Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-48913

Publication date:
22/08/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> blktrace: fix use after free for struct blk_trace<br /> <br /> When tracing the whole disk, &amp;#39;dropped&amp;#39; and &amp;#39;msg&amp;#39; will be created<br /> under &amp;#39;q-&gt;debugfs_dir&amp;#39; and &amp;#39;bt-&gt;dir&amp;#39; is NULL, thus blk_trace_free()<br /> won&amp;#39;t remove those files. What&amp;#39;s worse, the following UAF can be<br /> triggered because of accessing stale &amp;#39;dropped&amp;#39; and &amp;#39;msg&amp;#39;:<br /> <br /> ==================================================================<br /> BUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100<br /> Read of size 4 at addr ffff88816912f3d8 by task blktrace/1188<br /> <br /> CPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-4<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x34/0x44<br /> print_address_description.constprop.0.cold+0xab/0x381<br /> ? blk_dropped_read+0x89/0x100<br /> ? blk_dropped_read+0x89/0x100<br /> kasan_report.cold+0x83/0xdf<br /> ? blk_dropped_read+0x89/0x100<br /> kasan_check_range+0x140/0x1b0<br /> blk_dropped_read+0x89/0x100<br /> ? blk_create_buf_file_callback+0x20/0x20<br /> ? kmem_cache_free+0xa1/0x500<br /> ? do_sys_openat2+0x258/0x460<br /> full_proxy_read+0x8f/0xc0<br /> vfs_read+0xc6/0x260<br /> ksys_read+0xb9/0x150<br /> ? vfs_write+0x3d0/0x3d0<br /> ? fpregs_assert_state_consistent+0x55/0x60<br /> ? exit_to_user_mode_prepare+0x39/0x1e0<br /> do_syscall_64+0x35/0x80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> RIP: 0033:0x7fbc080d92fd<br /> Code: ce 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 1<br /> RSP: 002b:00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000<br /> RAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd<br /> RDX: 0000000000000100 RSI: 00007fbb95ff9cc0 RDI: 0000000000000045<br /> RBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd<br /> R10: 000000000153afa0 R11: 0000000000000293 R12: 00007fbb780008c0<br /> R13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8<br /> <br /> <br /> Allocated by task 1050:<br /> kasan_save_stack+0x1e/0x40<br /> __kasan_kmalloc+0x81/0xa0<br /> do_blk_trace_setup+0xcb/0x410<br /> __blk_trace_setup+0xac/0x130<br /> blk_trace_ioctl+0xe9/0x1c0<br /> blkdev_ioctl+0xf1/0x390<br /> __x64_sys_ioctl+0xa5/0xe0<br /> do_syscall_64+0x35/0x80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> Freed by task 1050:<br /> kasan_save_stack+0x1e/0x40<br /> kasan_set_track+0x21/0x30<br /> kasan_set_free_info+0x20/0x30<br /> __kasan_slab_free+0x103/0x180<br /> kfree+0x9a/0x4c0<br /> __blk_trace_remove+0x53/0x70<br /> blk_trace_ioctl+0x199/0x1c0<br /> blkdev_common_ioctl+0x5e9/0xb30<br /> blkdev_ioctl+0x1a5/0x390<br /> __x64_sys_ioctl+0xa5/0xe0<br /> do_syscall_64+0x35/0x80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> The buggy address belongs to the object at ffff88816912f380<br /> which belongs to the cache kmalloc-96 of size 96<br /> The buggy address is located 88 bytes inside of<br /> 96-byte region [ffff88816912f380, ffff88816912f3e0)<br /> The buggy address belongs to the page:<br /> page:000000009a1b4e7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0f<br /> flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)<br /> raw: 0017ffffc0000200 ffffea00044f1100 dead000000000002 ffff88810004c780<br /> raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /> <br /> Memory state around the buggy address:<br /> ffff88816912f280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc<br /> ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc<br /> &gt;ffff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc<br /> ^<br /> ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc<br /> ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc<br /> ==================================================================
Severity CVSS v4.0: Pending analysis
Last modification:
27/08/2024

CVE-2022-48914

Publication date:
22/08/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xen/netfront: destroy queues before real_num_tx_queues is zeroed<br /> <br /> xennet_destroy_queues() relies on info-&gt;netdev-&gt;real_num_tx_queues to<br /> delete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5<br /> ("net-sysfs: update the queue counts in the unregistration path"),<br /> unregister_netdev() indirectly sets real_num_tx_queues to 0. Those two<br /> facts together means, that xennet_destroy_queues() called from<br /> xennet_remove() cannot do its job, because it&amp;#39;s called after<br /> unregister_netdev(). This results in kfree-ing queues that are still<br /> linked in napi, which ultimately crashes:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] PREEMPT SMP PTI<br /> CPU: 1 PID: 52 Comm: xenwatch Tainted: G W 5.16.10-1.32.fc32.qubes.x86_64+ #226<br /> RIP: 0010:free_netdev+0xa3/0x1a0<br /> Code: ff 48 89 df e8 2e e9 00 00 48 8b 43 50 48 8b 08 48 8d b8 a0 fe ff ff 48 8d a9 a0 fe ff ff 49 39 c4 75 26 eb 47 e8 ed c1 66 ff 8b 85 60 01 00 00 48 8d 95 60 01 00 00 48 89 ef 48 2d 60 01 00<br /> RSP: 0000:ffffc90000bcfd00 EFLAGS: 00010286<br /> RAX: 0000000000000000 RBX: ffff88800edad000 RCX: 0000000000000000<br /> RDX: 0000000000000001 RSI: ffffc90000bcfc30 RDI: 00000000ffffffff<br /> RBP: fffffffffffffea0 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800edad050<br /> R13: ffff8880065f8f88 R14: 0000000000000000 R15: ffff8880066c6680<br /> FS: 0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000000 CR3: 00000000e998c006 CR4: 00000000003706e0<br /> Call Trace:<br /> <br /> xennet_remove+0x13d/0x300 [xen_netfront]<br /> xenbus_dev_remove+0x6d/0xf0<br /> __device_release_driver+0x17a/0x240<br /> device_release_driver+0x24/0x30<br /> bus_remove_device+0xd8/0x140<br /> device_del+0x18b/0x410<br /> ? _raw_spin_unlock+0x16/0x30<br /> ? klist_iter_exit+0x14/0x20<br /> ? xenbus_dev_request_and_reply+0x80/0x80<br /> device_unregister+0x13/0x60<br /> xenbus_dev_changed+0x18e/0x1f0<br /> xenwatch_thread+0xc0/0x1a0<br /> ? do_wait_intr_irq+0xa0/0xa0<br /> kthread+0x16b/0x190<br /> ? set_kthread_struct+0x40/0x40<br /> ret_from_fork+0x22/0x30<br /> <br /> <br /> Fix this by calling xennet_destroy_queues() from xennet_uninit(),<br /> when real_num_tx_queues is still available. This ensures that queues are<br /> destroyed when real_num_tx_queues is set to 0, regardless of how<br /> unregister_netdev() was called.<br /> <br /> Originally reported at<br /> https://github.com/QubesOS/qubes-issues/issues/7257
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2022-48915

Publication date:
22/08/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal: core: Fix TZ_GET_TRIP NULL pointer dereference<br /> <br /> Do not call get_trip_hyst() from thermal_genl_cmd_tz_get_trip() if<br /> the thermal zone does not define one.
Severity CVSS v4.0: Pending analysis
Last modification:
27/08/2024

CVE-2022-48916

Publication date:
22/08/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/vt-d: Fix double list_add when enabling VMD in scalable mode<br /> <br /> When enabling VMD and IOMMU scalable mode, the following kernel panic<br /> call trace/kernel log is shown in Eagle Stream platform (Sapphire Rapids<br /> CPU) during booting:<br /> <br /> pci 0000:59:00.5: Adding to iommu group 42<br /> ...<br /> vmd 0000:59:00.5: PCI host bridge to bus 10000:80<br /> pci 10000:80:01.0: [8086:352a] type 01 class 0x060400<br /> pci 10000:80:01.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit]<br /> pci 10000:80:01.0: enabling Extended Tags<br /> pci 10000:80:01.0: PME# supported from D0 D3hot D3cold<br /> pci 10000:80:01.0: DMAR: Setup RID2PASID failed<br /> pci 10000:80:01.0: Failed to add to iommu group 42: -16<br /> pci 10000:80:03.0: [8086:352b] type 01 class 0x060400<br /> pci 10000:80:03.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit]<br /> pci 10000:80:03.0: enabling Extended Tags<br /> pci 10000:80:03.0: PME# supported from D0 D3hot D3cold<br /> ------------[ cut here ]------------<br /> kernel BUG at lib/list_debug.c:29!<br /> invalid opcode: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.17.0-rc3+ #7<br /> Hardware name: Lenovo ThinkSystem SR650V3/SB27A86647, BIOS ESE101Y-1.00 01/13/2022<br /> Workqueue: events work_for_cpu_fn<br /> RIP: 0010:__list_add_valid.cold+0x26/0x3f<br /> Code: 9a 4a ab ff 4c 89 c1 48 c7 c7 40 0c d9 9e e8 b9 b1 fe ff 0f<br /> 0b 48 89 f2 4c 89 c1 48 89 fe 48 c7 c7 f0 0c d9 9e e8 a2 b1<br /> fe ff 0b 48 89 d1 4c 89 c6 4c 89 ca 48 c7 c7 98 0c d9<br /> 9e e8 8b b1 fe<br /> RSP: 0000:ff5ad434865b3a40 EFLAGS: 00010246<br /> RAX: 0000000000000058 RBX: ff4d61160b74b880 RCX: ff4d61255e1fffa8<br /> RDX: 0000000000000000 RSI: 00000000fffeffff RDI: ffffffff9fd34f20<br /> RBP: ff4d611d8e245c00 R08: 0000000000000000 R09: ff5ad434865b3888<br /> R10: ff5ad434865b3880 R11: ff4d61257fdc6fe8 R12: ff4d61160b74b8a0<br /> R13: ff4d61160b74b8a0 R14: ff4d611d8e245c10 R15: ff4d611d8001ba70<br /> FS: 0000000000000000(0000) GS:ff4d611d5ea00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: ff4d611fa1401000 CR3: 0000000aa0210001 CR4: 0000000000771ef0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> intel_pasid_alloc_table+0x9c/0x1d0<br /> dmar_insert_one_dev_info+0x423/0x540<br /> ? device_to_iommu+0x12d/0x2f0<br /> intel_iommu_attach_device+0x116/0x290<br /> __iommu_attach_device+0x1a/0x90<br /> iommu_group_add_device+0x190/0x2c0<br /> __iommu_probe_device+0x13e/0x250<br /> iommu_probe_device+0x24/0x150<br /> iommu_bus_notifier+0x69/0x90<br /> blocking_notifier_call_chain+0x5a/0x80<br /> device_add+0x3db/0x7b0<br /> ? arch_memremap_can_ram_remap+0x19/0x50<br /> ? memremap+0x75/0x140<br /> pci_device_add+0x193/0x1d0<br /> pci_scan_single_device+0xb9/0xf0<br /> pci_scan_slot+0x4c/0x110<br /> pci_scan_child_bus_extend+0x3a/0x290<br /> vmd_enable_domain.constprop.0+0x63e/0x820<br /> vmd_probe+0x163/0x190<br /> local_pci_probe+0x42/0x80<br /> work_for_cpu_fn+0x13/0x20<br /> process_one_work+0x1e2/0x3b0<br /> worker_thread+0x1c4/0x3a0<br /> ? rescuer_thread+0x370/0x370<br /> kthread+0xc7/0xf0<br /> ? kthread_complete_and_exit+0x20/0x20<br /> ret_from_fork+0x1f/0x30<br /> <br /> Modules linked in:<br /> ---[ end trace 0000000000000000 ]---<br /> ...<br /> Kernel panic - not syncing: Fatal exception<br /> Kernel Offset: 0x1ca00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)<br /> ---[ end Kernel panic - not syncing: Fatal exception ]---<br /> <br /> The following &amp;#39;lspci&amp;#39; output shows devices &amp;#39;10000:80:*&amp;#39; are subdevices of<br /> the VMD device 0000:59:00.5:<br /> <br /> $ lspci<br /> ...<br /> 0000:59:00.5 RAID bus controller: Intel Corporation Volume Management Device NVMe RAID Controller (rev 20)<br /> ...<br /> 10000:80:01.0 PCI bridge: Intel Corporation Device 352a (rev 03)<br /> 10000:80:03.0 PCI bridge: Intel Corporation Device 352b (rev 03)<br /> 10000:80:05.0 PCI bridge: Intel Corporation Device 352c (rev 03)<br /> 10000:80:07.0 PCI bridge: Intel Corporation Device 352d (rev 03)<br /> 10000:81:00.0 Non-Volatile memory controller: Intel Corporation NVMe Datacenter SSD [3DNAND, Beta Rock Controller]<br /> 10000:82:00<br /> ---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2022-48917

Publication date:
22/08/2024
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2025

CVE-2022-48918

Publication date:
22/08/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iwlwifi: mvm: check debugfs_dir ptr before use<br /> <br /> When "debugfs=off" is used on the kernel command line, iwiwifi&amp;#39;s<br /> mvm module uses an invalid/unchecked debugfs_dir pointer and causes<br /> a BUG:<br /> <br /> BUG: kernel NULL pointer dereference, address: 000000000000004f<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] PREEMPT SMP<br /> CPU: 1 PID: 503 Comm: modprobe Tainted: G W 5.17.0-rc5 #7<br /> Hardware name: Dell Inc. Inspiron 15 5510/076F7Y, BIOS 2.4.1 11/05/2021<br /> RIP: 0010:iwl_mvm_dbgfs_register+0x692/0x700 [iwlmvm]<br /> Code: 69 a0 be 80 01 00 00 48 c7 c7 50 73 6a a0 e8 95 cf ee e0 48 8b 83 b0 1e 00 00 48 c7 c2 54 73 6a a0 be 64 00 00 00 48 8d 7d 8c 8b 48 50 e8 15 22 07 e1 48 8b 43 28 48 8d 55 8c 48 c7 c7 5f 73<br /> RSP: 0018:ffffc90000a0ba68 EFLAGS: 00010246<br /> RAX: ffffffffffffffff RBX: ffff88817d6e3328 RCX: ffff88817d6e3328<br /> RDX: ffffffffa06a7354 RSI: 0000000000000064 RDI: ffffc90000a0ba6c<br /> RBP: ffffc90000a0bae0 R08: ffffffff824e4880 R09: ffffffffa069d620<br /> R10: ffffc90000a0ba00 R11: ffffffffffffffff R12: 0000000000000000<br /> R13: ffffc90000a0bb28 R14: ffff88817d6e3328 R15: ffff88817d6e3320<br /> FS: 00007f64dd92d740(0000) GS:ffff88847f640000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000000000004f CR3: 000000016fc79001 CR4: 0000000000770ee0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? iwl_mvm_mac_setup_register+0xbdc/0xda0 [iwlmvm]<br /> iwl_mvm_start_post_nvm+0x71/0x100 [iwlmvm]<br /> iwl_op_mode_mvm_start+0xab8/0xb30 [iwlmvm]<br /> _iwl_op_mode_start+0x6f/0xd0 [iwlwifi]<br /> iwl_opmode_register+0x6a/0xe0 [iwlwifi]<br /> ? 0xffffffffa0231000<br /> iwl_mvm_init+0x35/0x1000 [iwlmvm]<br /> ? 0xffffffffa0231000<br /> do_one_initcall+0x5a/0x1b0<br /> ? kmem_cache_alloc+0x1e5/0x2f0<br /> ? do_init_module+0x1e/0x220<br /> do_init_module+0x48/0x220<br /> load_module+0x2602/0x2bc0<br /> ? __kernel_read+0x145/0x2e0<br /> ? kernel_read_file+0x229/0x290<br /> __do_sys_finit_module+0xc5/0x130<br /> ? __do_sys_finit_module+0xc5/0x130<br /> __x64_sys_finit_module+0x13/0x20<br /> do_syscall_64+0x38/0x90<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> RIP: 0033:0x7f64dda564dd<br /> Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1b 29 0f 00 f7 d8 64 89 01 48<br /> RSP: 002b:00007ffdba393f88 EFLAGS: 00000246 ORIG_RAX: 0000000000000139<br /> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f64dda564dd<br /> RDX: 0000000000000000 RSI: 00005575399e2ab2 RDI: 0000000000000001<br /> RBP: 000055753a91c5e0 R08: 0000000000000000 R09: 0000000000000002<br /> R10: 0000000000000001 R11: 0000000000000246 R12: 00005575399e2ab2<br /> R13: 000055753a91ceb0 R14: 0000000000000000 R15: 000055753a923018<br /> <br /> Modules linked in: btintel(+) btmtk bluetooth vfat snd_hda_codec_hdmi fat snd_hda_codec_realtek snd_hda_codec_generic iwlmvm(+) snd_sof_pci_intel_tgl mac80211 snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation soundwire_cadence soundwire_bus snd_sof_intel_hda snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core btrfs snd_compress snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec raid6_pq iwlwifi snd_hda_core snd_pcm snd_timer snd soundcore cfg80211 intel_ish_ipc(+) thunderbolt rfkill intel_ishtp ucsi_acpi wmi i2c_hid_acpi i2c_hid evdev<br /> CR2: 000000000000004f<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> Check the debugfs_dir pointer for an error before using it.<br /> <br /> [change to make both conditional]
Severity CVSS v4.0: Pending analysis
Last modification:
27/08/2024

CVE-2022-48919

Publication date:
22/08/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: fix double free race when mount fails in cifs_get_root()<br /> <br /> When cifs_get_root() fails during cifs_smb3_do_mount() we call<br /> deactivate_locked_super() which eventually will call delayed_free() which<br /> will free the context.<br /> In this situation we should not proceed to enter the out: section in<br /> cifs_smb3_do_mount() and free the same resources a second time.<br /> <br /> [Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60<br /> [Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0<br /> <br /> [Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #4<br /> [Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019<br /> [Thu Feb 10 12:59:06 2022] Call Trace:<br /> [Thu Feb 10 12:59:06 2022] <br /> [Thu Feb 10 12:59:06 2022] dump_stack_lvl+0x5d/0x78<br /> [Thu Feb 10 12:59:06 2022] print_address_description.constprop.0+0x24/0x150<br /> [Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60<br /> [Thu Feb 10 12:59:06 2022] kasan_report.cold+0x7d/0x117<br /> [Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60<br /> [Thu Feb 10 12:59:06 2022] __asan_load8+0x86/0xa0<br /> [Thu Feb 10 12:59:06 2022] rcu_cblist_dequeue+0x32/0x60<br /> [Thu Feb 10 12:59:06 2022] rcu_core+0x547/0xca0<br /> [Thu Feb 10 12:59:06 2022] ? call_rcu+0x3c0/0x3c0<br /> [Thu Feb 10 12:59:06 2022] ? __this_cpu_preempt_check+0x13/0x20<br /> [Thu Feb 10 12:59:06 2022] ? lock_is_held_type+0xea/0x140<br /> [Thu Feb 10 12:59:06 2022] rcu_core_si+0xe/0x10<br /> [Thu Feb 10 12:59:06 2022] __do_softirq+0x1d4/0x67b<br /> [Thu Feb 10 12:59:06 2022] __irq_exit_rcu+0x100/0x150<br /> [Thu Feb 10 12:59:06 2022] irq_exit_rcu+0xe/0x30<br /> [Thu Feb 10 12:59:06 2022] sysvec_hyperv_stimer0+0x9d/0xc0<br /> ...<br /> [Thu Feb 10 12:59:07 2022] Freed by task 58179:<br /> [Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50<br /> [Thu Feb 10 12:59:07 2022] kasan_set_track+0x25/0x30<br /> [Thu Feb 10 12:59:07 2022] kasan_set_free_info+0x24/0x40<br /> [Thu Feb 10 12:59:07 2022] ____kasan_slab_free+0x137/0x170<br /> [Thu Feb 10 12:59:07 2022] __kasan_slab_free+0x12/0x20<br /> [Thu Feb 10 12:59:07 2022] slab_free_freelist_hook+0xb3/0x1d0<br /> [Thu Feb 10 12:59:07 2022] kfree+0xcd/0x520<br /> [Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0x149/0xbe0 [cifs]<br /> [Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs]<br /> [Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140<br /> [Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0<br /> [Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210<br /> [Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0<br /> [Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> [Thu Feb 10 12:59:07 2022] Last potentially related work creation:<br /> [Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50<br /> [Thu Feb 10 12:59:07 2022] __kasan_record_aux_stack+0xb6/0xc0<br /> [Thu Feb 10 12:59:07 2022] kasan_record_aux_stack_noalloc+0xb/0x10<br /> [Thu Feb 10 12:59:07 2022] call_rcu+0x76/0x3c0<br /> [Thu Feb 10 12:59:07 2022] cifs_umount+0xce/0xe0 [cifs]<br /> [Thu Feb 10 12:59:07 2022] cifs_kill_sb+0xc8/0xe0 [cifs]<br /> [Thu Feb 10 12:59:07 2022] deactivate_locked_super+0x5d/0xd0<br /> [Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0xab9/0xbe0 [cifs]<br /> [Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs]<br /> [Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140<br /> [Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0<br /> [Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210<br /> [Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0<br /> [Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae
Severity CVSS v4.0: Pending analysis
Last modification:
23/12/2025

CVE-2021-4441

Publication date:
22/08/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op()<br /> <br /> In zynq_qspi_exec_mem_op(), kzalloc() is directly used in memset(),<br /> which could lead to a NULL pointer dereference on failure of<br /> kzalloc().<br /> <br /> Fix this bug by adding a check of tmpbuf.<br /> <br /> This bug was found by a static analyzer. The analysis employs<br /> differential checking to identify inconsistent security operations<br /> (e.g., checks or kfrees) between two code paths and confirms that the<br /> inconsistent operations are not recovered in the current function or<br /> the callers, so they constitute bugs.<br /> <br /> Note that, as a bug found by static analysis, it can be a false<br /> positive or hard to trigger. Multiple researchers have cross-reviewed<br /> the bug.<br /> <br /> Builds with CONFIG_SPI_ZYNQ_QSPI=m show no new warnings,<br /> and our static analyzer no longer warns about this code.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2024

CVE-2022-48900

Publication date:
22/08/2024
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2024

CVE-2022-48901

Publication date:
22/08/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: do not start relocation until in progress drops are done<br /> <br /> We hit a bug with a recovering relocation on mount for one of our file<br /> systems in production. I reproduced this locally by injecting errors<br /> into snapshot delete with balance running at the same time. This<br /> presented as an error while looking up an extent item<br /> <br /> WARNING: CPU: 5 PID: 1501 at fs/btrfs/extent-tree.c:866 lookup_inline_extent_backref+0x647/0x680<br /> CPU: 5 PID: 1501 Comm: btrfs-balance Not tainted 5.16.0-rc8+ #8<br /> RIP: 0010:lookup_inline_extent_backref+0x647/0x680<br /> RSP: 0018:ffffae0a023ab960 EFLAGS: 00010202<br /> RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000000000<br /> RBP: ffff943fd2a39b60 R08: 0000000000000000 R09: 0000000000000001<br /> R10: 0001434088152de0 R11: 0000000000000000 R12: 0000000001d05000<br /> R13: ffff943fd2a39b60 R14: ffff943fdb96f2a0 R15: ffff9442fc923000<br /> FS: 0000000000000000(0000) GS:ffff944e9eb40000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f1157b1fca8 CR3: 000000010f092000 CR4: 0000000000350ee0<br /> Call Trace:<br /> <br /> insert_inline_extent_backref+0x46/0xd0<br /> __btrfs_inc_extent_ref.isra.0+0x5f/0x200<br /> ? btrfs_merge_delayed_refs+0x164/0x190<br /> __btrfs_run_delayed_refs+0x561/0xfa0<br /> ? btrfs_search_slot+0x7b4/0xb30<br /> ? btrfs_update_root+0x1a9/0x2c0<br /> btrfs_run_delayed_refs+0x73/0x1f0<br /> ? btrfs_update_root+0x1a9/0x2c0<br /> btrfs_commit_transaction+0x50/0xa50<br /> ? btrfs_update_reloc_root+0x122/0x220<br /> prepare_to_merge+0x29f/0x320<br /> relocate_block_group+0x2b8/0x550<br /> btrfs_relocate_block_group+0x1a6/0x350<br /> btrfs_relocate_chunk+0x27/0xe0<br /> btrfs_balance+0x777/0xe60<br /> balance_kthread+0x35/0x50<br /> ? btrfs_balance+0xe60/0xe60<br /> kthread+0x16b/0x190<br /> ? set_kthread_struct+0x40/0x40<br /> ret_from_fork+0x22/0x30<br /> <br /> <br /> Normally snapshot deletion and relocation are excluded from running at<br /> the same time by the fs_info-&gt;cleaner_mutex. However if we had a<br /> pending balance waiting to get the -&gt;cleaner_mutex, and a snapshot<br /> deletion was running, and then the box crashed, we would come up in a<br /> state where we have a half deleted snapshot.<br /> <br /> Again, in the normal case the snapshot deletion needs to complete before<br /> relocation can start, but in this case relocation could very well start<br /> before the snapshot deletion completes, as we simply add the root to the<br /> dead roots list and wait for the next time the cleaner runs to clean up<br /> the snapshot.<br /> <br /> Fix this by setting a bit on the fs_info if we have any DEAD_ROOT&amp;#39;s that<br /> had a pending drop_progress key. If they do then we know we were in the<br /> middle of the drop operation and set a flag on the fs_info. Then<br /> balance can wait until this flag is cleared to start up again.<br /> <br /> If there are DEAD_ROOT&amp;#39;s that don&amp;#39;t have a drop_progress set then we&amp;#39;re<br /> safe to start balance right away as we&amp;#39;ll be properly protected by the<br /> cleaner_mutex.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2022-48902

Publication date:
22/08/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: do not WARN_ON() if we have PageError set<br /> <br /> Whenever we do any extent buffer operations we call<br /> assert_eb_page_uptodate() to complain loudly if we&amp;#39;re operating on an<br /> non-uptodate page. Our overnight tests caught this warning earlier this<br /> week<br /> <br /> WARNING: CPU: 1 PID: 553508 at fs/btrfs/extent_io.c:6849 assert_eb_page_uptodate+0x3f/0x50<br /> CPU: 1 PID: 553508 Comm: kworker/u4:13 Tainted: G W 5.17.0-rc3+ #564<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014<br /> Workqueue: btrfs-cache btrfs_work_helper<br /> RIP: 0010:assert_eb_page_uptodate+0x3f/0x50<br /> RSP: 0018:ffffa961440a7c68 EFLAGS: 00010246<br /> RAX: 0017ffffc0002112 RBX: ffffe6e74453f9c0 RCX: 0000000000001000<br /> RDX: ffffe6e74467c887 RSI: ffffe6e74453f9c0 RDI: ffff8d4c5efc2fc0<br /> RBP: 0000000000000d56 R08: ffff8d4d4a224000 R09: 0000000000000000<br /> R10: 00015817fa9d1ef0 R11: 000000000000000c R12: 00000000000007b1<br /> R13: ffff8d4c5efc2fc0 R14: 0000000001500000 R15: 0000000001cb1000<br /> FS: 0000000000000000(0000) GS:ffff8d4dbbd00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007ff31d3448d8 CR3: 0000000118be8004 CR4: 0000000000370ee0<br /> Call Trace:<br /> <br /> extent_buffer_test_bit+0x3f/0x70<br /> free_space_test_bit+0xa6/0xc0<br /> load_free_space_tree+0x1f6/0x470<br /> caching_thread+0x454/0x630<br /> ? rcu_read_lock_sched_held+0x12/0x60<br /> ? rcu_read_lock_sched_held+0x12/0x60<br /> ? rcu_read_lock_sched_held+0x12/0x60<br /> ? lock_release+0x1f0/0x2d0<br /> btrfs_work_helper+0xf2/0x3e0<br /> ? lock_release+0x1f0/0x2d0<br /> ? finish_task_switch.isra.0+0xf9/0x3a0<br /> process_one_work+0x26d/0x580<br /> ? process_one_work+0x580/0x580<br /> worker_thread+0x55/0x3b0<br /> ? process_one_work+0x580/0x580<br /> kthread+0xf0/0x120<br /> ? kthread_complete_and_exit+0x20/0x20<br /> ret_from_fork+0x1f/0x30<br /> <br /> This was partially fixed by c2e39305299f01 ("btrfs: clear extent buffer<br /> uptodate when we fail to write it"), however all that fix did was keep<br /> us from finding extent buffers after a failed writeout. It didn&amp;#39;t keep<br /> us from continuing to use a buffer that we already had found.<br /> <br /> In this case we&amp;#39;re searching the commit root to cache the block group,<br /> so we can start committing the transaction and switch the commit root<br /> and then start writing. After the switch we can look up an extent<br /> buffer that hasn&amp;#39;t been written yet and start processing that block<br /> group. Then we fail to write that block out and clear Uptodate on the<br /> page, and then we start spewing these errors.<br /> <br /> Normally we&amp;#39;re protected by the tree lock to a certain degree here. If<br /> we read a block we have that block read locked, and we block the writer<br /> from locking the block before we submit it for the write. However this<br /> isn&amp;#39;t necessarily fool proof because the read could happen before we do<br /> the submit_bio and after we locked and unlocked the extent buffer.<br /> <br /> Also in this particular case we have path-&gt;skip_locking set, so that<br /> won&amp;#39;t save us here. We&amp;#39;ll simply get a block that was valid when we<br /> read it, but became invalid while we were using it.<br /> <br /> What we really want is to catch the case where we&amp;#39;ve "read" a block but<br /> it&amp;#39;s not marked Uptodate. On read we ClearPageError(), so if we&amp;#39;re<br /> !Uptodate and !Error we know we didn&amp;#39;t do the right thing for reading<br /> the page.<br /> <br /> Fix this by checking !Uptodate &amp;&amp; !Error, this way we will not complain<br /> if our buffer gets invalidated while we&amp;#39;re using it, and we&amp;#39;ll maintain<br /> the spirit of the check which is to make sure we have a fully in-cache<br /> block while we&amp;#39;re messing with it.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2022-48903

Publication date:
22/08/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix relocation crash due to premature return from btrfs_commit_transaction()<br /> <br /> We are seeing crashes similar to the following trace:<br /> <br /> [38.969182] WARNING: CPU: 20 PID: 2105 at fs/btrfs/relocation.c:4070 btrfs_relocate_block_group+0x2dc/0x340 [btrfs]<br /> [38.973556] CPU: 20 PID: 2105 Comm: btrfs Not tainted 5.17.0-rc4 #54<br /> [38.974580] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014<br /> [38.976539] RIP: 0010:btrfs_relocate_block_group+0x2dc/0x340 [btrfs]<br /> [38.980336] RSP: 0000:ffffb0dd42e03c20 EFLAGS: 00010206<br /> [38.981218] RAX: ffff96cfc4ede800 RBX: ffff96cfc3ce0000 RCX: 000000000002ca14<br /> [38.982560] RDX: 0000000000000000 RSI: 4cfd109a0bcb5d7f RDI: ffff96cfc3ce0360<br /> [38.983619] RBP: ffff96cfc309c000 R08: 0000000000000000 R09: 0000000000000000<br /> [38.984678] R10: ffff96cec0000001 R11: ffffe84c80000000 R12: ffff96cfc4ede800<br /> [38.985735] R13: 0000000000000000 R14: 0000000000000000 R15: ffff96cfc3ce0360<br /> [38.987146] FS: 00007f11c15218c0(0000) GS:ffff96d6dfb00000(0000) knlGS:0000000000000000<br /> [38.988662] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [38.989398] CR2: 00007ffc922c8e60 CR3: 00000001147a6001 CR4: 0000000000370ee0<br /> [38.990279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [38.991219] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [38.992528] Call Trace:<br /> [38.992854] <br /> [38.993148] btrfs_relocate_chunk+0x27/0xe0 [btrfs]<br /> [38.993941] btrfs_balance+0x78e/0xea0 [btrfs]<br /> [38.994801] ? vsnprintf+0x33c/0x520<br /> [38.995368] ? __kmalloc_track_caller+0x351/0x440<br /> [38.996198] btrfs_ioctl_balance+0x2b9/0x3a0 [btrfs]<br /> [38.997084] btrfs_ioctl+0x11b0/0x2da0 [btrfs]<br /> [38.997867] ? mod_objcg_state+0xee/0x340<br /> [38.998552] ? seq_release+0x24/0x30<br /> [38.999184] ? proc_nr_files+0x30/0x30<br /> [38.999654] ? call_rcu+0xc8/0x2f0<br /> [39.000228] ? __x64_sys_ioctl+0x84/0xc0<br /> [39.000872] ? btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs]<br /> [39.001973] __x64_sys_ioctl+0x84/0xc0<br /> [39.002566] do_syscall_64+0x3a/0x80<br /> [39.003011] entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> [39.003735] RIP: 0033:0x7f11c166959b<br /> [39.007324] RSP: 002b:00007fff2543e998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br /> [39.008521] RAX: ffffffffffffffda RBX: 00007f11c1521698 RCX: 00007f11c166959b<br /> [39.009833] RDX: 00007fff2543ea40 RSI: 00000000c4009420 RDI: 0000000000000003<br /> [39.011270] RBP: 0000000000000003 R08: 0000000000000013 R09: 00007f11c16f94e0<br /> [39.012581] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff25440df3<br /> [39.014046] R13: 0000000000000000 R14: 00007fff2543ea40 R15: 0000000000000001<br /> [39.015040] <br /> [39.015418] ---[ end trace 0000000000000000 ]---<br /> [43.131559] ------------[ cut here ]------------<br /> [43.132234] kernel BUG at fs/btrfs/extent-tree.c:2717!<br /> [43.133031] invalid opcode: 0000 [#1] PREEMPT SMP PTI<br /> [43.133702] CPU: 1 PID: 1839 Comm: btrfs Tainted: G W 5.17.0-rc4 #54<br /> [43.134863] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014<br /> [43.136426] RIP: 0010:unpin_extent_range+0x37a/0x4f0 [btrfs]<br /> [43.139913] RSP: 0000:ffffb0dd4216bc70 EFLAGS: 00010246<br /> [43.140629] RAX: 0000000000000000 RBX: ffff96cfc34490f8 RCX: 0000000000000001<br /> [43.141604] RDX: 0000000080000001 RSI: 0000000051d00000 RDI: 00000000ffffffff<br /> [43.142645] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff96cfd07dca50<br /> [43.143669] R10: ffff96cfc46e8a00 R11: fffffffffffec000 R12: 0000000041d00000<br /> [43.144657] R13: ffff96cfc3ce0000 R14: ffffb0dd4216bd08 R15: 0000000000000000<br /> [43.145686] FS: 00007f7657dd68c0(0000) GS:ffff96d6df640000(0000) knlGS:0000000000000000<br /> [43.146808] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [43.147584] CR2: 00007f7fe81bf5b0 CR3: 00000001093ee004 CR4: 0000000000370ee0<br /> [43.148589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [43.149581] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 00000000000<br /> ---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024