Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing: Fix bad hist from corrupting named_triggers list<br /> <br /> The following commands causes a crash:<br /> <br /> ~# cd /sys/kernel/tracing/events/rcu/rcu_callback<br /> ~# echo &amp;#39;hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)&amp;#39; &gt; trigger<br /> bash: echo: write error: Invalid argument<br /> ~# echo &amp;#39;hist:name=bad:keys=common_pid&amp;#39; &gt; trigger<br /> <br /> Because the following occurs:<br /> <br /> event_trigger_write() {<br /> trigger_process_regex() {<br /> event_hist_trigger_parse() {<br /> <br /> data = event_trigger_alloc(..);<br /> <br /> event_trigger_register(.., data) {<br /> cmd_ops-&gt;reg(.., data, ..) [hist_register_trigger()] {<br /> data-&gt;ops-&gt;init() [event_hist_trigger_init()] {<br /> save_named_trigger(name, data) {<br /> list_add(&amp;data-&gt;named_list, &amp;named_triggers);<br /> }<br /> }<br /> }<br /> }<br /> <br /> ret = create_actions(); (return -EINVAL)<br /> if (ret)<br /> goto out_unreg;<br /> [..]<br /> ret = hist_trigger_enable(data, ...) {<br /> list_add_tail_rcu(&amp;data-&gt;list, &amp;file-&gt;triggers); free) name)<br /> del_named_trigger(data) {<br /> list_del(&amp;data-&gt;named_list);

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> caif_virtio: fix wrong pointer check in cfv_probe()<br /> <br /> del_vqs() frees virtqueues, therefore cfv-&gt;vq_tx pointer should be checked<br /> for NULL before calling it, not cfv-&gt;vdev. Also the current implementation<br /> is redundant because the pointer cfv-&gt;vdev is dereferenced before it is<br /> checked for NULL.<br /> <br /> Fix this by checking cfv-&gt;vq_tx for NULL instead of cfv-&gt;vdev before<br /> calling del_vqs().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: iwlwifi: limit printed string from FW file<br /> <br /> There&amp;#39;s no guarantee here that the file is always with a<br /> NUL-termination, so reading the string may read beyond the<br /> end of the TLV. If that&amp;#39;s the last TLV in the file, it can<br /> perhaps even read beyond the end of the file buffer.<br /> <br /> Fix that by limiting the print format to the size of the<br /> buffer we have.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC<br /> <br /> Actually ENETC VFs do not support HWTSTAMP_TX_ONESTEP_SYNC because only<br /> ENETC PF can access PMa_SINGLE_STEP registers. And there will be a crash<br /> if VFs are used to test one-step timestamp, the crash log as follows.<br /> <br /> [ 129.110909] Unable to handle kernel paging request at virtual address 00000000000080c0<br /> [ 129.287769] Call trace:<br /> [ 129.290219] enetc_port_mac_wr+0x30/0xec (P)<br /> [ 129.294504] enetc_start_xmit+0xda4/0xe74<br /> [ 129.298525] enetc_xmit+0x70/0xec<br /> [ 129.301848] dev_hard_start_xmit+0x98/0x118

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf/core: Order the PMU list to fix warning about unordered pmu_ctx_list<br /> <br /> Syskaller triggers a warning due to prev_epc-&gt;pmu != next_epc-&gt;pmu in<br /> perf_event_swap_task_ctx_data(). vmcore shows that two lists have the same<br /> perf_event_pmu_context, but not in the same order.<br /> <br /> The problem is that the order of pmu_ctx_list for the parent is impacted by<br /> the time when an event/PMU is added. While the order for a child is<br /> impacted by the event order in the pinned_groups and flexible_groups. So<br /> the order of pmu_ctx_list in the parent and child may be different.<br /> <br /> To fix this problem, insert the perf_event_pmu_context to its proper place<br /> after iteration of the pmu_ctx_list.<br /> <br /> The follow testcase can trigger above warning:<br /> <br /> # perf record -e cycles --call-graph lbr -- taskset -c 3 ./a.out &amp;<br /> # perf stat -e cpu-clock,cs -p xxx // xxx is the pid of a.out<br /> <br /> test.c<br /> <br /> void main() {<br /> int count = 0;<br /> pid_t pid;<br /> <br /> printf("%d running\n", getpid());<br /> sleep(30);<br /> printf("running\n");<br /> <br /> pid = fork();<br /> if (pid == -1) {<br /> printf("fork error\n");<br /> return;<br /> }<br /> if (pid == 0) {<br /> while (1) {<br /> count++;<br /> }<br /> } else {<br /> while (1) {<br /> count++;<br /> }<br /> }<br /> }<br /> <br /> The testcase first opens an LBR event, so it will allocate task_ctx_data,<br /> and then open tracepoint and software events, so the parent context will<br /> have 3 different perf_event_pmu_contexts. On inheritance, child ctx will<br /> insert the perf_event_pmu_context in another order and the warning will<br /> trigger.<br /> <br /> [ mingo: Tidied up the changelog. ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fuse: revert back to __readahead_folio() for readahead<br /> <br /> In commit 3eab9d7bc2f4 ("fuse: convert readahead to use folios"), the<br /> logic was converted to using the new folio readahead code, which drops<br /> the reference on the folio once it is locked, using an inferred<br /> reference on the folio. Previously we held a reference on the folio for<br /> the entire duration of the readpages call.<br /> <br /> This is fine, however for the case for splice pipe responses where we<br /> will remove the old folio and splice in the new folio (see<br /> fuse_try_move_page()), we assume that there is a reference held on the<br /> folio for ap-&gt;folios, which is no longer the case.<br /> <br /> To fix this, revert back to __readahead_folio() which allows us to hold<br /> the reference on the folio for the duration of readpages until either we<br /> drop the reference ourselves in fuse_readpages_end() or the reference is<br /> dropped after it&amp;#39;s replaced in the page cache in the splice case.<br /> This will fix the UAF bug that was reported.

Cross-Site Request Forgery (CSRF) vulnerability in ProfitShare.ro WP Profitshare wp-profitshare allows Stored XSS.This issue affects WP Profitshare: from n/a through

Cross-Site Request Forgery (CSRF) vulnerability in Sami Ahmed Siddiqui JSON Structuring Markup json-structuring-markup allows Stored XSS.This issue affects JSON Structuring Markup: from n/a through

Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in reputeinfosystems BookingPress bookingpress-appointment-booking allows SQL Injection.This issue affects BookingPress: from n/a through

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Mashi Simple Map No Api simple-map-no-api allows Stored XSS.This issue affects Simple Map No Api: from n/a through

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Gosign Gosign – Posts Slider Block gosign-posts-slider-block allows Stored XSS.This issue affects Gosign – Posts Slider Block: from n/a through

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Themeum WP Crowdfunding wp-crowdfunding allows Stored XSS.This issue affects WP Crowdfunding: from n/a through