lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250310062349.206687-1-harshit.m.mogalapalli@oracle.com>
Date: Sun,  9 Mar 2025 23:23:49 -0700
From: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
To: cve@...nel.org
Cc: andypma@...cent.com, Jesse.Zhang@....com, forst@....gy,
        adobriyan@...il.com, vegard.nossum@...cle.com,
        linux-kernel@...r.kernel.org,
        Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
Subject: [PATCH] Add vulnerable commits for few CVEs

CVE-2024-49994: block: fix integer overflow in BLKSECDISCARD
 — Fixes: 44abff2c0b97 ("block: decouple REQ_OP_SECURE_ERASE from REQ_OP_DISCARD")
Reason: The overflowing addition in blk_ioctl_secure_erase() is added in
above mentioned broken commit.

CVE-2024-46861 kernel: usbnet: ipheth: do not stop RX on failing RX callback
 — Fixes: a2d274c62e44 ("usbnet: ipheth: add CDC NCM support")
Reason: dev->rcvbulk_callback() was added in the broken commit, and the
CVE fix is to remove the return statement on failure.
Note: The CVE fix is preventing driver to stop on non-critical failures
-- I think this shouldn't be a CVE

CVE-2024-46819 kernel: drm/amdgpu: the warning dereferencing obj for nbio_v7_4
 - Fixes: 28f87950d935 ("drm/amdgpu: clear ras controller status registers when interrupt occurs")
Reason: ras_manager was first brought into usage in the above mentioned
broken commit.

CVE-2024-40997 kernel: cpufreq: amd-pstate: fix memory leak on CPU EPP exit
 — Fixes: ffa5096a7c33 ("cpufreq: amd-pstate: implement Pstate EPP support for the AMD processors")
Reason: memory allocation in amd_pstate_epp_cpu_init() with kzalloc is
added in the above mentioned broken commit.

Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
---
 cve/published/2024/CVE-2024-40997.vulnerable | 2 +-
 cve/published/2024/CVE-2024-46819.vulnerable | 1 +
 cve/published/2024/CVE-2024-46861.vulnerable | 1 +
 cve/published/2024/CVE-2024-49994.vulnerable | 1 +
 4 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 cve/published/2024/CVE-2024-46819.vulnerable
 create mode 100644 cve/published/2024/CVE-2024-46861.vulnerable
 create mode 100644 cve/published/2024/CVE-2024-49994.vulnerable

diff --git a/cve/published/2024/CVE-2024-40997.vulnerable b/cve/published/2024/CVE-2024-40997.vulnerable
index c45e2b019603..b715f1e960e6 100644
--- a/cve/published/2024/CVE-2024-40997.vulnerable
+++ b/cve/published/2024/CVE-2024-40997.vulnerable
@@ -1 +1 @@
-ec437d71db77a181227bf6d0ac9d4a80e58ecf0f
+ffa5096a7c338641f70fb06d4778e8cf400181a8
diff --git a/cve/published/2024/CVE-2024-46819.vulnerable b/cve/published/2024/CVE-2024-46819.vulnerable
new file mode 100644
index 000000000000..d8021d7b9571
--- /dev/null
+++ b/cve/published/2024/CVE-2024-46819.vulnerable
@@ -0,0 +1 @@
+28f87950d935eec2ba1076933535213f4f5c8a06
diff --git a/cve/published/2024/CVE-2024-46861.vulnerable b/cve/published/2024/CVE-2024-46861.vulnerable
new file mode 100644
index 000000000000..84ad606d707a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-46861.vulnerable
@@ -0,0 +1 @@
+a2d274c62e44b1995c170595db3865c6fe701226
diff --git a/cve/published/2024/CVE-2024-49994.vulnerable b/cve/published/2024/CVE-2024-49994.vulnerable
new file mode 100644
index 000000000000..7ab1e0c8c338
--- /dev/null
+++ b/cve/published/2024/CVE-2024-49994.vulnerable
@@ -0,0 +1 @@
+44abff2c0b970ae3d310b97617525dc01f248d7c
-- 
2.46.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ