Vulnerabilities

Cross-Site Request Forgery (CSRF) vulnerability in Ahmet İmamoğlu Ahmeti Wp Güzel Sözler allows Cross Site Request Forgery.This issue affects Ahmeti Wp Güzel Sözler: from n/a through 4.0.

Missing Authorization vulnerability in AutoQuiz AI Quiz allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects AI Quiz: from n/a through 1.1.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bdevs Generic Elements allows DOM-Based XSS.This issue affects Generic Elements: from n/a through 1.2.3.

Cross-Site Request Forgery (CSRF) vulnerability in ITERAS ITERAS allows Stored XSS.This issue affects ITERAS: from n/a through 1.7.0.

Cross-Site Request Forgery (CSRF) vulnerability in Jean-Marc BIANCA Hotlink2Watermark allows Stored XSS.This issue affects Hotlink2Watermark: from n/a through 0.3.2.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: fix data-races around sk-&gt;sk_forward_alloc<br /> <br /> Syzkaller reported this warning:<br /> ------------[ cut here ]------------<br /> WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014<br /> RIP: 0010:inet_sock_destruct+0x1c5/0x1e0<br /> Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00<br /> RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206<br /> RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007<br /> RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00<br /> RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007<br /> R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00<br /> R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78<br /> FS: 0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ? __warn+0x88/0x130<br /> ? inet_sock_destruct+0x1c5/0x1e0<br /> ? report_bug+0x18e/0x1a0<br /> ? handle_bug+0x53/0x90<br /> ? exc_invalid_op+0x18/0x70<br /> ? asm_exc_invalid_op+0x1a/0x20<br /> ? inet_sock_destruct+0x1c5/0x1e0<br /> __sk_destruct+0x2a/0x200<br /> rcu_do_batch+0x1aa/0x530<br /> ? rcu_do_batch+0x13b/0x530<br /> rcu_core+0x159/0x2f0<br /> handle_softirqs+0xd3/0x2b0<br /> ? __pfx_smpboot_thread_fn+0x10/0x10<br /> run_ksoftirqd+0x25/0x30<br /> smpboot_thread_fn+0xdd/0x1d0<br /> kthread+0xd3/0x100<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x34/0x50<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> ---[ end trace 0000000000000000 ]---<br /> <br /> Its possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add()<br /> concurrently when sk-&gt;sk_state == TCP_LISTEN with sk-&gt;sk_lock unlocked,<br /> which triggers a data-race around sk-&gt;sk_forward_alloc:<br /> tcp_v6_rcv<br /> tcp_v6_do_rcv<br /> skb_clone_and_charge_r<br /> sk_rmem_schedule<br /> __sk_mem_schedule<br /> sk_forward_alloc_add()<br /> skb_set_owner_r<br /> sk_mem_charge<br /> sk_forward_alloc_add()<br /> __kfree_skb<br /> skb_release_all<br /> skb_release_head_state<br /> sock_rfree<br /> sk_mem_uncharge<br /> sk_forward_alloc_add()<br /> sk_mem_reclaim<br /> // set local var reclaimable<br /> __sk_mem_reclaim<br /> sk_forward_alloc_add()<br /> <br /> In this syzkaller testcase, two threads call<br /> tcp_v6_do_rcv() with skb-&gt;truesize=768, the sk_forward_alloc changes like<br /> this:<br /> (cpu 1) | (cpu 2) | sk_forward_alloc<br /> ... | ... | 0<br /> __sk_mem_schedule() | | +4096 = 4096<br /> | __sk_mem_schedule() | +4096 = 8192<br /> sk_mem_charge() | | -768 = 7424<br /> | sk_mem_charge() | -768 = 6656<br /> ... | ... |<br /> sk_mem_uncharge() | | +768 = 7424<br /> reclaimable=7424 | |<br /> | sk_mem_uncharge() | +768 = 8192<br /> | reclaimable=8192 |<br /> __sk_mem_reclaim() | | -4096 = 4096<br /> | __sk_mem_reclaim() | -8192 = -4096 != 0<br /> <br /> The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when<br /> sk-&gt;sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock().<br /> Fix the same issue in dccp_v6_do_rcv().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: cope racing subflow creation in mptcp_rcv_space_adjust<br /> <br /> Additional active subflows - i.e. created by the in kernel path<br /> manager - are included into the subflow list before starting the<br /> 3whs.<br /> <br /> A racing recvmsg() spooling data received on an already established<br /> subflow would unconditionally call tcp_cleanup_rbuf() on all the<br /> current subflows, potentially hitting a divide by zero error on<br /> the newly created ones.<br /> <br /> Explicitly check that the subflow is in a suitable state before<br /> invoking tcp_cleanup_rbuf().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: error out earlier on disconnect<br /> <br /> Eric reported a division by zero splat in the MPTCP protocol:<br /> <br /> Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI<br /> CPU: 1 UID: 0 PID: 6094 Comm: syz-executor317 Not tainted<br /> 6.12.0-rc5-syzkaller-00291-g05b92660cdfe #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine,<br /> BIOS Google 09/13/2024<br /> RIP: 0010:__tcp_select_window+0x5b4/0x1310 net/ipv4/tcp_output.c:3163<br /> Code: f6 44 01 e3 89 df e8 9b 75 09 f8 44 39 f3 0f 8d 11 ff ff ff e8<br /> 0d 74 09 f8 45 89 f4 e9 04 ff ff ff e8 00 74 09 f8 44 89 f0 99 7c<br /> 24 14 41 29 d6 45 89 f4 e9 ec fe ff ff e8 e8 73 09 f8 48 89<br /> RSP: 0018:ffffc900041f7930 EFLAGS: 00010293<br /> RAX: 0000000000017e67 RBX: 0000000000017e67 RCX: ffffffff8983314b<br /> RDX: 0000000000000000 RSI: ffffffff898331b0 RDI: 0000000000000004<br /> RBP: 00000000005d6000 R08: 0000000000000004 R09: 0000000000017e67<br /> R10: 0000000000003e80 R11: 0000000000000000 R12: 0000000000003e80<br /> R13: ffff888031d9b440 R14: 0000000000017e67 R15: 00000000002eb000<br /> FS: 00007feb5d7f16c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007feb5d8adbb8 CR3: 0000000074e4c000 CR4: 00000000003526f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> __tcp_cleanup_rbuf+0x3e7/0x4b0 net/ipv4/tcp.c:1493<br /> mptcp_rcv_space_adjust net/mptcp/protocol.c:2085 [inline]<br /> mptcp_recvmsg+0x2156/0x2600 net/mptcp/protocol.c:2289<br /> inet_recvmsg+0x469/0x6a0 net/ipv4/af_inet.c:885<br /> sock_recvmsg_nosec net/socket.c:1051 [inline]<br /> sock_recvmsg+0x1b2/0x250 net/socket.c:1073<br /> __sys_recvfrom+0x1a5/0x2e0 net/socket.c:2265<br /> __do_sys_recvfrom net/socket.c:2283 [inline]<br /> __se_sys_recvfrom net/socket.c:2279 [inline]<br /> __x64_sys_recvfrom+0xe0/0x1c0 net/socket.c:2279<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7feb5d857559<br /> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48<br /> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d<br /> 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007feb5d7f1208 EFLAGS: 00000246 ORIG_RAX: 000000000000002d<br /> RAX: ffffffffffffffda RBX: 00007feb5d8e1318 RCX: 00007feb5d857559<br /> RDX: 000000800000000e RSI: 0000000000000000 RDI: 0000000000000003<br /> RBP: 00007feb5d8e1310 R08: 0000000000000000 R09: ffffffff81000000<br /> R10: 0000000000000100 R11: 0000000000000246 R12: 00007feb5d8e131c<br /> R13: 00007feb5d8ae074 R14: 000000800000000e R15: 00000000fffffdef<br /> <br /> and provided a nice reproducer.<br /> <br /> The root cause is the current bad handling of racing disconnect.<br /> After the blamed commit below, sk_wait_data() can return (with<br /> error) with the underlying socket disconnected and a zero rcv_mss.<br /> <br /> Catch the error and return without performing any additional<br /> operations on the current socket.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client<br /> <br /> A number of Zen4 client SoCs advertise the ability to use virtualized<br /> VMLOAD/VMSAVE, but using these instructions is reported to be a cause<br /> of a random host reboot.<br /> <br /> These instructions aren&amp;#39;t intended to be advertised on Zen4 client<br /> so clear the capability.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/vmwgfx: avoid null_ptr_deref in vmw_framebuffer_surface_create_handle<br /> <br /> The &amp;#39;vmw_user_object_buffer&amp;#39; function may return NULL with incorrect<br /> inputs. To avoid possible null pointer dereference, add a check whether<br /> the &amp;#39;bo&amp;#39; is NULL in the vmw_framebuffer_surface_create_handle.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/panthor: Fix handling of partial GPU mapping of BOs<br /> <br /> This commit fixes the bug in the handling of partial mapping of the<br /> buffer objects to the GPU, which caused kernel warnings.<br /> <br /> Panthor didn&amp;#39;t correctly handle the case where the partial mapping<br /> spanned multiple scatterlists and the mapping offset didn&amp;#39;t point<br /> to the 1st page of starting scatterlist. The offset variable was<br /> not cleared after reaching the starting scatterlist.<br /> <br /> Following warning messages were seen.<br /> WARNING: CPU: 1 PID: 650 at drivers/iommu/io-pgtable-arm.c:659 __arm_lpae_unmap+0x254/0x5a0<br /> <br /> pc : __arm_lpae_unmap+0x254/0x5a0<br /> lr : __arm_lpae_unmap+0x2cc/0x5a0<br /> <br /> Call trace:<br /> __arm_lpae_unmap+0x254/0x5a0<br /> __arm_lpae_unmap+0x108/0x5a0<br /> __arm_lpae_unmap+0x108/0x5a0<br /> __arm_lpae_unmap+0x108/0x5a0<br /> arm_lpae_unmap_pages+0x80/0xa0<br /> panthor_vm_unmap_pages+0xac/0x1c8 [panthor]<br /> panthor_gpuva_sm_step_unmap+0x4c/0xc8 [panthor]<br /> op_unmap_cb.isra.23.constprop.30+0x54/0x80<br /> __drm_gpuvm_sm_unmap+0x184/0x1c8<br /> drm_gpuvm_sm_unmap+0x40/0x60<br /> panthor_vm_exec_op+0xa8/0x120 [panthor]<br /> panthor_vm_bind_exec_sync_op+0xc4/0xe8 [panthor]<br /> panthor_ioctl_vm_bind+0x10c/0x170 [panthor]<br /> drm_ioctl_kernel+0xbc/0x138<br /> drm_ioctl+0x210/0x4b0<br /> __arm64_sys_ioctl+0xb0/0xf8<br /> invoke_syscall+0x4c/0x110<br /> el0_svc_common.constprop.1+0x98/0xf8<br /> do_el0_svc+0x24/0x38<br /> el0_svc+0x34/0xc8<br /> el0t_64_sync_handler+0xa0/0xc8<br /> el0t_64_sync+0x174/0x178<br /> <br /> panthor : [drm] drm_WARN_ON(unmapped_sz != pgsize * pgcount)<br /> WARNING: CPU: 1 PID: 650 at drivers/gpu/drm/panthor/panthor_mmu.c:922 panthor_vm_unmap_pages+0x124/0x1c8 [panthor]<br /> <br /> pc : panthor_vm_unmap_pages+0x124/0x1c8 [panthor]<br /> lr : panthor_vm_unmap_pages+0x124/0x1c8 [panthor]<br /> <br /> panthor : [drm] *ERROR* failed to unmap range ffffa388f000-ffffa3890000 (requested range ffffa388c000-ffffa3890000)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> virtio/vsock: Improve MSG_ZEROCOPY error handling<br /> <br /> Add a missing kfree_skb() to prevent memory leaks.