Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()<br /> <br /> Handle VM_FAULT_SIGSEGV in the page fault path so that we correctly<br /> kill the process and we don&amp;#39;t BUG() the kernel.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: Fix missing lock on sync reset reload<br /> <br /> On sync reset reload work, when remote host updates devlink on reload<br /> actions performed on that host, it misses taking devlink lock before<br /> calling devlink_remote_reload_actions_performed() which results in<br /> triggering lock assert like the following:<br /> <br /> WARNING: CPU: 4 PID: 1164 at net/devlink/core.c:261 devl_assert_locked+0x3e/0x50<br /> …<br /> CPU: 4 PID: 1164 Comm: kworker/u96:6 Tainted: G S W 6.10.0-rc2+ #116<br /> Hardware name: Supermicro SYS-2028TP-DECTR/X10DRT-PT, BIOS 2.0 12/18/2015<br /> Workqueue: mlx5_fw_reset_events mlx5_sync_reset_reload_work [mlx5_core]<br /> RIP: 0010:devl_assert_locked+0x3e/0x50<br /> …<br /> Call Trace:<br /> <br /> ? __warn+0xa4/0x210<br /> ? devl_assert_locked+0x3e/0x50<br /> ? report_bug+0x160/0x280<br /> ? handle_bug+0x3f/0x80<br /> ? exc_invalid_op+0x17/0x40<br /> ? asm_exc_invalid_op+0x1a/0x20<br /> ? devl_assert_locked+0x3e/0x50<br /> devlink_notify+0x88/0x2b0<br /> ? mlx5_attach_device+0x20c/0x230 [mlx5_core]<br /> ? __pfx_devlink_notify+0x10/0x10<br /> ? process_one_work+0x4b6/0xbb0<br /> process_one_work+0x4b6/0xbb0<br /> […]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init().<br /> <br /> ip6table_nat_table_init() accesses net-&gt;gen-&gt;ptr[ip6table_nat_net_ops.id],<br /> but the function is exposed to user space before the entry is allocated<br /> via register_pernet_subsys().<br /> <br /> Let&amp;#39;s call register_pernet_subsys() before xt_register_template().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().<br /> <br /> We had a report that iptables-restore sometimes triggered null-ptr-deref<br /> at boot time. [0]<br /> <br /> The problem is that iptable_nat_table_init() is exposed to user space<br /> before the kernel fully initialises netns.<br /> <br /> In the small race window, a user could call iptable_nat_table_init()<br /> that accesses net_generic(net, iptable_nat_net_id), which is available<br /> only after registering iptable_nat_net_ops.<br /> <br /> Let&amp;#39;s call register_pernet_subsys() before xt_register_template().<br /> <br /> [0]:<br /> bpfilter: Loaded bpfilter_umh pid 11702<br /> Started bpfilter<br /> BUG: kernel NULL pointer dereference, address: 0000000000000013<br /> PF: supervisor write access in kernel mode<br /> PF: error_code(0x0002) - not-present page<br /> PGD 0 P4D 0<br /> PREEMPT SMP NOPTI<br /> CPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1<br /> Hardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017<br /> RIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat<br /> Code: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c<br /> RSP: 0018:ffffbef902843cd0 EFLAGS: 00010246<br /> RAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80<br /> RDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0<br /> RBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240<br /> R10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000<br /> R13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004<br /> FS: 00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)<br /> ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)<br /> ? xt_find_table_lock (net/netfilter/x_tables.c:1259)<br /> ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)<br /> ? page_fault_oops (arch/x86/mm/fault.c:727)<br /> ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518)<br /> ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570)<br /> ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat<br /> xt_find_table_lock (net/netfilter/x_tables.c:1259)<br /> xt_request_find_table_lock (net/netfilter/x_tables.c:1287)<br /> get_info (net/ipv4/netfilter/ip_tables.c:965)<br /> ? security_capable (security/security.c:809 (discriminator 13))<br /> ? ns_capable (kernel/capability.c:376 kernel/capability.c:397)<br /> ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656)<br /> ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter<br /> nf_getsockopt (net/netfilter/nf_sockopt.c:116)<br /> ip_getsockopt (net/ipv4/ip_sockglue.c:1827)<br /> __sys_getsockopt (net/socket.c:2327)<br /> __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339)<br /> do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)<br /> RIP: 0033:0x7f62844685ee<br /> Code: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09<br /> RSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037<br /> RAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee<br /> RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004<br /> RBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0<br /> R10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2<br /> R13: 00007f6284<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/iucv: fix use after free in iucv_sock_close()<br /> <br /> iucv_sever_path() is called from process context and from bh context.<br /> iucv-&gt;path is used as indicator whether somebody else is taking care of<br /> severing the path (or it is already removed / never existed).<br /> This needs to be done with atomic compare and swap, otherwise there is a<br /> small window where iucv_sock_close() will try to work with a path that has<br /> already been severed and freed by iucv_callback_connrej() called by<br /> iucv_tasklet_fn().<br /> <br /> Example:<br /> [452744.123844] Call Trace:<br /> [452744.123845] ([] 0x1e87f03880)<br /> [452744.123966] [] iucv_path_sever+0x96/0x138<br /> [452744.124330] [] iucv_sever_path+0xc2/0xd0 [af_iucv]<br /> [452744.124336] [] iucv_sock_close+0xa6/0x310 [af_iucv]<br /> [452744.124341] [] iucv_sock_release+0x3c/0xd0 [af_iucv]<br /> [452744.124345] [] __sock_release+0x5e/0xe8<br /> [452744.124815] [] sock_close+0x34/0x48<br /> [452744.124820] [] __fput+0xba/0x268<br /> [452744.124826] [] task_work_run+0xbc/0xf0<br /> [452744.124832] [] do_notify_resume+0x88/0x90<br /> [452744.124841] [] system_call+0xe2/0x2c8<br /> [452744.125319] Last Breaking-Event-Address:<br /> [452744.125321] [] iucv_path_sever+0x90/0x138<br /> [452744.125324]<br /> [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt<br /> <br /> Note that bh_lock_sock() is not serializing the tasklet context against<br /> process context, because the check for sock_owned_by_user() and<br /> corresponding handling is missing.<br /> <br /> Ideas for a future clean-up patch:<br /> A) Correct usage of bh_lock_sock() in tasklet context, as described in<br /> Re-enqueue, if needed. This may require adding return values to the<br /> tasklet functions and thus changes to all users of iucv.<br /> <br /> B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched: act_ct: take care of padding in struct zones_ht_key<br /> <br /> Blamed commit increased lookup key size from 2 bytes to 16 bytes,<br /> because zones_ht_key got a struct net pointer.<br /> <br /> Make sure rhashtable_lookup() is not using the padding bytes<br /> which are not initialized.<br /> <br /> BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]<br /> BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]<br /> BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]<br /> BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]<br /> BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329<br /> rht_ptr_rcu include/linux/rhashtable.h:376 [inline]<br /> __rhashtable_lookup include/linux/rhashtable.h:607 [inline]<br /> rhashtable_lookup include/linux/rhashtable.h:646 [inline]<br /> rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]<br /> tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329<br /> tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408<br /> tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425<br /> tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488<br /> tcf_action_add net/sched/act_api.c:2061 [inline]<br /> tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118<br /> rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647<br /> netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550<br /> rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]<br /> netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357<br /> netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg+0x30f/0x380 net/socket.c:745<br /> ____sys_sendmsg+0x877/0xb60 net/socket.c:2597<br /> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651<br /> __sys_sendmsg net/socket.c:2680 [inline]<br /> __do_sys_sendmsg net/socket.c:2689 [inline]<br /> __se_sys_sendmsg net/socket.c:2687 [inline]<br /> __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687<br /> x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Local variable key created at:<br /> tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324<br /> tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid<br /> <br /> mkdir /mnt/test/comp<br /> f2fs_io setflags compression /mnt/test/comp<br /> dd if=/dev/zero of=/mnt/test/comp/testfile bs=16k count=1<br /> truncate --size 13 /mnt/test/comp/testfile<br /> <br /> In the above scenario, we can get a BUG_ON.<br /> kernel BUG at fs/f2fs/segment.c:3589!<br /> Call Trace:<br /> do_write_page+0x78/0x390 [f2fs]<br /> f2fs_outplace_write_data+0x62/0xb0 [f2fs]<br /> f2fs_do_write_data_page+0x275/0x740 [f2fs]<br /> f2fs_write_single_data_page+0x1dc/0x8f0 [f2fs]<br /> f2fs_write_multi_pages+0x1e5/0xae0 [f2fs]<br /> f2fs_write_cache_pages+0xab1/0xc60 [f2fs]<br /> f2fs_write_data_pages+0x2d8/0x330 [f2fs]<br /> do_writepages+0xcf/0x270<br /> __writeback_single_inode+0x44/0x350<br /> writeback_sb_inodes+0x242/0x530<br /> __writeback_inodes_wb+0x54/0xf0<br /> wb_writeback+0x192/0x310<br /> wb_workfn+0x30d/0x400<br /> <br /> The reason is we gave CURSEG_ALL_DATA_ATGC to COMPR_ADDR where the<br /> page was set the gcing flag by set_cluster_dirty().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Revert "ALSA: firewire-lib: operate for period elapse event in process context"<br /> <br /> Commit 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period elapse event<br /> in process context") removed the process context workqueue from<br /> amdtp_domain_stream_pcm_pointer() and update_pcm_pointers() to remove<br /> its overhead.<br /> <br /> With RME Fireface 800, this lead to a regression since<br /> Kernels 5.14.0, causing an AB/BA deadlock competition for the<br /> substream lock with eventual system freeze under ALSA operation:<br /> <br /> thread 0:<br /> * (lock A) acquire substream lock by<br /> snd_pcm_stream_lock_irq() in<br /> snd_pcm_status64()<br /> * (lock B) wait for tasklet to finish by calling<br /> tasklet_unlock_spin_wait() in<br /> tasklet_disable_in_atomic() in<br /> ohci_flush_iso_completions() of ohci.c<br /> <br /> thread 1:<br /> * (lock B) enter tasklet<br /> * (lock A) attempt to acquire substream lock,<br /> waiting for it to be released:<br /> snd_pcm_stream_lock_irqsave() in<br /> snd_pcm_period_elapsed() in<br /> update_pcm_pointers() in<br /> process_ctx_payloads() in<br /> process_rx_packets() of amdtp-stream.c<br /> <br /> ? tasklet_unlock_spin_wait<br /> <br /> <br /> ohci_flush_iso_completions firewire_ohci<br /> amdtp_domain_stream_pcm_pointer snd_firewire_lib<br /> snd_pcm_update_hw_ptr0 snd_pcm<br /> snd_pcm_status64 snd_pcm<br /> <br /> ? native_queued_spin_lock_slowpath<br /> <br /> <br /> _raw_spin_lock_irqsave<br /> snd_pcm_period_elapsed snd_pcm<br /> process_rx_packets snd_firewire_lib<br /> irq_target_callback snd_firewire_lib<br /> handle_it_packet firewire_ohci<br /> context_tasklet firewire_ohci<br /> <br /> Restore the process context work queue to prevent deadlock<br /> AB/BA deadlock competition for ALSA substream lock of<br /> snd_pcm_stream_lock_irq() in snd_pcm_status64()<br /> and snd_pcm_stream_lock_irqsave() in snd_pcm_period_elapsed().<br /> <br /> revert commit 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period<br /> elapse event in process context")<br /> <br /> Replace inline description to prevent future deadlock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvme-pci: add missing condition check for existence of mapped data<br /> <br /> nvme_map_data() is called when request has physical segments, hence<br /> the nvme_unmap_data() should have same condition to avoid dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en<br /> <br /> In sprd_iommu_cleanup() before calling function sprd_iommu_hw_en()<br /> dom-&gt;sdev is equal to NULL, which leads to null dereference.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mISDN: Fix a use after free in hfcmulti_tx()<br /> <br /> Don&amp;#39;t dereference *sp after calling dev_kfree_skb(*sp).

The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the job-specific backup folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server. Additionally, default settings will place an index.php and a .htaccess file into the chosen directory (unless already present) when the first backup job is run that are intended to prevent directory listing and file access. This means that an attacker could set the backup directory to the root of another site in a shared environment and thus disable that site.