Commit

Advisory Database Sync
advisory-database[bot] committed Dec 30, 2024
1 parent e367ce3 commit 2768dbc
Showing 51 changed files with 969 additions and 137 deletions.
@@ -1,13 +1,18 @@
{
"schema_version": "1.4.0",
"id": "GHSA-2hh5-254v-jpf4",
"modified": "2024-05-21T15:31:40Z",
"modified": "2024-12-30T21:30:46Z",
"published": "2024-05-21T15:31:40Z",
"aliases": [
"CVE-2021-47247"
],
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix use-after-free of encap entry in neigh update handler\n\nFunction mlx5e_rep_neigh_update() wasn't updated to accommodate rtnl lock\nremoval from TC filter update path and properly handle concurrent encap\nentry insertion/deletion which can lead to following use-after-free:\n\n [23827.464923] ==================================================================\n [23827.469446] BUG: KASAN: use-after-free in mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.470971] Read of size 4 at addr ffff8881d132228c by task kworker/u20:6/21635\n [23827.472251]\n [23827.472615] CPU: 9 PID: 21635 Comm: kworker/u20:6 Not tainted 5.13.0-rc3+ #5\n [23827.473788] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n [23827.475639] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]\n [23827.476731] Call Trace:\n [23827.477260] dump_stack+0xbb/0x107\n [23827.477906] print_address_description.constprop.0+0x18/0x140\n [23827.478896] ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.479879] ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.480905] kasan_report.cold+0x7c/0xd8\n [23827.481701] ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.482744] kasan_check_range+0x145/0x1a0\n [23827.493112] mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.494054] ? mlx5e_tc_tun_encap_info_equal_generic+0x140/0x140 [mlx5_core]\n [23827.495296] mlx5e_rep_neigh_update+0x41e/0x5e0 [mlx5_core]\n [23827.496338] ? mlx5e_rep_neigh_entry_release+0xb80/0xb80 [mlx5_core]\n [23827.497486] ? read_word_at_a_time+0xe/0x20\n [23827.498250] ? strscpy+0xa0/0x2a0\n [23827.498889] process_one_work+0x8ac/0x14e0\n [23827.499638] ? lockdep_hardirqs_on_prepare+0x400/0x400\n [23827.500537] ? pwq_dec_nr_in_flight+0x2c0/0x2c0\n [23827.501359] ? rwlock_bug.part.0+0x90/0x90\n [23827.502116] worker_thread+0x53b/0x1220\n [23827.502831] ? 
process_one_work+0x14e0/0x14e0\n [23827.503627] kthread+0x328/0x3f0\n [23827.504254] ? _raw_spin_unlock_irq+0x24/0x40\n [23827.505065] ? __kthread_bind_mask+0x90/0x90\n [23827.505912] ret_from_fork+0x1f/0x30\n [23827.506621]\n [23827.506987] Allocated by task 28248:\n [23827.507694] kasan_save_stack+0x1b/0x40\n [23827.508476] __kasan_kmalloc+0x7c/0x90\n [23827.509197] mlx5e_attach_encap+0xde1/0x1d40 [mlx5_core]\n [23827.510194] mlx5e_tc_add_fdb_flow+0x397/0xc40 [mlx5_core]\n [23827.511218] __mlx5e_add_fdb_flow+0x519/0xb30 [mlx5_core]\n [23827.512234] mlx5e_configure_flower+0x191c/0x4870 [mlx5_core]\n [23827.513298] tc_setup_cb_add+0x1d5/0x420\n [23827.514023] fl_hw_replace_filter+0x382/0x6a0 [cls_flower]\n [23827.514975] fl_change+0x2ceb/0x4a51 [cls_flower]\n [23827.515821] tc_new_tfilter+0x89a/0x2070\n [23827.516548] rtnetlink_rcv_msg+0x644/0x8c0\n [23827.517300] netlink_rcv_skb+0x11d/0x340\n [23827.518021] netlink_unicast+0x42b/0x700\n [23827.518742] netlink_sendmsg+0x743/0xc20\n [23827.519467] sock_sendmsg+0xb2/0xe0\n [23827.520131] ____sys_sendmsg+0x590/0x770\n [23827.520851] ___sys_sendmsg+0xd8/0x160\n [23827.521552] __sys_sendmsg+0xb7/0x140\n [23827.522238] do_syscall_64+0x3a/0x70\n [23827.522907] entry_SYSCALL_64_after_hwframe+0x44/0xae\n [23827.523797]\n [23827.524163] Freed by task 25948:\n [23827.524780] kasan_save_stack+0x1b/0x40\n [23827.525488] kasan_set_track+0x1c/0x30\n [23827.526187] kasan_set_free_info+0x20/0x30\n [23827.526968] __kasan_slab_free+0xed/0x130\n [23827.527709] slab_free_freelist_hook+0xcf/0x1d0\n [23827.528528] kmem_cache_free_bulk+0x33a/0x6e0\n [23827.529317] kfree_rcu_work+0x55f/0xb70\n [23827.530024] process_one_work+0x8ac/0x14e0\n [23827.530770] worker_thread+0x53b/0x1220\n [23827.531480] kthread+0x328/0x3f0\n [23827.532114] ret_from_fork+0x1f/0x30\n [23827.532785]\n [23827.533147] Last potentially related work creation:\n [23827.534007] kasan_save_stack+0x1b/0x40\n [23827.534710] kasan_record_aux_stack+0xab/0xc0\n [23827.535492] 
kvfree_call_rcu+0x31/0x7b0\n [23827.536206] mlx5e_tc_del\n---truncated---",
"severity": [],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [],
"references": [
{
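Review bot: "affected": [] stays empty in the context right after the new severity block, so this entry now carries a CVSS vector but still names no package or version range, and tooling that matches on affected ranges will not surface it. The same empty field appears in the other files shown in this commit; if the sync source has no range data, say so in the commit message. Also, "details" stops at "mlx5e_tc_del\n---truncated---" in the middle of the KASAN trace, so whatever followed the trace in the original description is not in this record.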
Expand All @@ -24,8 +29,10 @@
}
],
"database_specific": {
"cwe_ids": [],
"severity": null,
"cwe_ids": [
"CWE-416"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:13Z"
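Review bot: "severity": "HIGH" and CWE-416 are set while "github_reviewed": false and "github_reviewed_at": null remain unchanged at the end of this hunk, so the rating is an unreviewed import and consumers should be able to tell that from the record. The values themselves are consistent: the vector added in the first hunk (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) scores 7.8, and CWE-416 matches the use-after-free named in "details".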
@@ -1,13 +1,18 @@
{
"schema_version": "1.4.0",
"id": "GHSA-2m8j-fx85-xvhm",
"modified": "2024-06-26T00:31:43Z",
"modified": "2024-12-30T21:30:45Z",
"published": "2024-05-19T09:34:47Z",
"aliases": [
"CVE-2024-35905"
],
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Protect against int overflow for stack access size\n\nThis patch re-introduces protection against the size of access to stack\nmemory being negative; the access size can appear negative as a result\nof overflowing its signed int representation. This should not actually\nhappen, as there are other protections along the way, but we should\nprotect against it anyway. One code path was missing such protections\n(fixed in the previous patch in the series), causing out-of-bounds array\naccesses in check_stack_range_initialized(). This patch causes the\nverification of a program with such a non-sensical access size to fail.\n\nThis check used to exist in a more indirect way, but was inadvertendly\nremoved in a833a17aeac7.",
"severity": [],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [],
"references": [
{
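Review bot: the new vector rates C:H/I:H/A:H, but "details" describes this change as a re-added safeguard ("This should not actually happen, as there are other protections along the way") and attributes the out-of-bounds accesses in check_stack_range_initialized() to a code path "fixed in the previous patch in the series". Worth confirming that the score belongs on this entry and is not duplicating the rating of the entry for that previous patch.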
Expand Down Expand Up @@ -44,8 +49,10 @@
}
],
"database_specific": {
"cwe_ids": [],
"severity": null,
"cwe_ids": [
"CWE-129"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-19T09:15:11Z"
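Review bot: "cwe_ids" lists only CWE-129, which covers the out-of-bounds array access, while the "details" text in the first hunk gives the cause as the access size overflowing its signed int representation. Consider listing CWE-190 alongside it so the entry can be found by root cause as well as by consequence.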
@@ -1,13 +1,18 @@
{
"schema_version": "1.4.0",
"id": "GHSA-2pp7-rwqg-2gcx",
"modified": "2024-05-21T15:31:45Z",
"modified": "2024-12-30T21:30:46Z",
"published": "2024-05-21T15:31:45Z",
"aliases": [
"CVE-2021-47409"
],
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value.",
"severity": [],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"affected": [],
"references": [
{
Expand Down Expand Up @@ -40,8 +45,10 @@
}
],
"database_specific": {
"cwe_ids": [],
"severity": null,
"cwe_ids": [
"CWE-476"
],
"severity": "MODERATE",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:26Z"
@@ -1,13 +1,18 @@
{
"schema_version": "1.4.0",
"id": "GHSA-2r6r-v6fp-6x6r",
"modified": "2024-12-02T09:39:11Z",
"modified": "2024-12-30T21:30:46Z",
"published": "2024-05-21T18:31:21Z",
"aliases": [
"CVE-2023-52812"
],
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: check num of link levels when update pcie param\n\nIn SR-IOV environment, the value of pcie_table->num_of_link_levels will\nbe 0, and num_of_levels - 1 will cause array index out of bounds",
"severity": [],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [],
"references": [
{
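Review bot: the vector sets I:H, but "details" only says that "num_of_levels - 1 will cause array index out of bounds" when pcie_table->num_of_link_levels is 0, without stating whether the out-of-bounds access is a read or a write. The integrity component cannot be checked from this record alone; a reference to the fix commit in the description would let a reader verify it.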
Expand All @@ -32,8 +37,10 @@
}
],
"database_specific": {
"cwe_ids": [],
"severity": null,
"cwe_ids": [
"CWE-129"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:19Z"
@@ -1,13 +1,18 @@
{
"schema_version": "1.4.0",
"id": "GHSA-44v6-xcjw-whc3",
"modified": "2024-05-21T18:31:21Z",
"modified": "2024-12-30T21:30:46Z",
"published": "2024-05-21T18:31:21Z",
"aliases": [
"CVE-2023-52818"
],
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix UBSAN array-index-out-of-bounds for SMU7\n\nFor pptable structs that use flexible array sizes, use flexible arrays.",
"severity": [],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [],
"references": [
{
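Review bot: the C:H/I:H/A:H vector added here has nothing in "details" to support it. The description is a single sentence about a UBSAN array-index-out-of-bounds report and a switch to flexible arrays in the pptable structs, with no statement of what memory is reached or what an attacker gains. Flag this entry for manual review before the score is relied on.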
Expand Down Expand Up @@ -52,8 +57,10 @@
}
],
"database_specific": {
"cwe_ids": [],
"severity": null,
"cwe_ids": [
"CWE-129"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:19Z"
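Review bot: CWE-129 in "cwe_ids" implies an index that is not validated before use, whereas the "details" text in the first hunk describes a change to how the arrays are declared ("For pptable structs that use flexible array sizes, use flexible arrays"). The record does not show an index leaving the allocation, so the CWE assignment should be confirmed against the fix rather than taken from the UBSAN wording.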
@@ -1,13 +1,18 @@
{
"schema_version": "1.4.0",
"id": "GHSA-4g8g-hf76-7rpm",
"modified": "2024-05-21T18:31:22Z",
"modified": "2024-12-30T21:30:46Z",
"published": "2024-05-21T18:31:22Z",
"aliases": [
"CVE-2023-52852"
],
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to avoid use-after-free on dic\n\nCall trace:\n __memcpy+0x128/0x250\n f2fs_read_multi_pages+0x940/0xf7c\n f2fs_mpage_readpages+0x5a8/0x624\n f2fs_readahead+0x5c/0x110\n page_cache_ra_unbounded+0x1b8/0x590\n do_sync_mmap_readahead+0x1dc/0x2e4\n filemap_fault+0x254/0xa8c\n f2fs_filemap_fault+0x2c/0x104\n __do_fault+0x7c/0x238\n do_handle_mm_fault+0x11bc/0x2d14\n do_mem_abort+0x3a8/0x1004\n el0_da+0x3c/0xa0\n el0t_64_sync_handler+0xc4/0xec\n el0t_64_sync+0x1b4/0x1b8\n\nIn f2fs_read_multi_pages(), once f2fs_decompress_cluster() was called if\nwe hit cached page in compress_inode's cache, dic may be released, it needs\nbreak the loop rather than continuing it, in order to avoid accessing\ninvalid dic pointer.",
"severity": [],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [],
"references": [
{
Expand Down Expand Up @@ -36,8 +41,10 @@
}
],
"database_specific": {
"cwe_ids": [],
"severity": null,
"cwe_ids": [
"CWE-416"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:22Z"
@@ -1,13 +1,18 @@
{
"schema_version": "1.4.0",
"id": "GHSA-4mc8-63f2-q4p2",
"modified": "2024-05-21T18:31:22Z",
"modified": "2024-12-30T21:30:46Z",
"published": "2024-05-21T18:31:22Z",
"aliases": [
"CVE-2023-52826"
],
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel/panel-tpo-tpg110: fix a possible null pointer dereference\n\nIn tpg110_get_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate(). Add a check to avoid npd.",
"severity": [],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"affected": [],
"references": [
{
Expand Down Expand Up @@ -40,8 +45,10 @@
}
],
"database_specific": {
"cwe_ids": [],
"severity": null,
"cwe_ids": [
"CWE-476"
],
"severity": "MODERATE",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:20Z"
@@ -1,13 +1,18 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5x62-xmmp-3f69",
"modified": "2024-06-27T15:30:39Z",
"modified": "2024-12-30T21:30:45Z",
"published": "2024-05-19T12:30:38Z",
"aliases": [
"CVE-2024-35933"
],
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: Fix null ptr deref in btintel_read_version\n\nIf hci_cmd_sync_complete() is triggered and skb is NULL, then\nhdev->req_skb is NULL, which will cause this issue.",
"severity": [],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
],
"affected": [],
"references": [
{
Expand Down Expand Up @@ -56,8 +61,10 @@
}
],
"database_specific": {
"cwe_ids": [],
"severity": null,
"cwe_ids": [
"CWE-476"
],
"severity": "MODERATE",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-19T11:15:49Z"
@@ -1,13 +1,18 @@
{
"schema_version": "1.4.0",
"id": "GHSA-6h98-v544-xj7q",
"modified": "2024-05-21T15:31:40Z",
"modified": "2024-12-30T21:30:46Z",
"published": "2024-05-21T15:31:40Z",
"aliases": [
"CVE-2021-47240"
],
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: fix OOB Read in qrtr_endpoint_post\n\nSyzbot reported slab-out-of-bounds Read in\nqrtr_endpoint_post. The problem was in wrong\n_size_ type:\n\n\tif (len != ALIGN(size, 4) + hdrlen)\n\t\tgoto err;\n\nIf size from qrtr_hdr is 4294967293 (0xfffffffd), the result of\nALIGN(size, 4) will be 0. In case of len == hdrlen and size == 4294967293\nin header this check won't fail and\n\n\tskb_put_data(skb, data + hdrlen, size);\n\nwill read out of bound from data, which is hdrlen allocated block.",
"severity": [],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"
}
],
"affected": [],
"references": [
{
Expand Down Expand Up @@ -36,8 +41,10 @@
}
],
"database_specific": {
"cwe_ids": [],
"severity": null,
"cwe_ids": [
"CWE-125"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:13Z"
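Review bot: "cwe_ids" records only the consequence, CWE-125. The "details" text in the first hunk is explicit that the cause is the size type: with size 4294967293 (0xfffffffd), ALIGN(size, 4) becomes 0 and the length check passes. Adding CWE-190 would capture that wraparound. The "HIGH" label is consistent with the vector from the first hunk (C:H/I:N/A:H scores 7.1).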
@@ -1,13 +1,18 @@
{
"schema_version": "1.4.0",
"id": "GHSA-6pvp-xcj5-pgh8",
"modified": "2024-05-21T15:31:40Z",
"modified": "2024-12-30T21:30:46Z",
"published": "2024-05-21T15:31:40Z",
"aliases": [
"CVE-2021-47243"
],
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_cake: Fix out of bounds when parsing TCP options and header\n\nThe TCP option parser in cake qdisc (cake_get_tcpopt and\ncake_tcph_may_drop) could read one byte out of bounds. When the length\nis 1, the execution flow gets into the loop, reads one byte of the\nopcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads\none more byte, which exceeds the length of 1.\n\nThis fix is inspired by commit 9609dad263f8 (\"ipv4: tcp_input: fix stack\nout of bounds when parsing TCP options.\").\n\nv2 changes:\n\nAdded doff validation in cake_get_tcphdr to avoid parsing garbage as TCP\nheader. Although it wasn't strictly an out-of-bounds access (memory was\nallocated), garbage values could be read where CAKE expected the TCP\nheader if doff was smaller than 5.",
"severity": [],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"
}
],
"affected": [],
"references": [
{
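Review bot: two components of the new vector deserve a second look against "details". It rates C:H, while the description says the cake TCP option parser "could read one byte out of bounds", and it uses AV:L for a flaw in code that parses TCP headers and options. If both values are taken unchanged from the upstream score, note that, since the "HIGH" label in the next hunk depends on them.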
Expand Down Expand Up @@ -36,8 +41,10 @@
}
],
"database_specific": {
"cwe_ids": [],
"severity": null,
"cwe_ids": [
"CWE-125"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:13Z"
@@ -1,13 +1,18 @@
{
"schema_version": "1.4.0",
"id": "GHSA-747f-wh5x-mp2p",
"modified": "2024-05-21T15:31:40Z",
"modified": "2024-12-30T21:30:46Z",
"published": "2024-05-21T15:31:40Z",
"aliases": [
"CVE-2021-47239"
],
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: fix possible use-after-free in smsc75xx_bind\n\nThe commit 46a8b29c6306 (\"net: usb: fix memory leak in smsc75xx_bind\")\nfails to clean up the work scheduled in smsc75xx_reset->\nsmsc75xx_set_multicast, which leads to use-after-free if the work is\nscheduled to start after the deallocation. In addition, this patch\nalso removes a dangling pointer - dev->data[0].\n\nThis patch calls cancel_work_sync to cancel the scheduled work and set\nthe dangling pointer to NULL.",
"severity": [],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [],
"references": [
{
Expand Down Expand Up @@ -48,8 +53,10 @@
}
],
"database_specific": {
"cwe_ids": [],
"severity": null,
"cwe_ids": [
"CWE-416"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:13Z"