Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> slab: Avoid race on slab-&gt;obj_exts in alloc_slab_obj_exts<br /> <br /> If two competing threads enter alloc_slab_obj_exts() and one of them<br /> fails to allocate the object extension vector, it might override the<br /> valid slab-&gt;obj_exts allocated by the other thread with<br /> OBJEXTS_ALLOC_FAIL. This will cause the thread that lost this race and<br /> expects a valid pointer to dereference a NULL pointer later on.<br /> <br /> Update slab-&gt;obj_exts atomically using cmpxchg() to avoid<br /> slab-&gt;obj_exts overrides by racing threads.<br /> <br /> Thanks for Vlastimil and Suren&amp;#39;s help with debugging.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hfs: validate record offset in hfsplus_bmap_alloc<br /> <br /> hfsplus_bmap_alloc can trigger a crash if a<br /> record offset or length is larger than node_size<br /> <br /> [ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0<br /> [ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183<br /> [ 15.265949]<br /> [ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)<br /> [ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> [ 15.266167] Call Trace:<br /> [ 15.266168] <br /> [ 15.266169] dump_stack_lvl+0x53/0x70<br /> [ 15.266173] print_report+0xd0/0x660<br /> [ 15.266181] kasan_report+0xce/0x100<br /> [ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0<br /> [ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0<br /> [ 15.266217] hfsplus_brec_insert+0x870/0xb00<br /> [ 15.266222] __hfsplus_ext_write_extent+0x428/0x570<br /> [ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910<br /> [ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200<br /> [ 15.266233] hfsplus_file_extend+0x5a7/0x1000<br /> [ 15.266237] hfsplus_get_block+0x12b/0x8c0<br /> [ 15.266238] __block_write_begin_int+0x36b/0x12c0<br /> [ 15.266251] block_write_begin+0x77/0x110<br /> [ 15.266252] cont_write_begin+0x428/0x720<br /> [ 15.266259] hfsplus_write_begin+0x51/0x100<br /> [ 15.266262] cont_write_begin+0x272/0x720<br /> [ 15.266270] hfsplus_write_begin+0x51/0x100<br /> [ 15.266274] generic_perform_write+0x321/0x750<br /> [ 15.266285] generic_file_write_iter+0xc3/0x310<br /> [ 15.266289] __kernel_write_iter+0x2fd/0x800<br /> [ 15.266296] dump_user_range+0x2ea/0x910<br /> [ 15.266301] elf_core_dump+0x2a94/0x2ed0<br /> [ 15.266320] vfs_coredump+0x1d85/0x45e0<br /> [ 15.266349] get_signal+0x12e3/0x1990<br /> [ 15.266357] arch_do_signal_or_restart+0x89/0x580<br /> [ 15.266362] irqentry_exit_to_user_mode+0xab/0x110<br /> [ 15.266364] asm_exc_page_fault+0x26/0x30<br /> [ 15.266366] RIP: 0033:0x41bd35<br /> [ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f<br /> [ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283<br /> [ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000<br /> [ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100<br /> [ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000<br /> [ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> [ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000<br /> [ 15.266376] <br /> <br /> When calling hfsplus_bmap_alloc to allocate a free node, this function<br /> first retrieves the bitmap from header node and map node using node-&gt;page<br /> together with the offset and length from hfs_brec_lenoff<br /> <br /> ```<br /> len = hfs_brec_lenoff(node, 2, &amp;off16);<br /> off = off16;<br /> <br /> off += node-&gt;page_offset;<br /> pagep = node-&gt;page + (off &gt;&gt; PAGE_SHIFT);<br /> data = kmap_local_page(*pagep);<br /> ```<br /> <br /> However, if the retrieved offset or length is invalid(i.e. exceeds<br /> node_size), the code may end up accessing pages outside the allocated<br /> range for this node.<br /> <br /> This patch adds proper validation of both offset and length before use,<br /> preventing out-of-bounds page access. Move is_bnode_offset_valid and<br /> check_and_correct_requested_length to hfsplus_fs.h, as they may be<br /> required by other functions.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ<br /> <br /> XDP programs can change the layout of an xdp_buff through<br /> bpf_xdp_adjust_tail() and bpf_xdp_adjust_head(). Therefore, the driver<br /> cannot assume the size of the linear data area nor fragments. Fix the<br /> bug in mlx5 by generating skb according to xdp_buff after XDP programs<br /> run.<br /> <br /> Currently, when handling multi-buf XDP, the mlx5 driver assumes the<br /> layout of an xdp_buff to be unchanged. That is, the linear data area<br /> continues to be empty and fragments remain the same. This may cause<br /> the driver to generate erroneous skb or triggering a kernel<br /> warning. When an XDP program added linear data through<br /> bpf_xdp_adjust_head(), the linear data will be ignored as<br /> mlx5e_build_linear_skb() builds an skb without linear data and then<br /> pull data from fragments to fill the linear data area. When an XDP<br /> program has shrunk the non-linear data through bpf_xdp_adjust_tail(),<br /> the delta passed to __pskb_pull_tail() may exceed the actual nonlinear<br /> data size and trigger the BUG_ON in it.<br /> <br /> To fix the issue, first record the original number of fragments. If the<br /> number of fragments changes after the XDP program runs, rewind the end<br /> fragment pointer by the difference and recalculate the truesize. Then,<br /> build the skb with the linear data area matching the xdp_buff. Finally,<br /> only pull data in if there is non-linear data and fill the linear part<br /> up to 256 bytes.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()<br /> <br /> The syzbot reported issue in hfsplus_delete_cat():<br /> <br /> [ 70.682285][ T9333] =====================================================<br /> [ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220<br /> [ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220<br /> [ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0<br /> [ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310<br /> [ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810<br /> [ 70.685447][ T9333] do_rmdir+0x964/0xea0<br /> [ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0<br /> [ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0<br /> [ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0<br /> [ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> [ 70.687646][ T9333]<br /> [ 70.687856][ T9333] Uninit was stored to memory at:<br /> [ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0<br /> [ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800<br /> [ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600<br /> [ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70<br /> [ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0<br /> [ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30<br /> [ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0<br /> [ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0<br /> [ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0<br /> [ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> [ 70.692773][ T9333]<br /> [ 70.692990][ T9333] Uninit was stored to memory at:<br /> [ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0<br /> [ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800<br /> [ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700<br /> [ 70.694911][ T9333] mount_bdev+0x37b/0x530<br /> [ 70.695320][ T9333] hfsplus_mount+0x4d/0x60<br /> [ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0<br /> [ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0<br /> [ 70.696588][ T9333] do_new_mount+0x73e/0x1630<br /> [ 70.697013][ T9333] path_mount+0x6e3/0x1eb0<br /> [ 70.697425][ T9333] __se_sys_mount+0x733/0x830<br /> [ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150<br /> [ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0<br /> [ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0<br /> [ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> [ 70.699730][ T9333]<br /> [ 70.699946][ T9333] Uninit was created at:<br /> [ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60<br /> [ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0<br /> [ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0<br /> [ 70.701774][ T9333] allocate_slab+0x30e/0x1390<br /> [ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0<br /> [ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20<br /> [ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0<br /> [ 70.703598][ T9333] alloc_inode+0x82/0x490<br /> [ 70.703984][ T9333] iget_locked+0x22e/0x1320<br /> [ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0<br /> [ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0<br /> [ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700<br /> [ 70.705776][ T9333] mount_bdev+0x37b/0x530<br /> [ 70.706171][ T9333] hfsplus_mount+0x4d/0x60<br /> [ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0<br /> [ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0<br /> [ 70.707444][ T9333] do_new_mount+0x73e/0x1630<br /> [ 70.707865][ T9333] path_mount+0x6e3/0x1eb0<br /> [ 70.708270][ T9333] __se_sys_mount+0x733/0x830<br /> [ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150<br /> [ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0<br /> [ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0<br /> [ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> [ 70.710611][ T9333]<br /> [ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17<br /> [ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> [ 70.712490][ T9333] =====================================================<br /> [ 70.713085][ T9333] Disabling lock debugging due to kernel taint<br /> [ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...<br /> [ 70.714159][ T9333] <br /> ---truncated---

WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete files, with the permissions of dvr user, on the server using path traversal in the alog script.<br /> <br /> This issue was fixed in version 6.44.44

WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete any file on the server using path traversal in the ilog script. This script is being run with root privileges.<br /> <br /> This issue was fixed in version 6.44.44

A vulnerability was detected in Xiongwei Smart Catering Cloud Platform 2.1.6446.28761. The affected element is an unknown function of the file /dishtrade/dish_trade_detail_get. The manipulation of the argument filter results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.

WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to execute arbitrary OS commands on the server using path traversal in the showerr script.<br /> <br /> This issue was fixed in version 6.44.44

A flaw was found in ose-openshift-apiserver. This vulnerability allows internal network enumeration, service discovery, limited information disclosure, and potential denial-of-service (DoS) through Server-Side Request Forgery (SSRF) due to missing IP address and network-range validation when processing user-supplied image references.

Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers.This issue affects Mobile App: before 9.5.8.

The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to retrieve emails for all users with edit_posts capability.

The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.