generated content from 2024-10-22
github-actions[bot] committed Oct 22, 2024
1 parent b350edf commit fa88f66
Showing 437 changed files with 10,028 additions and 0 deletions.
436 changes: 436 additions & 0 deletions mapping.csv

Large diffs are not rendered by default.

@@ -0,0 +1,22 @@
{
"type": "bundle",
"id": "bundle--9cec32ae-2651-4e3d-9947-be9022ece6d2",
"objects": [
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--0036564e-60ce-404e-bf02-c30bf032af4e",
"created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
"created": "2024-10-22T00:37:16.662854Z",
"modified": "2024-10-22T00:37:16.662854Z",
"name": "CVE-2022-48956",
"description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid use-after-free in ip6_fragment()\n\nBlamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.\n\nIt seems to not be always true, at least for UDP stack.\n\nsyzbot reported:\n\nBUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]\nBUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951\nRead of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618\n\nCPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x15e/0x45d mm/kasan/report.c:395\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:495\n ip6_dst_idev include/net/ip6_fib.h:245 [inline]\n ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951\n __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]\n ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206\n NF_HOOK_COND include/linux/netfilter.h:291 [inline]\n ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227\n dst_output include/net/dst.h:445 [inline]\n ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161\n ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966\n udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286\n udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313\n udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606\n inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0xd3/0x120 net/socket.c:734\n sock_write_iter+0x295/0x3d0 net/socket.c:1108\n call_write_iter include/linux/fs.h:2191 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x9ed/0xdd0 fs/read_write.c:584\n ksys_write+0x1ec/0x250 fs/read_write.c:637\n 
do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fde3588c0d9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9\nRDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a\nRBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000\n </TASK>\n\nAllocated by task 7618:\n kasan_save_stack+0x22/0x40 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook mm/slab.h:737 [inline]\n slab_alloc_node mm/slub.c:3398 [inline]\n slab_alloc mm/slub.c:3406 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3413 [inline]\n kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422\n dst_alloc+0x14a/0x1f0 net/core/dst.c:92\n ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344\n ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]\n rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]\n ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254\n pol_lookup_func include/net/ip6_fib.h:582 [inline]\n fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121\n ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625\n ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638\n ip6_route_output include/net/ip6_route.h:98 [inline]\n ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092\n ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222\n ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260\n udpv6_sendmsg+0x151d/0x2c80 
net/ipv6/udp.c:1554\n inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665\n sock_sendmsg_nosec n\n---truncated---",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2022-48956"
}
]
}
]
}
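Review bot: The description for CVE-2022-48956 ends in "sock_sendmsg_nosec n\n---truncated---", so the record is cut off partway through the KASAN allocation trace, and most of the field is register and call-trace output rather than a summary of the ip6_fragment() use-after-free. The single external_references entry carries only source_name and external_id; adding a url property that points at the source CVE record would let consumers recover the full text, and the generator could mark truncated descriptions so they are not mistaken for complete ones.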
@@ -0,0 +1,22 @@
{
"type": "bundle",
"id": "bundle--5d0542cd-7083-44cd-b9ff-f8e23775bbb1",
"objects": [
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--0162bc81-1c47-4cf3-b523-61b7c3a33b90",
"created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
"created": "2024-10-22T00:37:12.279729Z",
"modified": "2024-10-22T00:37:12.279729Z",
"name": "CVE-2024-49898",
"description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null-initialized variables\n\n[WHAT & HOW]\ndrr_timing and subvp_pipe are initialized to null and they are not\nalways assigned new values. It is necessary to check for null before\ndereferencing.\n\nThis fixes 2 FORWARD_NULL issues reported by Coverity.",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2024-49898"
}
]
}
]
}
@@ -0,0 +1,22 @@
{
"type": "bundle",
"id": "bundle--80c8b6a5-27c4-4890-ad26-67ecf326c324",
"objects": [
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--02194e4a-0630-4be5-971b-6a48ebf59ee0",
"created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
"created": "2024-10-22T00:37:11.006338Z",
"modified": "2024-10-22T00:37:11.006338Z",
"name": "CVE-2024-50000",
"description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()\n\nIn mlx5e_tir_builder_alloc() kvzalloc() may return NULL\nwhich is dereferenced on the next line in a reference\nto the modify field.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2024-50000"
}
]
}
]
}
@@ -0,0 +1,22 @@
{
"type": "bundle",
"id": "bundle--a98b0ae0-d52c-472e-bcab-b674caf27647",
"objects": [
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--02d3fcbc-3e20-47ca-b45d-80f744afa59a",
"created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
"created": "2024-10-22T00:37:12.017324Z",
"modified": "2024-10-22T00:37:12.017324Z",
"name": "CVE-2024-49850",
"description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos\n\nIn case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL\nreferencing a non-existing BTF type, function bpf_core_calc_relo_insn\nwould cause a null pointer deference.\n\nFix this by adding a proper check upper in call stack, as malformed\nrelocation records could be passed from user space.\n\nSimplest reproducer is a program:\n\n r0 = 0\n exit\n\nWith a single relocation record:\n\n .insn_off = 0, /* patch first instruction */\n .type_id = 100500, /* this type id does not exist */\n .access_str_off = 6, /* offset of string \"0\" */\n .kind = BPF_CORE_TYPE_ID_LOCAL,\n\nSee the link for original reproducer or next commit for a test case.",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2024-49850"
}
]
}
]
}
@@ -0,0 +1,22 @@
{
"type": "bundle",
"id": "bundle--6c417147-9a78-42c2-a206-f563bd63296e",
"objects": [
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--030a5255-f423-41b5-97a6-e32b9e24c939",
"created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
"created": "2024-10-22T00:37:10.551158Z",
"modified": "2024-10-22T00:37:10.551158Z",
"name": "CVE-2024-48659",
"description": "An issue in DCME-320-L <=9.3.2.114 allows a remote attacker to execute arbitrary code via the log_u_umount.php component.",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2024-48659"
}
]
}
]
}
@@ -0,0 +1,22 @@
{
"type": "bundle",
"id": "bundle--215a6fa0-b5a2-4170-986f-4b13996d355b",
"objects": [
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--0336485f-5475-4a2c-8fc9-d80eb9de7e22",
"created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
"created": "2024-10-22T00:37:11.630757Z",
"modified": "2024-10-22T00:37:11.630757Z",
"name": "CVE-2024-40091",
"description": "Vilo 5 Mesh WiFi System <= 5.16.1.33 lacks authentication in the Boa webserver, which allows remote, unauthenticated attackers to retrieve logs with sensitive system.",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2024-40091"
}
]
}
]
}
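Review bot: The description for CVE-2024-40091 ends with "retrieve logs with sensitive system.", which stops short of saying what the logs contain. Check this against the source CVE record: if the text was cut during generation, fix the generator; if it is verbatim from the source, leave it unchanged.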
@@ -0,0 +1,22 @@
{
"type": "bundle",
"id": "bundle--ee58b971-a55b-4b33-b273-4a6bf87ba626",
"objects": [
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--03379b81-8799-44bf-965f-8fa8b7522974",
"created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
"created": "2024-10-22T00:37:16.667236Z",
"modified": "2024-10-22T00:37:16.667236Z",
"name": "CVE-2022-48965",
"description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio/rockchip: fix refcount leak in rockchip_gpiolib_register()\n\nThe node returned by of_get_parent() with refcount incremented,\nof_node_put() needs be called when finish using it. So add it in the\nend of of_pinctrl_get().",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2022-48965"
}
]
}
]
}
@@ -0,0 +1,22 @@
{
"type": "bundle",
"id": "bundle--ae90b24a-d40f-4b46-bcfd-6ef4a24871dc",
"objects": [
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--04bbf17c-2176-476a-9dce-5f97ad213720",
"created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
"created": "2024-10-22T00:37:10.911691Z",
"modified": "2024-10-22T00:37:10.911691Z",
"name": "CVE-2024-47735",
"description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled\n\nFix missuse of spin_lock_irq()/spin_unlock_irq() when\nspin_lock_irqsave()/spin_lock_irqrestore() was hold.\n\nThis was discovered through the lock debugging, and the corresponding\nlog is as follows:\n\nraw_local_irq_restore() called with IRQs enabled\nWARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40\n...\nCall trace:\n warn_bogus_irq_restore+0x30/0x40\n _raw_spin_unlock_irqrestore+0x84/0xc8\n add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2]\n hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2]\n hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2]\n create_qp+0x138/0x258\n ib_create_qp_kernel+0x50/0xe8\n create_mad_qp+0xa8/0x128\n ib_mad_port_open+0x218/0x448\n ib_mad_init_device+0x70/0x1f8\n add_client_context+0xfc/0x220\n enable_device_and_get+0xd0/0x140\n ib_register_device.part.0+0xf4/0x1c8\n ib_register_device+0x34/0x50\n hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2]\n hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2]\n __hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2]\n hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2]",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2024-47735"
}
]
}
]
}
@@ -0,0 +1,22 @@
{
"type": "bundle",
"id": "bundle--2fb70cfe-2f79-4791-8544-f3bcf1b072c2",
"objects": [
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--04e4a7d3-358a-44e7-8fb7-45bc1c896b2b",
"created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
"created": "2024-10-22T00:37:16.686105Z",
"modified": "2024-10-22T00:37:16.686105Z",
"name": "CVE-2022-48986",
"description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/gup: fix gup_pud_range() for dax\n\nFor dax pud, pud_huge() returns true on x86. So the function works as long\nas hugetlb is configured. However, dax doesn't depend on hugetlb.\nCommit 414fd080d125 (\"mm/gup: fix gup_pmd_range() for dax\") fixed\ndevmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as\nwell.\n\nThis fixes the below kernel panic:\n\ngeneral protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP\n\t< snip >\nCall Trace:\n<TASK>\nget_user_pages_fast+0x1f/0x40\niov_iter_get_pages+0xc6/0x3b0\n? mempool_alloc+0x5d/0x170\nbio_iov_iter_get_pages+0x82/0x4e0\n? bvec_alloc+0x91/0xc0\n? bio_alloc_bioset+0x19a/0x2a0\nblkdev_direct_IO+0x282/0x480\n? __io_complete_rw_common+0xc0/0xc0\n? filemap_range_has_page+0x82/0xc0\ngeneric_file_direct_write+0x9d/0x1a0\n? inode_update_time+0x24/0x30\n__generic_file_write_iter+0xbd/0x1e0\nblkdev_write_iter+0xb4/0x150\n? io_import_iovec+0x8d/0x340\nio_write+0xf9/0x300\nio_issue_sqe+0x3c3/0x1d30\n? sysvec_reschedule_ipi+0x6c/0x80\n__io_queue_sqe+0x33/0x240\n? fget+0x76/0xa0\nio_submit_sqes+0xe6a/0x18d0\n? __fget_light+0xd1/0x100\n__x64_sys_io_uring_enter+0x199/0x880\n? __context_tracking_enter+0x1f/0x70\n? irqentry_exit_to_user_mode+0x24/0x30\n? irqentry_exit+0x1d/0x30\n? __context_tracking_exit+0xe/0x70\ndo_syscall_64+0x3b/0x90\nentry_SYSCALL_64_after_hwframe+0x61/0xcb\nRIP: 0033:0x7fc97c11a7be\n\t< snip >\n</TASK>\n---[ end trace 48b2e0e67debcaeb ]---\nRIP: 0010:internal_get_user_pages_fast+0x340/0x990\n\t< snip >\nKernel panic - not syncing: Fatal exception\nKernel Offset: disabled",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2022-48986"
}
]
}
]
}
@@ -0,0 +1,22 @@
{
"type": "bundle",
"id": "bundle--f634364f-5705-4f1d-9184-ae36f71b0e0d",
"objects": [
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--054695e3-b2c9-4698-ae96-d6eac1c63447",
"created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
"created": "2024-10-22T00:37:12.030401Z",
"modified": "2024-10-22T00:37:12.030401Z",
"name": "CVE-2024-49974",
"description": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Limit the number of concurrent async COPY operations\n\nNothing appears to limit the number of concurrent async COPY\noperations that clients can start. In addition, AFAICT each async\nCOPY can copy an unlimited number of 4MB chunks, so can run for a\nlong time. Thus IMO async COPY can become a DoS vector.\n\nAdd a restriction mechanism that bounds the number of concurrent\nbackground COPY operations. Start simple and try to be fair -- this\npatch implements a per-namespace limit.\n\nAn async COPY request that occurs while this limit is exceeded gets\nNFS4ERR_DELAY. The requesting client can choose to send the request\nagain after a delay or fall back to a traditional read/write style\ncopy.\n\nIf there is need to make the mechanism more sophisticated, we can\nvisit that in future patches.",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2024-49974"
}
]
}
]
}
@@ -0,0 +1,22 @@
{
"type": "bundle",
"id": "bundle--95a85d95-389b-4855-960f-46116f45096e",
"objects": [
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--05b92c4f-0112-4695-b0fd-3e8ac78dd85d",
"created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
"created": "2024-10-22T00:37:12.185462Z",
"modified": "2024-10-22T00:37:12.185462Z",
"name": "CVE-2024-49880",
"description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix off by one issue in alloc_flex_gd()\n\nWesley reported an issue:\n\n==================================================================\nEXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks\n------------[ cut here ]------------\nkernel BUG at fs/ext4/resize.c:324!\nCPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27\nRIP: 0010:ext4_resize_fs+0x1212/0x12d0\nCall Trace:\n __ext4_ioctl+0x4e0/0x1800\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0x99/0xd0\n x64_sys_call+0x1206/0x20d0\n do_syscall_64+0x72/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n==================================================================\n\nWhile reviewing the patch, Honza found that when adjusting resize_bg in\nalloc_flex_gd(), it was possible for flex_gd->resize_bg to be bigger than\nflexbg_size.\n\nThe reproduction of the problem requires the following:\n\n o_group = flexbg_size * 2 * n;\n o_size = (o_group + 1) * group_size;\n n_group: [o_group + flexbg_size, o_group + flexbg_size * 2)\n o_size = (n_group + 1) * group_size;\n\nTake n=0,flexbg_size=16 as an example:\n\n last:15\n|o---------------|--------------n-|\no_group:0 resize to n_group:30\n\nThe corresponding reproducer is:\n\nimg=test.img\nrm -f $img\ntruncate -s 600M $img\nmkfs.ext4 -F $img -b 1024 -G 16 8M\ndev=`losetup -f --show $img`\nmkdir -p /tmp/test\nmount $dev /tmp/test\nresize2fs $dev 248M\n\nDelete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE()\nto prevent the issue from happening again.\n\n[ Note: another reproucer which this commit fixes is:\n\n img=test.img\n rm -f $img\n truncate -s 25MiB $img\n mkfs.ext4 -b 4096 -E nodiscard,lazy_itable_init=0,lazy_journal_init=0 $img\n truncate -s 3GiB $img\n dev=`losetup -f --show $img`\n mkdir -p /tmp/test\n mount $dev /tmp/test\n resize2fs $dev 3G\n umount $dev\n losetup -d $dev\n\n -- TYT ]",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2024-49880"
}
]
}
]
}
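Review bot: In the reproduction conditions inside the CVE-2024-49880 description, o_size is assigned twice ("o_size = (o_group + 1) * group_size;" and "o_size = (n_group + 1) * group_size;"); the second line is computed from n_group and reads as if it defines the resized size rather than the original one. The same field also carries the spelling "reproucer". If both match the source text, keep them verbatim rather than correcting them in the generated bundle; it is only worth confirming that the generator did not introduce them.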