Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-39872

Publication date:
23/09/2025
In the Linux kernel, the following vulnerability has been resolved:

hsr: hold rcu and dev lock for hsr_get_port_ndev

hsr_get_port_ndev calls hsr_for_each_port, which needs to hold rcu lock. On the other hand, before returning the port device, we need to hold the device reference to avoid UaF in the caller function.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2025

CVE-2025-39873

Publication date:
23/09/2025
In the Linux kernel, the following vulnerability has been resolved:

can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB

can_put_echo_skb() takes ownership of the SKB and it may be freed during or after the call.

However, xilinx_can xcan_write_frame() keeps using SKB after the call.

Fix that by only calling can_put_echo_skb() after the code is done touching the SKB.

The tx_lock is held for the entire xcan_write_frame() execution and also on the can_get_echo_skb() side so the order of operations does not matter.

An earlier fix commit 3d3c817c3a40 ("can: xilinx_can: Fix usage of skb memory") did not move the can_put_echo_skb() call far enough.

[mkl: add "commit" in front of sha1 in patch description]
[mkl: fix indention]
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2025

CVE-2025-39874

Publication date:
23/09/2025
In the Linux kernel, the following vulnerability has been resolved:

macsec: sync features on RTM_NEWLINK

Syzkaller managed to lock the lower device via ETHTOOL_SFEATURES:

netdev_lock include/linux/netdevice.h:2761 [inline]
netdev_lock_ops include/net/netdev_lock.h:42 [inline]
netdev_sync_lower_features net/core/dev.c:10649 [inline]
__netdev_update_features+0xcb1/0x1be0 net/core/dev.c:10819
netdev_update_features+0x6d/0xe0 net/core/dev.c:10876
macsec_notify+0x2f5/0x660 drivers/net/macsec.c:4533
notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
call_netdevice_notifiers net/core/dev.c:2281 [inline]
netdev_features_change+0x85/0xc0 net/core/dev.c:1570
__dev_ethtool net/ethtool/ioctl.c:3469 [inline]
dev_ethtool+0x1536/0x19b0 net/ethtool/ioctl.c:3502
dev_ioctl+0x392/0x1150 net/core/dev_ioctl.c:759

It happens because lower features are out of sync with the upper:

__dev_ethtool (real_dev)
netdev_lock_ops(real_dev)
ETHTOOL_SFEATURES
__netdev_features_change
netdev_sync_upper_features
disable LRO on the lower
if (old_features != dev->features)
netdev_features_change
fires NETDEV_FEAT_CHANGE
macsec_notify
NETDEV_FEAT_CHANGE
netdev_update_features (for each macsec dev)
netdev_sync_lower_features
if (upper_features != lower_features)
netdev_lock_ops(lower) # lower == real_dev
stuck
...

netdev_unlock_ops(real_dev)

Per commit af5f54b0ef9e ("net: Lock lower level devices when updating features"), we elide the lock/unlock when the upper and lower features are synced. Makes sure the lower (real_dev) has proper features after the macsec link has been created. This makes sure we never hit the situation where we need to sync upper flags to the lower.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2025

CVE-2025-39875

Publication date:
23/09/2025
In the Linux kernel, the following vulnerability has been resolved:

igb: Fix NULL pointer dereference in ethtool loopback test

The igb driver currently causes a NULL pointer dereference when executing the ethtool loopback test. This occurs because there is no associated q_vector for the test ring when it is set up, as interrupts are typically not added to the test rings.

Since commit 5ef44b3cb43b removed the napi_id assignment in __xdp_rxq_info_reg(), there is no longer a need to pass a napi_id to it. Therefore, simply use 0 as the last parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2025

CVE-2025-10842

Publication date:
23/09/2025
A vulnerability was detected in code-projects Online Bidding System 1.0. Affected is an unknown function of the file /administrator/wew.php. Performing manipulation of the argument ID results in SQL injection. The attack may be initiated remotely. The exploit is now public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
23/09/2025

CVE-2025-10843

Publication date:
23/09/2025
A flaw has been found in Reservation Online Hotel Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /reservation/paypalpayout.php. Executing manipulation of the argument confirm can lead to SQL injection. The attack may be launched remotely. The exploit has been published and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
23/09/2025

CVE-2025-39867

Publication date:
23/09/2025
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo: fix null deref for empty set

Blamed commit broke the check for a null scratch map:
- if (unlikely(!m || !*raw_cpu_ptr(m->scratch)))
+ if (unlikely(!raw_cpu_ptr(m->scratch)))

This should have been "if (!*raw_ ...)".
Use the pattern of the avx2 version which is more readable.

This can only be reproduced if avx2 support isn't available.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2025

CVE-2025-39868

Publication date:
23/09/2025
In the Linux kernel, the following vulnerability has been resolved:

erofs: fix runtime warning on truncate_folio_batch_exceptionals()

Commit 0e2f80afcfa6 ("fs/dax: ensure all pages are idle prior to filesystem unmount") introduced the WARN_ON_ONCE to capture whether the filesystem has removed all DAX entries or not and applied the fix to xfs and ext4.

Apply the missed fix on erofs to fix the runtime warning:

---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2025

CVE-2025-10841

Publication date:
23/09/2025
A security vulnerability has been detected in code-projects Online Bidding System 1.0. This impacts an unknown function of the file /administrator/weweee.php. Such manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
23/09/2025

CVE-2025-10838

Publication date:
23/09/2025
A vulnerability was identified in Tenda AC21 16.03.08.16. The affected element is the function sub_45BB10 of the file /goform/WifiExtraSet. The manipulation of the argument wpapsk_crypto leads to buffer overflow. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Severity CVSS v4.0: HIGH
Last modification:
23/09/2025

CVE-2025-10839

Publication date:
23/09/2025
A security flaw has been discovered in SourceCodester Pet Grooming Management Software 1.0. The impacted element is an unknown function of the file /admin/inv-print.php. The manipulation of the argument ID results in SQL injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.
Severity CVSS v4.0: MEDIUM
Last modification:
23/09/2025

CVE-2025-10840

Publication date:
23/09/2025
A weakness has been identified in SourceCodester Pet Grooming Management Software 1.0. This affects an unknown function of the file /admin/print-payment.php. This manipulation of the argument sql111 causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.
Severity CVSS v4.0: MEDIUM
Last modification:
23/09/2025