nvme_tcp] nvme_tcp_stop_queue+0x87/0xb0 [nvme_tcp] nvme_tcp_teardown_admin_queue+0x69/0xe0 [nvme_tcp] nvme_do_delete_ctrl+0x100/0x10c [nvme_core] nvme_sysfs_delete.cold+0x8/0xd [nvme_core] kernfs_fop_write_iter+0x2c7/0x460 new_sync_write+0x36c/0x610 vfs_write+0x5c0/0x870 ksys_write+0xf9/0x1d0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae irq event stamp: 
10687 hardirqs last enabled at (10687): [<ffffffff9ec376bd>] _raw_spin_unlock_irqrestore+0x2d/0x40 hardirqs last disabled at (10686): [<ffffffff9ec374d8>] _raw_spin_lock_irqsave+0x68/0x90 softirqs last enabled at (10684): [<ffffffff9f000608>] __do_softirq+0x608/0x940 softirqs last disabled at (10649): [<ffffffff9cdedd31>] do_softirq+0xa1/0xd0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(clock-AF_INET); <Interrupt> lock(clock-AF_INET); *** DEADLOCK *** 5 locks held by nvme/1324: #0: ffff8884a01fe470 (sb_writers#4){.+.+}-{0:0}, at: ksys_write+0xf9/0x1d0 #1: ffff8886e435c090 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x216/0x460 #2: ffff888104d90c38 (kn->active#255){++++}-{0:0}, at: kernfs_remove_self+0x22d/0x330 #3: ffff8884634538d0 (&queue->queue_lock){+.+.}-{3:3}, at: nvme_tcp_stop_queue+0x52/0xb0 [nvme_tcp] #4: ffff888363150d30 (sk_lock-AF_INET){+.+.}-{0:0}, at: inet_shutdown+0x59/0x300 stack backtrace: CPU: 26 PID: 1324 Comm: nvme Tainted: G I 5.12.0-rc3 #1 Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.10.0 11/12/2020 Call Trace: dump_stack+0x93/0xc2 mark_lock_irq.cold+0x2c/0xb3 ? verify_lock_unused+0x390/0x390 ? stack_trace_consume_entry+0x160/0x160 ? lock_downgrade+0x100/0x100 ? save_trace+0x88/0x5e0 ? _raw_spin_unlock_irqrestore+0x2d/0x40 mark_lock+0x530/0x1470 ? mark_lock_irq+0x1d10/0x1d10 ? enqueue_timer+0x660/0x660 mark_usage+0x215/0x2a0 __lock_acquire+0x79b/0x18d0 ? tcp_schedule_loss_probe.part.0+0x38c/0x520 lock_acquire+0x1ca/0x480 ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp] ? rcu_read_unlock+0x40/0x40 ? tcp_mtu_probe+0x1ae0/0x1ae0 ? kmalloc_reserve+0xa0/0xa0 ? sysfs_file_ops+0x170/0x170 _raw_read_lock+0x3d/0xa0 ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp] nvme_tcp_state_change+0x21/0x150 [nvme_tcp] ? sysfs_file_ops ---truncated---

CVE ID : CVE-2021-47041
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/06beaa1a9f6e501213195e47c30416032fd2bbd5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/60ade0d56b06537a28884745059b3801c78e03bc | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/906c538340dde6d891df89fe7dac8eaa724e40da | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/999d606a820c36ae9b9e9611360c8b3d8d4bb777 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b5332a9f3f3d884a1b646ce155e664cc558c1722 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47042

First published on : 28-02-2024 09:15:40
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Free local data after use Fixes the following memory leak in dc_link_construct(): unreferenced object 0xffffa03e81471400 (size 1024): comm "amd_module_load", pid 2486, jiffies 4294946026 (age 10.544s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000000bdf5c4a>] kmem_cache_alloc_trace+0x30a/0x4a0 [<00000000e7c59f0e>] link_create+0xce/0xac0 [amdgpu] [<000000002fb6c072>] dc_create+0x370/0x720 [amdgpu] [<000000000094d1f3>] amdgpu_dm_init+0x18e/0x17a0 [amdgpu] [<00000000bec048fd>] dm_hw_init+0x12/0x20 [amdgpu] [<00000000a2bb7cf6>] amdgpu_device_init+0x1463/0x1e60 [amdgpu] [<0000000032d3bb13>] amdgpu_driver_load_kms+0x5b/0x330 [amdgpu] [<00000000a27834f9>] amdgpu_pci_probe+0x192/0x280 [amdgpu] [<00000000fec7d291>] local_pci_probe+0x47/0xa0 [<0000000055dbbfa7>] pci_device_probe+0xe3/0x180 [<00000000815da970>] really_probe+0x1c4/0x4e0 [<00000000b4b6974b>] driver_probe_device+0x62/0x150 [<000000000f9ecc61>] device_driver_attach+0x58/0x60 [<000000000f65c843>] __driver_attach+0xd6/0x150 [<000000002f5e3683>] bus_for_each_dev+0x6a/0xc0 [<00000000a1cfc897>] driver_attach+0x1e/0x20

CVE ID : CVE-2021-47042
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/296443139f893b554dddd56a99ba8471ab5802d4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/616cf23b6cf40ad6f03ffbddfa1b6c4eb68d8ae1 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47043

First published on : 28-02-2024 09:15:40
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: media: venus: core: Fix some resource leaks in the error path of 'venus_probe()' If an error occurs after a successful 'of_icc_get()' call, it must be undone. Use 'devm_of_icc_get()' instead of 'of_icc_get()' to avoid the leak. Update the remove function accordingly and axe the now unneeded 'icc_put()' calls.

CVE ID : CVE-2021-47043
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/00b68a7478343afdf83f30c43e64db5296057030 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5a465c5391a856a0c1e9554964d660676c35d1b2 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/711acdf0228dc71601247f28b56f13e850e395c8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/940d01eceb3a7866fbfca136a55a5625fc75a565 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47044

First published on : 28-02-2024 09:15:40
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix shift-out-of-bounds in load_balance() Syzbot reported a handful of occurrences where an sd->nr_balance_failed can grow to much higher values than one would expect. A successful load_balance() resets it to 0; a failed one increments it. Once it gets to sd->cache_nice_tries + 3, this *should* trigger an active balance, which will either set it to sd->cache_nice_tries+1 or reset it to 0. However, in case the to-be-active-balanced task is not allowed to run on env->dst_cpu, then the increment is done without any further modification. This could then be repeated ad nauseam, and would explain the absurdly high values reported by syzbot (86, 149). VincentG noted there is value in letting sd->cache_nice_tries grow, so the shift itself should be fixed. That means preventing: """ If the value of the right operand is negative or is greater than or equal to the width of the promoted left operand, the behavior is undefined. """ Thus we need to cap the shift exponent to BITS_PER_TYPE(typeof(lefthand)) - 1. I had a look around for other similar cases via coccinelle: @expr@ position pos; expression E1; expression E2; @@ ( E1 >> E2@pos | E1 >> E2@pos ) @cst depends on expr@ position pos; expression expr.E1; constant cst; @@ ( E1 >> cst@pos | E1 << cst@pos ) @script:python depends on !cst@ pos << expr.pos; exp << expr.E2; @@ # Dirty hack to ignore constexpr if exp.upper() != exp: coccilib.report.print_report(pos[0], "Possible UB shift here") The only other match in kernel/sched is rq_clock_thermal() which employs sched_thermal_decay_shift, and that exponent is already capped to 10, so that one is fine.

CVE ID : CVE-2021-47044
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/2f3eab368e313dba35fc2f51ede778bf7b030b54 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/39a2a6eb5c9b66ea7c8055026303b3aa681b49a5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/805cea93e66ca7deaaf6ad3b67224ce47c104c2f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/80862cbf76c2646f709a57c4517aefe0b094c774 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47045

First published on : 28-02-2024 09:15:40
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb() It is possible to call lpfc_issue_els_plogi() passing a did for which no matching ndlp is found. A call is then made to lpfc_prep_els_iocb() with a null pointer to a lpfc_nodelist structure resulting in a null pointer dereference. Fix by returning an error status if no valid ndlp is found. Fix up comments regarding ndlp reference counting.

CVE ID : CVE-2021-47045
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/8dd1c125f7f838abad009b64bff5f0a11afe3cb6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9bdcfbed2a9fe24d2c7eaa1bad7c705e18de8cc7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a09677de458d500b00701f6036baa423d9995408 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47046

First published on : 28-02-2024 09:15:40
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix off by one in hdmi_14_process_transaction() The hdcp_i2c_offsets[] array did not have an entry for HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE so it led to an off by one read overflow. I added an entry and copied the 0x0 value for the offset from similar code in drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c. I also declared several of these arrays as having HDCP_MESSAGE_ID_MAX entries. This doesn't change the code, but it's just a belt and suspenders approach to try future proof the code.

CVE ID : CVE-2021-47046
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/080bd41d6478a64edf96704fddcda52b1fd5fed7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/403c4528e5887af3deb9838cb77a557631d1e138 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6a58310d5d1e5b02d0fc9b393ba540c9367bced5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8e6fafd5a22e7a2eb216f5510db7aab54cc545c1 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47047

First published on : 28-02-2024 09:15:40
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: spi: spi-zynqmp-gqspi: return -ENOMEM if dma_map_single fails The spi controller supports 44-bit address space on AXI in DMA mode, so set dma_addr_t width to 44-bit to avoid using a swiotlb mapping. In addition, if dma_map_single fails, it should return immediately instead of continuing the DMA operation, which is based on an invalid address. This fixes the following crash which occurs when reading a big block from flash: [ 123.633577] zynqmp-qspi ff0f0000.spi: swiotlb buffer is full (sz: 4194304 bytes), total 32768 (slots), used 0 (slots) [ 123.644230] zynqmp-qspi ff0f0000.spi: ERR:rxdma:memory not mapped [ 123.784625] Unable to handle kernel paging request at virtual address 00000000003fffc0 [ 123.792536] Mem abort info: [ 123.795313] ESR = 0x96000145 [ 123.798351] EC = 0x25: DABT (current EL), IL = 32 bits [ 123.803655] SET = 0, FnV = 0 [ 123.806693] EA = 0, S1PTW = 0 [ 123.809818] Data abort info: [ 123.812683] ISV = 0, ISS = 0x00000145 [ 123.816503] CM = 1, WnR = 1 [ 123.819455] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000805047000 [ 123.825887] [00000000003fffc0] pgd=0000000803b45003, p4d=0000000803b45003, pud=0000000000000000 [ 123.834586] Internal error: Oops: 96000145 [#1] PREEMPT SMP

CVE ID : CVE-2021-47047
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/126bdb606fd2802454e6048caef1be3e25dd121e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5980a3b9c933408bc22b0e349b78c3ebd7cbf880 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bad5a23cf2b477fa78b85fd392736dae09a1e818 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c26c026eb496261dbc0adbf606cc81989cd2038c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47048

First published on : 28-02-2024 09:15:40
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: spi: spi-zynqmp-gqspi: fix use-after-free in zynqmp_qspi_exec_op When handling op->addr, it is using the buffer "tmpbuf" which has been freed. This will trigger a use-after-free KASAN warning. Let's use temporary variables to store op->addr.val and op->cmd.opcode to fix this issue.

CVE ID : CVE-2021-47048
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1231279389b5e638bc3b66b9741c94077aed4b5a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/23269ac9f123eca3aea7682d3345c02e71ed696c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a2c5bedb2d55dd27c642c7b9fb6886d7ad7bdb58 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d67e0d6bd92ebbb0294e7062bbf5cdc773764e62 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47049

First published on : 28-02-2024 09:15:40
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Use after free in __vmbus_open() The "open_info" variable is added to the &vmbus_connection.chn_msg_list, but the error handling frees "open_info" without removing it from the list. This will result in a use after free. First remove it from the list, and then free it.

CVE ID : CVE-2021-47049
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/2728f289b3270b0e273292b46c534421a33bbfd5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3e9bf43f7f7a46f21ec071cb47be92d0874c48da | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d5c7b42c9f56ca46b286daa537d181bd7f69214f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f37dd5d1b5d38a79a4f7b8dd7bbb705505f05560 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47050

First published on : 28-02-2024 09:15:40
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: memory: renesas-rpc-if: fix possible NULL pointer dereference of resource The platform_get_resource_byname() can return NULL which would be immediately dereferenced by resource_size(). Instead dereference it after validating the resource. Addresses-Coverity: Dereference null return value

CVE ID : CVE-2021-47050
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/59e27d7c94aa02da039b000d33c304c179395801 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/71bcc1b4a1743534d8abdcb57ff912e6bc390438 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a74cb41af7dbe019e4096171f8bc641c7ce910ad | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e16acc3a37f09e18835dc5d8014942c2ef6ca957 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47051

First published on : 28-02-2024 09:15:40
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware() pm_runtime_get_sync will increment the pm usage counter even if it fails. Forgetting the put operation will result in a reference leak here. Fix it by replacing it with pm_runtime_resume_and_get to keep the usage counter balanced.

CVE ID : CVE-2021-47051
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/4a01ad002d2e03c399af536562693752af7c81b1 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6a2b5cee0d31ab6cc51030c441135b0e31217282 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a03675497970a93fcf25d81d9d92a59c2d7377a7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b8207bfc539cd07d15e753ff2d179c5b61c673b1 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ce02e58ddf8658a4c3bed2296f32a5873b3f7cce | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47052

First published on : 28-02-2024 09:15:40
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: crypto: sa2ul - Fix memory leak of rxd There are two error return paths that are not freeing rxd and causing memory leaks. Fix these. Addresses-Coverity: ("Resource leak")

CVE ID : CVE-2021-47052
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0e596b3734649041ed77edc86a23c0442bbe062b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/854b7737199848a91f6adfa0a03cf6f0c46c86e8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b7bd0657c2036add71981d88a7fae50188150b6e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/dfd6443bf49ac17adf882ca46c40c506a0284bd6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-47053

First published on : 28-02-2024 09:15:40
Last modified on : 28-02-2024 14:06:45

Description :
In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ss - Fix memory leak of pad It appears there are several failure return paths that don't seem to be freeing pad. Fix these. Addresses-Coverity: ("Resource leak")

CVE ID : CVE-2021-47053
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/2c67a9333da9d0a3b87310e0d116b7c9070c7b00 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/50274b01ac1689b1a3f6bc4b5b3dbf361a55dd3a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c633e025bd04f54d7b33331cfcdb71354b08ce59 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d3d702084d125689edb2b9395c707e09b471352e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports
