Vulnerabilities

Missing Authentication for Critical Function, Missing Authorization vulnerability in Yordam Information Technology Mobile Library Application allows Retrieve Embedded Sensitive Data.This issue affects Mobile Library Application: before 5.0.

An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token theft can originate from different methods such as network captures, locally stored web information, etc.

Vulnerability in CIRCUTOR TCP2RS+ firmware version 1.3b, which could allow an attacker to modify any configuration value, even if the device has the user/password authentication option enabled, without authentication by sending packets through the UDP protocol and port 2000, deconfiguring the device and thus disabling its use. This equipment is at the end of its useful life cycle.

IBM Business Automation Workflow <br /> <br /> 22.0.2, 23.0.1, 23.0.2, and 24.0.0<br /> <br /> could allow a privileged user to perform unauthorized activities due to improper client side validation.

CIRCUTOR Q-SMT in its firmware version 1.0.4, could be affected by a denial of service (DoS) attack if an attacker with access to the web service bypasses the authentication mechanisms on the login page, allowing the attacker to use all the functionalities implemented at web level that allow interacting with the device.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> codetag: debug: mark codetags for poisoned page as empty<br /> <br /> When PG_hwpoison pages are freed they are treated differently in<br /> free_pages_prepare() and instead of being released they are isolated.<br /> <br /> Page allocation tag counters are decremented at this point since the page<br /> is considered not in use. Later on when such pages are released by<br /> unpoison_memory(), the allocation tag counters will be decremented again<br /> and the following warning gets reported:<br /> <br /> [ 113.930443][ T3282] ------------[ cut here ]------------<br /> [ 113.931105][ T3282] alloc_tag was not set<br /> [ 113.931576][ T3282] WARNING: CPU: 2 PID: 3282 at ./include/linux/alloc_tag.h:130 pgalloc_tag_sub.part.66+0x154/0x164<br /> [ 113.932866][ T3282] Modules linked in: hwpoison_inject fuse ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ebtable_broute ip6table_nat ip6table_man4<br /> [ 113.941638][ T3282] CPU: 2 UID: 0 PID: 3282 Comm: madvise11 Kdump: loaded Tainted: G W 6.11.0-rc4-dirty #18<br /> [ 113.943003][ T3282] Tainted: [W]=WARN<br /> [ 113.943453][ T3282] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022<br /> [ 113.944378][ T3282] pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 113.945319][ T3282] pc : pgalloc_tag_sub.part.66+0x154/0x164<br /> [ 113.946016][ T3282] lr : pgalloc_tag_sub.part.66+0x154/0x164<br /> [ 113.946706][ T3282] sp : ffff800087093a10<br /> [ 113.947197][ T3282] x29: ffff800087093a10 x28: ffff0000d7a9d400 x27: ffff80008249f0a0<br /> [ 113.948165][ T3282] x26: 0000000000000000 x25: ffff80008249f2b0 x24: 0000000000000000<br /> [ 113.949134][ T3282] x23: 0000000000000001 x22: 0000000000000001 x21: 0000000000000000<br /> [ 113.950597][ T3282] x20: ffff0000c08fcad8 x19: ffff80008251e000 x18: ffffffffffffffff<br /> [ 113.952207][ T3282] x17: 0000000000000000 x16: 0000000000000000 x15: ffff800081746210<br /> [ 113.953161][ T3282] x14: 0000000000000000 x13: 205d323832335420 x12: 5b5d353031313339<br /> [ 113.954120][ T3282] x11: ffff800087093500 x10: 000000000000005d x9 : 00000000ffffffd0<br /> [ 113.955078][ T3282] x8 : 7f7f7f7f7f7f7f7f x7 : ffff80008236ba90 x6 : c0000000ffff7fff<br /> [ 113.956036][ T3282] x5 : ffff000b34bf4dc8 x4 : ffff8000820aba90 x3 : 0000000000000001<br /> [ 113.956994][ T3282] x2 : ffff800ab320f000 x1 : 841d1e35ac932e00 x0 : 0000000000000000<br /> [ 113.957962][ T3282] Call trace:<br /> [ 113.958350][ T3282] pgalloc_tag_sub.part.66+0x154/0x164<br /> [ 113.959000][ T3282] pgalloc_tag_sub+0x14/0x1c<br /> [ 113.959539][ T3282] free_unref_page+0xf4/0x4b8<br /> [ 113.960096][ T3282] __folio_put+0xd4/0x120<br /> [ 113.960614][ T3282] folio_put+0x24/0x50<br /> [ 113.961103][ T3282] unpoison_memory+0x4f0/0x5b0<br /> [ 113.961678][ T3282] hwpoison_unpoison+0x30/0x48 [hwpoison_inject]<br /> [ 113.962436][ T3282] simple_attr_write_xsigned.isra.34+0xec/0x1cc<br /> [ 113.963183][ T3282] simple_attr_write+0x38/0x48<br /> [ 113.963750][ T3282] debugfs_attr_write+0x54/0x80<br /> [ 113.964330][ T3282] full_proxy_write+0x68/0x98<br /> [ 113.964880][ T3282] vfs_write+0xdc/0x4d0<br /> [ 113.965372][ T3282] ksys_write+0x78/0x100<br /> [ 113.965875][ T3282] __arm64_sys_write+0x24/0x30<br /> [ 113.966440][ T3282] invoke_syscall+0x7c/0x104<br /> [ 113.966984][ T3282] el0_svc_common.constprop.1+0x88/0x104<br /> [ 113.967652][ T3282] do_el0_svc+0x2c/0x38<br /> [ 113.968893][ T3282] el0_svc+0x3c/0x1b8<br /> [ 113.969379][ T3282] el0t_64_sync_handler+0x98/0xbc<br /> [ 113.969980][ T3282] el0t_64_sync+0x19c/0x1a0<br /> [ 113.970511][ T3282] ---[ end trace 0000000000000000 ]---<br /> <br /> To fix this, clear the page tag reference after the page got isolated<br /> and accounted for.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: misaligned: Restrict user access to kernel memory<br /> <br /> raw_copy_{to,from}_user() do not call access_ok(), so this code allowed<br /> userspace to access any virtual memory address.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder<br /> <br /> Since commit 13f58267cda3 ("ASoC: soc.h: don&amp;#39;t create dummy Component<br /> via COMP_DUMMY()") dummy codecs declared like this:<br /> <br /> SND_SOC_DAILINK_DEF(dummy,<br /> DAILINK_COMP_ARRAY(COMP_DUMMY()));<br /> <br /> expand to:<br /> <br /> static struct snd_soc_dai_link_component dummy[] = {<br /> };<br /> <br /> Which means that dummy is a zero sized array and thus dais[i].codecs should<br /> not be dereferenced *at all* since it points to the address of the next<br /> variable stored in the data section as the "dummy" variable has an address<br /> but no size, so even dereferencing dais[0] is already an out of bounds<br /> array reference.<br /> <br /> Which means that the if (dais[i].codecs-&gt;name) check added in<br /> commit 7d99a70b6595 ("ASoC: Intel: Boards: Fix NULL pointer deref<br /> in BYT/CHT boards") relies on that the part of the next variable which<br /> the name member maps to just happens to be NULL.<br /> <br /> Which apparently so far it usually is, except when it isn&amp;#39;t<br /> and then it results in crashes like this one:<br /> <br /> [ 28.795659] BUG: unable to handle page fault for address: 0000000000030011<br /> ...<br /> [ 28.795780] Call Trace:<br /> [ 28.795787] <br /> ...<br /> [ 28.795862] ? strcmp+0x18/0x40<br /> [ 28.795872] 0xffffffffc150c605<br /> [ 28.795887] platform_probe+0x40/0xa0<br /> ...<br /> [ 28.795979] ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102]<br /> <br /> Really fix things this time around by checking dais.num_codecs != 0.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix double put of @cfile in smb2_set_path_size()<br /> <br /> If smb2_compound_op() is called with a valid @cfile and returned<br /> -EINVAL, we need to call cifs_get_writable_path() before retrying it<br /> as the reference of @cfile was already dropped by previous call.<br /> <br /> This fixes the following KASAN splat when running fstests generic/013<br /> against Windows Server 2022:<br /> <br /> CIFS: Attempting to mount //w22-fs0/scratch<br /> run fstests generic/013 at 2024-09-02 19:48:59<br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200<br /> Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176<br /> <br /> CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40<br /> 04/01/2014<br /> Workqueue: cifsoplockd cifs_oplock_break [cifs]<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x5d/0x80<br /> ? detach_if_pending+0xab/0x200<br /> print_report+0x156/0x4d9<br /> ? detach_if_pending+0xab/0x200<br /> ? __virt_addr_valid+0x145/0x300<br /> ? __phys_addr+0x46/0x90<br /> ? detach_if_pending+0xab/0x200<br /> kasan_report+0xda/0x110<br /> ? detach_if_pending+0xab/0x200<br /> detach_if_pending+0xab/0x200<br /> timer_delete+0x96/0xe0<br /> ? __pfx_timer_delete+0x10/0x10<br /> ? rcu_is_watching+0x20/0x50<br /> try_to_grab_pending+0x46/0x3b0<br /> __cancel_work+0x89/0x1b0<br /> ? __pfx___cancel_work+0x10/0x10<br /> ? kasan_save_track+0x14/0x30<br /> cifs_close_deferred_file+0x110/0x2c0 [cifs]<br /> ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]<br /> ? __pfx_down_read+0x10/0x10<br /> cifs_oplock_break+0x4c1/0xa50 [cifs]<br /> ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]<br /> ? lock_is_held_type+0x85/0xf0<br /> ? mark_held_locks+0x1a/0x90<br /> process_one_work+0x4c6/0x9f0<br /> ? find_held_lock+0x8a/0xa0<br /> ? __pfx_process_one_work+0x10/0x10<br /> ? lock_acquired+0x220/0x550<br /> ? __list_add_valid_or_report+0x37/0x100<br /> worker_thread+0x2e4/0x570<br /> ? __kthread_parkme+0xd1/0xf0<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0x17f/0x1c0<br /> ? kthread+0xda/0x1c0<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x31/0x60<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> <br /> Allocated by task 1118:<br /> kasan_save_stack+0x30/0x50<br /> kasan_save_track+0x14/0x30<br /> __kasan_kmalloc+0xaa/0xb0<br /> cifs_new_fileinfo+0xc8/0x9d0 [cifs]<br /> cifs_atomic_open+0x467/0x770 [cifs]<br /> lookup_open.isra.0+0x665/0x8b0<br /> path_openat+0x4c3/0x1380<br /> do_filp_open+0x167/0x270<br /> do_sys_openat2+0x129/0x160<br /> __x64_sys_creat+0xad/0xe0<br /> do_syscall_64+0xbb/0x1d0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Freed by task 83:<br /> kasan_save_stack+0x30/0x50<br /> kasan_save_track+0x14/0x30<br /> kasan_save_free_info+0x3b/0x70<br /> poison_slab_object+0xe9/0x160<br /> __kasan_slab_free+0x32/0x50<br /> kfree+0xf2/0x300<br /> process_one_work+0x4c6/0x9f0<br /> worker_thread+0x2e4/0x570<br /> kthread+0x17f/0x1c0<br /> ret_from_fork+0x31/0x60<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> Last potentially related work creation:<br /> kasan_save_stack+0x30/0x50<br /> __kasan_record_aux_stack+0xad/0xc0<br /> insert_work+0x29/0xe0<br /> __queue_work+0x5ea/0x760<br /> queue_work_on+0x6d/0x90<br /> _cifsFileInfo_put+0x3f6/0x770 [cifs]<br /> smb2_compound_op+0x911/0x3940 [cifs]<br /> smb2_set_path_size+0x228/0x270 [cifs]<br /> cifs_set_file_size+0x197/0x460 [cifs]<br /> cifs_setattr+0xd9c/0x14b0 [cifs]<br /> notify_change+0x4e3/0x740<br /> do_truncate+0xfa/0x180<br /> vfs_truncate+0x195/0x200<br /> __x64_sys_truncate+0x109/0x150<br /> do_syscall_64+0xbb/0x1d0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/qspinlock: Fix deadlock in MCS queue<br /> <br /> If an interrupt occurs in queued_spin_lock_slowpath() after we increment<br /> qnodesp-&gt;count and before node-&gt;lock is initialized, another CPU might<br /> see stale lock values in get_tail_qnode(). If the stale lock value happens<br /> to match the lock on that CPU, then we write to the "next" pointer of<br /> the wrong qnode. This causes a deadlock as the former CPU, once it becomes<br /> the head of the MCS queue, will spin indefinitely until it&amp;#39;s "next" pointer<br /> is set by its successor in the queue.<br /> <br /> Running stress-ng on a 16 core (16EC/16VP) shared LPAR, results in<br /> occasional lockups similar to the following:<br /> <br /> $ stress-ng --all 128 --vm-bytes 80% --aggressive \<br /> --maximize --oomable --verify --syslog \<br /> --metrics --times --timeout 5m<br /> <br /> watchdog: CPU 15 Hard LOCKUP<br /> ......<br /> NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490<br /> LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90<br /> Call Trace:<br /> 0xc000002cfffa3bf0 (unreliable)<br /> _raw_spin_lock+0x6c/0x90<br /> raw_spin_rq_lock_nested.part.135+0x4c/0xd0<br /> sched_ttwu_pending+0x60/0x1f0<br /> __flush_smp_call_function_queue+0x1dc/0x670<br /> smp_ipi_demux_relaxed+0xa4/0x100<br /> xive_muxed_ipi_action+0x20/0x40<br /> __handle_irq_event_percpu+0x80/0x240<br /> handle_irq_event_percpu+0x2c/0x80<br /> handle_percpu_irq+0x84/0xd0<br /> generic_handle_irq+0x54/0x80<br /> __do_irq+0xac/0x210<br /> __do_IRQ+0x74/0xd0<br /> 0x0<br /> do_IRQ+0x8c/0x170<br /> hardware_interrupt_common_virt+0x29c/0x2a0<br /> --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490<br /> ......<br /> NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490<br /> LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90<br /> --- interrupt: 500<br /> 0xc0000029c1a41d00 (unreliable)<br /> _raw_spin_lock+0x6c/0x90<br /> futex_wake+0x100/0x260<br /> do_futex+0x21c/0x2a0<br /> sys_futex+0x98/0x270<br /> system_call_exception+0x14c/0x2f0<br /> system_call_vectored_common+0x15c/0x2ec<br /> <br /> The following code flow illustrates how the deadlock occurs.<br /> For the sake of brevity, assume that both locks (A and B) are<br /> contended and we call the queued_spin_lock_slowpath() function.<br /> <br /> CPU0 CPU1<br /> ---- ----<br /> spin_lock_irqsave(A) |<br /> spin_unlock_irqrestore(A) |<br /> spin_lock(B) |<br /> | |<br /> ▼ |<br /> id = qnodesp-&gt;count++; |<br /> (Note that nodes[0].lock == A) |<br /> | |<br /> ▼ |<br /> Interrupt |<br /> (happens before "nodes[0].lock = B") |<br /> | |<br /> ▼ |<br /> spin_lock_irqsave(A) |<br /> | |<br /> ▼ |<br /> id = qnodesp-&gt;count++ |<br /> nodes[1].lock = A |<br /> | |<br /> ▼ |<br /> Tail of MCS queue |<br /> | spin_lock_irqsave(A)<br /> ▼ |<br /> Head of MCS queue ▼<br /> | CPU0 is previous tail<br /> ▼ |<br /> Spin indefinitely ▼<br /> (until "nodes[1].next != NULL") prev = get_tail_qnode(A, CPU0)<br /> |<br /> ▼<br /> prev == &amp;qnodes[CPU0].nodes[0]<br /> (as qnodes<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethernet: ti: am65-cpsw: Fix NULL dereference on XDP_TX<br /> <br /> If number of TX queues are set to 1 we get a NULL pointer<br /> dereference during XDP_TX.<br /> <br /> ~# ethtool -L eth0 tx 1<br /> ~# ./xdp-trafficgen udp -A -a eth0 -t 2<br /> Transmitting on eth0 (ifindex 2)<br /> [ 241.135257] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030<br /> <br /> Fix this by using actual TX queues instead of max TX queues<br /> when picking the TX channel in am65_cpsw_ndo_xdp_xmit().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libfs: fix get_stashed_dentry()<br /> <br /> get_stashed_dentry() tries to optimistically retrieve a stashed dentry<br /> from a provided location. It needs to ensure to hold rcu lock before it<br /> dereference the stashed location to prevent UAF issues. Use<br /> rcu_dereference() instead of READ_ONCE() it&amp;#39;s effectively equivalent<br /> with some lockdep bells and whistles and it communicates clearly that<br /> this expects rcu protection.