Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt()<br /> <br /> fpga_mgr_test_img_load_sgt() allocates memory for sgt using<br /> kunit_kzalloc() however it does not check if the allocation failed.<br /> It then passes sgt to sg_alloc_table(), which passes it to<br /> __sg_alloc_table(). This function calls memset() on sgt in an attempt to<br /> zero it out. If the allocation fails then sgt will be NULL and the<br /> memset will trigger a NULL pointer dereference.<br /> <br /> Fix this by checking the allocation with KUNIT_ASSERT_NOT_ERR_OR_NULL().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug<br /> <br /> The qmp_usb_iomap() helper function currently returns the raw result of<br /> devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return<br /> a NULL pointer and the caller only checks error pointers with IS_ERR(),<br /> NULL could bypass the check and lead to an invalid dereference.<br /> <br /> Fix the issue by checking if devm_ioremap() returns NULL. When it does,<br /> qmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM),<br /> ensuring safe and consistent error handling.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: tipc: fix refcount warning in tipc_aead_encrypt<br /> <br /> syzbot reported a refcount warning [1] caused by calling get_net() on<br /> a network namespace that is being destroyed (refcount=0). This happens<br /> when a TIPC discovery timer fires during network namespace cleanup.<br /> <br /> The recently added get_net() call in commit e279024617134 ("net/tipc:<br /> fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to<br /> hold a reference to the network namespace. However, if the namespace<br /> is already being destroyed, its refcount might be zero, leading to the<br /> use-after-free warning.<br /> <br /> Replace get_net() with maybe_get_net(), which safely checks if the<br /> refcount is non-zero before incrementing it. If the namespace is being<br /> destroyed, return -ENODEV early, after releasing the bearer reference.<br /> <br /> [1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> serial: jsm: fix NPE during jsm_uart_port_init<br /> <br /> No device was set which caused serial_base_ctrl_add to crash.<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000050<br /> Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 16 UID: 0 PID: 368 Comm: (udev-worker) Not tainted 6.12.25-amd64 #1 Debian 6.12.25-1<br /> RIP: 0010:serial_base_ctrl_add+0x96/0x120<br /> Call Trace:<br /> <br /> serial_core_register_port+0x1a0/0x580<br /> ? __setup_irq+0x39c/0x660<br /> ? __kmalloc_cache_noprof+0x111/0x310<br /> jsm_uart_port_init+0xe8/0x180 [jsm]<br /> jsm_probe_one+0x1f4/0x410 [jsm]<br /> local_pci_probe+0x42/0x90<br /> pci_device_probe+0x22f/0x270<br /> really_probe+0xdb/0x340<br /> ? pm_runtime_barrier+0x54/0x90<br /> ? __pfx___driver_attach+0x10/0x10<br /> __driver_probe_device+0x78/0x110<br /> driver_probe_device+0x1f/0xa0<br /> __driver_attach+0xba/0x1c0<br /> bus_for_each_dev+0x8c/0xe0<br /> bus_add_driver+0x112/0x1f0<br /> driver_register+0x72/0xd0<br /> jsm_init_module+0x36/0xff0 [jsm]<br /> ? __pfx_jsm_init_module+0x10/0x10 [jsm]<br /> do_one_initcall+0x58/0x310<br /> do_init_module+0x60/0x230<br /> <br /> Tested with Digi Neo PCIe 8 port card.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms<br /> <br /> Commit 3ef9f710efcb ("pinctrl: mediatek: Add EINT support for multiple<br /> addresses") introduced an access to the &amp;#39;soc&amp;#39; field of struct<br /> mtk_pinctrl in mtk_eint_do_init() and for that an include of<br /> pinctrl-mtk-common-v2.h.<br /> <br /> However, pinctrl drivers relying on the v1 common driver include<br /> pinctrl-mtk-common.h instead, which provides another definition of<br /> struct mtk_pinctrl that does not contain an &amp;#39;soc&amp;#39; field.<br /> <br /> Since mtk_eint_do_init() can be called both by v1 and v2 drivers, it<br /> will now try to dereference an invalid pointer when called on v1<br /> platforms. This has been observed on Genio 350 EVK (MT8365), which<br /> crashes very early in boot (the kernel trace can only be seen with<br /> earlycon).<br /> <br /> In order to fix this, since &amp;#39;struct mtk_pinctrl&amp;#39; was only needed to get<br /> a &amp;#39;struct mtk_eint_pin&amp;#39;, make &amp;#39;struct mtk_eint_pin&amp;#39; a parameter<br /> of mtk_eint_do_init() so that callers need to supply it, removing<br /> mtk_eint_do_init()&amp;#39;s dependency on any particular &amp;#39;struct mtk_pinctrl&amp;#39;.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ring-buffer: Do not trigger WARN_ON() due to a commit_overrun<br /> <br /> When reading a memory mapped buffer the reader page is just swapped out<br /> with the last page written in the write buffer. If the reader page is the<br /> same as the commit buffer (the buffer that is currently being written to)<br /> it was assumed that it should never have missed events. If it does, it<br /> triggers a WARN_ON_ONCE().<br /> <br /> But there just happens to be one scenario where this can legitimately<br /> happen. That is on a commit_overrun. A commit overrun is when an interrupt<br /> preempts an event being written to the buffer and then the interrupt adds<br /> so many new events that it fills and wraps the buffer back to the commit.<br /> Any new events would then be dropped and be reported as "missed_events".<br /> <br /> In this case, the next page to read is the commit buffer and after the<br /> swap of the reader page, the reader page will be the commit buffer, but<br /> this time there will be missed events and this triggers the following<br /> warning:<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 2 PID: 1127 at kernel/trace/ring_buffer.c:7357 ring_buffer_map_get_reader+0x49a/0x780<br /> Modules linked in: kvm_intel kvm irqbypass<br /> CPU: 2 UID: 0 PID: 1127 Comm: trace-cmd Not tainted 6.15.0-rc7-test-00004-g478bc2824b45-dirty #564 PREEMPT<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> RIP: 0010:ring_buffer_map_get_reader+0x49a/0x780<br /> Code: 00 00 00 48 89 fe 48 c1 ee 03 80 3c 2e 00 0f 85 ec 01 00 00 4d 3b a6 a8 00 00 00 0f 85 8a fd ff ff 48 85 c0 0f 84 55 fe ff ff 0b e9 4e fe ff ff be 08 00 00 00 4c 89 54 24 58 48 89 54 24 50<br /> RSP: 0018:ffff888121787dc0 EFLAGS: 00010002<br /> RAX: 00000000000006a2 RBX: ffff888100062800 RCX: ffffffff8190cb49<br /> RDX: ffff888126934c00 RSI: 1ffff11020200a15 RDI: ffff8881010050a8<br /> RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed1024d26982<br /> R10: ffff888126934c17 R11: ffff8881010050a8 R12: ffff888126934c00<br /> R13: ffff8881010050b8 R14: ffff888101005000 R15: ffff888126930008<br /> FS: 00007f95c8cd7540(0000) GS:ffff8882b576e000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f95c8de4dc0 CR3: 0000000128452002 CR4: 0000000000172ef0<br /> Call Trace:<br /> <br /> ? __pfx_ring_buffer_map_get_reader+0x10/0x10<br /> tracing_buffers_ioctl+0x283/0x370<br /> __x64_sys_ioctl+0x134/0x190<br /> do_syscall_64+0x79/0x1c0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> RIP: 0033:0x7f95c8de48db<br /> Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00<br /> RSP: 002b:00007ffe037ba110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br /> RAX: ffffffffffffffda RBX: 00007ffe037bb2b0 RCX: 00007f95c8de48db<br /> RDX: 0000000000000000 RSI: 0000000000005220 RDI: 0000000000000006<br /> RBP: 00007ffe037ba180 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> R13: 00007ffe037bb6f8 R14: 00007f95c9065000 R15: 00005575c7492c90<br /> <br /> irq event stamp: 5080<br /> hardirqs last enabled at (5079): [] _raw_spin_unlock_irqrestore+0x50/0x70<br /> hardirqs last disabled at (5080): [] _raw_spin_lock_irqsave+0x63/0x70<br /> softirqs last enabled at (4182): [] handle_softirqs+0x552/0x710<br /> softirqs last disabled at (4159): [] __irq_exit_rcu+0x107/0x210<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> The above was triggered by running on a kernel with both lockdep and KASAN<br /> as well as kmemleak enabled and executing the following command:<br /> <br /> # perf record -o perf-test.dat -a -- trace-cmd record --nosplice -e all -p function hackbench 50<br /> <br /> With perf interjecting a lot of interrupts and trace-cmd enabling all<br /> events as well as function tracing, with lockdep, KASAN and kmemleak<br /> enabled, it could cause an interrupt preempting an event being written to<br /> add enough event<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work<br /> <br /> A state check was previously added to tcpm_queue_vdm_unlocked to<br /> prevent a deadlock where the DisplayPort Alt Mode driver would be<br /> executing work and attempting to grab the tcpm_lock while the TCPM<br /> was holding the lock and attempting to unregister the altmode, blocking<br /> on the altmode driver&amp;#39;s cancel_work_sync call.<br /> <br /> Because the state check isn&amp;#39;t protected, there is a small window<br /> where the Alt Mode driver could determine that the TCPM is<br /> in a ready state and attempt to grab the lock while the<br /> TCPM grabs the lock and changes the TCPM state to one that<br /> causes the deadlock. The callstack is provided below:<br /> <br /> [110121.667392][ C7] Call trace:<br /> [110121.667396][ C7] __switch_to+0x174/0x338<br /> [110121.667406][ C7] __schedule+0x608/0x9f0<br /> [110121.667414][ C7] schedule+0x7c/0xe8<br /> [110121.667423][ C7] kernfs_drain+0xb0/0x114<br /> [110121.667431][ C7] __kernfs_remove+0x16c/0x20c<br /> [110121.667436][ C7] kernfs_remove_by_name_ns+0x74/0xe8<br /> [110121.667442][ C7] sysfs_remove_group+0x84/0xe8<br /> [110121.667450][ C7] sysfs_remove_groups+0x34/0x58<br /> [110121.667458][ C7] device_remove_groups+0x10/0x20<br /> [110121.667464][ C7] device_release_driver_internal+0x164/0x2e4<br /> [110121.667475][ C7] device_release_driver+0x18/0x28<br /> [110121.667484][ C7] bus_remove_device+0xec/0x118<br /> [110121.667491][ C7] device_del+0x1e8/0x4ac<br /> [110121.667498][ C7] device_unregister+0x18/0x38<br /> [110121.667504][ C7] typec_unregister_altmode+0x30/0x44<br /> [110121.667515][ C7] tcpm_reset_port+0xac/0x370<br /> [110121.667523][ C7] tcpm_snk_detach+0x84/0xb8<br /> [110121.667529][ C7] run_state_machine+0x4c0/0x1b68<br /> [110121.667536][ C7] tcpm_state_machine_work+0x94/0xe4<br /> [110121.667544][ C7] kthread_worker_fn+0x10c/0x244<br /> [110121.667552][ C7] kthread+0x104/0x1d4<br /> [110121.667557][ C7] ret_from_fork+0x10/0x20<br /> <br /> [110121.667689][ C7] Workqueue: events dp_altmode_work<br /> [110121.667697][ C7] Call trace:<br /> [110121.667701][ C7] __switch_to+0x174/0x338<br /> [110121.667710][ C7] __schedule+0x608/0x9f0<br /> [110121.667717][ C7] schedule+0x7c/0xe8<br /> [110121.667725][ C7] schedule_preempt_disabled+0x24/0x40<br /> [110121.667733][ C7] __mutex_lock+0x408/0xdac<br /> [110121.667741][ C7] __mutex_lock_slowpath+0x14/0x24<br /> [110121.667748][ C7] mutex_lock+0x40/0xec<br /> [110121.667757][ C7] tcpm_altmode_enter+0x78/0xb4<br /> [110121.667764][ C7] typec_altmode_enter+0xdc/0x10c<br /> [110121.667769][ C7] dp_altmode_work+0x68/0x164<br /> [110121.667775][ C7] process_one_work+0x1e4/0x43c<br /> [110121.667783][ C7] worker_thread+0x25c/0x430<br /> [110121.667789][ C7] kthread+0x104/0x1d4<br /> [110121.667794][ C7] ret_from_fork+0x10/0x20<br /> <br /> Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work,<br /> which can perform the state check while holding the TCPM lock<br /> while the Alt Mode lock is no longer held. This requires a new<br /> struct to hold the vdm data, altmode_vdm_event.

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.<br /> <br /> This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.

The Hostel WordPress plugin before 1.1.5.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

The Lana Downloads Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the endpoint parameters in versions up to, and including, 1.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Hostel WordPress plugin before 1.1.5.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.