Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails<br /> <br /> fcoe_init() calls fcoe_transport_attach(&amp;fcoe_sw_transport), but when<br /> fcoe_if_init() fails, &amp;fcoe_sw_transport is not detached and leaves freed<br /> &amp;fcoe_sw_transport on fcoe_transports list. This causes panic when<br /> reinserting module.<br /> <br /> BUG: unable to handle page fault for address: fffffbfff82e2213<br /> RIP: 0010:fcoe_transport_attach+0xe1/0x230 [libfcoe]<br /> Call Trace:<br /> <br /> do_one_initcall+0xd0/0x4e0<br /> load_module+0x5eee/0x7210<br /> ...

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> parisc: led: Fix potential null-ptr-deref in start_task()<br /> <br /> start_task() calls create_singlethread_workqueue() and not checked the<br /> ret value, which may return NULL. And a null-ptr-deref may happen:<br /> <br /> start_task()<br /> create_singlethread_workqueue() # failed, led_wq is NULL<br /> queue_delayed_work()<br /> queue_delayed_work_on()<br /> __queue_delayed_work() # warning here, but continue<br /> __queue_work() # access wq-&gt;flags, null-ptr-deref<br /> <br /> Check the ret value and return -ENOMEM if it is NULL.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> irqchip/wpcm450: Fix memory leak in wpcm450_aic_of_init()<br /> <br /> If of_iomap() failed, &amp;#39;aic&amp;#39; should be freed before return. Otherwise<br /> there is a memory leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drivers/md/md-bitmap: check the return value of md_bitmap_get_counter()<br /> <br /> Check the return value of md_bitmap_get_counter() in case it returns<br /> NULL pointer, which will result in a null pointer dereference.<br /> <br /> v2: update the check to include other dereference

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix undefined behavior in bit shift for ext4_check_flag_values<br /> <br /> Shifting signed 32-bit value by 31 bits is undefined, so changing<br /> significant bit to unsigned. The UBSAN warning calltrace like below:<br /> <br /> UBSAN: shift-out-of-bounds in fs/ext4/ext4.h:591:2<br /> left shift of 1 by 31 places cannot be represented in type &amp;#39;int&amp;#39;<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x7d/0xa5<br /> dump_stack+0x15/0x1b<br /> ubsan_epilogue+0xe/0x4e<br /> __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c<br /> ext4_init_fs+0x5a/0x277<br /> do_one_initcall+0x76/0x430<br /> kernel_init_freeable+0x3b3/0x422<br /> kernel_init+0x24/0x1e0<br /> ret_from_fork+0x1f/0x30<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fbdev: fbcon: release buffer when fbcon_do_set_font() failed<br /> <br /> syzbot is reporting memory leak at fbcon_do_set_font() [1], for<br /> commit a5a923038d70 ("fbdev: fbcon: Properly revert changes when<br /> vc_resize() failed") missed that the buffer might be newly allocated<br /> by fbcon_set_font().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/tunnel: wait until all sk_user_data reader finish before releasing the sock<br /> <br /> There is a race condition in vxlan that when deleting a vxlan device<br /> during receiving packets, there is a possibility that the sock is<br /> released after getting vxlan_sock vs from sk_user_data. Then in<br /> later vxlan_ecn_decapsulate(), vxlan_get_sk_family() we will got<br /> NULL pointer dereference. e.g.<br /> <br /> #0 [ffffa25ec6978a38] machine_kexec at ffffffff8c669757<br /> #1 [ffffa25ec6978a90] __crash_kexec at ffffffff8c7c0a4d<br /> #2 [ffffa25ec6978b58] crash_kexec at ffffffff8c7c1c48<br /> #3 [ffffa25ec6978b60] oops_end at ffffffff8c627f2b<br /> #4 [ffffa25ec6978b80] page_fault_oops at ffffffff8c678fcb<br /> #5 [ffffa25ec6978bd8] exc_page_fault at ffffffff8d109542<br /> #6 [ffffa25ec6978c00] asm_exc_page_fault at ffffffff8d200b62<br /> [exception RIP: vxlan_ecn_decapsulate+0x3b]<br /> RIP: ffffffffc1014e7b RSP: ffffa25ec6978cb0 RFLAGS: 00010246<br /> RAX: 0000000000000008 RBX: ffff8aa000888000 RCX: 0000000000000000<br /> RDX: 000000000000000e RSI: ffff8a9fc7ab803e RDI: ffff8a9fd1168700<br /> RBP: ffff8a9fc7ab803e R8: 0000000000700000 R9: 00000000000010ae<br /> R10: ffff8a9fcb748980 R11: 0000000000000000 R12: ffff8a9fd1168700<br /> R13: ffff8aa000888000 R14: 00000000002a0000 R15: 00000000000010ae<br /> ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018<br /> #7 [ffffa25ec6978ce8] vxlan_rcv at ffffffffc10189cd [vxlan]<br /> #8 [ffffa25ec6978d90] udp_queue_rcv_one_skb at ffffffff8cfb6507<br /> #9 [ffffa25ec6978dc0] udp_unicast_rcv_skb at ffffffff8cfb6e45<br /> #10 [ffffa25ec6978dc8] __udp4_lib_rcv at ffffffff8cfb8807<br /> #11 [ffffa25ec6978e20] ip_protocol_deliver_rcu at ffffffff8cf76951<br /> #12 [ffffa25ec6978e48] ip_local_deliver at ffffffff8cf76bde<br /> #13 [ffffa25ec6978ea0] __netif_receive_skb_one_core at ffffffff8cecde9b<br /> #14 [ffffa25ec6978ec8] process_backlog at ffffffff8cece139<br /> #15 [ffffa25ec6978f00] __napi_poll at ffffffff8ceced1a<br /> #16 [ffffa25ec6978f28] net_rx_action at ffffffff8cecf1f3<br /> #17 [ffffa25ec6978fa0] __softirqentry_text_start at ffffffff8d4000ca<br /> #18 [ffffa25ec6978ff0] do_softirq at ffffffff8c6fbdc3<br /> <br /> Reproducer: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh<br /> <br /> Fix this by waiting for all sk_user_data reader to finish before<br /> releasing the sock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iomap: iomap: fix memory corruption when recording errors during writeback<br /> <br /> Every now and then I see this crash on arm64:<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8<br /> Buffer I/O error on dev dm-0, logical block 8733687, async page read<br /> Mem abort info:<br /> ESR = 0x0000000096000006<br /> EC = 0x25: DABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> FSC = 0x06: level 2 translation fault<br /> Data abort info:<br /> ISV = 0, ISS = 0x00000006<br /> CM = 0, WnR = 0<br /> user pgtable: 64k pages, 42-bit VAs, pgdp=0000000139750000<br /> [00000000000000f8] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000, pmd=0000000000000000<br /> Internal error: Oops: 96000006 [#1] PREEMPT SMP<br /> Buffer I/O error on dev dm-0, logical block 8733688, async page read<br /> Dumping ftrace buffer:<br /> Buffer I/O error on dev dm-0, logical block 8733689, async page read<br /> (ftrace buffer empty)<br /> XFS (dm-0): log I/O error -5<br /> Modules linked in: dm_thin_pool dm_persistent_data<br /> XFS (dm-0): Metadata I/O Error (0x1) detected at xfs_trans_read_buf_map+0x1ec/0x590 [xfs] (fs/xfs/xfs_trans_buf.c:296).<br /> dm_bio_prison<br /> XFS (dm-0): Please unmount the filesystem and rectify the problem(s)<br /> XFS (dm-0): xfs_imap_lookup: xfs_ialloc_read_agi() returned error -5, agno 0<br /> dm_bufio dm_log_writes xfs nft_chain_nat xt_REDIRECT nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_REJECT<br /> potentially unexpected fatal signal 6.<br /> nf_reject_ipv6<br /> potentially unexpected fatal signal 6.<br /> ipt_REJECT nf_reject_ipv4<br /> CPU: 1 PID: 122166 Comm: fsstress Tainted: G W 6.0.0-rc5-djwa #rc5 3004c9f1de887ebae86015f2677638ce51ee7<br /> rpcsec_gss_krb5 auth_rpcgss xt_tcpudp ip_set_hash_ip ip_set_hash_net xt_set nft_compat ip_set_hash_mac ip_set nf_tables<br /> Hardware name: QEMU KVM Virtual Machine, BIOS 1.5.1 06/16/2021<br /> pstate: 60001000 (nZCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)<br /> ip_tables<br /> pc : 000003fd6d7df200<br /> x_tables<br /> lr : 000003fd6d7df1ec<br /> overlay nfsv4<br /> CPU: 0 PID: 54031 Comm: u4:3 Tainted: G W 6.0.0-rc5-djwa #rc5 3004c9f1de887ebae86015f2677638ce51ee7405<br /> Hardware name: QEMU KVM Virtual Machine, BIOS 1.5.1 06/16/2021<br /> Workqueue: writeback wb_workfn<br /> sp : 000003ffd9522fd0<br /> (flush-253:0)<br /> pstate: 60401005 (nZCv daif +PAN -UAO -TCO -DIT +SSBS BTYPE=--)<br /> pc : errseq_set+0x1c/0x100<br /> x29: 000003ffd9522fd0 x28: 0000000000000023 x27: 000002acefeb6780<br /> x26: 0000000000000005 x25: 0000000000000001 x24: 0000000000000000<br /> x23: 00000000ffffffff x22: 0000000000000005<br /> lr : __filemap_set_wb_err+0x24/0xe0<br /> x21: 0000000000000006<br /> sp : fffffe000f80f760<br /> x29: fffffe000f80f760 x28: 0000000000000003 x27: fffffe000f80f9f8<br /> x26: 0000000002523000 x25: 00000000fffffffb x24: fffffe000f80f868<br /> x23: fffffe000f80fbb0 x22: fffffc0180c26a78 x21: 0000000002530000<br /> x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000<br /> <br /> x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000<br /> x14: 0000000000000001 x13: 0000000000470af3 x12: fffffc0058f70000<br /> x11: 0000000000000040 x10: 0000000000001b20 x9 : fffffe000836b288<br /> x8 : fffffc00eb9fd480 x7 : 0000000000f83659 x6 : 0000000000000000<br /> x5 : 0000000000000869 x4 : 0000000000000005 x3 : 00000000000000f8<br /> x20: 000003fd6d740020 x19: 000000000001dd36 x18: 0000000000000001<br /> x17: 000003fd6d78704c x16: 0000000000000001 x15: 000002acfac87668<br /> x2 : 0000000000000ffa x1 : 00000000fffffffb x0 : 00000000000000f8<br /> Call trace:<br /> errseq_set+0x1c/0x100<br /> __filemap_set_wb_err+0x24/0xe0<br /> iomap_do_writepage+0x5e4/0xd5c<br /> write_cache_pages+0x208/0x674<br /> iomap_writepages+0x34/0x60<br /> xfs_vm_writepages+0x8c/0xcc [xfs 7a861f39c43631f15d3a5884246ba5035d4ca78b]<br /> x14: 0000000000000000 x13: 2064656e72757465 x12: 0000000000002180<br /> x11: 000003fd6d8a82d0 x10: 0000000000000000 x9 : 000003fd6d8ae288<br /> x8 : 0000000000000083 x7 : 00000000ffffffff x6 : 00000000ffffffee<br /> x5 : 00000000fbad2887 x4 : 000003fd6d9abb58 x3 : 000003fd6d740020<br /> x2 : 0000000000000006 x1 : 000000000001dd36 x0 : 0000000000000000<br /> CPU: <br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: hisilicon/qm - increase the memory of local variables<br /> <br /> Increase the buffer to prevent stack overflow by fuzz test. The maximum<br /> length of the qos configuration buffer is 256 bytes. Currently, the value<br /> of the &amp;#39;val buffer&amp;#39; is only 32 bytes. The sscanf does not check the dest<br /> memory length. So the &amp;#39;val buffer&amp;#39; may stack overflow.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure<br /> <br /> On error situation `clp-&gt;cl_cb_conn.cb_xprt` should not be given<br /> a reference to the xprt otherwise both client cleanup and the<br /> error handling path of the caller call to put it. Better to<br /> delay handing over the reference to a later branch.<br /> <br /> [ 72.530665] refcount_t: underflow; use-after-free.<br /> [ 72.531933] WARNING: CPU: 0 PID: 173 at lib/refcount.c:28 refcount_warn_saturate+0xcf/0x120<br /> [ 72.533075] Modules linked in: nfsd(OE) nfsv4(OE) nfsv3(OE) nfs(OE) lockd(OE) compat_nfs_ssc(OE) nfs_acl(OE) rpcsec_gss_krb5(OE) auth_rpcgss(OE) rpcrdma(OE) dns_resolver fscache netfs grace rdma_cm iw_cm ib_cm sunrpc(OE) mlx5_ib mlx5_core mlxfw pci_hyperv_intf ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nft_counter xt_addrtype nft_compat br_netfilter bridge stp llc nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set overlay nf_tables nfnetlink crct10dif_pclmul crc32_pclmul ghash_clmulni_intel xfs serio_raw virtio_net virtio_blk net_failover failover fuse [last unloaded: sunrpc]<br /> [ 72.540389] CPU: 0 PID: 173 Comm: kworker/u16:5 Tainted: G OE 5.15.82-dan #1<br /> [ 72.541511] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+1084+97b81f61 04/01/2014<br /> [ 72.542717] Workqueue: nfsd4_callbacks nfsd4_run_cb_work [nfsd]<br /> [ 72.543575] RIP: 0010:refcount_warn_saturate+0xcf/0x120<br /> [ 72.544299] Code: 55 00 0f 0b 5d e9 01 50 98 00 80 3d 75 9e 39 08 00 0f 85 74 ff ff ff 48 c7 c7 e8 d1 60 8e c6 05 61 9e 39 08 01 e8 f6 51 55 00 0b 5d e9 d9 4f 98 00 80 3d 4b 9e 39 08 00 0f 85 4c ff ff ff 48<br /> [ 72.546666] RSP: 0018:ffffb3f841157cf0 EFLAGS: 00010286<br /> [ 72.547393] RAX: 0000000000000026 RBX: ffff89ac6231d478 RCX: 0000000000000000<br /> [ 72.548324] RDX: ffff89adb7c2c2c0 RSI: ffff89adb7c205c0 RDI: ffff89adb7c205c0<br /> [ 72.549271] RBP: ffffb3f841157cf0 R08: 0000000000000000 R09: c0000000ffefffff<br /> [ 72.550209] R10: 0000000000000001 R11: ffffb3f841157ad0 R12: ffff89ac6231d180<br /> [ 72.551142] R13: ffff89ac6231d478 R14: ffff89ac40c06180 R15: ffff89ac6231d4b0<br /> [ 72.552089] FS: 0000000000000000(0000) GS:ffff89adb7c00000(0000) knlGS:0000000000000000<br /> [ 72.553175] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 72.553934] CR2: 0000563a310506a8 CR3: 0000000109a66000 CR4: 0000000000350ef0<br /> [ 72.554874] Call Trace:<br /> [ 72.555278] <br /> [ 72.555614] svc_xprt_put+0xaf/0xe0 [sunrpc]<br /> [ 72.556276] nfsd4_process_cb_update.isra.11+0xb7/0x410 [nfsd]<br /> [ 72.557087] ? update_load_avg+0x82/0x610<br /> [ 72.557652] ? cpuacct_charge+0x60/0x70<br /> [ 72.558212] ? dequeue_entity+0xdb/0x3e0<br /> [ 72.558765] ? queued_spin_unlock+0x9/0x20<br /> [ 72.559358] nfsd4_run_cb_work+0xfc/0x270 [nfsd]<br /> [ 72.560031] process_one_work+0x1df/0x390<br /> [ 72.560600] worker_thread+0x37/0x3b0<br /> [ 72.561644] ? process_one_work+0x390/0x390<br /> [ 72.562247] kthread+0x12f/0x150<br /> [ 72.562710] ? set_kthread_struct+0x50/0x50<br /> [ 72.563309] ret_from_fork+0x22/0x30<br /> [ 72.563818] <br /> [ 72.564189] ---[ end trace 031117b1c72ec616 ]---<br /> [ 72.566019] list_add corruption. next-&gt;prev should be prev (ffff89ac4977e538), but was ffff89ac4763e018. (next=ffff89ac4763e018).<br /> [ 72.567647] ------------[ cut here ]------------

An issue Clip Bucket v.5.5.2 Build#90 allows a remote attacker to execute arbitrary codes via the file_downloader.php and the file parameter

In realme BackupRestore app v15.1.12_2810c08_250314, improper URI scheme handling in com.coloros.pc.PcToolMainActivity allows local attackers to cause a crash and potential XSS via crafted ADB intents.