Vulnerabilities

Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the uploaded file through a specific URL parameter.

MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: replace overzealous BUG_ON in osdmap_apply_incremental()<br /> <br /> If the osdmap is (maliciously) corrupted such that the incremental<br /> osdmap epoch is different from what is expected, there is no need to<br /> BUG. Instead, just declare the incremental osdmap to be invalid.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: make free_choose_arg_map() resilient to partial allocation<br /> <br /> free_choose_arg_map() may dereference a NULL pointer if its caller fails<br /> after a partial allocation.<br /> <br /> For example, in decode_choose_args(), if allocation of arg_map-&gt;args<br /> fails, execution jumps to the fail label and free_choose_arg_map() is<br /> called. Since arg_map-&gt;size is updated to a non-zero value before memory<br /> allocation, free_choose_arg_map() will iterate over arg_map-&gt;args and<br /> dereference a NULL pointer.<br /> <br /> To prevent this potential NULL pointer dereference and make<br /> free_choose_arg_map() more resilient, add checks for pointers before<br /> iterating.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: return the handler error from mon_handle_auth_done()<br /> <br /> Currently any error from ceph_auth_handle_reply_done() is propagated<br /> via finish_auth() but isn&amp;#39;t returned from mon_handle_auth_done(). This<br /> results in higher layers learning that (despite the monitor considering<br /> us to be successfully authenticated) something went wrong in the<br /> authentication phase and reacting accordingly, but msgr2 still trying<br /> to proceed with establishing the session in the background. In the<br /> case of secure mode this can trigger a WARN in setup_crypto() and later<br /> lead to a NULL pointer dereference inside of prepare_auth_signature().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> idpf: Fix RSS LUT NULL ptr issue after soft reset<br /> <br /> During soft reset, the RSS LUT is freed and not restored unless the<br /> interface is up. If an ethtool command that accesses the rss lut is<br /> attempted immediately after reset, it will result in NULL ptr<br /> dereference. Also, there is no need to reset the rss lut if the soft reset<br /> does not involve queue count change.<br /> <br /> After soft reset, set the RSS LUT to default values based on the updated<br /> queue count only if the reset was a result of a queue count change and<br /> the LUT was not configured by the user. In all other cases, don&amp;#39;t touch<br /> the LUT.<br /> <br /> Steps to reproduce:<br /> <br /> ** Bring the interface down (if up)<br /> ifconfig eth1 down<br /> <br /> ** update the queue count (eg., 27-&gt;20)<br /> ethtool -L eth1 combined 20<br /> <br /> ** display the RSS LUT<br /> ethtool -x eth1<br /> <br /> [82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> [82375.558373] #PF: supervisor read access in kernel mode<br /> [82375.558391] #PF: error_code(0x0000) - not-present page<br /> [82375.558408] PGD 0 P4D 0<br /> [82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI<br /> <br /> [82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]<br /> [82375.558786] Call Trace:<br /> [82375.558793] <br /> [82375.558804] rss_prepare.isra.0+0x187/0x2a0<br /> [82375.558827] rss_prepare_data+0x3a/0x50<br /> [82375.558845] ethnl_default_doit+0x13d/0x3e0<br /> [82375.558863] genl_family_rcv_msg_doit+0x11f/0x180<br /> [82375.558886] genl_rcv_msg+0x1ad/0x2b0<br /> [82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10<br /> [82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10<br /> [82375.558937] netlink_rcv_skb+0x58/0x100<br /> [82375.558957] genl_rcv+0x2c/0x50<br /> [82375.558971] netlink_unicast+0x289/0x3e0<br /> [82375.558988] netlink_sendmsg+0x215/0x440<br /> [82375.559005] __sys_sendto+0x234/0x240<br /> [82375.559555] __x64_sys_sendto+0x28/0x30<br /> [82375.560068] x64_sys_call+0x1909/0x1da0<br /> [82375.560576] do_syscall_64+0x7a/0xfa0<br /> [82375.561076] ? clear_bhb_loop+0x60/0xb0<br /> [82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix reference count leak in bpf_prog_test_run_xdp()<br /> <br /> syzbot is reporting<br /> <br /> unregister_netdevice: waiting for sit0 to become free. Usage count = 2<br /> <br /> problem. A debug printk() patch found that a refcount is obtained at<br /> xdp_convert_md_to_buff() from bpf_prog_test_run_xdp().<br /> <br /> According to commit ec94670fcb3b ("bpf: Support specifying ingress via<br /> xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by<br /> xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().<br /> <br /> Therefore, we can consider that the error handling path introduced by<br /> commit 1c1949982524 ("bpf: introduce frags support to<br /> bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ublk: fix use-after-free in ublk_partition_scan_work<br /> <br /> A race condition exists between the async partition scan work and device<br /> teardown that can lead to a use-after-free of ub-&gt;ub_disk:<br /> <br /> 1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()<br /> 2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:<br /> - del_gendisk(ub-&gt;ub_disk)<br /> - ublk_detach_disk() sets ub-&gt;ub_disk = NULL<br /> - put_disk() which may free the disk<br /> 3. The worker ublk_partition_scan_work() then dereferences ub-&gt;ub_disk<br /> leading to UAF<br /> <br /> Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold<br /> a reference to the disk during the partition scan. The spinlock in<br /> ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker<br /> either gets a valid reference or sees NULL and exits early.<br /> <br /> Also change flush_work() to cancel_work_sync() to avoid running the<br /> partition scan work unnecessarily when the disk is already detached.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: provide locking for v4_end_grace<br /> <br /> Writing to v4_end_grace can race with server shutdown and result in<br /> memory being accessed after it was freed - reclaim_str_hashtbl in<br /> particularly.<br /> <br /> We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is<br /> held while client_tracking_op-&gt;init() is called and that can wait for<br /> an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a<br /> deadlock.<br /> <br /> nfsd4_end_grace() is also called by the landromat work queue and this<br /> doesn&amp;#39;t require locking as server shutdown will stop the work and wait<br /> for it before freeing anything that nfsd4_end_grace() might access.<br /> <br /> However, we must be sure that writing to v4_end_grace doesn&amp;#39;t restart<br /> the work item after shutdown has already waited for it. For this we<br /> add a new flag protected with nn-&gt;client_lock. It is set only while it<br /> is safe to make client tracking calls, and v4_end_grace only schedules<br /> work while the flag is set with the spinlock held.<br /> <br /> So this patch adds a nfsd_net field "client_tracking_active" which is<br /> set as described. Another field "grace_end_forced", is set when<br /> v4_end_grace is written. After this is set, and providing<br /> client_tracking_active is set, the laundromat is scheduled.<br /> This "grace_end_forced" field bypasses other checks for whether the<br /> grace period has finished.<br /> <br /> This resolves a race which can result in use-after-free.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> idpf: detach and close netdevs while handling a reset<br /> <br /> Protect the reset path from callbacks by setting the netdevs to detached<br /> state and close any netdevs in UP state until the reset handling has<br /> completed. During a reset, the driver will de-allocate resources for the<br /> vport, and there is no guarantee that those will recover, which is why the<br /> existing vport_ctrl_lock does not provide sufficient protection.<br /> <br /> idpf_detach_and_close() is called right before reset handling. If the<br /> reset handling succeeds, the netdevs state is recovered via call to<br /> idpf_attach_and_open(). If the reset handling fails the netdevs remain<br /> down. The detach/down calls are protected with RTNL lock to avoid racing<br /> with callbacks. On the recovery side the attach can be done without<br /> holding the RTNL lock as there are no callbacks expected at that point,<br /> due to detach/close always being done first in that flow.<br /> <br /> The previous logic restoring the netdevs state based on the<br /> IDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence<br /> the removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is<br /> still being used to restore the state of the netdevs following the reset,<br /> but has no use outside of the reset handling flow.<br /> <br /> idpf_init_hard_reset() is converted to void, since it was used as such and<br /> there is no error handling being done based on its return value.<br /> <br /> Before this change, invoking hard and soft resets simultaneously will<br /> cause the driver to lose the vport state:<br /> ip -br a<br /> UP<br /> echo 1 &gt; /sys/class/net/ens801f0/device/reset&amp; \<br /> ethtool -L ens801f0 combined 8<br /> ip -br a<br /> DOWN<br /> ip link set up<br /> ip -br a<br /> DOWN<br /> <br /> Also in case of a failure in the reset path, the netdev is left<br /> exposed to external callbacks, while vport resources are not<br /> initialized, leading to a crash on subsequent ifup/down:<br /> [408471.398966] idpf 0000:83:00.0: HW reset detected<br /> [408471.411744] idpf 0000:83:00.0: Device HW Reset initiated<br /> [408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device&amp;#39;s firmware. Check that the FW is running. Driver state= 0x2<br /> [408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078<br /> [408508.126112] #PF: supervisor read access in kernel mode<br /> [408508.126687] #PF: error_code(0x0000) - not-present page<br /> [408508.127256] PGD 2aae2f067 P4D 0<br /> [408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI<br /> ...<br /> [408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf]<br /> ...<br /> [408508.139193] Call Trace:<br /> [408508.139637] <br /> [408508.140077] __dev_close_many+0xbb/0x260<br /> [408508.140533] __dev_change_flags+0x1cf/0x280<br /> [408508.140987] netif_change_flags+0x26/0x70<br /> [408508.141434] dev_change_flags+0x3d/0xb0<br /> [408508.141878] devinet_ioctl+0x460/0x890<br /> [408508.142321] inet_ioctl+0x18e/0x1d0<br /> [408508.142762] ? _copy_to_user+0x22/0x70<br /> [408508.143207] sock_do_ioctl+0x3d/0xe0<br /> [408508.143652] sock_ioctl+0x10e/0x330<br /> [408508.144091] ? find_held_lock+0x2b/0x80<br /> [408508.144537] __x64_sys_ioctl+0x96/0xe0<br /> [408508.144979] do_syscall_64+0x79/0x3d0<br /> [408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [408508.145860] RIP: 0033:0x7f3e0bb4caff

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: mscc: ocelot: Fix crash when adding interface under a lag<br /> <br /> Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag")<br /> fixed a similar issue in the lan966x driver caused by a NULL pointer dereference.<br /> The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic<br /> and is susceptible to the same crash.<br /> <br /> This issue specifically affects the ocelot_vsc7514.c frontend, which leaves<br /> unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as<br /> it uses the DSA framework which registers all ports.<br /> <br /> Fix this by checking if the port pointer is valid before accessing it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: do not write to msg_get_inq in callee<br /> <br /> NULL pointer dereference fix.<br /> <br /> msg_get_inq is an input field from caller to callee. Don&amp;#39;t set it in<br /> the callee, as the caller may not clear it on struct reuse.<br /> <br /> This is a kernel-internal variant of msghdr only, and the only user<br /> does reinitialize the field. So this is not critical for that reason.<br /> But it is more robust to avoid the write, and slightly simpler code.<br /> And it fixes a bug, see below.<br /> <br /> Callers set msg_get_inq to request the input queue length to be<br /> returned in msg_inq. This is equivalent to but independent from the<br /> SO_INQ request to return that same info as a cmsg (tp-&gt;recvmsg_inq).<br /> To reduce branching in the hot path the second also sets the msg_inq.<br /> That is WAI.<br /> <br /> This is a fix to commit 4d1442979e4a ("af_unix: don&amp;#39;t post cmsg for<br /> SO_INQ unless explicitly asked for"), which fixed the inverse.<br /> <br /> Also avoid NULL pointer dereference in unix_stream_read_generic if<br /> state-&gt;msg is NULL and msg-&gt;msg_get_inq is written. A NULL state-&gt;msg<br /> can happen when splicing as of commit 2b514574f7e8 ("net: af_unix:<br /> implement splice for stream af_unix sockets").<br /> <br /> Also collapse two branches using a bitwise or.