Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: endpoint: Avoid creating sub-groups asynchronously<br /> <br /> The asynchronous creation of sub-groups by a delayed work could lead to a<br /> NULL pointer dereference when the driver directory is removed before the<br /> work completes.<br /> <br /> The crash can be easily reproduced with the following commands:<br /> <br /> # cd /sys/kernel/config/pci_ep/functions/pci_epf_test<br /> # for i in {1..20}; do mkdir test &amp;&amp; rmdir test; done<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000088<br /> ...<br /> Call Trace:<br /> configfs_register_group+0x3d/0x190<br /> pci_epf_cfs_work+0x41/0x110<br /> process_one_work+0x18f/0x350<br /> worker_thread+0x25a/0x3a0<br /> <br /> Fix this issue by using configfs_add_default_group() API which does not<br /> have the deadlock problem as configfs_register_group() and does not require<br /> the delayed work handler.<br /> <br /> [mani: slightly reworded the description and added stable list]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add<br /> <br /> The driver does not set hw-&gt;sta_data_size, which causes mac80211 to<br /> allocate insufficient space for driver private station data in<br /> __sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of<br /> struct rtl8xxxu_sta_info through sta-&gt;drv_priv, this results in a<br /> slab-out-of-bounds write.<br /> <br /> KASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter:<br /> <br /> BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346<br /> Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12<br /> <br /> Set hw-&gt;sta_data_size to sizeof(struct rtl8xxxu_sta_info) during<br /> probe, similar to how hw-&gt;vif_data_size is configured. This ensures<br /> mac80211 allocates sufficient space for the driver&amp;#39;s per-station<br /> private data.<br /> <br /> Tested on StarFive VisionFive 2 v1.2A board.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: qla2xxx: Delay module unload while fabric scan in progress<br /> <br /> System crash seen during load/unload test in a loop.<br /> <br /> [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086<br /> [105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0<br /> [105954.384921] R13: ffff914605f86910 R14: 0000000000008010 R15: 00000000ddb7c000<br /> [105954.384923] FS: 0000000000000000(0000) GS:ffff9163fec40000(0000) knlGS:0000000000000000<br /> [105954.384925] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [105954.384926] CR2: 000055d31ce1d6a0 CR3: 0000000119f5e001 CR4: 0000000000770ee0<br /> [105954.384928] PKRU: 55555554<br /> [105954.384929] Call Trace:<br /> [105954.384931] <br /> [105954.384934] qla24xx_sp_unmap+0x1f3/0x2a0 [qla2xxx]<br /> [105954.384962] ? qla_async_scan_sp_done+0x114/0x1f0 [qla2xxx]<br /> [105954.384980] ? qla24xx_els_ct_entry+0x4de/0x760 [qla2xxx]<br /> [105954.384999] ? __wake_up_common+0x80/0x190<br /> [105954.385004] ? qla24xx_process_response_queue+0xc2/0xaa0 [qla2xxx]<br /> [105954.385023] ? qla24xx_msix_rsp_q+0x44/0xb0 [qla2xxx]<br /> [105954.385040] ? __handle_irq_event_percpu+0x3d/0x190<br /> [105954.385044] ? handle_irq_event+0x58/0xb0<br /> [105954.385046] ? handle_edge_irq+0x93/0x240<br /> [105954.385050] ? __common_interrupt+0x41/0xa0<br /> [105954.385055] ? common_interrupt+0x3e/0xa0<br /> [105954.385060] ? asm_common_interrupt+0x22/0x40<br /> <br /> The root cause of this was that there was a free (dma_free_attrs) in the<br /> interrupt context. There was a device discovery/fabric scan in<br /> progress. A module unload was issued which set the UNLOADING flag. As<br /> part of the discovery, after receiving an interrupt a work queue was<br /> scheduled (which involved a work to be queued). Since the UNLOADING<br /> flag is set, the work item was not allocated and the mapped memory had<br /> to be freed. The free occurred in interrupt context leading to system<br /> crash. Delay the driver unload until the fabric scan is complete to<br /> avoid the crash.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: qla2xxx: Validate sp before freeing associated memory<br /> <br /> System crash with the following signature<br /> [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete<br /> [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3.<br /> [154564.169405] qla2xxx [0000:b0:00.1]-ffffff:2: SET ZIO Activity exchange threshold to 5.<br /> [154565.539974] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 0080 0000.<br /> [154565.545744] qla2xxx [0000:b0:00.1]-5013:2: RSCN database changed – 0078 00a0 0000.<br /> [154565.545857] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate).<br /> [154565.552760] qla2xxx [0000:b0:00.1]-11a2:2: FEC=enabled (data rate).<br /> [154565.553079] BUG: kernel NULL pointer dereference, address: 00000000000000f8<br /> [154565.553080] #PF: supervisor read access in kernel mode<br /> [154565.553082] #PF: error_code(0x0000) - not-present page<br /> [154565.553084] PGD 80000010488ab067 P4D 80000010488ab067 PUD 104978a067 PMD 0<br /> [154565.553089] Oops: 0000 1 PREEMPT SMP PTI<br /> [154565.553092] CPU: 10 PID: 858 Comm: qla2xxx_2_dpc Kdump: loaded Tainted: G OE ------- --- 5.14.0-503.11.1.el9_5.x86_64 #1<br /> [154565.553096] Hardware name: HPE Synergy 660 Gen10/Synergy 660 Gen10 Compute Module, BIOS I43 09/30/2024<br /> [154565.553097] RIP: 0010:qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx]<br /> [154565.553141] Code: 00 00 e8 58 a3 ec d4 49 89 e9 ba 12 20 00 00 4c 89 e6 49 c7 c0 00 ee a8 c0 48 c7 c1 66 c0 a9 c0 bf 00 80 00 10 e8 15 69 00 00 8b 8d f8 00 00 00 4d 85 c9 74 35 49 8b 84 24 00 19 00 00 48 8b<br /> [154565.553143] RSP: 0018:ffffb4dbc8aebdd0 EFLAGS: 00010286<br /> [154565.553145] RAX: 0000000000000000 RBX: ffff8ec2cf0908d0 RCX: 0000000000000002<br /> [154565.553147] RDX: 0000000000000000 RSI: ffffffffc0a9c896 RDI: ffffb4dbc8aebd47<br /> [154565.553148] RBP: 0000000000000000 R08: ffffb4dbc8aebd45 R09: 0000000000ffff0a<br /> [154565.553150] R10: 0000000000000000 R11: 000000000000000f R12: ffff8ec2cf0908d0<br /> [154565.553151] R13: ffff8ec2cf090900 R14: 0000000000000102 R15: ffff8ec2cf084000<br /> [154565.553152] FS: 0000000000000000(0000) GS:ffff8ed27f800000(0000) knlGS:0000000000000000<br /> [154565.553154] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [154565.553155] CR2: 00000000000000f8 CR3: 000000113ae0a005 CR4: 00000000007706f0<br /> [154565.553157] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [154565.553158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [154565.553159] PKRU: 55555554<br /> [154565.553160] Call Trace:<br /> [154565.553162] <br /> [154565.553165] ? show_trace_log_lvl+0x1c4/0x2df<br /> [154565.553172] ? show_trace_log_lvl+0x1c4/0x2df<br /> [154565.553177] ? qla_fab_async_scan.part.0+0x40b/0x870 [qla2xxx]<br /> [154565.553215] ? __die_body.cold+0x8/0xd<br /> [154565.553218] ? page_fault_oops+0x134/0x170<br /> [154565.553223] ? snprintf+0x49/0x70<br /> [154565.553229] ? exc_page_fault+0x62/0x150<br /> [154565.553238] ? asm_exc_page_fault+0x22/0x30<br /> <br /> Check for sp being non NULL before freeing any associated memory

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nilfs2: Fix potential block overflow that cause system hang<br /> <br /> When a user executes the FITRIM command, an underflow can occur when<br /> calculating nblocks if end_block is too small. Since nblocks is of<br /> type sector_t, which is u64, a negative nblocks value will become a<br /> very large positive integer. This ultimately leads to the block layer<br /> function __blkdev_issue_discard() taking an excessively long time to<br /> process the bio chain, and the ns_segctor_sem lock remains held for a<br /> long period. This prevents other tasks from acquiring the ns_segctor_sem<br /> lock, resulting in the hang reported by syzbot in [1].<br /> <br /> If the ending block is too small, typically if it is smaller than 4KiB<br /> range, depending on the usage of the segment 0, it may be possible to<br /> attempt a discard request beyond the device size causing the hang.<br /> <br /> Exiting successfully and assign the discarded size (0 in this case)<br /> to range-&gt;len.<br /> <br /> Although the start and len values in the user input range are too small,<br /> a conservative strategy is adopted here to safely ignore them, which is<br /> equivalent to a no-op; it will not perform any trimming and will not<br /> throw an error.<br /> <br /> [1]<br /> task:segctord state:D stack:28968 pid:6093 tgid:6093 ppid:2 task_flags:0x200040 flags:0x00080000<br /> Call Trace:<br /> rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272<br /> nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357<br /> nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]<br /> nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684<br /> <br /> [ryusuke: corrected part of the commit message about the consequences]

ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function.

UTT HiPER 810 / nv810v4 router firmware v1.5.0-140603 was discovered to contain insecure default credentials for the telnet service, possibly allowing a remote attacker to gain root access via a crafted script.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()<br /> <br /> rtw_core_enable_beacon() reads 4 bytes from an address that is not a<br /> multiple of 4. This results in a crash on some systems.<br /> <br /> Do 1 byte reads/writes instead.<br /> <br /> Unable to handle kernel paging request at virtual address ffff8000827e0522<br /> Mem abort info:<br /> ESR = 0x0000000096000021<br /> EC = 0x25: DABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> FSC = 0x21: alignment fault<br /> Data abort info:<br /> ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000<br /> CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000<br /> [ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13<br /> Internal error: Oops: 0000000096000021 [#1] SMP<br /> Modules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...]<br /> CPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G W 6.17.9 #1-NixOS VOLUNTARY<br /> Tainted: [W]=WARN<br /> Hardware name: FriendlyElec NanoPC-T6 LTS (DT)<br /> Workqueue: phy0 rtw_c2h_work [rtw88_core]<br /> pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : rtw_pci_read32+0x18/0x40 [rtw88_pci]<br /> lr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core]<br /> sp : ffff800080cc3ca0<br /> x29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828<br /> x26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00<br /> x23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001<br /> x20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000<br /> x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000<br /> x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000<br /> x11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090<br /> x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000<br /> x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000<br /> x2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522<br /> Call trace:<br /> rtw_pci_read32+0x18/0x40 [rtw88_pci] (P)<br /> rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core]<br /> rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core]<br /> rtw_c2h_work+0x50/0x98 [rtw88_core]<br /> process_one_work+0x178/0x3f8<br /> worker_thread+0x208/0x418<br /> kthread+0x120/0x220<br /> ret_from_fork+0x10/0x20<br /> Code: d28fe202 8b020000 f9524400 8b214000 (b9400000)<br /> ---[ end trace 0000000000000000 ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hfs: ensure sb-&gt;s_fs_info is always cleaned up<br /> <br /> When hfs was converted to the new mount api a bug was introduced by<br /> changing the allocation pattern of sb-&gt;s_fs_info. If setup_bdev_super()<br /> fails after a new superblock has been allocated by sget_fc(), but before<br /> hfs_fill_super() takes ownership of the filesystem-specific s_fs_info<br /> data it was leaked.<br /> <br /> Fix this by freeing sb-&gt;s_fs_info in hfs_kill_super().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode<br /> <br /> The local variable &amp;#39;i&amp;#39; is initialized with -EINVAL, but the for loop<br /> immediately overwrites it and -EINVAL is never returned.<br /> <br /> If no empty compression mode can be found, the function would return the<br /> out-of-bounds index IAA_COMP_MODES_MAX, which would cause an invalid<br /> array access in add_iaa_compression_mode().<br /> <br /> Fix both issues by returning either a valid index or -EINVAL.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: qla2xxx: Free sp in error path to fix system crash<br /> <br /> System crash seen during load/unload test in a loop,<br /> <br /> [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X.<br /> [61110.467494] =============================================================================<br /> [61110.467498] BUG qla2xxx_srbs (Tainted: G OE -------- --- ): Objects remaining in qla2xxx_srbs on __kmem_cache_shutdown()<br /> [61110.467501] -----------------------------------------------------------------------------<br /> <br /> [61110.467502] Slab 0x000000000ffc8162 objects=51 used=1 fp=0x00000000e25d3d85 flags=0x57ffffc0010200(slab|head|node=1|zone=2|lastcpupid=0x1fffff)<br /> [61110.467509] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G OE -------- --- 5.14.0-284.11.1.el9_2.x86_64 #1<br /> [61110.467513] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023<br /> [61110.467515] Call Trace:<br /> [61110.467516] <br /> [61110.467519] dump_stack_lvl+0x34/0x48<br /> [61110.467526] slab_err.cold+0x53/0x67<br /> [61110.467534] __kmem_cache_shutdown+0x16e/0x320<br /> [61110.467540] kmem_cache_destroy+0x51/0x160<br /> [61110.467544] qla2x00_module_exit+0x93/0x99 [qla2xxx]<br /> [61110.467607] ? __do_sys_delete_module.constprop.0+0x178/0x280<br /> [61110.467613] ? syscall_trace_enter.constprop.0+0x145/0x1d0<br /> [61110.467616] ? do_syscall_64+0x5c/0x90<br /> [61110.467619] ? exc_page_fault+0x62/0x150<br /> [61110.467622] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> [61110.467626] <br /> [61110.467627] Disabling lock debugging due to kernel taint<br /> [61110.467635] Object 0x0000000026f7e6e6 @offset=16000<br /> [61110.467639] ------------[ cut here ]------------<br /> [61110.467639] kmem_cache_destroy qla2xxx_srbs: Slab cache still has objects when called from qla2x00_module_exit+0x93/0x99 [qla2xxx]<br /> [61110.467659] WARNING: CPU: 53 PID: 455206 at mm/slab_common.c:520 kmem_cache_destroy+0x14d/0x160<br /> [61110.467718] CPU: 53 PID: 455206 Comm: rmmod Kdump: loaded Tainted: G B OE -------- --- 5.14.0-284.11.1.el9_2.x86_64 #1<br /> [61110.467720] Hardware name: HPE ProLiant DL385 Gen10 Plus v2/ProLiant DL385 Gen10 Plus v2, BIOS A42 08/17/2023<br /> [61110.467721] RIP: 0010:kmem_cache_destroy+0x14d/0x160<br /> [61110.467724] Code: 99 7d 07 00 48 89 ef e8 e1 6a 07 00 eb b3 48 8b 55 60 48 8b 4c 24 20 48 c7 c6 70 fc 66 90 48 c7 c7 f8 ef a1 90 e8 e1 ed 7c 00 0b eb 93 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 55 48 89<br /> [61110.467725] RSP: 0018:ffffa304e489fe80 EFLAGS: 00010282<br /> [61110.467727] RAX: 0000000000000000 RBX: ffffffffc0d9a860 RCX: 0000000000000027<br /> [61110.467729] RDX: ffff8fd5ff9598a8 RSI: 0000000000000001 RDI: ffff8fd5ff9598a0<br /> [61110.467730] RBP: ffff8fb6aaf78700 R08: 0000000000000000 R09: 0000000100d863b7<br /> [61110.467731] R10: ffffa304e489fd20 R11: ffffffff913bef48 R12: 0000000040002000<br /> [61110.467731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000<br /> [61110.467733] FS: 00007f64c89fb740(0000) GS:ffff8fd5ff940000(0000) knlGS:0000000000000000<br /> [61110.467734] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [61110.467735] CR2: 00007f0f02bfe000 CR3: 00000020ad6dc005 CR4: 0000000000770ee0<br /> [61110.467736] PKRU: 55555554<br /> [61110.467737] Call Trace:<br /> [61110.467738] <br /> [61110.467739] qla2x00_module_exit+0x93/0x99 [qla2xxx]<br /> [61110.467755] ? __do_sys_delete_module.constprop.0+0x178/0x280<br /> <br /> Free sp in the error path to fix the crash.

Deserialization of Untrusted Data vulnerability in OpenText™ Directory Services allows Object Injection. The vulnerability could lead to remote code execution, denial of service, or<br /> privilege escalation.<br /> <br /> This issue affects Directory Services: from 10.5 through 26.1.