generated content from 2025-02-27

objects/vulnerability/vulnerability--00d45581-b5a0-462e-b70b-ce86b7484e58.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--f6f95427-00e3-499d-a836-90fe279068c7",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--00d45581-b5a0-462e-b70b-ce86b7484e58",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-02-27T00:38:15.332864Z",
+            "modified": "2025-02-27T00:38:15.332864Z",
+            "name": "CVE-2022-49202",
+            "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: add missing NULL check in h5_enqueue\n\nSyzbot hit general protection fault in __pm_runtime_resume(). The problem\nwas in missing NULL check.\n\nhu->serdev can be NULL and we should not blindly pass &serdev->dev\nsomewhere, since it will cause GPF.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2022-49202"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--014ae28d-17a9-4eda-b146-879c30a8d0da.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--d2f9fcb5-e6cd-4c44-87ba-679c69f54557",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--014ae28d-17a9-4eda-b146-879c30a8d0da",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-02-27T00:38:15.264732Z",
+            "modified": "2025-02-27T00:38:15.264732Z",
+            "name": "CVE-2022-49547",
+            "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock between concurrent dio writes when low on free data space\n\nWhen reserving data space for a direct IO write we can end up deadlocking\nif we have multiple tasks attempting a write to the same file range, there\nare multiple extents covered by that file range, we are low on available\nspace for data and the writes don't expand the inode's i_size.\n\nThe deadlock can happen like this:\n\n1) We have a file with an i_size of 1M, at offset 0 it has an extent with\n   a size of 128K and at offset 128K it has another extent also with a\n   size of 128K;\n\n2) Task A does a direct IO write against file range [0, 256K), and because\n   the write is within the i_size boundary, it takes the inode's lock (VFS\n   level) in shared mode;\n\n3) Task A locks the file range [0, 256K) at btrfs_dio_iomap_begin(), and\n   then gets the extent map for the extent covering the range [0, 128K).\n   At btrfs_get_blocks_direct_write(), it creates an ordered extent for\n   that file range ([0, 128K));\n\n4) Before returning from btrfs_dio_iomap_begin(), it unlocks the file\n   range [0, 256K);\n\n5) Task A executes btrfs_dio_iomap_begin() again, this time for the file\n   range [128K, 256K), and locks the file range [128K, 256K);\n\n6) Task B starts a direct IO write against file range [0, 256K) as well.\n   It also locks the inode in shared mode, as it's within the i_size limit,\n   and then tries to lock file range [0, 256K). It is able to lock the\n   subrange [0, 128K) but then blocks waiting for the range [128K, 256K),\n   as it is currently locked by task A;\n\n7) Task A enters btrfs_get_blocks_direct_write() and tries to reserve data\n   space. Because we are low on available free space, it triggers the\n   async data reclaim task, and waits for it to reserve data space;\n\n8) The async reclaim task decides to wait for all existing ordered extents\n   to complete (through btrfs_wait_ordered_roots()).\n   It finds the ordered extent previously created by task A for the file\n   range [0, 128K) and waits for it to complete;\n\n9) The ordered extent for the file range [0, 128K) can not complete\n   because it blocks at btrfs_finish_ordered_io() when trying to lock the\n   file range [0, 128K).\n\n   This results in a deadlock, because:\n\n   - task B is holding the file range [0, 128K) locked, waiting for the\n     range [128K, 256K) to be unlocked by task A;\n\n   - task A is holding the file range [128K, 256K) locked and it's waiting\n     for the async data reclaim task to satisfy its space reservation\n     request;\n\n   - the async data reclaim task is waiting for ordered extent [0, 128K)\n     to complete, but the ordered extent can not complete because the\n     file range [0, 128K) is currently locked by task B, which is waiting\n     on task A to unlock file range [128K, 256K) and task A waiting\n     on the async data reclaim task.\n\n   This results in a deadlock between 4 task: task A, task B, the async\n   data reclaim task and the task doing ordered extent completion (a work\n   queue task).\n\nThis type of deadlock can sporadically be triggered by the test case\ngeneric/300 from fstests, and results in a stack trace like the following:\n\n[12084.033689] INFO: task kworker/u16:7:123749 blocked for more than 241 seconds.\n[12084.034877]       Not tainted 5.18.0-rc2-btrfs-next-115 #1\n[12084.035562] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[12084.036548] task:kworker/u16:7   state:D stack:    0 pid:123749 ppid:     2 flags:0x00004000\n[12084.036554] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs]\n[12084.036599] Call Trace:\n[12084.036601]  <TASK>\n[12084.036606]  __schedule+0x3cb/0xed0\n[12084.036616]  schedule+0x4e/0xb0\n[12084.036620]  btrfs_start_ordered_extent+0x109/0x1c0 [btrfs]\n[12084.036651]  ? prepare_to_wait_exclusive+0xc0/0xc0\n[12084.036659]  btrfs_run_ordered_extent_work+0x1a/0x30 [btrfs]\n[12084.036688]  btrfs_work_helper+0xf8/0x400 [btrfs]\n[12084.0367\n---truncated---",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2022-49547"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--02369b1c-2a04-49ff-a7db-603018ac70dd.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--544a7d9a-3741-4b06-a4b5-c449b56fb84f",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--02369b1c-2a04-49ff-a7db-603018ac70dd",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-02-27T00:38:15.623727Z",
+            "modified": "2025-02-27T00:38:15.623727Z",
+            "name": "CVE-2022-49333",
+            "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: E-Switch, pair only capable devices\n\nOFFLOADS paring using devcom is possible only on devices\nthat support LAG. Filter based on lag capabilities.\n\nThis fixes an issue where mlx5_get_next_phys_dev() was\ncalled without holding the interface lock.\n\nThis issue was found when commit\nbc4c2f2e0179 (\"net/mlx5: Lag, filter non compatible devices\")\nadded an assert that verifies the interface lock is held.\n\nWARNING: CPU: 9 PID: 1706 at drivers/net/ethernet/mellanox/mlx5/core/dev.c:642 mlx5_get_next_phys_dev+0xd2/0x100 [mlx5_core]\nModules linked in: mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm ib_uverbs ib_core overlay fuse [last unloaded: mlx5_core]\nCPU: 9 PID: 1706 Comm: devlink Not tainted 5.18.0-rc7+ #11\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:mlx5_get_next_phys_dev+0xd2/0x100 [mlx5_core]\nCode: 02 00 75 48 48 8b 85 80 04 00 00 5d c3 31 c0 5d c3 be ff ff ff ff 48 c7 c7 08 41 5b a0 e8 36 87 28 e3 85 c0 0f 85 6f ff ff ff <0f> 0b e9 68 ff ff ff 48 c7 c7 0c 91 cc 84 e8 cb 36 6f e1 e9 4d ff\nRSP: 0018:ffff88811bf47458 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88811b398000 RCX: 0000000000000001\nRDX: 0000000080000000 RSI: ffffffffa05b4108 RDI: ffff88812daaaa78\nRBP: ffff88812d050380 R08: 0000000000000001 R09: ffff88811d6b3437\nR10: 0000000000000001 R11: 00000000fddd3581 R12: ffff88815238c000\nR13: ffff88812d050380 R14: ffff8881018aa7e0 R15: ffff88811d6b3428\nFS:  00007fc82e18ae80(0000) GS:ffff88842e080000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f9630d1b421 CR3: 0000000149802004 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n mlx5_esw_offloads_devcom_event+0x99/0x3b0 [mlx5_core]\n mlx5_devcom_send_event+0x167/0x1d0 [mlx5_core]\n esw_offloads_enable+0x1153/0x1500 [mlx5_core]\n ? mlx5_esw_offloads_controller_valid+0x170/0x170 [mlx5_core]\n ? wait_for_completion_io_timeout+0x20/0x20\n ? mlx5_rescan_drivers_locked+0x318/0x810 [mlx5_core]\n mlx5_eswitch_enable_locked+0x586/0xc50 [mlx5_core]\n ? mlx5_eswitch_disable_pf_vf_vports+0x1d0/0x1d0 [mlx5_core]\n ? mlx5_esw_try_lock+0x1b/0xb0 [mlx5_core]\n ? mlx5_eswitch_enable+0x270/0x270 [mlx5_core]\n ? __debugfs_create_file+0x260/0x3e0\n mlx5_devlink_eswitch_mode_set+0x27e/0x870 [mlx5_core]\n ? mutex_lock_io_nested+0x12c0/0x12c0\n ? esw_offloads_disable+0x250/0x250 [mlx5_core]\n ? devlink_nl_cmd_trap_get_dumpit+0x470/0x470\n ? rcu_read_lock_sched_held+0x3f/0x70\n devlink_nl_cmd_eswitch_set_doit+0x217/0x620",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2022-49333"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--027bca92-a56c-43af-8a64-e7c225c4dd66.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--802d9297-0ba8-4f9c-800c-b9c16aefcc09",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--027bca92-a56c-43af-8a64-e7c225c4dd66",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-02-27T00:38:15.654976Z",
+            "modified": "2025-02-27T00:38:15.654976Z",
+            "name": "CVE-2022-49526",
+            "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/bitmap: don't set sb values if can't pass sanity check\n\nIf bitmap area contains invalid data, kernel will crash then mdadm\ntriggers \"Segmentation fault\".\nThis is cluster-md speical bug. In non-clustered env, mdadm will\nhandle broken metadata case. In clustered array, only kernel space\nhandles bitmap slot info. But even this bug only happened in clustered\nenv, current sanity check is wrong, the code should be changed.\n\nHow to trigger: (faulty injection)\n\ndd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sda\ndd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sdb\nmdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda /dev/sdb\nmdadm -Ss\necho aaa > magic.txt\n == below modifying slot 2 bitmap data ==\ndd if=magic.txt of=/dev/sda seek=16384 bs=1 count=3 <== destroy magic\ndd if=/dev/zero of=/dev/sda seek=16436 bs=1 count=4 <== ZERO chunksize\nmdadm -A /dev/md0 /dev/sda /dev/sdb\n == kernel crashes. mdadm outputs \"Segmentation fault\" ==\n\nReason of kernel crash:\n\nIn md_bitmap_read_sb (called by md_bitmap_create), bad bitmap magic didn't\nblock chunksize assignment, and zero value made DIV_ROUND_UP_SECTOR_T()\ntrigger \"divide error\".\n\nCrash log:\n\nkernel: md: md0 stopped.\nkernel: md/raid1:md0: not clean -- starting background reconstruction\nkernel: md/raid1:md0: active with 2 out of 2 mirrors\nkernel: dlm: ... ...\nkernel: md-cluster: Joined cluster 44810aba-38bb-e6b8-daca-bc97a0b254aa slot 1\nkernel: md0: invalid bitmap file superblock: bad magic\nkernel: md_bitmap_copy_from_slot can't get bitmap from slot 2\nkernel: md-cluster: Could not gather bitmaps from slot 2\nkernel: divide error: 0000 [#1] SMP NOPTI\nkernel: CPU: 0 PID: 1603 Comm: mdadm Not tainted 5.14.6-1-default\nkernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nkernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]\nkernel: RSP: 0018:ffffc22ac0843ba0 EFLAGS: 00010246\nkernel: ... ...\nkernel: Call Trace:\nkernel:  ? dlm_lock_sync+0xd0/0xd0 [md_cluster 77fe..7a0]\nkernel:  md_bitmap_copy_from_slot+0x2c/0x290 [md_mod 24ea..d3a]\nkernel:  load_bitmaps+0xec/0x210 [md_cluster 77fe..7a0]\nkernel:  md_bitmap_load+0x81/0x1e0 [md_mod 24ea..d3a]\nkernel:  do_md_run+0x30/0x100 [md_mod 24ea..d3a]\nkernel:  md_ioctl+0x1290/0x15a0 [md_mod 24ea....d3a]\nkernel:  ? mddev_unlock+0xaa/0x130 [md_mod 24ea..d3a]\nkernel:  ? blkdev_ioctl+0xb1/0x2b0\nkernel:  block_ioctl+0x3b/0x40\nkernel:  __x64_sys_ioctl+0x7f/0xb0\nkernel:  do_syscall_64+0x59/0x80\nkernel:  ? exit_to_user_mode_prepare+0x1ab/0x230\nkernel:  ? syscall_exit_to_user_mode+0x18/0x40\nkernel:  ? do_syscall_64+0x69/0x80\nkernel:  entry_SYSCALL_64_after_hwframe+0x44/0xae\nkernel: RIP: 0033:0x7f4a15fa722b\nkernel: ... ...\nkernel: ---[ end trace 8afa7612f559c868 ]---\nkernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2022-49526"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--033bc159-6244-4655-83e6-a6980ee9f3bc.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--7e648be9-c311-450b-a5fc-7d3f8dd7aafe",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--033bc159-6244-4655-83e6-a6980ee9f3bc",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-02-27T00:38:15.446157Z",
+            "modified": "2025-02-27T00:38:15.446157Z",
+            "name": "CVE-2022-49410",
+            "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix potential double free in create_var_ref()\n\nIn create_var_ref(), init_var_ref() is called to initialize the fields\nof variable ref_field, which is allocated in the previous function call\nto create_hist_field(). Function init_var_ref() allocates the\ncorresponding fields such as ref_field->system, but frees these fields\nwhen the function encounters an error. The caller later calls\ndestroy_hist_field() to conduct error handling, which frees the fields\nand the variable itself. This results in double free of the fields which\nare already freed in the previous function.\n\nFix this by storing NULL to the corresponding fields when they are freed\nin init_var_ref().",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2022-49410"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--03822a5e-4ce1-408f-bd5a-64f538d0e354.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--75f4376f-5440-43e1-99ae-8dfdd09f56b8",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--03822a5e-4ce1-408f-bd5a-64f538d0e354",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-02-27T00:38:15.748118Z",
+            "modified": "2025-02-27T00:38:15.748118Z",
+            "name": "CVE-2022-49368",
+            "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry()\n\nThe \"fsp->location\" variable comes from user via ethtool_get_rxnfc().\nCheck that it is valid to prevent an out of bounds read.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2022-49368"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--03e60f3e-2891-4f52-a223-c03139a873f8.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--33342ebe-cbf0-4076-af13-1f0ce7b0a249",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--03e60f3e-2891-4f52-a223-c03139a873f8",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-02-27T00:38:07.737978Z",
+            "modified": "2025-02-27T00:38:07.737978Z",
+            "name": "CVE-2025-25796",
+            "description": "SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component admin_template.php.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2025-25796"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--04861f6b-d72a-4460-ac60-57dbf8751a8b.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--7bdfac0d-0813-44a4-a968-d0696b60edb5",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--04861f6b-d72a-4460-ac60-57dbf8751a8b",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-02-27T00:38:15.310814Z",
+            "modified": "2025-02-27T00:38:15.310814Z",
+            "name": "CVE-2022-49640",
+            "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: Fix data races in proc_douintvec_minmax().\n\nA sysctl variable is accessed concurrently, and there is always a chance\nof data-race.  So, all readers and writers need some basic protection to\navoid load/store-tearing.\n\nThis patch changes proc_douintvec_minmax() to use READ_ONCE() and\nWRITE_ONCE() internally to fix data-races on the sysctl side.  For now,\nproc_douintvec_minmax() itself is tolerant to a data-race, but we still\nneed to add annotations on the other subsystem's side.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2022-49640"
+                }
+            ]
+        }
+    ]
+}

objects/vulnerability/vulnerability--04a3f1be-0e2b-4115-9c86-7a38e26e1350.json

@@ -0,0 +1,22 @@
+{
+    "type": "bundle",
+    "id": "bundle--dd9af8a2-69ad-4992-a730-9ad831e2a466",
+    "objects": [
+        {
+            "type": "vulnerability",
+            "spec_version": "2.1",
+            "id": "vulnerability--04a3f1be-0e2b-4115-9c86-7a38e26e1350",
+            "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+            "created": "2025-02-27T00:38:15.363133Z",
+            "modified": "2025-02-27T00:38:15.363133Z",
+            "name": "CVE-2022-49147",
+            "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix the maximum minor value is blk_alloc_ext_minor()\n\nida_alloc_range(..., min, max, ...) returns values from min to max,\ninclusive.\n\nSo, NR_EXT_DEVT is a valid idx returned by blk_alloc_ext_minor().\n\nThis is an issue because in device_add_disk(), this value is used in:\n   ddev->devt = MKDEV(disk->major, disk->first_minor);\nand NR_EXT_DEVT is '(1 << MINORBITS)'.\n\nSo, should 'disk->first_minor' be NR_EXT_DEVT, it would overflow.",
+            "external_references": [
+                {
+                    "source_name": "cve",
+                    "external_id": "CVE-2022-49147"
+                }
+            ]
+        }
+    ]
+}