SUSE-SU-2024:2559-1 - Vulnerability-Lookup

SUSE-SU-2024:2559-1

Vulnerability from csaf_suse - Published: 2024-07-18 09:05 - Updated: 2024-07-18 09:05

Summary

Security update for the Linux Kernel (Live Patch 56 for SLE 12 SP5)

Severity

Important

Notes

Title of the patch: Security update for the Linux Kernel (Live Patch 56 for SLE 12 SP5)

Description of the patch: This update for the Linux Kernel 4.12.14-122_216 fixes several issues. The following security issues were fixed: - CVE-2021-47383: Fixed out-of-bound vmalloc access in imageblit (bsc#1225211). - CVE-2024-26923: Fixed false-positive lockdep splat for spin_lock() in __unix_gc() (bsc#1223683). - CVE-2024-26828: Fixed underflow in parse_server_interfaces() (bsc#1223363). - CVE-2021-46955: Fixed an out-of-bounds read with openvswitch, when fragmenting IPv4 packets (bsc#1220537). - CVE-2023-1829: Fixed a use-after-free vulnerability in the control index filter (tcindex) (bsc#1210619).

Patchnames: SUSE-2024-2559,SUSE-SLE-Live-Patching-12-SP5-2024-2559

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2021-46955

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2021-47383

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2023-1829

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2024-26828

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2024-26923

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/s…	self
	https://www.suse.com/support/update/announcement/…	self
	https://lists.suse.com/pipermail/sle-security-upd…	self
	https://bugzilla.suse.com/1210619	self
	https://bugzilla.suse.com/1220537	self
	https://bugzilla.suse.com/1223363	self
	https://bugzilla.suse.com/1223683	self
	https://bugzilla.suse.com/1225211	self
	https://www.suse.com/security/cve/CVE-2021-46955/	self
	https://www.suse.com/security/cve/CVE-2021-47383/	self
	https://www.suse.com/security/cve/CVE-2023-1829/	self
	https://www.suse.com/security/cve/CVE-2024-26828/	self
	https://www.suse.com/security/cve/CVE-2024-26923/	self
	https://www.suse.com/security/cve/CVE-2021-46955	external
	https://bugzilla.suse.com/1220513	external
	https://bugzilla.suse.com/1220537	external
	https://www.suse.com/security/cve/CVE-2021-47383	external
	https://bugzilla.suse.com/1225208	external
	https://bugzilla.suse.com/1225211	external
	https://www.suse.com/security/cve/CVE-2023-1829	external
	https://bugzilla.suse.com/1210335	external
	https://bugzilla.suse.com/1210619	external
	https://bugzilla.suse.com/1217444	external
	https://bugzilla.suse.com/1217531	external
	https://bugzilla.suse.com/1220886	external
	https://bugzilla.suse.com/1228311	external
	https://www.suse.com/security/cve/CVE-2024-26828	external
	https://bugzilla.suse.com/1223084	external
	https://bugzilla.suse.com/1223363	external
	https://www.suse.com/security/cve/CVE-2024-26923	external
	https://bugzilla.suse.com/1223384	external
	https://bugzilla.suse.com/1223683	external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for the Linux Kernel (Live Patch 56 for SLE 12 SP5)",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for the Linux Kernel 4.12.14-122_216 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2021-47383: Fixed out-of-bound vmalloc access in imageblit (bsc#1225211).\n- CVE-2024-26923: Fixed false-positive lockdep splat for spin_lock() in __unix_gc() (bsc#1223683).\n- CVE-2024-26828: Fixed underflow in parse_server_interfaces() (bsc#1223363).\n- CVE-2021-46955: Fixed an out-of-bounds read with openvswitch, when fragmenting IPv4 packets (bsc#1220537).\n- CVE-2023-1829: Fixed a use-after-free vulnerability in the control index filter (tcindex) (bsc#1210619).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2024-2559,SUSE-SLE-Live-Patching-12-SP5-2024-2559",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_2559-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2024:2559-1",
        "url": "https://www.suse.com/support/update/announcement/2024/suse-su-20242559-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2024:2559-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018998.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1210619",
        "url": "https://bugzilla.suse.com/1210619"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1220537",
        "url": "https://bugzilla.suse.com/1220537"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1223363",
        "url": "https://bugzilla.suse.com/1223363"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1223683",
        "url": "https://bugzilla.suse.com/1223683"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1225211",
        "url": "https://bugzilla.suse.com/1225211"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-46955 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-46955/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-47383 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-47383/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-1829 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-1829/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26828 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26828/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26923 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26923/"
      }
    ],
    "title": "Security update for the Linux Kernel (Live Patch 56 for SLE 12 SP5)",
    "tracking": {
      "current_release_date": "2024-07-18T09:05:12Z",
      "generator": {
        "date": "2024-07-18T09:05:12Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2024:2559-1",
      "initial_release_date": "2024-07-18T09:05:12Z",
      "revision_history": [
        {
          "date": "2024-07-18T09:05:12Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
                "product": {
                  "name": "kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
                  "product_id": "kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
                "product": {
                  "name": "kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
                  "product_id": "kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64",
                "product": {
                  "name": "kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64",
                  "product_id": "kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Live Patching 12 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Live Patching 12 SP5",
                  "product_id": "SUSE Linux Enterprise Live Patching 12 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-live-patching:12:sp5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le as component of SUSE Linux Enterprise Live Patching 12 SP5",
          "product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le"
        },
        "product_reference": "kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x as component of SUSE Linux Enterprise Live Patching 12 SP5",
          "product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x"
        },
        "product_reference": "kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64 as component of SUSE Linux Enterprise Live Patching 12 SP5",
          "product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
        },
        "product_reference": "kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-46955",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-46955"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: fix stack OOB read while fragmenting IPv4 packets\n\nrunning openvswitch on kernels built with KASAN, it\u0027s possible to see the\nfollowing splat while testing fragmentation of IPv4 packets:\n\n BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60\n Read of size 1 at addr ffff888112fc713c by task handler2/1367\n\n CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418\n Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014\n Call Trace:\n  dump_stack+0x92/0xc1\n  print_address_description.constprop.7+0x1a/0x150\n  kasan_report.cold.13+0x7f/0x111\n  ip_do_fragment+0x1b03/0x1f60\n  ovs_fragment+0x5bf/0x840 [openvswitch]\n  do_execute_actions+0x1bd5/0x2400 [openvswitch]\n  ovs_execute_actions+0xc8/0x3d0 [openvswitch]\n  ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch]\n  genl_family_rcv_msg_doit.isra.15+0x227/0x2d0\n  genl_rcv_msg+0x287/0x490\n  netlink_rcv_skb+0x120/0x380\n  genl_rcv+0x24/0x40\n  netlink_unicast+0x439/0x630\n  netlink_sendmsg+0x719/0xbf0\n  sock_sendmsg+0xe2/0x110\n  ____sys_sendmsg+0x5ba/0x890\n  ___sys_sendmsg+0xe9/0x160\n  __sys_sendmsg+0xd3/0x170\n  do_syscall_64+0x33/0x40\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f957079db07\n Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48\n RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07\n RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019\n RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730\n R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\n R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0\n\n The buggy address belongs to the page:\n page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7\n flags: 0x17ffffc0000000()\n raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame:\n  ovs_fragment+0x0/0x840 [openvswitch]\n\n this frame has 2 objects:\n  [32, 144) \u0027ovs_dst\u0027\n  [192, 424) \u0027ovs_rt\u0027\n\n Memory state around the buggy address:\n  ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00\n \u003effff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00\n                                         ^\n  ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00\n\nfor IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then,\nin the following call graph:\n\n  ip_do_fragment()\n    ip_skb_dst_mtu()\n      ip_dst_mtu_maybe_forward()\n        ip_mtu_locked()\n\nthe pointer to struct dst_entry is used as pointer to struct rtable: this\nturns the access to struct members like rt_mtu_locked into an OOB read in\nthe stack. Fix this changing the temporary variable used for IPv4 packets\nin ovs_fragment(), similarly to what is done for IPv6 few lines below.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-46955",
          "url": "https://www.suse.com/security/cve/CVE-2021-46955"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1220513 for CVE-2021-46955",
          "url": "https://bugzilla.suse.com/1220513"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1220537 for CVE-2021-46955",
          "url": "https://bugzilla.suse.com/1220537"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-18T09:05:12Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-46955"
    },
    {
      "cve": "CVE-2021-47383",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-47383"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: Fix out-of-bound vmalloc access in imageblit\n\nThis issue happens when a userspace program does an ioctl\nFBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct\ncontaining only the fields xres, yres, and bits_per_pixel\nwith values.\n\nIf this struct is the same as the previous ioctl, the\nvc_resize() detects it and doesn\u0027t call the resize_screen(),\nleaving the fb_var_screeninfo incomplete. And this leads to\nthe updatescrollmode() calculates a wrong value to\nfbcon_display-\u003evrows, which makes the real_y() return a\nwrong value of y, and that value, eventually, causes\nthe imageblit to access an out-of-bound address value.\n\nTo solve this issue I made the resize_screen() be called\neven if the screen does not need any resizing, so it will\n\"fix and fill\" the fb_var_screeninfo independently.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-47383",
          "url": "https://www.suse.com/security/cve/CVE-2021-47383"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1225208 for CVE-2021-47383",
          "url": "https://bugzilla.suse.com/1225208"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1225211 for CVE-2021-47383",
          "url": "https://bugzilla.suse.com/1225211"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-18T09:05:12Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-47383"
    },
    {
      "cve": "CVE-2023-1829",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-1829"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation.  The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure.  A local attacker user can use this vulnerability to elevate its privileges to root.\nWe recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-1829",
          "url": "https://www.suse.com/security/cve/CVE-2023-1829"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1210335 for CVE-2023-1829",
          "url": "https://bugzilla.suse.com/1210335"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1210619 for CVE-2023-1829",
          "url": "https://bugzilla.suse.com/1210619"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1217444 for CVE-2023-1829",
          "url": "https://bugzilla.suse.com/1217444"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1217531 for CVE-2023-1829",
          "url": "https://bugzilla.suse.com/1217531"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1220886 for CVE-2023-1829",
          "url": "https://bugzilla.suse.com/1220886"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1228311 for CVE-2023-1829",
          "url": "https://bugzilla.suse.com/1228311"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-18T09:05:12Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-1829"
    },
    {
      "cve": "CVE-2024-26828",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26828"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix underflow in parse_server_interfaces()\n\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need.  However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t.  That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26828",
          "url": "https://www.suse.com/security/cve/CVE-2024-26828"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1223084 for CVE-2024-26828",
          "url": "https://bugzilla.suse.com/1223084"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1223363 for CVE-2024-26828",
          "url": "https://bugzilla.suse.com/1223363"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-18T09:05:12Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-26828"
    },
    {
      "cve": "CVE-2024-26923",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26923"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV\u0027s fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t  if (total_refs == inflight_refs)\n\t\t\t\t\t\t    add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V\u0027s\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  if (u.inflight)\n\t\t\t\t\t\t    scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26923",
          "url": "https://www.suse.com/security/cve/CVE-2024-26923"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1223384 for CVE-2024-26923",
          "url": "https://bugzilla.suse.com/1223384"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1223683 for CVE-2024-26923",
          "url": "https://bugzilla.suse.com/1223683"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_216-default-3-8.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-18T09:05:12Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-26923"
    }
  ]
}

CVE-2024-26923 (GCVE-0-2024-26923)

Vulnerability from cvelistv5 – Published: 2024-04-24 21:49 – Updated: 2025-05-04 08:59

Title

af_unix: Fix garbage collector racing against connect()

Summary

In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a36ae0ec2353015f0…
	https://git.kernel.org/stable/c/343c5372d5e17b306…
	https://git.kernel.org/stable/c/2e2a03787f4f0abc0…
	https://git.kernel.org/stable/c/e76c2678228f6aec7…
	https://git.kernel.org/stable/c/b75722be422c276b6…
	https://git.kernel.org/stable/c/507cc232ffe53a352…
	https://git.kernel.org/stable/c/dbdf7bec5c9202000…
	https://git.kernel.org/stable/c/47d8ac011fe1c9251…

Impacted products

Vendor

Product

Version

Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < a36ae0ec2353015f0f6762e59f4c2dbc0c906423 (git)
Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < 343c5372d5e17b306db5f8f3c895539b06e3177f (git)
Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < 2e2a03787f4f0abc0072350654ab0ef3324d9db3 (git)
Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < e76c2678228f6aec74b305ae30c9374cc2f28a51 (git)
Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < b75722be422c276b699200de90527d01c602ea7c (git)
Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < 507cc232ffe53a352847893f8177d276c3b532a9 (git)
Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < dbdf7bec5c920200077d693193f989cb1513f009 (git)
Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < 47d8ac011fe1c9251070e1bd64cb10b48193ec51 (git)

Affected: 2.6.23
Unaffected: 0 , < 2.6.23 (semver)
Unaffected: 4.19.314 , ≤ 4.19.* (semver)
Unaffected: 5.4.275 , ≤ 5.4.* (semver)
Unaffected: 5.10.216 , ≤ 5.10.* (semver)
Unaffected: 5.15.156 , ≤ 5.15.* (semver)
Unaffected: 6.1.87 , ≤ 6.1.* (semver)
Unaffected: 6.6.28 , ≤ 6.6.* (semver)
Unaffected: 6.8.7 , ≤ 6.8.* (semver)
Unaffected: 6.9 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26923",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-02T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-10T19:34:43.753Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.612Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/unix/garbage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a36ae0ec2353015f0f6762e59f4c2dbc0c906423",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "343c5372d5e17b306db5f8f3c895539b06e3177f",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "2e2a03787f4f0abc0072350654ab0ef3324d9db3",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "e76c2678228f6aec74b305ae30c9374cc2f28a51",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "b75722be422c276b699200de90527d01c602ea7c",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "507cc232ffe53a352847893f8177d276c3b532a9",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "dbdf7bec5c920200077d693193f989cb1513f009",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "47d8ac011fe1c9251070e1bd64cb10b48193ec51",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/unix/garbage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.23"
            },
            {
              "lessThan": "2.6.23",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.314",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.275",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.216",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.156",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.28",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.314",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.275",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.216",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.156",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.87",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.28",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.7",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV\u0027s fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t  if (total_refs == inflight_refs)\n\t\t\t\t\t\t    add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V\u0027s\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  if (u.inflight)\n\t\t\t\t\t\t    scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:59:47.874Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423"
        },
        {
          "url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3"
        },
        {
          "url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51"
        },
        {
          "url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009"
        },
        {
          "url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51"
        }
      ],
      "title": "af_unix: Fix garbage collector racing against connect()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26923",
    "datePublished": "2024-04-24T21:49:22.001Z",
    "dateReserved": "2024-02-19T14:20:24.194Z",
    "dateUpdated": "2025-05-04T08:59:47.874Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-26828 (GCVE-0-2024-26828)

Vulnerability from cvelistv5 – Published: 2024-04-17 09:43 – Updated: 2025-05-04 08:57

Title

cifs: fix underflow in parse_server_interfaces()

Summary

In the Linux kernel, the following vulnerability has been resolved: cifs: fix underflow in parse_server_interfaces() In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that "bytes_left" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending.

Severity ?

6.7 (Medium)


                        
                          CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7190353835b4a219a…
	https://git.kernel.org/stable/c/f7ff1c89fb6e9610d…
	https://git.kernel.org/stable/c/df2af9fdbc4ddde18…
	https://git.kernel.org/stable/c/cffe487026be13eaf…

Impacted products

Vendor

Product

Version

Affected: fe856be475f7cf5ffcde57341d175ce9fd09434b , < 7190353835b4a219abb70f90b06cdcae97f11512 (git)
Affected: fe856be475f7cf5ffcde57341d175ce9fd09434b , < f7ff1c89fb6e9610d2b01c1821727729e6609308 (git)
Affected: fe856be475f7cf5ffcde57341d175ce9fd09434b , < df2af9fdbc4ddde18a3371c4ca1a86596e8be301 (git)
Affected: fe856be475f7cf5ffcde57341d175ce9fd09434b , < cffe487026be13eaf37ea28b783d9638ab147204 (git)

Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 6.1.79 , ≤ 6.1.* (semver)
Unaffected: 6.6.18 , ≤ 6.6.* (semver)
Unaffected: 6.7.6 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "ADJACENT_NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.7,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-26828",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-12T17:36:16.490979Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-04T18:28:47.130Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.603Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7190353835b4a219abb70f90b06cdcae97f11512"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f7ff1c89fb6e9610d2b01c1821727729e6609308"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/df2af9fdbc4ddde18a3371c4ca1a86596e8be301"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cffe487026be13eaf37ea28b783d9638ab147204"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7190353835b4a219abb70f90b06cdcae97f11512",
              "status": "affected",
              "version": "fe856be475f7cf5ffcde57341d175ce9fd09434b",
              "versionType": "git"
            },
            {
              "lessThan": "f7ff1c89fb6e9610d2b01c1821727729e6609308",
              "status": "affected",
              "version": "fe856be475f7cf5ffcde57341d175ce9fd09434b",
              "versionType": "git"
            },
            {
              "lessThan": "df2af9fdbc4ddde18a3371c4ca1a86596e8be301",
              "status": "affected",
              "version": "fe856be475f7cf5ffcde57341d175ce9fd09434b",
              "versionType": "git"
            },
            {
              "lessThan": "cffe487026be13eaf37ea28b783d9638ab147204",
              "status": "affected",
              "version": "fe856be475f7cf5ffcde57341d175ce9fd09434b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.79",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.18",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.6",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix underflow in parse_server_interfaces()\n\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need.  However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t.  That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:57:25.809Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7190353835b4a219abb70f90b06cdcae97f11512"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7ff1c89fb6e9610d2b01c1821727729e6609308"
        },
        {
          "url": "https://git.kernel.org/stable/c/df2af9fdbc4ddde18a3371c4ca1a86596e8be301"
        },
        {
          "url": "https://git.kernel.org/stable/c/cffe487026be13eaf37ea28b783d9638ab147204"
        }
      ],
      "title": "cifs: fix underflow in parse_server_interfaces()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26828",
    "datePublished": "2024-04-17T09:43:52.995Z",
    "dateReserved": "2024-02-19T14:20:24.181Z",
    "dateUpdated": "2025-05-04T08:57:25.809Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-1829 (GCVE-0-2023-1829)

Vulnerability from cvelistv5 – Published: 2023-04-12 11:16 – Updated: 2025-02-13 16:39

Title

Use-after-free in tcindex (traffic control index filter) in the Linux Kernel

Summary

A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root. We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Google

References

URL

Tags

	https://git.kernel.org/pub/scm/linux/kernel/git/t…
	https://kernel.dance/#8c710f75256bb3cf05ac7b1672c…
	https://lists.debian.org/debian-lts-announce/2023…
	https://lists.debian.org/debian-lts-announce/2023…
	https://security.netapp.com/advisory/ntap-2023060…

Impacted products

	Vendor	Product	Version
	Linux	Linux Kernel	Affected: 3.8 , ≤ 6.2 (custom)

Date Public ?

2023-02-16 08:27

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:05:26.153Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c710f75256bb3cf05ac7b1672c82b92c43f3d28"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://kernel.dance/#8c710f75256bb3cf05ac7b1672c82b92c43f3d28"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230601-0001/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-1829",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-07T15:50:09.128361Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-07T15:50:15.160Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "kernel",
          "product": "Linux Kernel",
          "repo": "https://git.kernel.org",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.2",
              "status": "affected",
              "version": "3.8",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2023-02-16T08:27:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecan be exploited to achieve local privilege escalation\u003c/span\u003e.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure.\u0026nbsp;\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eA local attacker user can use this vulnerability to elevate its privileges to root.\u003cbr\u003e\u003c/span\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWe recommend upgrading past commit \u003c/span\u003e \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c710f75256bb3cf05ac7b1672c82b92c43f3d28\"\u003e8c710f75256bb3cf05ac7b1672c82b92c43f3d28\u003c/a\u003e.\u003c/p\u003e"
            }
          ],
          "value": "A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation.\u00a0The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure.\u00a0A local attacker user can use this vulnerability to elevate its privileges to root.\nWe recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-01T13:06:20.579Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c710f75256bb3cf05ac7b1672c82b92c43f3d28"
        },
        {
          "url": "https://kernel.dance/#8c710f75256bb3cf05ac7b1672c82b92c43f3d28"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230601-0001/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Use-after-free in tcindex (traffic control index filter) in the Linux Kernel",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2023-1829",
    "datePublished": "2023-04-12T11:16:59.101Z",
    "dateReserved": "2023-04-04T10:32:43.055Z",
    "dateUpdated": "2025-02-13T16:39:39.975Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-46955 (GCVE-0-2021-46955)

Vulnerability from cvelistv5 – Published: 2024-02-27 18:46 – Updated: 2025-05-04 12:40

Title

openvswitch: fix stack OOB read while fragmenting IPv4 packets

Summary

In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix stack OOB read while fragmenting IPv4 packets running openvswitch on kernels built with KASAN, it's possible to see the following splat while testing fragmentation of IPv4 packets: BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60 Read of size 1 at addr ffff888112fc713c by task handler2/1367 CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 Call Trace: dump_stack+0x92/0xc1 print_address_description.constprop.7+0x1a/0x150 kasan_report.cold.13+0x7f/0x111 ip_do_fragment+0x1b03/0x1f60 ovs_fragment+0x5bf/0x840 [openvswitch] do_execute_actions+0x1bd5/0x2400 [openvswitch] ovs_execute_actions+0xc8/0x3d0 [openvswitch] ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch] genl_family_rcv_msg_doit.isra.15+0x227/0x2d0 genl_rcv_msg+0x287/0x490 netlink_rcv_skb+0x120/0x380 genl_rcv+0x24/0x40 netlink_unicast+0x439/0x630 netlink_sendmsg+0x719/0xbf0 sock_sendmsg+0xe2/0x110 ____sys_sendmsg+0x5ba/0x890 ___sys_sendmsg+0xe9/0x160 __sys_sendmsg+0xd3/0x170 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f957079db07 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48 RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07 RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019 RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0 The buggy address belongs to the page: page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7 flags: 0x17ffffc0000000() raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame: ovs_fragment+0x0/0x840 [openvswitch] this frame has 2 objects: [32, 144) 'ovs_dst' [192, 424) 'ovs_rt' Memory state around the buggy address: ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 ^ ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 for IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then, in the following call graph: ip_do_fragment() ip_skb_dst_mtu() ip_dst_mtu_maybe_forward() ip_mtu_locked() the pointer to struct dst_entry is used as pointer to struct rtable: this turns the access to struct members like rt_mtu_locked into an OOB read in the stack. Fix this changing the temporary variable used for IPv4 packets in ovs_fragment(), similarly to what is done for IPv6 few lines below.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b1d7280f9ba1bfdbc…
	https://git.kernel.org/stable/c/23e17ec1a5eb53fe3…
	https://git.kernel.org/stable/c/5a52fa8ad45b5a593…
	https://git.kernel.org/stable/c/df9e900de24637be4…
	https://git.kernel.org/stable/c/490ad0a2390442d0a…
	https://git.kernel.org/stable/c/a1478374b0bda89b4…
	https://git.kernel.org/stable/c/d841d3cf5297fde4c…
	https://git.kernel.org/stable/c/b3502b04e84ac5349…
	https://git.kernel.org/stable/c/7c0ea5930c1c21193…

Impacted products

Vendor

Product

Version

Affected: 119bbaa6795a4f4aed46994cc7d9ab01989c87e3 , < b1d7280f9ba1bfdbc3af5bdb82e51f014854f26f (git)
Affected: d543907a4730400f5c5b684c57cb5bbbfd6136ab , < 23e17ec1a5eb53fe39cc34fa5592686d5acd0dac (git)
Affected: 8387fbac8e18e26a60559adc63e0b7067303b0a4 , < 5a52fa8ad45b5a593ed416adf326538638454ff1 (git)
Affected: d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 , < df9e900de24637be41879e2c50afb713ec4e8b2e (git)
Affected: d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 , < 490ad0a2390442d0a7b8c00972a83dbb09cab142 (git)
Affected: d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 , < a1478374b0bda89b4277a8afd39208271faad4be (git)
Affected: d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 , < d841d3cf5297fde4ce6a41ff35451d0e82917f3e (git)
Affected: d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 , < b3502b04e84ac5349be95fc033c17bd701d2787a (git)
Affected: d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 , < 7c0ea5930c1c211931819d83cfb157bff1539a4c (git)
Affected: df9ece1148e2ec242871623dedb004f7a1387125 (git)

Affected: 4.16
Unaffected: 0 , < 4.16 (semver)
Unaffected: 4.4.269 , ≤ 4.4.* (semver)
Unaffected: 4.9.269 , ≤ 4.9.* (semver)
Unaffected: 4.14.233 , ≤ 4.14.* (semver)
Unaffected: 4.19.191 , ≤ 4.19.* (semver)
Unaffected: 5.4.118 , ≤ 5.4.* (semver)
Unaffected: 5.10.36 , ≤ 5.10.* (semver)
Unaffected: 5.11.20 , ≤ 5.11.* (semver)
Unaffected: 5.12.3 , ≤ 5.12.* (semver)
Unaffected: 5.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-46955",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-28T17:01:12.713223Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-28T17:01:24.427Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:17:42.889Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b1d7280f9ba1bfdbc3af5bdb82e51f014854f26f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/23e17ec1a5eb53fe39cc34fa5592686d5acd0dac"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5a52fa8ad45b5a593ed416adf326538638454ff1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/df9e900de24637be41879e2c50afb713ec4e8b2e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/490ad0a2390442d0a7b8c00972a83dbb09cab142"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a1478374b0bda89b4277a8afd39208271faad4be"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d841d3cf5297fde4ce6a41ff35451d0e82917f3e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b3502b04e84ac5349be95fc033c17bd701d2787a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7c0ea5930c1c211931819d83cfb157bff1539a4c"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/actions.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b1d7280f9ba1bfdbc3af5bdb82e51f014854f26f",
              "status": "affected",
              "version": "119bbaa6795a4f4aed46994cc7d9ab01989c87e3",
              "versionType": "git"
            },
            {
              "lessThan": "23e17ec1a5eb53fe39cc34fa5592686d5acd0dac",
              "status": "affected",
              "version": "d543907a4730400f5c5b684c57cb5bbbfd6136ab",
              "versionType": "git"
            },
            {
              "lessThan": "5a52fa8ad45b5a593ed416adf326538638454ff1",
              "status": "affected",
              "version": "8387fbac8e18e26a60559adc63e0b7067303b0a4",
              "versionType": "git"
            },
            {
              "lessThan": "df9e900de24637be41879e2c50afb713ec4e8b2e",
              "status": "affected",
              "version": "d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221",
              "versionType": "git"
            },
            {
              "lessThan": "490ad0a2390442d0a7b8c00972a83dbb09cab142",
              "status": "affected",
              "version": "d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221",
              "versionType": "git"
            },
            {
              "lessThan": "a1478374b0bda89b4277a8afd39208271faad4be",
              "status": "affected",
              "version": "d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221",
              "versionType": "git"
            },
            {
              "lessThan": "d841d3cf5297fde4ce6a41ff35451d0e82917f3e",
              "status": "affected",
              "version": "d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221",
              "versionType": "git"
            },
            {
              "lessThan": "b3502b04e84ac5349be95fc033c17bd701d2787a",
              "status": "affected",
              "version": "d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221",
              "versionType": "git"
            },
            {
              "lessThan": "7c0ea5930c1c211931819d83cfb157bff1539a4c",
              "status": "affected",
              "version": "d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "df9ece1148e2ec242871623dedb004f7a1387125",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/actions.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.16"
            },
            {
              "lessThan": "4.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.4.*",
              "status": "unaffected",
              "version": "4.4.269",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.269",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.233",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.191",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.11.*",
              "status": "unaffected",
              "version": "5.11.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.12.*",
              "status": "unaffected",
              "version": "5.12.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.4.269",
                  "versionStartIncluding": "4.4.134",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.269",
                  "versionStartIncluding": "4.9.104",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.233",
                  "versionStartIncluding": "4.14.45",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.191",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.118",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.36",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.11.20",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.12.3",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.13",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.16.57",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: fix stack OOB read while fragmenting IPv4 packets\n\nrunning openvswitch on kernels built with KASAN, it\u0027s possible to see the\nfollowing splat while testing fragmentation of IPv4 packets:\n\n BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60\n Read of size 1 at addr ffff888112fc713c by task handler2/1367\n\n CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418\n Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014\n Call Trace:\n  dump_stack+0x92/0xc1\n  print_address_description.constprop.7+0x1a/0x150\n  kasan_report.cold.13+0x7f/0x111\n  ip_do_fragment+0x1b03/0x1f60\n  ovs_fragment+0x5bf/0x840 [openvswitch]\n  do_execute_actions+0x1bd5/0x2400 [openvswitch]\n  ovs_execute_actions+0xc8/0x3d0 [openvswitch]\n  ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch]\n  genl_family_rcv_msg_doit.isra.15+0x227/0x2d0\n  genl_rcv_msg+0x287/0x490\n  netlink_rcv_skb+0x120/0x380\n  genl_rcv+0x24/0x40\n  netlink_unicast+0x439/0x630\n  netlink_sendmsg+0x719/0xbf0\n  sock_sendmsg+0xe2/0x110\n  ____sys_sendmsg+0x5ba/0x890\n  ___sys_sendmsg+0xe9/0x160\n  __sys_sendmsg+0xd3/0x170\n  do_syscall_64+0x33/0x40\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f957079db07\n Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48\n RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07\n RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019\n RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730\n R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\n R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0\n\n The buggy address belongs to the page:\n page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7\n flags: 0x17ffffc0000000()\n raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame:\n  ovs_fragment+0x0/0x840 [openvswitch]\n\n this frame has 2 objects:\n  [32, 144) \u0027ovs_dst\u0027\n  [192, 424) \u0027ovs_rt\u0027\n\n Memory state around the buggy address:\n  ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00\n \u003effff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00\n                                         ^\n  ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00\n\nfor IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then,\nin the following call graph:\n\n  ip_do_fragment()\n    ip_skb_dst_mtu()\n      ip_dst_mtu_maybe_forward()\n        ip_mtu_locked()\n\nthe pointer to struct dst_entry is used as pointer to struct rtable: this\nturns the access to struct members like rt_mtu_locked into an OOB read in\nthe stack. Fix this changing the temporary variable used for IPv4 packets\nin ovs_fragment(), similarly to what is done for IPv6 few lines below."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:40:36.828Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b1d7280f9ba1bfdbc3af5bdb82e51f014854f26f"
        },
        {
          "url": "https://git.kernel.org/stable/c/23e17ec1a5eb53fe39cc34fa5592686d5acd0dac"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a52fa8ad45b5a593ed416adf326538638454ff1"
        },
        {
          "url": "https://git.kernel.org/stable/c/df9e900de24637be41879e2c50afb713ec4e8b2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/490ad0a2390442d0a7b8c00972a83dbb09cab142"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1478374b0bda89b4277a8afd39208271faad4be"
        },
        {
          "url": "https://git.kernel.org/stable/c/d841d3cf5297fde4ce6a41ff35451d0e82917f3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3502b04e84ac5349be95fc033c17bd701d2787a"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c0ea5930c1c211931819d83cfb157bff1539a4c"
        }
      ],
      "title": "openvswitch: fix stack OOB read while fragmenting IPv4 packets",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-46955",
    "datePublished": "2024-02-27T18:46:57.428Z",
    "dateReserved": "2024-02-27T18:42:55.937Z",
    "dateUpdated": "2025-05-04T12:40:36.828Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-47383 (GCVE-0-2021-47383)

Vulnerability from cvelistv5 – Published: 2024-05-21 15:03 – Updated: 2025-12-18 11:37

Title

tty: Fix out-of-bound vmalloc access in imageblit

Summary

In the Linux kernel, the following vulnerability has been resolved: tty: Fix out-of-bound vmalloc access in imageblit This issue happens when a userspace program does an ioctl FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct containing only the fields xres, yres, and bits_per_pixel with values. If this struct is the same as the previous ioctl, the vc_resize() detects it and doesn't call the resize_screen(), leaving the fb_var_screeninfo incomplete. And this leads to the updatescrollmode() calculates a wrong value to fbcon_display->vrows, which makes the real_y() return a wrong value of y, and that value, eventually, causes the imageblit to access an out-of-bound address value. To solve this issue I made the resize_screen() be called even if the screen does not need any resizing, so it will "fix and fill" the fb_var_screeninfo independently.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7e71fcedfda6f7de1…
	https://git.kernel.org/stable/c/70aed03b1d5a5df97…
	https://git.kernel.org/stable/c/067c694d06040db6f…
	https://git.kernel.org/stable/c/8a6a240f52e143563…
	https://git.kernel.org/stable/c/883f7897a25e3ce14…
	https://git.kernel.org/stable/c/d570c48dd37dbe8fc…
	https://git.kernel.org/stable/c/699d926585daa6ec4…
	https://git.kernel.org/stable/c/3b0c406124719b625…

Impacted products

Vendor

Product

Version

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7e71fcedfda6f7de18f850a6b36e78d78b04476f (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 70aed03b1d5a5df974f456cdc8eedb213c94bb8b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 067c694d06040db6f0c65281bb358452ca6d85b9 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8a6a240f52e14356386030d8958ae8b1761d2325 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 883f7897a25e3ce14a7f274ca4c73f49ac84002a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d570c48dd37dbe8fc6875d4461d01a9554ae2560 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 699d926585daa6ec44be556cdc1ab89e5d54557b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3b0c406124719b625b1aba431659f5cdc24a982c (git)

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 4.4.286 , ≤ 4.4.* (semver)
Unaffected: 4.9.285 , ≤ 4.9.* (semver)
Unaffected: 4.14.249 , ≤ 4.14.* (semver)
Unaffected: 4.19.209 , ≤ 4.19.* (semver)
Unaffected: 5.4.151 , ≤ 5.4.* (semver)
Unaffected: 5.10.71 , ≤ 5.10.* (semver)
Unaffected: 5.14.10 , ≤ 5.14.* (semver)
Unaffected: 5.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47383",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-17T17:37:20.634635Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-17T17:38:08.205Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.468Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7e71fcedfda6f7de18f850a6b36e78d78b04476f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/70aed03b1d5a5df974f456cdc8eedb213c94bb8b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/067c694d06040db6f0c65281bb358452ca6d85b9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8a6a240f52e14356386030d8958ae8b1761d2325"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/883f7897a25e3ce14a7f274ca4c73f49ac84002a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d570c48dd37dbe8fc6875d4461d01a9554ae2560"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/699d926585daa6ec44be556cdc1ab89e5d54557b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3b0c406124719b625b1aba431659f5cdc24a982c"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/vt/vt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7e71fcedfda6f7de18f850a6b36e78d78b04476f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "70aed03b1d5a5df974f456cdc8eedb213c94bb8b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "067c694d06040db6f0c65281bb358452ca6d85b9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8a6a240f52e14356386030d8958ae8b1761d2325",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "883f7897a25e3ce14a7f274ca4c73f49ac84002a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d570c48dd37dbe8fc6875d4461d01a9554ae2560",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "699d926585daa6ec44be556cdc1ab89e5d54557b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3b0c406124719b625b1aba431659f5cdc24a982c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/vt/vt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.4.*",
              "status": "unaffected",
              "version": "4.4.286",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.285",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.249",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.71",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.14.*",
              "status": "unaffected",
              "version": "5.14.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.4.286",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.285",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.249",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.209",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.151",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.71",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.14.10",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: Fix out-of-bound vmalloc access in imageblit\n\nThis issue happens when a userspace program does an ioctl\nFBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct\ncontaining only the fields xres, yres, and bits_per_pixel\nwith values.\n\nIf this struct is the same as the previous ioctl, the\nvc_resize() detects it and doesn\u0027t call the resize_screen(),\nleaving the fb_var_screeninfo incomplete. And this leads to\nthe updatescrollmode() calculates a wrong value to\nfbcon_display-\u003evrows, which makes the real_y() return a\nwrong value of y, and that value, eventually, causes\nthe imageblit to access an out-of-bound address value.\n\nTo solve this issue I made the resize_screen() be called\neven if the screen does not need any resizing, so it will\n\"fix and fill\" the fb_var_screeninfo independently."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-18T11:37:17.172Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7e71fcedfda6f7de18f850a6b36e78d78b04476f"
        },
        {
          "url": "https://git.kernel.org/stable/c/70aed03b1d5a5df974f456cdc8eedb213c94bb8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/067c694d06040db6f0c65281bb358452ca6d85b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a6a240f52e14356386030d8958ae8b1761d2325"
        },
        {
          "url": "https://git.kernel.org/stable/c/883f7897a25e3ce14a7f274ca4c73f49ac84002a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d570c48dd37dbe8fc6875d4461d01a9554ae2560"
        },
        {
          "url": "https://git.kernel.org/stable/c/699d926585daa6ec44be556cdc1ab89e5d54557b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b0c406124719b625b1aba431659f5cdc24a982c"
        }
      ],
      "title": "tty: Fix out-of-bound vmalloc access in imageblit",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47383",
    "datePublished": "2024-05-21T15:03:44.286Z",
    "dateReserved": "2024-05-21T14:58:30.812Z",
    "dateUpdated": "2025-12-18T11:37:17.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.