csaf_suse - suse-su-2025:01869-1

suse-su-2025:01869-1

Vulnerability from csaf_suse

Published

2025-06-10 18:33

Modified

2025-06-10 18:33

Summary

Security update for the Linux Kernel (Live Patch 15 for SLE 15 SP5)

Notes

Title of the patch

Security update for the Linux Kernel (Live Patch 15 for SLE 15 SP5)

Description of the patch

This update for the Linux Kernel 5.14.21-150500_55_68 fixes several issues. The following security issues were fixed: - CVE-2022-49080: mm/mempolicy: fix mpol_new leak in shared_policy_replace (bsc#1238324). - CVE-2024-49855: nbd: fix race between timeout and normal completion (bsc#1232900). - CVE-2024-58013: Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync (bsc#1239096). - CVE-2024-57996: net_sched: sch_sfq: do not allow 1 packet limit (bsc#1239077).

Patchnames

SUSE-2025-1869,SUSE-2025-1870,SUSE-2025-1872,SUSE-SLE-Module-Live-Patching-15-SP5-2025-1871

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for the Linux Kernel (Live Patch 15 for SLE 15 SP5)",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for the Linux Kernel 5.14.21-150500_55_68 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2022-49080: mm/mempolicy: fix mpol_new leak in shared_policy_replace (bsc#1238324).\n- CVE-2024-49855: nbd: fix race between timeout and normal completion (bsc#1232900).\n- CVE-2024-58013: Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync (bsc#1239096).\n- CVE-2024-57996: net_sched: sch_sfq: do not allow 1 packet limit (bsc#1239077).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-1869,SUSE-2025-1870,SUSE-2025-1872,SUSE-SLE-Module-Live-Patching-15-SP5-2025-1871",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_01869-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:01869-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202501869-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:01869-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2025-June/040216.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1232900",
        "url": "https://bugzilla.suse.com/1232900"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1238324",
        "url": "https://bugzilla.suse.com/1238324"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1239077",
        "url": "https://bugzilla.suse.com/1239077"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1239096",
        "url": "https://bugzilla.suse.com/1239096"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-49080 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-49080/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-49855 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-49855/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-57996 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-57996/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-58013 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-58013/"
      }
    ],
    "title": "Security update for the Linux Kernel (Live Patch 15 for SLE 15 SP5)",
    "tracking": {
      "current_release_date": "2025-06-10T18:33:35Z",
      "generator": {
        "date": "2025-06-10T18:33:35Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:01869-1",
      "initial_release_date": "2025-06-10T18:33:35Z",
      "revision_history": [
        {
          "date": "2025-06-10T18:33:35Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150500_55_62-default-17-150500.2.2.ppc64le",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150500_55_62-default-17-150500.2.2.ppc64le",
                  "product_id": "kernel-livepatch-5_14_21-150500_55_62-default-17-150500.2.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150500_55_65-default-17-150500.2.2.ppc64le",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150500_55_65-default-17-150500.2.2.ppc64le",
                  "product_id": "kernel-livepatch-5_14_21-150500_55_65-default-17-150500.2.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150500_55_73-default-11-150500.2.2.ppc64le",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150500_55_73-default-11-150500.2.2.ppc64le",
                  "product_id": "kernel-livepatch-5_14_21-150500_55_73-default-11-150500.2.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le",
                  "product_id": "kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150500_55_62-default-17-150500.2.2.s390x",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150500_55_62-default-17-150500.2.2.s390x",
                  "product_id": "kernel-livepatch-5_14_21-150500_55_62-default-17-150500.2.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150500_55_65-default-17-150500.2.2.s390x",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150500_55_65-default-17-150500.2.2.s390x",
                  "product_id": "kernel-livepatch-5_14_21-150500_55_65-default-17-150500.2.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150500_55_73-default-11-150500.2.2.s390x",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150500_55_73-default-11-150500.2.2.s390x",
                  "product_id": "kernel-livepatch-5_14_21-150500_55_73-default-11-150500.2.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x",
                  "product_id": "kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150500_55_62-default-17-150500.2.2.x86_64",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150500_55_62-default-17-150500.2.2.x86_64",
                  "product_id": "kernel-livepatch-5_14_21-150500_55_62-default-17-150500.2.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150500_55_65-default-17-150500.2.2.x86_64",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150500_55_65-default-17-150500.2.2.x86_64",
                  "product_id": "kernel-livepatch-5_14_21-150500_55_65-default-17-150500.2.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150500_55_73-default-11-150500.2.2.x86_64",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150500_55_73-default-11-150500.2.2.x86_64",
                  "product_id": "kernel-livepatch-5_14_21-150500_55_73-default-11-150500.2.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64",
                  "product_id": "kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Live Patching 15 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Live Patching 15 SP5",
                  "product_id": "SUSE Linux Enterprise Live Patching 15 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-live-patching:15:sp5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP5",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le"
        },
        "product_reference": "kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x as component of SUSE Linux Enterprise Live Patching 15 SP5",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x"
        },
        "product_reference": "kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP5",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64"
        },
        "product_reference": "kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-49080",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-49080"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempolicy: fix mpol_new leak in shared_policy_replace\n\nIf mpol_new is allocated but not used in restart loop, mpol_new will be\nfreed via mpol_put before returning to the caller.  But refcnt is not\ninitialized yet, so mpol_put could not do the right things and might\nleak the unused mpol_new.  This would happen if mempolicy was updated on\nthe shared shmem file while the sp-\u003elock has been dropped during the\nmemory allocation.\n\nThis issue could be triggered easily with the below code snippet if\nthere are many processes doing the below work at the same time:\n\n  shmid = shmget((key_t)5566, 1024 * PAGE_SIZE, 0666|IPC_CREAT);\n  shm = shmat(shmid, 0, 0);\n  loop many times {\n    mbind(shm, 1024 * PAGE_SIZE, MPOL_LOCAL, mask, maxnode, 0);\n    mbind(shm + 128 * PAGE_SIZE, 128 * PAGE_SIZE, MPOL_DEFAULT, mask,\n          maxnode, 0);\n  }",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-49080",
          "url": "https://www.suse.com/security/cve/CVE-2022-49080"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1238033 for CVE-2022-49080",
          "url": "https://bugzilla.suse.com/1238033"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1238324 for CVE-2022-49080",
          "url": "https://bugzilla.suse.com/1238324"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-06-10T18:33:35Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-49080"
    },
    {
      "cve": "CVE-2024-49855",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-49855"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix race between timeout and normal completion\n\nIf request timetout is handled by nbd_requeue_cmd(), normal completion\nhas to be stopped for avoiding to complete this requeued request, other\nuse-after-free can be triggered.\n\nFix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime\nmake sure that cmd-\u003elock is grabbed for clearing the flag and the\nrequeue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-49855",
          "url": "https://www.suse.com/security/cve/CVE-2024-49855"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1232195 for CVE-2024-49855",
          "url": "https://bugzilla.suse.com/1232195"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1232900 for CVE-2024-49855",
          "url": "https://bugzilla.suse.com/1232900"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-06-10T18:33:35Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-49855"
    },
    {
      "cve": "CVE-2024-57996",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-57996"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: don\u0027t allow 1 packet limit\n\nThe current implementation does not work correctly with a limit of\n1. iproute2 actually checks for this and this patch adds the check in\nkernel as well.\n\nThis fixes the following syzkaller reported crash:\n\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6\nindex 65535 is out of range for type \u0027struct sfq_head[128]\u0027\nCPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n  __dump_stack lib/dump_stack.c:79 [inline]\n  dump_stack+0x125/0x19f lib/dump_stack.c:120\n  ubsan_epilogue lib/ubsan.c:148 [inline]\n  __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347\n  sfq_link net/sched/sch_sfq.c:210 [inline]\n  sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238\n  sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500\n  sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525\n  qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n  tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319\n  qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n  dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296\n  netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]\n  dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362\n  __dev_close_many+0x214/0x350 net/core/dev.c:1468\n  dev_close_many+0x207/0x510 net/core/dev.c:1506\n  unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738\n  unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695\n  unregister_netdevice include/linux/netdevice.h:2893 [inline]\n  __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689\n  tun_detach drivers/net/tun.c:705 [inline]\n  tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640\n  __fput+0x203/0x840 fs/file_table.c:280\n  task_work_run+0x129/0x1b0 kernel/task_work.c:185\n  exit_task_work include/linux/task_work.h:33 [inline]\n  do_exit+0x5ce/0x2200 kernel/exit.c:931\n  do_group_exit+0x144/0x310 kernel/exit.c:1046\n  __do_sys_exit_group kernel/exit.c:1057 [inline]\n  __se_sys_exit_group kernel/exit.c:1055 [inline]\n  __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055\n do_syscall_64+0x6c/0xd0\n entry_SYSCALL_64_after_hwframe+0x61/0xcb\nRIP: 0033:0x7fe5e7b52479\nCode: Unable to access opcode bytes at RIP 0x7fe5e7b5244f.\nRSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0\nR13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270\n\nThe crash can be also be reproduced with the following (with a tc\nrecompiled to allow for sfq limits of 1):\n\ntc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s\n../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1\nifconfig dummy0 up\nping -I dummy0 -f -c2 -W0.1 8.8.8.8\nsleep 1\n\nScenario that triggers the crash:\n\n* the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1\n\n* TBF dequeues: it peeks from SFQ which moves the packet to the\n  gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so\n  it schedules itself for later.\n\n* the second packet is sent and TBF tries to queues it to SFQ. qdisc\n  qlen is now 2 and because the SFQ limit is 1 the packet is dropped\n  by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,\n  however q-\u003etail is not NULL.\n\nAt this point, assuming no more packets are queued, when sch_dequeue\nruns again it will decrement the qlen for the current empty slot\ncausing an underflow and the subsequent out of bounds access.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-57996",
          "url": "https://www.suse.com/security/cve/CVE-2024-57996"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1239076 for CVE-2024-57996",
          "url": "https://bugzilla.suse.com/1239076"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1239077 for CVE-2024-57996",
          "url": "https://bugzilla.suse.com/1239077"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-06-10T18:33:35Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-57996"
    },
    {
      "cve": "CVE-2024-58013",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-58013"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync\n\nThis fixes the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543\nRead of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961\n\nCPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543\n hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e\n\nAllocated by task 16026:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314\n kmalloc_noprof include/linux/slab.h:901 [inline]\n kzalloc_noprof include/linux/slab.h:1037 [inline]\n mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269\n mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296\n remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568\n hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712\n hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832\n sock_sendmsg_nosec net/socket.c:711 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:726\n sock_write_iter+0x2d7/0x3f0 net/socket.c:1147\n new_sync_write fs/read_write.c:586 [inline]\n vfs_write+0xaeb/0xd30 fs/read_write.c:679\n ksys_write+0x18f/0x2b0 fs/read_write.c:731\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 16022:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2338 [inline]\n slab_free mm/slub.c:4598 [inline]\n kfree+0x196/0x420 mm/slub.c:4746\n mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259\n __mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550\n hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208\n hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]\n hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508\n sock_do_ioctl+0x158/0x460 net/socket.c:1209\n sock_ioctl+0x626/0x8e0 net/socket.c:1328\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-58013",
          "url": "https://www.suse.com/security/cve/CVE-2024-58013"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1239095 for CVE-2024-58013",
          "url": "https://bugzilla.suse.com/1239095"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1239096 for CVE-2024-58013",
          "url": "https://bugzilla.suse.com/1239096"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_68-default-16-150500.2.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-06-10T18:33:35Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-58013"
    }
  ]
}

CVE-2024-57996 (GCVE-0-2024-57996)

Vulnerability from cvelistv5

Published

2025-02-27 02:07

Modified

2025-06-27 10:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: don't allow 1 packet limit The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well. This fixes the following syzkaller reported crash: UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x125/0x19f lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347 sfq_link net/sched/sch_sfq.c:210 [inline] sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238 sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500 sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296 netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline] dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362 __dev_close_many+0x214/0x350 net/core/dev.c:1468 dev_close_many+0x207/0x510 net/core/dev.c:1506 unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738 unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695 unregister_netdevice include/linux/netdevice.h:2893 [inline] __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689 tun_detach drivers/net/tun.c:705 [inline] tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640 __fput+0x203/0x840 fs/file_table.c:280 task_work_run+0x129/0x1b0 kernel/task_work.c:185 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0x5ce/0x2200 kernel/exit.c:931 do_group_exit+0x144/0x310 kernel/exit.c:1046 __do_sys_exit_group kernel/exit.c:1057 [inline] __se_sys_exit_group kernel/exit.c:1055 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055 do_syscall_64+0x6c/0xd0 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270 The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1): tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1 Scenario that triggers the crash: * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1 * TBF dequeues: it peeks from SFQ which moves the packet to the gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so it schedules itself for later. * the second packet is sent and TBF tries to queues it to SFQ. qdisc qlen is now 2 and because the SFQ limit is 1 the packet is dropped by SFQ. At this point qlen is 1, and all of the SFQ slots are empty, however q->tail is not NULL. At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.

References

►

URL

Tags

	https://git.kernel.org/stable/c/1e6d9d87626cf89eeffb4d943db12cb5b10bf961
	https://git.kernel.org/stable/c/1b562b7f9231432da40d12e19786c1bd7df653a7
	https://git.kernel.org/stable/c/35d0137305ae2f97260a9047f445bd4434bd6cc7
	https://git.kernel.org/stable/c/833e9a1c27b82024db7ff5038a51651f48f05e5e
	https://git.kernel.org/stable/c/7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4
	https://git.kernel.org/stable/c/7fefc294204f10a3405f175f4ac2be16d63f135e
	https://git.kernel.org/stable/c/10685681bafce6febb39770f3387621bf5d67d0b

Impacted products

Vendor

Product

Version

►

Linux

Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux

Version: 2.6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_sfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1e6d9d87626cf89eeffb4d943db12cb5b10bf961",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1b562b7f9231432da40d12e19786c1bd7df653a7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "35d0137305ae2f97260a9047f445bd4434bd6cc7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "833e9a1c27b82024db7ff5038a51651f48f05e5e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7fefc294204f10a3405f175f4ac2be16d63f135e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "10685681bafce6febb39770f3387621bf5d67d0b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_sfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: don\u0027t allow 1 packet limit\n\nThe current implementation does not work correctly with a limit of\n1. iproute2 actually checks for this and this patch adds the check in\nkernel as well.\n\nThis fixes the following syzkaller reported crash:\n\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6\nindex 65535 is out of range for type \u0027struct sfq_head[128]\u0027\nCPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n  __dump_stack lib/dump_stack.c:79 [inline]\n  dump_stack+0x125/0x19f lib/dump_stack.c:120\n  ubsan_epilogue lib/ubsan.c:148 [inline]\n  __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347\n  sfq_link net/sched/sch_sfq.c:210 [inline]\n  sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238\n  sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500\n  sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525\n  qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n  tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319\n  qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n  dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296\n  netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]\n  dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362\n  __dev_close_many+0x214/0x350 net/core/dev.c:1468\n  dev_close_many+0x207/0x510 net/core/dev.c:1506\n  unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738\n  unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695\n  unregister_netdevice include/linux/netdevice.h:2893 [inline]\n  __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689\n  tun_detach drivers/net/tun.c:705 [inline]\n  tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640\n  __fput+0x203/0x840 fs/file_table.c:280\n  task_work_run+0x129/0x1b0 kernel/task_work.c:185\n  exit_task_work include/linux/task_work.h:33 [inline]\n  do_exit+0x5ce/0x2200 kernel/exit.c:931\n  do_group_exit+0x144/0x310 kernel/exit.c:1046\n  __do_sys_exit_group kernel/exit.c:1057 [inline]\n  __se_sys_exit_group kernel/exit.c:1055 [inline]\n  __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055\n do_syscall_64+0x6c/0xd0\n entry_SYSCALL_64_after_hwframe+0x61/0xcb\nRIP: 0033:0x7fe5e7b52479\nCode: Unable to access opcode bytes at RIP 0x7fe5e7b5244f.\nRSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0\nR13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270\n\nThe crash can be also be reproduced with the following (with a tc\nrecompiled to allow for sfq limits of 1):\n\ntc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s\n../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1\nifconfig dummy0 up\nping -I dummy0 -f -c2 -W0.1 8.8.8.8\nsleep 1\n\nScenario that triggers the crash:\n\n* the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1\n\n* TBF dequeues: it peeks from SFQ which moves the packet to the\n  gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so\n  it schedules itself for later.\n\n* the second packet is sent and TBF tries to queues it to SFQ. qdisc\n  qlen is now 2 and because the SFQ limit is 1 the packet is dropped\n  by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,\n  however q-\u003etail is not NULL.\n\nAt this point, assuming no more packets are queued, when sch_dequeue\nruns again it will decrement the qlen for the current empty slot\ncausing an underflow and the subsequent out of bounds access."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-27T10:21:13.712Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1e6d9d87626cf89eeffb4d943db12cb5b10bf961"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b562b7f9231432da40d12e19786c1bd7df653a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/35d0137305ae2f97260a9047f445bd4434bd6cc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/833e9a1c27b82024db7ff5038a51651f48f05e5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/7fefc294204f10a3405f175f4ac2be16d63f135e"
        },
        {
          "url": "https://git.kernel.org/stable/c/10685681bafce6febb39770f3387621bf5d67d0b"
        }
      ],
      "title": "net_sched: sch_sfq: don\u0027t allow 1 packet limit",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57996",
    "datePublished": "2025-02-27T02:07:16.765Z",
    "dateReserved": "2025-02-27T02:04:28.914Z",
    "dateUpdated": "2025-06-27T10:21:13.712Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58013 (GCVE-0-2024-58013)

Vulnerability from cvelistv5

Published

2025-02-27 02:12

Modified

2025-06-19 12:56

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543 Read of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961 CPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 16026: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296 remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 sock_write_iter+0x2d7/0x3f0 net/socket.c:1147 new_sync_write fs/read_write.c:586 [inline] vfs_write+0xaeb/0xd30 fs/read_write.c:679 ksys_write+0x18f/0x2b0 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 16022: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kfree+0x196/0x420 mm/slub.c:4746 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259 __mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550 hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline] hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508 sock_do_ioctl+0x158/0x460 net/socket.c:1209 sock_ioctl+0x626/0x8e0 net/socket.c:1328 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

References

►

URL

Tags

	https://git.kernel.org/stable/c/75e65b983c5e2ee51962bfada98a79d805f28827
	https://git.kernel.org/stable/c/4ebbcb9bc794e5be647ee28fdf14eb1ae0659405
	https://git.kernel.org/stable/c/ebb90f23f0ac21044aacf4c61cc5d7841fe99987
	https://git.kernel.org/stable/c/0f3d05aacbfcf3584bbd9caaee34cb02508dab68
	https://git.kernel.org/stable/c/26fbd3494a7dd26269cb0817c289267dbcfdec06

Impacted products

Vendor

Product

Version

►

Linux

Version: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c
Version: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c
Version: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c
Version: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c
Version: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c

Linux

Version: 6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-58013",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-05T21:14:21.847636Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-05T21:21:43.873Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "75e65b983c5e2ee51962bfada98a79d805f28827",
              "status": "affected",
              "version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
              "versionType": "git"
            },
            {
              "lessThan": "4ebbcb9bc794e5be647ee28fdf14eb1ae0659405",
              "status": "affected",
              "version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
              "versionType": "git"
            },
            {
              "lessThan": "ebb90f23f0ac21044aacf4c61cc5d7841fe99987",
              "status": "affected",
              "version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
              "versionType": "git"
            },
            {
              "lessThan": "0f3d05aacbfcf3584bbd9caaee34cb02508dab68",
              "status": "affected",
              "version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
              "versionType": "git"
            },
            {
              "lessThan": "26fbd3494a7dd26269cb0817c289267dbcfdec06",
              "status": "affected",
              "version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync\n\nThis fixes the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543\nRead of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961\n\nCPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543\n hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e\n\nAllocated by task 16026:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314\n kmalloc_noprof include/linux/slab.h:901 [inline]\n kzalloc_noprof include/linux/slab.h:1037 [inline]\n mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269\n mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296\n remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568\n hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712\n hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832\n sock_sendmsg_nosec net/socket.c:711 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:726\n sock_write_iter+0x2d7/0x3f0 net/socket.c:1147\n new_sync_write fs/read_write.c:586 [inline]\n vfs_write+0xaeb/0xd30 fs/read_write.c:679\n ksys_write+0x18f/0x2b0 fs/read_write.c:731\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 16022:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2338 [inline]\n slab_free mm/slub.c:4598 [inline]\n kfree+0x196/0x420 mm/slub.c:4746\n mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259\n __mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550\n hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208\n hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]\n hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508\n sock_do_ioctl+0x158/0x460 net/socket.c:1209\n sock_ioctl+0x626/0x8e0 net/socket.c:1328\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-19T12:56:43.171Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/75e65b983c5e2ee51962bfada98a79d805f28827"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ebbcb9bc794e5be647ee28fdf14eb1ae0659405"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebb90f23f0ac21044aacf4c61cc5d7841fe99987"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f3d05aacbfcf3584bbd9caaee34cb02508dab68"
        },
        {
          "url": "https://git.kernel.org/stable/c/26fbd3494a7dd26269cb0817c289267dbcfdec06"
        }
      ],
      "title": "Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58013",
    "datePublished": "2025-02-27T02:12:06.735Z",
    "dateReserved": "2025-02-27T02:10:48.227Z",
    "dateUpdated": "2025-06-19T12:56:43.171Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-49080 (GCVE-0-2022-49080)

Vulnerability from cvelistv5

Published

2025-02-26 01:54

Modified

2025-05-04 08:29

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/mempolicy: fix mpol_new leak in shared_policy_replace If mpol_new is allocated but not used in restart loop, mpol_new will be freed via mpol_put before returning to the caller. But refcnt is not initialized yet, so mpol_put could not do the right things and might leak the unused mpol_new. This would happen if mempolicy was updated on the shared shmem file while the sp->lock has been dropped during the memory allocation. This issue could be triggered easily with the below code snippet if there are many processes doing the below work at the same time: shmid = shmget((key_t)5566, 1024 * PAGE_SIZE, 0666|IPC_CREAT); shm = shmat(shmid, 0, 0); loop many times { mbind(shm, 1024 * PAGE_SIZE, MPOL_LOCAL, mask, maxnode, 0); mbind(shm + 128 * PAGE_SIZE, 128 * PAGE_SIZE, MPOL_DEFAULT, mask, maxnode, 0); }

References

►

URL

Tags

	https://git.kernel.org/stable/c/8510c2346d9e47a72b7f018a36ef0c39483e53d6
	https://git.kernel.org/stable/c/5e16dc5378abd749a836daa9ee4ab2c8d2668999
	https://git.kernel.org/stable/c/39a32f3c06f6d68a530bf9612afa19f50f12e93d
	https://git.kernel.org/stable/c/25f506273b6ae806fd46bfcb6fdaa5b9ec81a05b
	https://git.kernel.org/stable/c/f7e183b0a7136b6dc9c7b9b2a85a608a8feba894
	https://git.kernel.org/stable/c/198932a14aeb19a15cf19e51e151d023bc4cd648
	https://git.kernel.org/stable/c/6e00309ac716fa8225f0cbde2cd9c24f0e74ee21
	https://git.kernel.org/stable/c/fe39ac59dbbf893b73b24e3184161d0bd06d6651
	https://git.kernel.org/stable/c/4ad099559b00ac01c3726e5c95dc3108ef47d03e

Impacted products

Vendor

Product

Version

►

Linux

Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264
Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264
Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264
Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264
Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264
Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264
Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264
Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264
Version: 42288fe366c4f1ce7522bc9f27d0bc2a81c55264

Linux

Version: 3.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/mempolicy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8510c2346d9e47a72b7f018a36ef0c39483e53d6",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "5e16dc5378abd749a836daa9ee4ab2c8d2668999",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "39a32f3c06f6d68a530bf9612afa19f50f12e93d",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "25f506273b6ae806fd46bfcb6fdaa5b9ec81a05b",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "f7e183b0a7136b6dc9c7b9b2a85a608a8feba894",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "198932a14aeb19a15cf19e51e151d023bc4cd648",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "6e00309ac716fa8225f0cbde2cd9c24f0e74ee21",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "fe39ac59dbbf893b73b24e3184161d0bd06d6651",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            },
            {
              "lessThan": "4ad099559b00ac01c3726e5c95dc3108ef47d03e",
              "status": "affected",
              "version": "42288fe366c4f1ce7522bc9f27d0bc2a81c55264",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/mempolicy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.311",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.276",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.111",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.311",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.276",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.238",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.189",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.111",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.34",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16.20",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.3",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempolicy: fix mpol_new leak in shared_policy_replace\n\nIf mpol_new is allocated but not used in restart loop, mpol_new will be\nfreed via mpol_put before returning to the caller.  But refcnt is not\ninitialized yet, so mpol_put could not do the right things and might\nleak the unused mpol_new.  This would happen if mempolicy was updated on\nthe shared shmem file while the sp-\u003elock has been dropped during the\nmemory allocation.\n\nThis issue could be triggered easily with the below code snippet if\nthere are many processes doing the below work at the same time:\n\n  shmid = shmget((key_t)5566, 1024 * PAGE_SIZE, 0666|IPC_CREAT);\n  shm = shmat(shmid, 0, 0);\n  loop many times {\n    mbind(shm, 1024 * PAGE_SIZE, MPOL_LOCAL, mask, maxnode, 0);\n    mbind(shm + 128 * PAGE_SIZE, 128 * PAGE_SIZE, MPOL_DEFAULT, mask,\n          maxnode, 0);\n  }"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:29:17.556Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8510c2346d9e47a72b7f018a36ef0c39483e53d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e16dc5378abd749a836daa9ee4ab2c8d2668999"
        },
        {
          "url": "https://git.kernel.org/stable/c/39a32f3c06f6d68a530bf9612afa19f50f12e93d"
        },
        {
          "url": "https://git.kernel.org/stable/c/25f506273b6ae806fd46bfcb6fdaa5b9ec81a05b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7e183b0a7136b6dc9c7b9b2a85a608a8feba894"
        },
        {
          "url": "https://git.kernel.org/stable/c/198932a14aeb19a15cf19e51e151d023bc4cd648"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e00309ac716fa8225f0cbde2cd9c24f0e74ee21"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe39ac59dbbf893b73b24e3184161d0bd06d6651"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ad099559b00ac01c3726e5c95dc3108ef47d03e"
        }
      ],
      "title": "mm/mempolicy: fix mpol_new leak in shared_policy_replace",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49080",
    "datePublished": "2025-02-26T01:54:41.176Z",
    "dateReserved": "2025-02-26T01:49:39.247Z",
    "dateUpdated": "2025-05-04T08:29:17.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-49855 (GCVE-0-2024-49855)

Vulnerability from cvelistv5

Published

2024-10-21 12:18

Modified

2025-05-04 12:59

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: nbd: fix race between timeout and normal completion If request timetout is handled by nbd_requeue_cmd(), normal completion has to be stopped for avoiding to complete this requeued request, other use-after-free can be triggered. Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime make sure that cmd->lock is grabbed for clearing the flag and the requeue.

References

►

URL

Tags

	https://git.kernel.org/stable/c/9c25faf72d780a9c71081710cd48759d61ff6e9b
	https://git.kernel.org/stable/c/6e73b946a379a1dfbb62626af93843bdfb53753d
	https://git.kernel.org/stable/c/5236ada8ebbd9e7461f17477357582f5be4f46f7
	https://git.kernel.org/stable/c/9a74c3e6c0d686c26ba2aab66d15ddb89dc139cc
	https://git.kernel.org/stable/c/c9ea57c91f03bcad415e1a20113bdb2077bcf990

Impacted products

Vendor

Product

Version

►

Linux

Version: 2895f1831e911ca87d4efdf43e35eb72a0c7e66e
Version: 2895f1831e911ca87d4efdf43e35eb72a0c7e66e
Version: 2895f1831e911ca87d4efdf43e35eb72a0c7e66e
Version: 2895f1831e911ca87d4efdf43e35eb72a0c7e66e
Version: 2895f1831e911ca87d4efdf43e35eb72a0c7e66e
Version: cdf62c535a9bfd5ff0eef4b91669da39d8abc0c3
Version: 5171ef20bae852ff38f4cfdb368bcdcc744776d0

Linux

Version: 5.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-49855",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-21T12:56:24.992815Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-21T13:04:11.227Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/nbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9c25faf72d780a9c71081710cd48759d61ff6e9b",
              "status": "affected",
              "version": "2895f1831e911ca87d4efdf43e35eb72a0c7e66e",
              "versionType": "git"
            },
            {
              "lessThan": "6e73b946a379a1dfbb62626af93843bdfb53753d",
              "status": "affected",
              "version": "2895f1831e911ca87d4efdf43e35eb72a0c7e66e",
              "versionType": "git"
            },
            {
              "lessThan": "5236ada8ebbd9e7461f17477357582f5be4f46f7",
              "status": "affected",
              "version": "2895f1831e911ca87d4efdf43e35eb72a0c7e66e",
              "versionType": "git"
            },
            {
              "lessThan": "9a74c3e6c0d686c26ba2aab66d15ddb89dc139cc",
              "status": "affected",
              "version": "2895f1831e911ca87d4efdf43e35eb72a0c7e66e",
              "versionType": "git"
            },
            {
              "lessThan": "c9ea57c91f03bcad415e1a20113bdb2077bcf990",
              "status": "affected",
              "version": "2895f1831e911ca87d4efdf43e35eb72a0c7e66e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "cdf62c535a9bfd5ff0eef4b91669da39d8abc0c3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5171ef20bae852ff38f4cfdb368bcdcc744776d0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/nbd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.113",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.54",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.13",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.2",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.17.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.18.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix race between timeout and normal completion\n\nIf request timetout is handled by nbd_requeue_cmd(), normal completion\nhas to be stopped for avoiding to complete this requeued request, other\nuse-after-free can be triggered.\n\nFix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime\nmake sure that cmd-\u003elock is grabbed for clearing the flag and the\nrequeue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:59:09.061Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9c25faf72d780a9c71081710cd48759d61ff6e9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e73b946a379a1dfbb62626af93843bdfb53753d"
        },
        {
          "url": "https://git.kernel.org/stable/c/5236ada8ebbd9e7461f17477357582f5be4f46f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a74c3e6c0d686c26ba2aab66d15ddb89dc139cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9ea57c91f03bcad415e1a20113bdb2077bcf990"
        }
      ],
      "title": "nbd: fix race between timeout and normal completion",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-49855",
    "datePublished": "2024-10-21T12:18:47.391Z",
    "dateReserved": "2024-10-21T12:17:06.016Z",
    "dateUpdated": "2025-05-04T12:59:09.061Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

suse-su-2025:01869-1

Vulnerability from csaf_suse

CVE-2024-57996 (GCVE-0-2024-57996)

Vulnerability from cvelistv5

CVE-2024-58013 (GCVE-0-2024-58013)

Vulnerability from cvelistv5

CVE-2022-49080 (GCVE-0-2022-49080)

Vulnerability from cvelistv5

CVE-2024-49855 (GCVE-0-2024-49855)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature