CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2022-48837 – usb: gadget: rndis: prevent integer overflow in rndis_set_response()
https://notcve.org/view.php?id=CVE-2022-48837
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: rndis: prevent integer overflow in rndis_set_response() If "BufOffset" is very large the "BufOffset + 8" operation can have an integer overflow. • https://git.kernel.org/stable/c/ff0a90739925734c91c7e39befe3f4378e0c1369 https://git.kernel.org/stable/c/4c22fbcef778badb00fb8bb9f409daa29811c175 https://git.kernel.org/stable/c/db9aaa3026298d652e98f777bc0f5756e2455dda https://git.kernel.org/stable/c/c9e952871ae47af784b4aef0a77db02e557074d6 https://git.kernel.org/stable/c/fb4ff0f96de37c44236598e8b53fe43b1df36bf3 https://git.kernel.org/stable/c/2da3b0ab54fb7f4d7c5a82757246d0ee33a47197 https://git.kernel.org/stable/c/2724ebafda0a8df08a9cb91557d33226bee80f7b https://git.kernel.org/stable/c/8b3e4d26bc9cd0f6373d0095b9ffd99e7 • CWE-190: Integer Overflow or Wraparound •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48827 – NFSD: Fix the behavior of READ near OFFSET_MAX
https://notcve.org/view.php?id=CVE-2022-48827
A vulnerability was found in the Linux kernel's NFSD, where improper handling of read requests near the maximum offset can lead to an integer overflow. • https://git.kernel.org/stable/c/1726a39b0879acfb490b22dca643f26f4f907da9 https://git.kernel.org/stable/c/c6eff5c4277146a78b4fb8c9b668dd64542c41b0 https://git.kernel.org/stable/c/44502aca8e02ab32d6b0eb52e006a5ec9402719b https://git.kernel.org/stable/c/0cb4d23ae08c48f6bf3c29a8e5c4a74b8388b960 https://access.redhat.com/security/cve/CVE-2022-48827 https://bugzilla.redhat.com/show_bug.cgi?id=2298166 • CWE-125: Out-of-bounds Read •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48804 – vt_ioctl: fix array_index_nospec in vt_setactivate
https://notcve.org/view.php?id=CVE-2022-48804
Decreasing the value by one afterwards causes a transient integer underflow. vsa.console should be decreased first and then sanitized with array_index_nospec. Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU Amsterdam. • https://git.kernel.org/stable/c/830c5aa302ec16b4ee641aec769462c37f802c90 https://git.kernel.org/stable/c/2a45a6bd1e6d651770aafff57ab3e1d3bb0b42e0 https://git.kernel.org/stable/c/170325aba4608bde3e7d21c9c19b7bc266ac0885 https://git.kernel.org/stable/c/ae3d57411562260ee3f4fd5e875f410002341104 https://git.kernel.org/stable/c/778302ca09498b448620edd372dc908bebf80bdf https://git.kernel.org/stable/c/ffe54289b02e9c732d6f04c8ebbe3b2d90d32118 https://git.kernel.org/stable/c/6550bdf52846f85a2a3726a5aa0c7c4399f2fc02 https://git.kernel.org/stable/c/61cc70d9e8ef5b042d4ed87994d20100e •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-41000 – block/ioctl: prefer different overflow check
https://notcve.org/view.php?id=CVE-2024-41000
In the Linux kernel, the following vulnerability has been resolved: block/ioctl: prefer different overflow check Running syzkaller with the newly reintroduced signed integer overflow sanitizer shows this report: [ 62.982337] ------------[ cut here ]------------ [ 62.985692] cgroup: Invalid name [ 62.986211] UBSAN: signed-integer-overflow in ..... arch_exit_to_user_mode_prepare+0x3a/0x60 [ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77 [ 63.001535] RIP: 0033:0x7f7fd3ebf539 [ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539 [ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004 [ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000 [ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8 ... [ 63.018142] ---[ end trace ]--- Historically, the signed integer overflow sanitizer did not work in the kernel due to its interaction with `-fwrapv` but this has since been changed [1] in the newest version of Clang; It was re-enabled in the kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow sanitizer"). Let's rework this overflow checking logic to not actually perform an overflow during the check itself, thus avoiding the UBSAN splat. [1]: https://github.com/llvm/llvm-project/pull/82432 • https://git.kernel.org/stable/c/58706e482bf45c4db48b0c53aba2468c97adda24 https://git.kernel.org/stable/c/3220c90f4dbdc6d20d0608b164d964434a810d66 https://git.kernel.org/stable/c/61ec76ec930709b7bcd69029ef1fe90491f20cf9 https://git.kernel.org/stable/c/fd841ee01fb4a79cb7f5cc424b5c96c3a73b2d1e https://git.kernel.org/stable/c/54160fb1db2de367485f21e30196c42f7ee0be4e https://git.kernel.org/stable/c/ccb326b5f9e623eb7f130fbbf2505ec0e2dcaff9 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-40994 – ptp: fix integer overflow in max_vclocks_store
https://notcve.org/view.php?id=CVE-2024-40994
In the Linux kernel, the following vulnerability has been resolved: ptp: fix integer overflow in max_vclocks_store On 32bit systems, the "4 * max" multiply can overflow. • https://git.kernel.org/stable/c/44c494c8e30e35713c7d11ca3c5ab332cbfabacf https://git.kernel.org/stable/c/4b03da87d0b7074c93d9662c6e1a8939f9b8b86e https://git.kernel.org/stable/c/d50d62d5e6ee6aa03c00bddb91745d0b632d3b0f https://git.kernel.org/stable/c/666e934d749e50a37f3796caaf843a605f115b6f https://git.kernel.org/stable/c/e1fccfb4638ee6188377867f6015d0ce35764a8e https://git.kernel.org/stable/c/81d23d2a24012e448f651e007fac2cfd20a45ce0 •