Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()<br /> <br /> The function of_phy_find_device may return NULL, so we need to take<br /> care before dereferencing phy_dev.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hsr: hold rcu and dev lock for hsr_get_port_ndev<br /> <br /> hsr_get_port_ndev calls hsr_for_each_port, which need to hold rcu lock.<br /> On the other hand, before return the port device, we need to hold the<br /> device reference to avoid UaF in the caller function.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: idxd: Remove improper idxd_free<br /> <br /> The call to idxd_free() introduces a duplicate put_device() leading to a<br /> reference count underflow:<br /> refcount_t: underflow; use-after-free.<br /> WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110<br /> ...<br /> Call Trace:<br /> <br /> idxd_remove+0xe4/0x120 [idxd]<br /> pci_device_remove+0x3f/0xb0<br /> device_release_driver_internal+0x197/0x200<br /> driver_detach+0x48/0x90<br /> bus_remove_driver+0x74/0xf0<br /> pci_unregister_driver+0x2e/0xb0<br /> idxd_exit_module+0x34/0x7a0 [idxd]<br /> __do_sys_delete_module.constprop.0+0x183/0x280<br /> do_syscall_64+0x54/0xd70<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> The idxd_unregister_devices() which is invoked at the very beginning of<br /> idxd_remove(), already takes care of the necessary put_device() through the<br /> following call path:<br /> idxd_unregister_devices() -&gt; device_unregister() -&gt; put_device()<br /> <br /> In addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may<br /> trigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is<br /> called immediately after, it can result in a use-after-free.<br /> <br /> Remove the improper idxd_free() to avoid both the refcount underflow and<br /> potential memory corruption during module unload.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> macsec: sync features on RTM_NEWLINK<br /> <br /> Syzkaller managed to lock the lower device via ETHTOOL_SFEATURES:<br /> <br /> netdev_lock include/linux/netdevice.h:2761 [inline]<br /> netdev_lock_ops include/net/netdev_lock.h:42 [inline]<br /> netdev_sync_lower_features net/core/dev.c:10649 [inline]<br /> __netdev_update_features+0xcb1/0x1be0 net/core/dev.c:10819<br /> netdev_update_features+0x6d/0xe0 net/core/dev.c:10876<br /> macsec_notify+0x2f5/0x660 drivers/net/macsec.c:4533<br /> notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85<br /> call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]<br /> call_netdevice_notifiers net/core/dev.c:2281 [inline]<br /> netdev_features_change+0x85/0xc0 net/core/dev.c:1570<br /> __dev_ethtool net/ethtool/ioctl.c:3469 [inline]<br /> dev_ethtool+0x1536/0x19b0 net/ethtool/ioctl.c:3502<br /> dev_ioctl+0x392/0x1150 net/core/dev_ioctl.c:759<br /> <br /> It happens because lower features are out of sync with the upper:<br /> <br /> __dev_ethtool (real_dev)<br /> netdev_lock_ops(real_dev)<br /> ETHTOOL_SFEATURES<br /> __netdev_features_change<br /> netdev_sync_upper_features<br /> disable LRO on the lower<br /> if (old_features != dev-&gt;features)<br /> netdev_features_change<br /> fires NETDEV_FEAT_CHANGE<br /> macsec_notify<br /> NETDEV_FEAT_CHANGE<br /> netdev_update_features (for each macsec dev)<br /> netdev_sync_lower_features<br /> if (upper_features != lower_features)<br /> netdev_lock_ops(lower) # lower == real_dev<br /> stuck<br /> ...<br /> <br /> netdev_unlock_ops(real_dev)<br /> <br /> Per commit af5f54b0ef9e ("net: Lock lower level devices when updating<br /> features"), we elide the lock/unlock when the upper and lower features<br /> are synced. Makes sure the lower (real_dev) has proper features after<br /> the macsec link has been created. This makes sure we never hit the<br /> situation where we need to sync upper flags to the lower.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> igb: Fix NULL pointer dereference in ethtool loopback test<br /> <br /> The igb driver currently causes a NULL pointer dereference when executing<br /> the ethtool loopback test. This occurs because there is no associated<br /> q_vector for the test ring when it is set up, as interrupts are typically<br /> not added to the test rings.<br /> <br /> Since commit 5ef44b3cb43b removed the napi_id assignment in<br /> __xdp_rxq_info_reg(), there is no longer a need to pass a napi_id to it.<br /> Therefore, simply use 0 as the last parameter.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB<br /> <br /> can_put_echo_skb() takes ownership of the SKB and it may be freed<br /> during or after the call.<br /> <br /> However, xilinx_can xcan_write_frame() keeps using SKB after the call.<br /> <br /> Fix that by only calling can_put_echo_skb() after the code is done<br /> touching the SKB.<br /> <br /> The tx_lock is held for the entire xcan_write_frame() execution and<br /> also on the can_get_echo_skb() side so the order of operations does not<br /> matter.<br /> <br /> An earlier fix commit 3d3c817c3a40 ("can: xilinx_can: Fix usage of skb<br /> memory") did not move the can_put_echo_skb() call far enough.<br /> <br /> [mkl: add "commit" in front of sha1 in patch description]<br /> [mkl: fix indention]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: idxd: Fix double free in idxd_setup_wqs()<br /> <br /> The clean up in idxd_setup_wqs() has had a couple bugs because the error<br /> handling is a bit subtle. It&amp;#39;s simpler to just re-write it in a cleaner<br /> way. The issues here are:<br /> <br /> 1) If "idxd-&gt;max_wqs" is

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: ti: edma: Fix memory allocation size for queue_priority_map<br /> <br /> Fix a critical memory allocation bug in edma_setup_from_hw() where<br /> queue_priority_map was allocated with insufficient memory. The code<br /> declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),<br /> but allocated memory using sizeof(s8) instead of the correct size.<br /> <br /> This caused out-of-bounds memory writes when accessing:<br /> queue_priority_map[i][0] = i;<br /> queue_priority_map[i][1] = i;<br /> <br /> The bug manifested as kernel crashes with "Oops - undefined instruction"<br /> on ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the<br /> memory corruption triggered kernel hardening features on Clang.<br /> <br /> Change the allocation to use sizeof(*queue_priority_map) which<br /> automatically gets the correct size for the 2D array structure.

A vulnerability was detected in code-projects Online Bidding System 1.0. Affected is an unknown function of the file /administrator/wew.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

A flaw has been found in Reservation Online Hotel Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /reservation/paypalpayout.php. Executing manipulation of the argument confirm can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> erofs: fix runtime warning on truncate_folio_batch_exceptionals()<br /> <br /> Commit 0e2f80afcfa6("fs/dax: ensure all pages are idle prior to<br /> filesystem unmount") introduced the WARN_ON_ONCE to capture whether<br /> the filesystem has removed all DAX entries or not and applied the<br /> fix to xfs and ext4.<br /> <br /> Apply the missed fix on erofs to fix the runtime warning:<br /> <br /> [ 5.266254] ------------[ cut here ]------------<br /> [ 5.266274] WARNING: CPU: 6 PID: 3109 at mm/truncate.c:89 truncate_folio_batch_exceptionals+0xff/0x260<br /> [ 5.266294] Modules linked in:<br /> [ 5.266999] CPU: 6 UID: 0 PID: 3109 Comm: umount Tainted: G S 6.16.0+ #6 PREEMPT(voluntary)<br /> [ 5.267012] Tainted: [S]=CPU_OUT_OF_SPEC<br /> [ 5.267017] Hardware name: Dell Inc. OptiPlex 5000/05WXFV, BIOS 1.5.1 08/24/2022<br /> [ 5.267024] RIP: 0010:truncate_folio_batch_exceptionals+0xff/0x260<br /> [ 5.267076] Code: 00 00 41 39 df 7f 11 eb 78 83 c3 01 49 83 c4 08 41 39 df 74 6c 48 63 f3 48 83 fe 1f 0f 83 3c 01 00 00 43 f6 44 26 08 01 74 df 0b 4a 8b 34 22 4c 89 ef 48 89 55 90 e8 ff 54 1f 00 48 8b 55 90<br /> [ 5.267083] RSP: 0018:ffffc900013f36c8 EFLAGS: 00010202<br /> [ 5.267095] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000<br /> [ 5.267101] RDX: ffffc900013f3790 RSI: 0000000000000000 RDI: ffff8882a1407898<br /> [ 5.267108] RBP: ffffc900013f3740 R08: 0000000000000000 R09: 0000000000000000<br /> [ 5.267113] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000<br /> [ 5.267119] R13: ffff8882a1407ab8 R14: ffffc900013f3888 R15: 0000000000000001<br /> [ 5.267125] FS: 00007aaa8b437800(0000) GS:ffff88850025b000(0000) knlGS:0000000000000000<br /> [ 5.267132] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 5.267138] CR2: 00007aaa8b3aac10 CR3: 000000024f764000 CR4: 0000000000f52ef0<br /> [ 5.267144] PKRU: 55555554<br /> [ 5.267150] Call Trace:<br /> [ 5.267154] <br /> [ 5.267181] truncate_inode_pages_range+0x118/0x5e0<br /> [ 5.267193] ? save_trace+0x54/0x390<br /> [ 5.267296] truncate_inode_pages_final+0x43/0x60<br /> [ 5.267309] evict+0x2a4/0x2c0<br /> [ 5.267339] dispose_list+0x39/0x80<br /> [ 5.267352] evict_inodes+0x150/0x1b0<br /> [ 5.267376] generic_shutdown_super+0x41/0x180<br /> [ 5.267390] kill_block_super+0x1b/0x50<br /> [ 5.267402] erofs_kill_sb+0x81/0x90 [erofs]<br /> [ 5.267436] deactivate_locked_super+0x32/0xb0<br /> [ 5.267450] deactivate_super+0x46/0x60<br /> [ 5.267460] cleanup_mnt+0xc3/0x170<br /> [ 5.267475] __cleanup_mnt+0x12/0x20<br /> [ 5.267485] task_work_run+0x5d/0xb0<br /> [ 5.267499] exit_to_user_mode_loop+0x144/0x170<br /> [ 5.267512] do_syscall_64+0x2b9/0x7c0<br /> [ 5.267523] ? __lock_acquire+0x665/0x2ce0<br /> [ 5.267535] ? __lock_acquire+0x665/0x2ce0<br /> [ 5.267560] ? lock_acquire+0xcd/0x300<br /> [ 5.267573] ? find_held_lock+0x31/0x90<br /> [ 5.267582] ? mntput_no_expire+0x97/0x4e0<br /> [ 5.267606] ? mntput_no_expire+0xa1/0x4e0<br /> [ 5.267625] ? mntput+0x24/0x50<br /> [ 5.267634] ? path_put+0x1e/0x30<br /> [ 5.267647] ? do_faccessat+0x120/0x2f0<br /> [ 5.267677] ? do_syscall_64+0x1a2/0x7c0<br /> [ 5.267686] ? from_kgid_munged+0x17/0x30<br /> [ 5.267703] ? from_kuid_munged+0x13/0x30<br /> [ 5.267711] ? __do_sys_getuid+0x3d/0x50<br /> [ 5.267724] ? do_syscall_64+0x1a2/0x7c0<br /> [ 5.267732] ? irqentry_exit+0x77/0xb0<br /> [ 5.267743] ? clear_bhb_loop+0x30/0x80<br /> [ 5.267752] ? clear_bhb_loop+0x30/0x80<br /> [ 5.267765] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [ 5.267772] RIP: 0033:0x7aaa8b32a9fb<br /> [ 5.267781] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 e9 83 0d 00 f7 d8<br /> [ 5.267787] RSP: 002b:00007ffd7c4c9468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6<br /> [ 5.267796] RAX: 0000000000000000 RBX: 00005a61592a8b00 RCX: 00007aaa8b32a9fb<br /> [ 5.267802] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005a61592b2080<br /> [ 5.267806] RBP: 00007ffd7c4c9540 R08: 00007aaa8b403b20 R09: 0000000000000020<br /> [ 5.267812] R10: 0000000000000001 R11: 0000000000000246 R12: 00005a61592a8c00<br /> [ 5.267817] R13: 00000000<br /> ---truncated---