Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().<br /> <br /> mptcp_active_enable() is called from subflow_finish_connect(),<br /> which is icsk-&gt;icsk_af_ops-&gt;sk_rx_dst_set() and it&amp;#39;s not always<br /> under RCU.<br /> <br /> Using sk_dst_get(sk)-&gt;dev could trigger UAF.<br /> <br /> Let&amp;#39;s use __sk_dst_get() and dst_dev_rcu().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> misc: pci_endpoint_test: Fix array underflow in pci_endpoint_test_ioctl()<br /> <br /> Commit eefb83790a0d ("misc: pci_endpoint_test: Add doorbell test case")<br /> added NO_BAR (-1) to the pci_barno enum which, in practical terms,<br /> changes the enum from an unsigned int to a signed int. If the user<br /> passes a negative number in pci_endpoint_test_ioctl() then it results in<br /> an array underflow in pci_endpoint_test_bar().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod<br /> <br /> Since commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero when<br /> device is gone") UBSAN reports:<br /> <br /> UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17<br /> index 28 is out of range for type &amp;#39;pm8001_phy [16]&amp;#39;<br /> <br /> on rmmod when using an expander.<br /> <br /> For a direct attached device, attached_phy contains the local phy id.<br /> For a device behind an expander, attached_phy contains the remote phy<br /> id, not the local phy id.<br /> <br /> I.e. while pm8001_ha will have pm8001_ha-&gt;chip-&gt;n_phy local phys, for a<br /> device behind an expander, attached_phy can be much larger than<br /> pm8001_ha-&gt;chip-&gt;n_phy (depending on the amount of phys of the<br /> expander).<br /> <br /> E.g. on my system pm8001_ha has 8 phys with phy ids 0-7. One of the<br /> ports has an expander connected. The expander has 31 phys with phy ids<br /> 0-30.<br /> <br /> The pm8001_ha-&gt;phy array only contains the phys of the HBA. It does not<br /> contain the phys of the expander. Thus, it is wrong to use attached_phy<br /> to index the pm8001_ha-&gt;phy array for a device behind an expander.<br /> <br /> Thus, we can only clear phy_attached for devices that are directly<br /> attached.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix potential null deref in ext4_mb_init()<br /> <br /> In ext4_mb_init(), ext4_mb_avg_fragment_size_destroy() may be called<br /> when sbi-&gt;s_mb_avg_fragment_size remains uninitialized (e.g., if groupinfo<br /> slab cache allocation fails). Since ext4_mb_avg_fragment_size_destroy()<br /> lacks null pointer checking, this leads to a null pointer dereference.<br /> <br /> ==================================================================<br /> EXT4-fs: no memory for groupinfo slab cache<br /> BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> PGD 0 P4D 0<br /> Oops: Oops: 0002 [#1] SMP PTI<br /> CPU:2 UID: 0 PID: 87 Comm:mount Not tainted 6.17.0-rc2 #1134 PREEMPT(none)<br /> RIP: 0010:_raw_spin_lock_irqsave+0x1b/0x40<br /> Call Trace:<br /> <br /> xa_destroy+0x61/0x130<br /> ext4_mb_init+0x483/0x540<br /> __ext4_fill_super+0x116d/0x17b0<br /> ext4_fill_super+0xd3/0x280<br /> get_tree_bdev_flags+0x132/0x1d0<br /> vfs_get_tree+0x29/0xd0<br /> do_new_mount+0x197/0x300<br /> __x64_sys_mount+0x116/0x150<br /> do_syscall_64+0x50/0x1c0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> ==================================================================<br /> <br /> Therefore, add necessary null check to ext4_mb_avg_fragment_size_destroy()<br /> to prevent this issue. The same fix is also applied to<br /> ext4_mb_largest_free_orders_destroy().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock<br /> <br /> Prevent USB runtime PM (autosuspend) for AX88772* in bind.<br /> <br /> usbnet enables runtime PM (autosuspend) by default, so disabling it via<br /> the usb_driver flag is ineffective. On AX88772B, autosuspend shows no<br /> measurable power saving with current driver (no link partner, admin<br /> up/down). The ~0.453 W -&gt; ~0.248 W drop on v6.1 comes from phylib powering<br /> the PHY off on admin-down, not from USB autosuspend.<br /> <br /> The real hazard is that with runtime PM enabled, ndo_open() (under RTNL)<br /> may synchronously trigger autoresume (usb_autopm_get_interface()) into<br /> asix_resume() while the USB PM lock is held. Resume paths then invoke<br /> phylink/phylib and MDIO, which also expect RTNL, leading to possible<br /> deadlocks or PM lock vs MDIO wake issues.<br /> <br /> To avoid this, keep the device runtime-PM active by taking a usage<br /> reference in ax88772_bind() and dropping it in unbind(). A non-zero PM<br /> usage count blocks runtime suspend regardless of userspace policy<br /> (.../power/control - pm_runtime_allow/forbid), making this approach<br /> robust against sysfs overrides.<br /> <br /> Holding a runtime-PM usage ref does not affect system-wide suspend;<br /> system sleep/resume callbacks continue to run as before.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping<br /> <br /> When an invalid value is passed via quirk option, currently<br /> bytcr_rt5640 driver just ignores and leaves as is, which may lead to<br /> unepxected results like OOB access.<br /> <br /> This patch adds the sanity check and corrects the input mapping to the<br /> certain default value if an invalid value is passed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error<br /> <br /> When running perf_fuzzer on PTL, sometimes the below "unchecked MSR<br /> access error" is seen when accessing IA32_PMC_x_CFG_B MSRs.<br /> <br /> [ 55.611268] unchecked MSR access error: WRMSR to 0x1986 (tried to write 0x0000000200000001) at rIP: 0xffffffffac564b28 (native_write_msr+0x8/0x30)<br /> [ 55.611280] Call Trace:<br /> [ 55.611282] <br /> [ 55.611284] ? intel_pmu_config_acr+0x87/0x160<br /> [ 55.611289] intel_pmu_enable_acr+0x6d/0x80<br /> [ 55.611291] intel_pmu_enable_event+0xce/0x460<br /> [ 55.611293] x86_pmu_start+0x78/0xb0<br /> [ 55.611297] x86_pmu_enable+0x218/0x3a0<br /> [ 55.611300] ? x86_pmu_enable+0x121/0x3a0<br /> [ 55.611302] perf_pmu_enable+0x40/0x50<br /> [ 55.611307] ctx_resched+0x19d/0x220<br /> [ 55.611309] __perf_install_in_context+0x284/0x2f0<br /> [ 55.611311] ? __pfx_remote_function+0x10/0x10<br /> [ 55.611314] remote_function+0x52/0x70<br /> [ 55.611317] ? __pfx_remote_function+0x10/0x10<br /> [ 55.611319] generic_exec_single+0x84/0x150<br /> [ 55.611323] smp_call_function_single+0xc5/0x1a0<br /> [ 55.611326] ? __pfx_remote_function+0x10/0x10<br /> [ 55.611329] perf_install_in_context+0xd1/0x1e0<br /> [ 55.611331] ? __pfx___perf_install_in_context+0x10/0x10<br /> [ 55.611333] __do_sys_perf_event_open+0xa76/0x1040<br /> [ 55.611336] __x64_sys_perf_event_open+0x26/0x30<br /> [ 55.611337] x64_sys_call+0x1d8e/0x20c0<br /> [ 55.611339] do_syscall_64+0x4f/0x120<br /> [ 55.611343] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> On PTL, GP counter 0 and 1 doesn&amp;#39;t support auto counter reload feature,<br /> thus it would trigger a #GP when trying to write 1 on bit 0 of CFG_B MSR<br /> which requires to enable auto counter reload on GP counter 0.<br /> <br /> The root cause of causing this issue is the check for auto counter<br /> reload (ACR) counter mask from user space is incorrect in<br /> intel_pmu_acr_late_setup() helper. It leads to an invalid ACR counter<br /> mask from user space could be set into hw.config1 and then written into<br /> CFG_B MSRs and trigger the MSR access warning.<br /> <br /> e.g., User may create a perf event with ACR counter mask (config2=0xcb),<br /> and there is only 1 event created, so "cpuc-&gt;n_events" is 1.<br /> <br /> The correct check condition should be "i + idx &gt;= cpuc-&gt;n_events"<br /> instead of "i + idx &gt; cpuc-&gt;n_events" (it looks a typo). Otherwise,<br /> the counter mask would traverse twice and an invalid "cpuc-&gt;assign[1]"<br /> bit (bit 0) is set into hw.config1 and cause MSR accessing error.<br /> <br /> Besides, also check if the ACR counter mask corresponding events are<br /> ACR events. If not, filter out these counter mask. If a event is not a<br /> ACR event, it could be scheduled to an HW counter which doesn&amp;#39;t support<br /> ACR. It&amp;#39;s invalid to add their counter index in ACR counter mask.<br /> <br /> Furthermore, remove the WARN_ON_ONCE() since it&amp;#39;s easily triggered as<br /> user could set any invalid ACR counter mask and the warning message<br /> could mislead users.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Enforce expected_attach_type for tailcall compatibility<br /> <br /> Yinhao et al. recently reported:<br /> <br /> Our fuzzer tool discovered an uninitialized pointer issue in the<br /> bpf_prog_test_run_xdp() function within the Linux kernel&amp;#39;s BPF subsystem.<br /> This leads to a NULL pointer dereference when a BPF program attempts to<br /> deference the txq member of struct xdp_buff object.<br /> <br /> The test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the<br /> entry point for bpf_prog_test_run_xdp() and its expected_attach_type can<br /> neither be of be BPF_XDP_DEVMAP nor BPF_XDP_CPUMAP. progA calls into a slot<br /> of a tailcall map it owns. progB&amp;#39;s expected_attach_type must be BPF_XDP_DEVMAP<br /> to pass xdp_is_valid_access() validation. The program returns struct xdp_md&amp;#39;s<br /> egress_ifindex, and the latter is only allowed to be accessed under mentioned<br /> expected_attach_type. progB is then inserted into the tailcall which progA<br /> calls.<br /> <br /> The underlying issue goes beyond XDP though. Another example are programs<br /> of type BPF_PROG_TYPE_CGROUP_SOCK_ADDR. sock_addr_is_valid_access() as well<br /> as sock_addr_func_proto() have different logic depending on the programs&amp;#39;<br /> expected_attach_type. Similarly, a program attached to BPF_CGROUP_INET4_GETPEERNAME<br /> should not be allowed doing a tailcall into a program which calls bpf_bind()<br /> out of BPF which is only enabled for BPF_CGROUP_INET4_CONNECT.<br /> <br /> In short, specifying expected_attach_type allows to open up additional<br /> functionality or restrictions beyond what the basic bpf_prog_type enables.<br /> The use of tailcalls must not violate these constraints. Fix it by enforcing<br /> expected_attach_type in __bpf_prog_map_compatible().<br /> <br /> Note that we only enforce this for tailcall maps, but not for BPF devmaps or<br /> cpumaps: There, the programs are invoked through dev_map_bpf_prog_run*() and<br /> cpu_map_bpf_prog_run*() which set up a new environment / context and therefore<br /> these situations are not prone to this issue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III<br /> <br /> Anthony Yznaga tracked down that a BUG_ON in ext4 code with large folios<br /> enabled resulted from copy_from_user() returning impossibly large values<br /> greater than the size to be copied. This lead to __copy_from_iter()<br /> returning impossible values instead of the actual number of bytes it was<br /> able to copy.<br /> <br /> The BUG_ON has been reported in<br /> https://lore.kernel.org/r/b14f55642207e63e907965e209f6323a0df6dcee.camel@physik.fu-berlin.de<br /> <br /> The referenced commit introduced exception handlers on user-space memory<br /> references in copy_from_user and copy_to_user. These handlers return from<br /> the respective function and calculate the remaining bytes left to copy<br /> using the current register contents. The exception handlers expect that<br /> %o2 has already been masked during the bulk copy loop, but the masking was<br /> performed after that loop. This will fix the return value of copy_from_user<br /> and copy_to_user in the faulting case. The behaviour of memcpy stays<br /> unchanged.

The Easy Email Subscription plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the &amp;#39;name&amp;#39; parameter in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara<br /> <br /> The referenced commit introduced exception handlers on user-space memory<br /> references in copy_from_user and copy_to_user. These handlers return from<br /> the respective function and calculate the remaining bytes left to copy<br /> using the current register contents. This commit fixes a couple of bad<br /> calculations and a broken epilogue in the exception handlers. This will<br /> prevent crashes and ensure correct return values of copy_from_user and<br /> copy_to_user in the faulting case. The behaviour of memcpy stays unchanged.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E<br /> <br /> The ADSP firmware on X1E has separate firmware binaries for the main<br /> firmware and the DTB. The same applies for the "lite" firmware loaded by<br /> the boot firmware.<br /> <br /> When preparing to load the new ADSP firmware we shutdown the lite_pas_id<br /> for the main firmware, but we don&amp;#39;t shutdown the corresponding lite pas_id<br /> for the DTB. The fact that we&amp;#39;re leaving it "running" forever becomes<br /> obvious if you try to reuse (or just access) the memory region used by the<br /> "lite" firmware: The &amp;adsp_boot_mem is accessible, but accessing the<br /> &amp;adsp_boot_dtb_mem results in a crash.<br /> <br /> We don&amp;#39;t support reusing the memory regions currently, but nevertheless we<br /> should not keep part of the lite firmware running. Fix this by adding the<br /> lite_dtb_pas_id and shutting it down as well.<br /> <br /> We don&amp;#39;t have a way to detect if the lite firmware is actually running yet,<br /> so ignore the return status of qcom_scm_pas_shutdown() for now. This was<br /> already the case before, the assignment to "ret" is not used anywhere.