Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ftrace: Fix potential warning in trace_printk_seq during ftrace_dump<br /> <br /> When calling ftrace_dump_one() concurrently with reading trace_pipe,<br /> a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race<br /> condition.<br /> <br /> The issue occurs because:<br /> <br /> CPU0 (ftrace_dump) CPU1 (reader)<br /> echo z &gt; /proc/sysrq-trigger<br /> <br /> !trace_empty(&amp;iter)<br /> trace_iterator_reset(&amp;iter) = s-&gt;seq.size)<br /> <br /> In the context between trace_empty() and trace_find_next_entry_inc()<br /> during ftrace_dump, the ring buffer data was consumed by other readers.<br /> This caused trace_find_next_entry_inc to return NULL, failing to populate<br /> `iter.seq`. At this point, due to the prior trace_iterator_reset, both<br /> `iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal,<br /> the WARN_ON_ONCE condition is triggered.<br /> <br /> Move the trace_printk_seq() into the if block that checks to make sure the<br /> return value of trace_find_next_entry_inc() is non-NULL in<br /> ftrace_dump_one(), ensuring the &amp;#39;iter.seq&amp;#39; is properly populated before<br /> subsequent operations.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: fix NULL pointer dereference in ice_unplug_aux_dev() on reset<br /> <br /> Issuing a reset when the driver is loaded without RDMA support, will<br /> results in a crash as it attempts to remove RDMA&amp;#39;s non-existent auxbus<br /> device:<br /> echo 1 &gt; /sys/class/net//device/reset<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000008<br /> ...<br /> RIP: 0010:ice_unplug_aux_dev+0x29/0x70 [ice]<br /> ...<br /> Call Trace:<br /> <br /> ice_prepare_for_reset+0x77/0x260 [ice]<br /> pci_dev_save_and_disable+0x2c/0x70<br /> pci_reset_function+0x88/0x130<br /> reset_store+0x5a/0xa0<br /> kernfs_fop_write_iter+0x15e/0x210<br /> vfs_write+0x273/0x520<br /> ksys_write+0x6b/0xe0<br /> do_syscall_64+0x79/0x3b0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> ice_unplug_aux_dev() checks pf-&gt;cdev_info-&gt;adev for NULL pointer, but<br /> pf-&gt;cdev_info will also be NULL, leading to the deref in the trace above.<br /> <br /> Introduce a flag to be set when the creation of the auxbus device is<br /> successful, to avoid multiple NULL pointer checks in ice_unplug_aux_dev().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/vm: Clear the scratch_pt pointer on error<br /> <br /> Avoid triggering a dereference of an error pointer on cleanup in<br /> xe_vm_free_scratch() by clearing any scratch_pt error pointer.<br /> <br /> (cherry picked from commit 358ee50ab565f3c8ea32480e9d03127a81ba32f8)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sctp: initialize more fields in sctp_v6_from_sk()<br /> <br /> syzbot found that sin6_scope_id was not properly initialized,<br /> leading to undefined behavior.<br /> <br /> Clear sin6_scope_id and sin6_flowinfo.<br /> <br /> BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649<br /> __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649<br /> sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983<br /> sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390<br /> sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452<br /> sctp_get_port net/sctp/socket.c:8523 [inline]<br /> sctp_listen_start net/sctp/socket.c:8567 [inline]<br /> sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636<br /> __sys_listen_socket net/socket.c:1912 [inline]<br /> __sys_listen net/socket.c:1927 [inline]<br /> __do_sys_listen net/socket.c:1932 [inline]<br /> __se_sys_listen net/socket.c:1930 [inline]<br /> __x64_sys_listen+0x343/0x4c0 net/socket.c:1930<br /> x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Local variable addr.i.i created at:<br /> sctp_get_port net/sctp/socket.c:8515 [inline]<br /> sctp_listen_start net/sctp/socket.c:8567 [inline]<br /> sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636<br /> __sys_listen_socket net/socket.c:1912 [inline]<br /> __sys_listen net/socket.c:1927 [inline]<br /> __do_sys_listen net/socket.c:1932 [inline]<br /> __se_sys_listen net/socket.c:1930 [inline]<br /> __x64_sys_listen+0x343/0x4c0 net/socket.c:1930

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bnxt_en: Fix memory corruption when FW resources change during ifdown<br /> <br /> bnxt_set_dflt_rings() assumes that it is always called before any TC has<br /> been created. So it doesn&amp;#39;t take bp-&gt;num_tc into account and assumes<br /> that it is always 0 or 1.<br /> <br /> In the FW resource or capability change scenario, the FW will return<br /> flags in bnxt_hwrm_if_change() that will cause the driver to<br /> reinitialize and call bnxt_cancel_reservations(). This will lead to<br /> bnxt_init_dflt_ring_mode() calling bnxt_set_dflt_rings() and bp-&gt;num_tc<br /> may be greater than 1. This will cause bp-&gt;tx_ring[] to be sized too<br /> small and cause memory corruption in bnxt_alloc_cp_rings().<br /> <br /> Fix it by properly scaling the TX rings by bp-&gt;num_tc in the code<br /> paths mentioned above. Add 2 helper functions to determine<br /> bp-&gt;tx_nr_rings and bp-&gt;tx_nr_rings_per_tc.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()<br /> <br /> in ntrig_report_version(), hdev parameter passed from hid_probe().<br /> sending descriptor to /dev/uhid can make hdev-&gt;dev.parent-&gt;parent to null<br /> if hdev-&gt;dev.parent-&gt;parent is null, usb_dev has<br /> invalid address(0xffffffffffffff58) that hid_to_usb_dev(hdev) returned<br /> when usb_rcvctrlpipe() use usb_dev,it trigger<br /> page fault error for address(0xffffffffffffff58)<br /> <br /> add null check logic to ntrig_report_version()<br /> before calling hid_to_usb_dev()

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length<br /> <br /> The QuickI2C ACPI _DSD methods return ICRS and ISUB data with a<br /> trailing byte, making the actual length is one more byte than the<br /> structs defined.<br /> <br /> It caused stack-out-of-bounds and kernel crash:<br /> <br /> kernel: BUG: KASAN: stack-out-of-bounds in quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]<br /> kernel: Write of size 12 at addr ffff888106d1f900 by task kworker/u33:2/75<br /> kernel:<br /> kernel: CPU: 3 UID: 0 PID: 75 Comm: kworker/u33:2 Not tainted 6.16.0+ #3 PREEMPT(voluntary)<br /> kernel: Workqueue: async async_run_entry_fn<br /> kernel: Call Trace:<br /> kernel: <br /> kernel: dump_stack_lvl+0x76/0xa0<br /> kernel: print_report+0xd1/0x660<br /> kernel: ? __pfx__raw_spin_lock_irqsave+0x10/0x10<br /> kernel: ? __kasan_slab_free+0x5d/0x80<br /> kernel: ? kasan_addr_to_slab+0xd/0xb0<br /> kernel: kasan_report+0xe1/0x120<br /> kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]<br /> kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]<br /> kernel: kasan_check_range+0x11c/0x200<br /> kernel: __asan_memcpy+0x3b/0x80<br /> kernel: quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]<br /> kernel: ? __pfx_quicki2c_acpi_get_dsd_property.constprop.0+0x10/0x10 [intel_quicki2c]<br /> kernel: quicki2c_get_acpi_resources+0x237/0x730 [intel_quicki2c]<br /> [...]<br /> kernel: <br /> kernel:<br /> kernel: The buggy address belongs to stack of task kworker/u33:2/75<br /> kernel: and is located at offset 48 in frame:<br /> kernel: quicki2c_get_acpi_resources+0x0/0x730 [intel_quicki2c]<br /> kernel:<br /> kernel: This frame has 3 objects:<br /> kernel: [32, 36) &amp;#39;hid_desc_addr&amp;#39;<br /> kernel: [48, 59) &amp;#39;i2c_param&amp;#39;<br /> kernel: [80, 224) &amp;#39;i2c_config&amp;#39;<br /> <br /> ACPI DSD methods return:<br /> <br /> \_SB.PC00.THC0.ICRS Buffer 000000003fdc947b 001 Len 0C = 0A 00 80 1A 06 00 00 00 00 00 00 00<br /> \_SB.PC00.THC0.ISUB Buffer 00000000f2fcbdc4 001 Len 91 = 00 00 00 00 00 00 00 00 00 00 00 00<br /> <br /> Adding reserved padding to quicki2c_subip_acpi_parameter/config.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()<br /> <br /> A malicious HID device can trigger a slab out-of-bounds during<br /> mt_report_fixup() by passing in report descriptor smaller than<br /> 607 bytes. mt_report_fixup() attempts to patch byte offset 607<br /> of the descriptor with 0x25 by first checking if byte offset<br /> 607 is 0x15 however it lacks bounds checks to verify if the<br /> descriptor is big enough before conducting this check. Fix<br /> this bug by ensuring the descriptor size is at least 608<br /> bytes before accessing it.<br /> <br /> Below is the KASAN splat after the out of bounds access happens:<br /> <br /> [ 13.671954] ==================================================================<br /> [ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110<br /> [ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10<br /> [ 13.673297]<br /> [ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3<br /> [ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04<br /> [ 13.673297] Call Trace:<br /> [ 13.673297] <br /> [ 13.673297] dump_stack_lvl+0x5f/0x80<br /> [ 13.673297] print_report+0xd1/0x660<br /> [ 13.673297] kasan_report+0xe5/0x120<br /> [ 13.673297] __asan_report_load1_noabort+0x18/0x20<br /> [ 13.673297] mt_report_fixup+0x103/0x110<br /> [ 13.673297] hid_open_report+0x1ef/0x810<br /> [ 13.673297] mt_probe+0x422/0x960<br /> [ 13.673297] hid_device_probe+0x2e2/0x6f0<br /> [ 13.673297] really_probe+0x1c6/0x6b0<br /> [ 13.673297] __driver_probe_device+0x24f/0x310<br /> [ 13.673297] driver_probe_device+0x4e/0x220<br /> [ 13.673297] __device_attach_driver+0x169/0x320<br /> [ 13.673297] bus_for_each_drv+0x11d/0x1b0<br /> [ 13.673297] __device_attach+0x1b8/0x3e0<br /> [ 13.673297] device_initial_probe+0x12/0x20<br /> [ 13.673297] bus_probe_device+0x13d/0x180<br /> [ 13.673297] device_add+0xe3a/0x1670<br /> [ 13.673297] hid_add_device+0x31d/0xa40<br /> [...]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/mediatek: Add error handling for old state CRTC in atomic_disable<br /> <br /> Introduce error handling to address an issue where, after a hotplug<br /> event, the cursor continues to update. This situation can lead to a<br /> kernel panic due to accessing the NULL `old_state-&gt;crtc`.<br /> <br /> E,g.<br /> Unable to handle kernel NULL pointer dereference at virtual address<br /> Call trace:<br /> mtk_crtc_plane_disable+0x24/0x140<br /> mtk_plane_atomic_update+0x8c/0xa8<br /> drm_atomic_helper_commit_planes+0x114/0x2c8<br /> drm_atomic_helper_commit_tail_rpm+0x4c/0x158<br /> commit_tail+0xa0/0x168<br /> drm_atomic_helper_commit+0x110/0x120<br /> drm_atomic_commit+0x8c/0xe0<br /> drm_atomic_helper_update_plane+0xd4/0x128<br /> __setplane_atomic+0xcc/0x110<br /> drm_mode_cursor_common+0x250/0x440<br /> drm_mode_cursor_ioctl+0x44/0x70<br /> drm_ioctl+0x264/0x5d8<br /> __arm64_sys_ioctl+0xd8/0x510<br /> invoke_syscall+0x6c/0xe0<br /> do_el0_svc+0x68/0xe8<br /> el0_svc+0x34/0x60<br /> el0t_64_sync_handler+0x1c/0xf8<br /> el0t_64_sync+0x180/0x188<br /> <br /> Adding NULL pointer checks to ensure stability by preventing operations<br /> on an invalid CRTC state.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: macb: fix unregister_netdev call order in macb_remove()<br /> <br /> When removing a macb device, the driver calls phy_exit() before<br /> unregister_netdev(). This leads to a WARN from kernfs:<br /> <br /> ------------[ cut here ]------------<br /> kernfs: can not remove &amp;#39;attached_dev&amp;#39;, no directory<br /> WARNING: CPU: 1 PID: 27146 at fs/kernfs/dir.c:1683<br /> Call trace:<br /> kernfs_remove_by_name_ns+0xd8/0xf0<br /> sysfs_remove_link+0x24/0x58<br /> phy_detach+0x5c/0x168<br /> phy_disconnect+0x4c/0x70<br /> phylink_disconnect_phy+0x6c/0xc0 [phylink]<br /> macb_close+0x6c/0x170 [macb]<br /> ...<br /> macb_remove+0x60/0x168 [macb]<br /> platform_remove+0x5c/0x80<br /> ...<br /> <br /> The warning happens because the PHY is being exited while the netdev<br /> is still registered. The correct order is to unregister the netdev<br /> before shutting down the PHY and cleaning up the MDIO bus.<br /> <br /> Fix this by moving unregister_netdev() ahead of phy_exit() in<br /> macb_remove().

This vulnerability exist in PPC 2K15X Router, due to improper input validation for the Common Gateway Interface (CGI) parameters at its web management portal. A remote attacker could exploit this vulnerability by injecting malicious JavaScript into the vulnerable parameter, leading to a reflected Cross-Site Scripting (XSS) attack on the targeted system.

Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox