Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Revert "f2fs: block cache/dio write during f2fs_enable_checkpoint()"<br /> <br /> This reverts commit 196c81fdd438f7ac429d5639090a9816abb9760a.<br /> <br /> Original patch may cause below deadlock, revert it.<br /> <br /> write remount<br /> - write_begin<br /> - lock_page --- lock A<br /> - prepare_write_begin<br /> - f2fs_map_lock<br /> - f2fs_enable_checkpoint<br /> - down_write(cp_enable_rwsem) --- lock B<br /> - sync_inode_sb<br /> - writepages<br /> - lock_page --- lock A<br /> - down_read(cp_enable_rwsem) --- lock A

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to avoid mapping wrong physical block for swapfile<br /> <br /> Xiaolong Guo reported a f2fs bug in bugzilla [1]<br /> <br /> [1] https://bugzilla.kernel.org/show_bug.cgi?id=220951<br /> <br /> Quoted:<br /> <br /> "When using stress-ng&amp;#39;s swap stress test on F2FS filesystem with kernel 6.6+,<br /> the system experiences data corruption leading to either:<br /> 1 dm-verity corruption errors and device reboot<br /> 2 F2FS node corruption errors and boot hangs<br /> <br /> The issue occurs specifically when:<br /> 1 Using F2FS filesystem (ext4 is unaffected)<br /> 2 Swapfile size is less than F2FS section size (2MB)<br /> 3 Swapfile has fragmented physical layout (multiple non-contiguous extents)<br /> 4 Kernel version is 6.6+ (6.1 is unaffected)<br /> <br /> The root cause is in check_swap_activate() function in fs/f2fs/data.c. When the<br /> first extent of a small swapfile (main_blkaddr) % blks_per_sec ||<br /> nr_pblocks % blks_per_sec ||<br /> !f2fs_valid_pinned_area(sbi, pblock)) {<br /> bool last_extent = false;<br /> <br /> not_aligned++;<br /> <br /> nr_pblocks = roundup(nr_pblocks, blks_per_sec);<br /> if (cur_lblock + nr_pblocks &gt; sis-&gt;max)<br /> nr_pblocks -= blks_per_sec;<br /> <br /> /* this extent is last one */<br /> if (!nr_pblocks) {<br /> nr_pblocks = last_lblock - cur_lblock;<br /> last_extent = true;<br /> }<br /> <br /> ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks);<br /> if (ret) {<br /> if (ret == -ENOENT)<br /> ret = -EINVAL;<br /> goto out;<br /> }<br /> <br /> if (!last_extent)<br /> goto retry;<br /> }<br /> <br /> When the first extent is unaligned and roundup(nr_pblocks, blks_per_sec)<br /> exceeds sis-&gt;max, we subtract blks_per_sec resulting in nr_pblocks = 0. The<br /> code then incorrectly assumes this is the last extent, sets nr_pblocks =<br /> last_lblock - cur_lblock (entire swapfile), and performs migration. After<br /> migration, it doesn&amp;#39;t retry mapping, so subsequent extents are never processed.<br /> "<br /> <br /> In order to fix this issue, we need to lookup block mapping info after<br /> we migrate all blocks in the tail of swapfile.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to avoid UAF in f2fs_write_end_io()<br /> <br /> As syzbot reported an use-after-free issue in f2fs_write_end_io().<br /> <br /> It is caused by below race condition:<br /> <br /> loop device umount<br /> - worker_thread<br /> - loop_process_work<br /> - do_req_filebacked<br /> - lo_rw_aio<br /> - lo_rw_aio_complete<br /> - blk_mq_end_request<br /> - blk_update_request<br /> - f2fs_write_end_io<br /> - dec_page_count<br /> - folio_end_writeback<br /> - kill_f2fs_super<br /> - kill_block_super<br /> - f2fs_put_super<br /> : free(sbi)<br /> : get_pages(, F2FS_WB_CP_DATA)<br /> accessed sbi which is freed<br /> <br /> In kill_f2fs_super(), we will drop all page caches of f2fs inodes before<br /> call free(sbi), it guarantee that all folios should end its writeback, so<br /> it should be safe to access sbi before last folio_end_writeback().<br /> <br /> Let&amp;#39;s relocate ckpt thread wakeup flow before folio_end_writeback() to<br /> resolve this issue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix out-of-bounds access in sysfs attribute read/write<br /> <br /> Some f2fs sysfs attributes suffer from out-of-bounds memory access and<br /> incorrect handling of integer values whose size is not 4 bytes.<br /> <br /> For example:<br /> vm:~# echo 65537 &gt; /sys/fs/f2fs/vde/carve_out<br /> vm:~# cat /sys/fs/f2fs/vde/carve_out<br /> 65537<br /> vm:~# echo 4294967297 &gt; /sys/fs/f2fs/vde/atgc_age_threshold<br /> vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold<br /> 1<br /> <br /> carve_out maps to {struct f2fs_sb_info}-&gt;carve_out, which is a 8-bit<br /> integer. However, the sysfs interface allows setting it to a value<br /> larger than 255, resulting in an out-of-range update.<br /> <br /> atgc_age_threshold maps to {struct atgc_management}-&gt;age_threshold,<br /> which is a 64-bit integer, but its sysfs interface cannot correctly set<br /> values larger than UINT_MAX.<br /> <br /> The root causes are:<br /> 1. __sbi_store() treats all default values as unsigned int, which<br /> prevents updating integers larger than 4 bytes and causes out-of-bounds<br /> writes for integers smaller than 4 bytes.<br /> <br /> 2. f2fs_sbi_show() also assumes all default values are unsigned int,<br /> leading to out-of-bounds reads and incorrect access to integers larger<br /> than 4 bytes.<br /> <br /> This patch introduces {struct f2fs_attr}-&gt;size to record the actual size<br /> of the integer associated with each sysfs attribute. With this<br /> information, sysfs read and write operations can correctly access and<br /> update values according to their real data size, avoiding memory<br /> corruption and truncation.

erase-install prior to v40.4 commit 2c31239 writes swiftDialog credential output to a hardcoded path /var/tmp/dialog.json. This allows an unauthenticated attacker to intercept admin credentials entered during reinstall/erase operations via creating a named pipe.

Insecure permissions in App-Auto-Patch v3.4.2 create a race condition which allows attackers to write arbitrary files.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: qla2xxx: Fix bsg_done() causing double free<br /> <br /> Kernel panic observed on system,<br /> <br /> [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000<br /> [5353358.825194] #PF: supervisor write access in kernel mode<br /> [5353358.825195] #PF: error_code(0x0002) - not-present page<br /> [5353358.825196] PGD 100006067 P4D 0<br /> [5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI<br /> [5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1<br /> [5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025<br /> [5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10<br /> [5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246<br /> [5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000<br /> [5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000<br /> [5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000<br /> [5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090<br /> [5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000<br /> [5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000<br /> [5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0<br /> [5353358.825221] PKRU: 55555554<br /> [5353358.825222] Call Trace:<br /> [5353358.825223] <br /> [5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df<br /> [5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df<br /> [5353358.825232] ? sg_copy_buffer+0xc8/0x110<br /> [5353358.825236] ? __die_body.cold+0x8/0xd<br /> [5353358.825238] ? page_fault_oops+0x134/0x170<br /> [5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110<br /> [5353358.825244] ? exc_page_fault+0xa8/0x150<br /> [5353358.825247] ? asm_exc_page_fault+0x22/0x30<br /> [5353358.825252] ? memcpy_erms+0x6/0x10<br /> [5353358.825253] sg_copy_buffer+0xc8/0x110<br /> [5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]<br /> [5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]<br /> <br /> Most routines in qla_bsg.c call bsg_done() only for success cases.<br /> However a few invoke it for failure case as well leading to a double<br /> free. Validate before calling bsg_done().

A logic error in the remove_password() function in Checkmk GmbH&amp;#39;s Checkmk versions

The server certificate was not verified when an Arc agent connected to a Guardian or CMC.<br /> <br /> <br /> <br /> A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Arc agent and the Guardian or CMC. This could result in theft of the client token and sensitive information (such as assets and alerts), impersonation of the server, or injection of spoofed data (such as false asset information or vulnerabilities) into the Guardian or CMC.

A Stored HTML Injection vulnerability was discovered in the Alerted Nodes Dashboard functionality due to improper validation on an input parameter.<br /> <br /> <br /> <br /> A malicious authenticated user with the required privileges could edit a node label to inject HTML tags. If the system is configured to use the Alerted Nodes Dashboard, and alerts are reported for the affected node, then the injected HTML may render in the browser of a victim user interacting with it, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

A Stored HTML Injection vulnerability was discovered in the CMC&amp;#39;s Sensor Map functionality due to improper validation on connected Guardians&amp;#39; properties.<br /> <br /> <br /> <br /> A malicious authenticated user with administrator privileges on a Guardian connected to a CMC can edit the Guardian&amp;#39;s properties to inject HTML tags. If the Sensor Map functionality is enabled in the CMC, when a victim CMC user interacts with it, then the injected HTML may render in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: fix use-after-free in nf_tables_addchain()<br /> <br /> nf_tables_addchain() publishes the chain to table-&gt;chains via<br /> list_add_tail_rcu() (in nft_chain_add()) before registering hooks.<br /> If nf_tables_register_hook() then fails, the error path calls<br /> nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()<br /> with no RCU grace period in between.<br /> <br /> This creates two use-after-free conditions:<br /> <br /> 1) Control-plane: nf_tables_dump_chains() traverses table-&gt;chains<br /> under rcu_read_lock(). A concurrent dump can still be walking<br /> the chain when the error path frees it.<br /> <br /> 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly<br /> installs the IPv4 hook before IPv6 registration fails. Packets<br /> entering nft_do_chain() via the transient IPv4 hook can still be<br /> dereferencing chain-&gt;blob_gen_X when the error path frees the<br /> chain.<br /> <br /> Add synchronize_rcu() between nft_chain_del() and the chain destroy<br /> so that all RCU readers -- both dump threads and in-flight packet<br /> evaluation -- have finished before the chain is freed.