Commit 3fcd838

Sync Collecting Fix Commits: Sat May 16 14:39:33 UTC 2026
Signed-off-by: AboutCode Automation <automation@aboutcode.org>
1 parent 3e0c30d commit 3fcd838

2 files changed

Lines changed: 36 additions & 12 deletions

data/fix-commits/advisory-database-b78f1d41.json

Lines changed: 17 additions & 12 deletions
@@ -1,26 +1,31 @@
11
{
22
"vcs_url": "https://github.com/github/advisory-database",
33
"vulnerabilities": {
4-
"GHSA-2F3M-J83V-344C": {
5-
"375a9c3686d628bc7d1d0125f084c6dd8e6de7ba": "Publish Advisories\n\nGHSA-2f3m-j83v-344c\nGHSA-j4fx-xxwh-2485"
6-
},
7-
"GHSA-J4FX-XXWH-2485": {
8-
"375a9c3686d628bc7d1d0125f084c6dd8e6de7ba": "Publish Advisories\n\nGHSA-2f3m-j83v-344c\nGHSA-j4fx-xxwh-2485"
9-
},
10-
"GHSA-J4VJ-FPX3-V8RX": {
11-
"54a9b5fd7fcc42ced3758a340ff34669f5ebb0b2": "Publish Advisories\n\nGHSA-j4vj-fpx3-v8rx\nGHSA-4fcc-vrwx-v754\nGHSA-5cq6-9f97-wjwx\nGHSA-r2q3-hjc8-7x6q\nGHSA-wxv8-w48j-r2f4"
12-
},
13-
"GHSA-4FCC-VRWX-V754": {
14-
"54a9b5fd7fcc42ced3758a340ff34669f5ebb0b2": "Publish Advisories\n\nGHSA-j4vj-fpx3-v8rx\nGHSA-4fcc-vrwx-v754\nGHSA-5cq6-9f97-wjwx\nGHSA-r2q3-hjc8-7x6q\nGHSA-wxv8-w48j-r2f4"
15-
},
164
"GHSA-5CQ6-9F97-WJWX": {
5+
"97b118988aa2a4264c51d2bcffcb6cf39076abe5": "Improve GHSA-5cq6-9f97-wjwx",
176
"54a9b5fd7fcc42ced3758a340ff34669f5ebb0b2": "Publish Advisories\n\nGHSA-j4vj-fpx3-v8rx\nGHSA-4fcc-vrwx-v754\nGHSA-5cq6-9f97-wjwx\nGHSA-r2q3-hjc8-7x6q\nGHSA-wxv8-w48j-r2f4",
187
"0a2e13bc7275a8017e4cf8c26ca4915d9b6b7c07": "Publish Advisories\n\nGHSA-2f54-v4hm-fx73\nGHSA-5cq6-9f97-wjwx\nGHSA-6275-mpwc-pq3g\nGHSA-8r2w-8p2v-h4g4\nGHSA-r2q3-hjc8-7x6q\nGHSA-x5pc-h62r-4rgx"
198
},
209
"GHSA-R2Q3-HJC8-7X6Q": {
10+
"5fbd97f9cc99b08ebee07dee21cded16c7c2715d": "Improve GHSA-r2q3-hjc8-7x6q",
2111
"54a9b5fd7fcc42ced3758a340ff34669f5ebb0b2": "Publish Advisories\n\nGHSA-j4vj-fpx3-v8rx\nGHSA-4fcc-vrwx-v754\nGHSA-5cq6-9f97-wjwx\nGHSA-r2q3-hjc8-7x6q\nGHSA-wxv8-w48j-r2f4",
2212
"0a2e13bc7275a8017e4cf8c26ca4915d9b6b7c07": "Publish Advisories\n\nGHSA-2f54-v4hm-fx73\nGHSA-5cq6-9f97-wjwx\nGHSA-6275-mpwc-pq3g\nGHSA-8r2w-8p2v-h4g4\nGHSA-r2q3-hjc8-7x6q\nGHSA-x5pc-h62r-4rgx"
2313
},
14+
"GHSA-4FCC-VRWX-V754": {
15+
"23d4d201a0748352b79eda03b289cc77690ba5ba": "Improve GHSA-4fcc-vrwx-v754",
16+
"54a9b5fd7fcc42ced3758a340ff34669f5ebb0b2": "Publish Advisories\n\nGHSA-j4vj-fpx3-v8rx\nGHSA-4fcc-vrwx-v754\nGHSA-5cq6-9f97-wjwx\nGHSA-r2q3-hjc8-7x6q\nGHSA-wxv8-w48j-r2f4"
17+
},
18+
"GHSA-J4FX-XXWH-2485": {
19+
"a4e74bd6d7c6040f3a0c90612c41afc58caee198": "Improve GHSA-j4fx-xxwh-2485",
20+
"375a9c3686d628bc7d1d0125f084c6dd8e6de7ba": "Publish Advisories\n\nGHSA-2f3m-j83v-344c\nGHSA-j4fx-xxwh-2485"
21+
},
22+
"GHSA-2F3M-J83V-344C": {
23+
"aacedba87b4e4cf642e833d83ef97bdba7198968": "Improve GHSA-2f3m-j83v-344c",
24+
"375a9c3686d628bc7d1d0125f084c6dd8e6de7ba": "Publish Advisories\n\nGHSA-2f3m-j83v-344c\nGHSA-j4fx-xxwh-2485"
25+
},
26+
"GHSA-J4VJ-FPX3-V8RX": {
27+
"54a9b5fd7fcc42ced3758a340ff34669f5ebb0b2": "Publish Advisories\n\nGHSA-j4vj-fpx3-v8rx\nGHSA-4fcc-vrwx-v754\nGHSA-5cq6-9f97-wjwx\nGHSA-r2q3-hjc8-7x6q\nGHSA-wxv8-w48j-r2f4"
28+
},
2429
"GHSA-WXV8-W48J-R2F4": {
2530
"54a9b5fd7fcc42ced3758a340ff34669f5ebb0b2": "Publish Advisories\n\nGHSA-j4vj-fpx3-v8rx\nGHSA-4fcc-vrwx-v754\nGHSA-5cq6-9f97-wjwx\nGHSA-r2q3-hjc8-7x6q\nGHSA-wxv8-w48j-r2f4",
2631
"cb4688f90ef177beaf004338dfde7b13e3354fc4": "Publish Advisories\n\nGHSA-9mrx-mqmg-gwj9\nGHSA-2p5v-p767-wqv5\nGHSA-frh9-7wfp-w73p\nGHSA-cm99-m826-vgg7\nGHSA-j666-j6hj-fpc7\nGHSA-xxmc-fm3p-q3x8\nGHSA-3h63-fx68-x5fm\nGHSA-c33v-7hr2-gw69\nGHSA-fqhc-8hwj-969h\nGHSA-gh28-ww79-7h4v\nGHSA-mx57-4jmx-5cvf\nGHSA-qj4w-p892-c352\nGHSA-r396-2q2c-pjhr\nGHSA-r83p-32gc-q9c8\nGHSA-vv9w-vff6-5rx9\nGHSA-vwxw-q9j2-rh5v\nGHSA-wxv8-w48j-r2f4\nGHSA-x3qr-8f53-fg74"
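Review bot: The 12 deletions here are key reordering rather than data changes: GHSA-2F3M-J83V-344C, GHSA-J4FX-XXWH-2485, GHSA-J4VJ-FPX3-V8RX and GHSA-4FCC-VRWX-V754 are removed from the top of "vulnerabilities" and re-added further down with their "Publish Advisories" mappings intact (GHSA-J4VJ-FPX3-V8RX is byte-for-byte the same entry). The only new information is the five "Improve GHSA-..." commits. Serializing "vulnerabilities" with a deterministic key order (for example, sorted by advisory ID) would keep these sync diffs down to the real additions and make them reviewable. Separately, every commit recorded in this file is a "Publish Advisories" or "Improve GHSA-..." commit in the advisory-database repository itself, so it is worth confirming that such advisory-metadata commits are meant to be stored under data/fix-commits.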

data/fix-commits/driver-core.git-67a4fee3.json

Lines changed: 19 additions & 0 deletions
@@ -1,6 +1,25 @@
11
{
22
"vcs_url": "https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git",
33
"vulnerabilities": {
4+
"CVE-2023-20585": {
5+
"1f44aab79bac31f459422dfb213e907bb386509c": "iommu/amd: Use maximum PPR log buffer size when SNP is enabled on Family 0x19\n\nDue to CVE-2023-20585, the PPR log buffer must use the maximum supported\nsize (512K) on Genoa (Family 0x19, model >= 0x10) systems when SNP is\nenabled, to mitigate a potential security vulnerability. Note that Family\n0x19 models below 0x10 (Milan) do not support PPR when SNP is enabled.\nHence the PPR log size increase is only applied for model >= 0x10.\nAll other systems continue to use the default PPR log buffer size (8K).\n\nApply the errata fix by making the following changes:\n\n- Introduce global new variable (amd_iommu_pprlog_size) to have PPR log buffer\n size. Adjust variable size for Genoa family.\n\n- Extend 'amd_iommu_apply_erratum_snp()' to also set the PPR log buffer\n size to maximum for Family 0x19 model >= 0x10 when SNP is enabled.\n\n- Rename PPR_* macros to make it more readable.\n\nLink: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3016.html\nCc: Borislav Petkov <bp@alien8.de>\nCc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>\nCc: Joerg Roedel <joerg.roedel@amd.com>\nSigned-off-by: Vasant Hegde <vasant.hegde@amd.com>\nTested-by: Dheeraj Kumar Srivastava <dheerajkumar.srivastava@amd.com>\nSigned-off-by: Joerg Roedel <joerg.roedel@amd.com>",
6+
"58c0ac6125d89bf6ec65a521eaeb52a0e8e20a9f": "iommu/amd: Use maximum Event log buffer size when SNP is enabled on Family 0x19\n\nDue to CVE-2023-20585, the Event log buffer must use the maximum supported\nsize (512K) on Milan/Genoa (Family 0x19) systems when SNP is enabled,\nto mitigate a potential security vulnerability. All other systems continue to\nuse the default Event log buffer size (8K).\n\nApply the errata fix by making the following changes:\n\n* Introduce new global variable (amd_iommu_evtlog_size) to have event log\n buffer size. Adjust variable size for family 0x19.\n\n* Since 'iommu_snp_enable()' must be called after the core IOMMU subsystem\n is initialized, it cannot be moved to the early init stage. The SNP errata\n must also be applied after the 'iommu_snp_enable()' check. Therefore,\n 'alloc_event_buffer()' and 'iommu_enable_event_buffer()' are now called\n in the IOMMU_ENABLED state, after the errata is applied.\n\n* Adjust alloc_event_buffer() and iommu_enable_event_buffer() to handle\n all IOMMU instances.\n\n* Also rename EVT_* macros to make it more readable.\n\nLink: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3016.html\nCc: Borislav Petkov <bp@alien8.de>\nCc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>\nCc: Joerg Roedel <joerg.roedel@amd.com>\nSigned-off-by: Vasant Hegde <vasant.hegde@amd.com>\nTested-by: Dheeraj Kumar Srivastava <dheerajkumar.srivastava@amd.com>\nSigned-off-by: Joerg Roedel <joerg.roedel@amd.com>"
7+
},
8+
"CVE-2026-31787": {
9+
"24daca4fc07f3ff8cd0e3f629cd982187f48436a": "xen/privcmd: fix double free via VMA splitting\n\nprivcmd_vm_ops defines .close (privcmd_close), but neither .may_split\nnor .open. When userspace does a partial munmap() on a privcmd mapping,\nthe kernel splits the VMA via __split_vma(). Since may_split is NULL,\nthe split is allowed. vm_area_dup() copies vm_private_data (a pages\narray allocated in alloc_empty_pages()) into the new VMA without any\nfixup, because there is no .open callback.\n\nBoth VMAs now point to the same pages array. When the unmapped portion\nis closed, privcmd_close() calls:\n - xen_unmap_domain_gfn_range()\n - xen_free_unpopulated_pages()\n - kvfree(pages)\n\nThe surviving VMA still holds the dangling pointer. When it is later\ndestroyed, the same sequence runs again, which leads to a double free.\n\nFix this issue by adding a .may_split callback denying the VMA split.\n\nThis is XSA-487 / CVE-2026-31787\n\nFixes: d71f513985c2 (\"xen: privcmd: support autotranslated physmap guests.\")\nReported-by: Atharva Vartak <atharva.a.vartak@gmail.com>\nSuggested-by: Atharva Vartak <atharva.a.vartak@gmail.com>\nSigned-off-by: Juergen Gross <jgross@suse.com>\nReviewed-by: Jan Beulich <jbeulich@suse.com>"
10+
},
11+
"CVE-2026-31786": {
12+
"27fdbab4221b375de54bf91919798d88520c6e28": "Buffer overflow in drivers/xen/sys-hypervisor.c\n\nThe build id returned by HYPERVISOR_xen_version(XENVER_build_id) is\nneither NUL terminated nor a string.\n\nThe first causes a buffer overflow as sprintf in buildid_show will\nread and copy till it finds a NUL.\n\n00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|\n00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|\n00000017\n\nSo use a memcpy instead of sprintf to have the correct value:\n\n00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|\n00000010 b9 a8 01 42 |...B|\n00000014\n\n(the above have a hack to embed a zero inside and check it's\nreturned correctly).\n\nThis is XSA-485 / CVE-2026-31786\n\nFixes: 84b7625728ea (\"xen: add sysfs node for hypervisor build id\")\nSigned-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>\nReviewed-by: Juergen Gross <jgross@suse.com>\nSigned-off-by: Juergen Gross <jgross@suse.com>"
13+
},
14+
"CVE-2025-37780": {
15+
"24376458138387fb251e782e624c7776e9826796": "isofs: validate block number from NFS file handle in isofs_export_iget\n\nisofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-\ncontrolled block number (ifid->block or ifid->parent_block) from\nthe NFS file handle to isofs_export_iget(), which only rejects\nblock == 0 before calling isofs_iget() and ultimately sb_bread().\nA crafted file handle with fh_len sufficient to pass the check\nadded by commit 0405d4b63d08 (\"isofs: Prevent the use of too small\nfid\") can still drive the server to read any in-range block on the\nbacking device as if it were an iso_directory_record. That earlier\nfix was assigned CVE-2025-37780.\n\nsb_bread() on an out-of-range block returns NULL cleanly via the\nEIO path, so there is no memory-safety violation. For in-range\nreads of adjacent-partition data on the same block device, the\nunrelated bytes end up in iso_inode_info fields that reach the NFS\nclient as dentry metadata. The deployment surface (isofs exported\nover NFS from loop-mounted images) is narrow and requires an\nauthenticated NFS peer, but the malformed-file-handle class is\nreportable as hardening next to the existing CVE-2025-37780 fix.\n\nReject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so\nthe check covers both isofs_fh_to_dentry() and isofs_fh_to_parent()\ncall sites with a single line.\n\nFixes: 0405d4b63d08 (\"isofs: Prevent the use of too small fid\")\nCc: stable@vger.kernel.org\nAssisted-by: Claude:claude-opus-4-7\nSigned-off-by: Michael Bommarito <michael.bommarito@gmail.com>\nLink: https://patch.msgid.link/20260419212155.2169382-3-michael.bommarito@gmail.com\nSigned-off-by: Jan Kara <jack@suse.cz>"
16+
},
17+
"CVE-2026-0995": {
18+
"858fbd7248bd84b2899fb2c29bc7bc2634296edf": "Merge branch 'for-next/c1-pro-erratum-4193714' into for-next/core\n\n* for-next/c1-pro-erratum-4193714:\n : Work around C1-Pro erratum 4193714 (CVE-2026-0995)\n arm64: errata: Work around early CME DVMSync acknowledgement\n arm64: cputype: Add C1-Pro definitions\n arm64: tlb: Pass the corresponding mm to __tlbi_sync_s1ish()\n arm64: tlb: Introduce __tlbi_sync_s1ish_{kernel,batch}() for TLB maintenance"
19+
},
20+
"CVE-2026-23234": {
21+
"39d4ee19c1e7d753dd655aebee632271b171f43a": "f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()\n\nIn f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring\nthe F2FS_WB_CP_DATA counter to zero, unblocking\nf2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount\nCPU. The unmount path then proceeds to call\nf2fs_destroy_page_array_cache(sbi), which destroys\nsbi->page_array_slab via kmem_cache_destroy(), and eventually\nkfree(sbi). Meanwhile, the bio completion callback is still executing:\nwhen it reaches page_array_free(sbi, ...), it dereferences\nsbi->page_array_slab \u2014 a destroyed slab cache \u2014 to call\nkmem_cache_free(), causing a use-after-free.\n\nThis is the same class of bug as CVE-2026-23234 (which fixed the\nequivalent race in f2fs_write_end_io() in data.c), but in the\ncompressed writeback completion path that was not covered by that fix.\n\nFix this by moving dec_page_count() to after page_array_free(), so\nthat all sbi accesses complete before the counter decrement that can\nunblock unmount. For non-last folios (where atomic_dec_return on\ncic->pending_pages is nonzero), dec_page_count is called immediately\nbefore returning \u2014 page_array_free is not reached on this path, so\nthere is no post-decrement sbi access. For the last folio,\npage_array_free runs while the F2FS_WB_CP_DATA counter is still\nnonzero (this folio has not yet decremented it), keeping sbi alive,\nand dec_page_count runs as the final operation.\n\nFixes: 4c8ff7095bef (\"f2fs: support data compression\")\nCc: stable@vger.kernel.org\nSigned-off-by: George Saad <geoo115@gmail.com>\nReviewed-by: Chao Yu <chao@kernel.org>\nSigned-off-by: Jaegeuk Kim <jaegeuk@kernel.org>"
22+
},
423
"CVE-2025-38617": {
524
"42156f93d123436f2a27c468f18c966b7e5db796": "net: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group's `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po->num` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f->arr[]` and increments `f->num_members`,\nbut does NOT increment `f->sk_ref`.\n\nThe fix sets `po->num` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617.\n\nFixes: ce06b03e60fc (\"packet: Add helpers to register/unregister ->prot_hook\")\nLink: https://blog.calif.io/p/a-race-within-a-race-exploiting-cve\nSigned-off-by: Yochai Eisenrich <echelonh@gmail.com>\nReviewed-by: Willem de Bruijn <willemb@google.com>\nLink: https://patch.msgid.link/20260319200610.25101-1-echelonh@gmail.com\nSigned-off-by: Jakub Kicinski <kuba@kernel.org>"
625
},
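Review bot: Two of the added entries key a commit to a CVE that its message only cites as related work. Under "CVE-2025-37780", commit 24376458 states "That earlier fix was assigned CVE-2025-37780" and describes itself as hardening next to that fix; under "CVE-2026-23234", commit 39d4ee19 says it is "the same class of bug as CVE-2026-23234" in a path "not covered by that fix". A consumer that treats every commit in this map as the fix for its key would compute the wrong fixed revision for both CVEs. Consider matching only when the message identifies the commit as the fix (as the "This is XSA-487 / CVE-2026-31787" line does), or recording a relation type so references can be told apart from fixes. The "CVE-2026-0995" entry also points at a merge commit ("Merge branch 'for-next/c1-pro-erratum-4193714'") rather than the individual commits listed in its message; recording those instead would be more useful for backport tracking.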
