Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: phy: leds: fix memory leak<br /> <br /> A network restart test on a router led to an out-of-memory condition,<br /> which was traced to a memory leak in the PHY LED trigger code.<br /> <br /> The root cause is misuse of the devm API. The registration function<br /> (phy_led_triggers_register) is called from phy_attach_direct, not<br /> phy_probe, and the unregister function (phy_led_triggers_unregister)<br /> is called from phy_detach, not phy_remove. This means the register and<br /> unregister functions can be called multiple times for the same PHY<br /> device, but devm-allocated memory is not freed until the driver is<br /> unbound.<br /> <br /> This also prevents kmemleak from detecting the leak, as the devm API<br /> internally stores the allocated pointer.<br /> <br /> Fix this by replacing devm_kzalloc/devm_kcalloc with standard<br /> kzalloc/kcalloc, and add the corresponding kfree calls in the unregister<br /> path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()<br /> <br /> The function brcmf_usb_dl_writeimage() calls the function<br /> brcmf_usb_dl_cmd() but dose not check its return value. The<br /> &amp;#39;state.state&amp;#39; and the &amp;#39;state.bytes&amp;#39; are uninitialized if the<br /> function brcmf_usb_dl_cmd() fails. It is dangerous to use<br /> uninitialized variables in the conditions.<br /> <br /> Add error handling for brcmf_usb_dl_cmd() to jump to error<br /> handling path if the brcmf_usb_dl_cmd() fails and the<br /> &amp;#39;state.state&amp;#39; and the &amp;#39;state.bytes&amp;#39; are uninitialized.<br /> <br /> Improve the error message to report more detailed error<br /> information.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> parisc: Fix double SIGFPE crash<br /> <br /> Camm noticed that on parisc a SIGFPE exception will crash an application with<br /> a second SIGFPE in the signal handler. Dave analyzed it, and it happens<br /> because glibc uses a double-word floating-point store to atomically update<br /> function descriptors. As a result of lazy binding, we hit a floating-point<br /> store in fpe_func almost immediately.<br /> <br /> When the T bit is set, an assist exception trap occurs when when the<br /> co-processor encounters *any* floating-point instruction except for a double<br /> store of register %fr0. The latter cancels all pending traps. Let&amp;#39;s fix this<br /> by clearing the Trap (T) bit in the FP status register before returning to the<br /> signal handler in userspace.<br /> <br /> The issue can be reproduced with this test program:<br /> <br /> root@parisc:~# cat fpe.c<br /> <br /> static void fpe_func(int sig, siginfo_t *i, void *v) {<br /> sigset_t set;<br /> sigemptyset(&amp;set);<br /> sigaddset(&amp;set, SIGFPE);<br /> sigprocmask(SIG_UNBLOCK, &amp;set, NULL);<br /> printf("GOT signal %d with si_code %ld\n", sig, i-&gt;si_code);<br /> }<br /> <br /> int main() {<br /> struct sigaction action = {<br /> .sa_sigaction = fpe_func,<br /> .sa_flags = SA_RESTART|SA_SIGINFO };<br /> sigaction(SIGFPE, &amp;action, 0);<br /> feenableexcept(FE_OVERFLOW);<br /> return printf("%lf\n",1.7976931348623158E308*1.7976931348623158E308);<br /> }<br /> <br /> root@parisc:~# gcc fpe.c -lm<br /> root@parisc:~# ./a.out<br /> Floating point exception<br /> <br /> root@parisc:~# strace -f ./a.out<br /> execve("./a.out", ["./a.out"], 0xf9ac7034 /* 20 vars */) = 0<br /> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0<br /> ...<br /> rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0<br /> --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---<br /> --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---<br /> +++ killed by SIGFPE +++<br /> Floating point exception

This High severity PrivEsc (Privilege Escalation) vulnerability was introduced in versions:<br /> <br /> 9.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Core Data Center and Server<br /> <br /> 5.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management Data Center and Server<br /> <br /> This PrivEsc (Privilege Escalation) vulnerability, with a CVSS Score of 7.2, allows an attacker to perform actions as a higher-privileged user. <br /> <br /> Atlassian recommends that Jira Core Data Center and Server and Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:<br /> <br /> Jira Core Data Center and Server 9.12: Upgrade to a release greater than or equal to 9.12.20<br /> <br /> Jira Service Management Data Center and Server 5.12: Upgrade to a release greater than or equal to 5.12.20<br /> <br /> Jira Core Data Center 10.3: Upgrade to a release greater than or equal to 10.3.5<br /> <br /> Jira Service Management Data Center 10.3: Upgrade to a release greater than or equal to 10.3.5<br /> <br /> Jira Core Data Center 10.4: Upgrade to a release greater than or equal to 10.6.0<br /> <br /> Jira Service Management Data Center 10.4: Upgrade to a release greater than or equal to 10.6.0<br /> <br /> Jira Core Data Center 10.5: Upgrade to a release greater than or equal to 10.5.1<br /> <br /> Jira Service Management Data Center 10.5: Upgrade to a release greater than or equal to 10.5.1<br /> <br /> See the release notes. You can download the latest version of Jira Core Data Center and Jira Service Management Data Center from the download center. <br /> <br /> This vulnerability was reported via our Atlassian (Internal) program.

D-link DI-8100 16.07.26A1 is vulnerable to Command Injection. An attacker can exploit this vulnerability by crafting specific HTTP requests, triggering the command execution flaw and gaining the highest privilege shell access to the firmware system.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block: fix resource leak in blk_register_queue() error path<br /> <br /> When registering a queue fails after blk_mq_sysfs_register() is<br /> successful but the function later encounters an error, we need<br /> to clean up the blk_mq_sysfs resources.<br /> <br /> Add the missing blk_mq_sysfs_unregister() call in the error path<br /> to properly clean up these resources and prevent a memory leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: smartpqi: Use is_kdump_kernel() to check for kdump<br /> <br /> The smartpqi driver checks the reset_devices variable to determine<br /> whether special adjustments need to be made for kdump. This has the<br /> effect that after a regular kexec reboot, some driver parameters such as<br /> max_transfer_size are much lower than usual. More importantly, kexec<br /> reboot tests have revealed memory corruption caused by the driver log<br /> being written to system memory after a kexec.<br /> <br /> Fix this by testing is_kdump_kernel() rather than reset_devices where<br /> appropriate.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: wl1251: fix memory leak in wl1251_tx_work<br /> <br /> The skb dequeued from tx_queue is lost when wl1251_ps_elp_wakeup fails<br /> with a -ETIMEDOUT error. Fix that by queueing the skb back to tx_queue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: module: Fix out-of-bounds relocation access<br /> <br /> The current code allows rel[j] to access one element past the end of the<br /> relocation section. Simplify to num_relocations which is equivalent to<br /> the existing size expression.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process<br /> <br /> [ Upstream commit 63fdc4509bcf483e79548de6bc08bf3c8e504bb3 ]<br /> <br /> Currently, ath12k_dp_mon_srng_process uses ath12k_hal_srng_src_get_next_entry<br /> to fetch the next entry from the destination ring. This is incorrect because<br /> ath12k_hal_srng_src_get_next_entry is intended for source rings, not destination<br /> rings. This leads to invalid entry fetches, causing potential data corruption or<br /> crashes due to accessing incorrect memory locations. This happens because the<br /> source ring and destination ring have different handling mechanisms and using<br /> the wrong function results in incorrect pointer arithmetic and ring management.<br /> <br /> To fix this issue, replace the call to ath12k_hal_srng_src_get_next_entry with<br /> ath12k_hal_srng_dst_get_next_entry in ath12k_dp_mon_srng_process. This ensures<br /> that the correct function is used for fetching entries from the destination<br /> ring, preventing invalid memory accesses.<br /> <br /> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1<br /> Tested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: exynos: Disable iocc if dma-coherent property isn&amp;#39;t set<br /> <br /> If dma-coherent property isn&amp;#39;t set then descriptors are non-cacheable<br /> and the iocc shareability bits should be disabled. Without this UFS can<br /> end up in an incompatible configuration and suffer from random cache<br /> related stability issues.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block: integrity: Do not call set_page_dirty_lock()<br /> <br /> Placing multiple protection information buffers inside the same page<br /> can lead to oopses because set_page_dirty_lock() can&amp;#39;t be called from<br /> interrupt context.<br /> <br /> Since a protection information buffer is not backed by a file there is<br /> no point in setting its page dirty, there is nothing to synchronize.<br /> Drop the call to set_page_dirty_lock() and remove the last argument to<br /> bio_integrity_unpin_bvec().