Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: Clear port select structure when fail to create<br /> <br /> Clear the port select structure on error so no stale values left after<br /> definers are destroyed. That&amp;#39;s because the mlx5_lag_destroy_definers()<br /> always try to destroy all lag definers in the tt_map, so in the flow<br /> below lag definers get double-destroyed and cause kernel crash:<br /> <br /> mlx5_lag_port_sel_create()<br /> mlx5_lag_create_definers()<br /> mlx5_lag_create_definer()

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gtp: Destroy device along with udp socket&amp;#39;s netns dismantle.<br /> <br /> gtp_newlink() links the device to a list in dev_net(dev) instead of<br /> src_net, where a udp tunnel socket is created.<br /> <br /> Even when src_net is removed, the device stays alive on dev_net(dev).<br /> Then, removing src_net triggers the splat below. [0]<br /> <br /> In this example, gtp0 is created in ns2, and the udp socket is created<br /> in ns1.<br /> <br /> ip netns add ns1<br /> ip netns add ns2<br /> ip -n ns1 link add netns ns2 name gtp0 type gtp role sgsn<br /> ip netns del ns1<br /> <br /> Let&amp;#39;s link the device to the socket&amp;#39;s netns instead.<br /> <br /> Now, gtp_net_exit_batch_rtnl() needs another netdev iteration to remove<br /> all gtp devices in the netns.<br /> <br /> [0]:<br /> ref_tracker: net notrefcnt@000000003d6e7d05 has 1/2 users at<br /> sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236)<br /> inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252)<br /> __sock_create (net/socket.c:1558)<br /> udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18)<br /> gtp_create_sock (./include/net/udp_tunnel.h:59 drivers/net/gtp.c:1423)<br /> gtp_create_sockets (drivers/net/gtp.c:1447)<br /> gtp_newlink (drivers/net/gtp.c:1507)<br /> rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012)<br /> rtnetlink_rcv_msg (net/core/rtnetlink.c:6922)<br /> netlink_rcv_skb (net/netlink/af_netlink.c:2542)<br /> netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347)<br /> netlink_sendmsg (net/netlink/af_netlink.c:1891)<br /> ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583)<br /> ___sys_sendmsg (net/socket.c:2639)<br /> __sys_sendmsg (net/socket.c:2669)<br /> do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)<br /> <br /> WARNING: CPU: 1 PID: 60 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)<br /> Modules linked in:<br /> CPU: 1 UID: 0 PID: 60 Comm: kworker/u16:2 Not tainted 6.13.0-rc5-00147-g4c1224501e9d #5<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014<br /> Workqueue: netns cleanup_net<br /> RIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179)<br /> Code: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89<br /> RSP: 0018:ff11000009a07b60 EFLAGS: 00010286<br /> RAX: 0000000000002bd3 RBX: ff1100000f4e1aa0 RCX: 1ffffffff0e40ac6<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c<br /> RBP: ff1100000f4e1af0 R08: 0000000000000001 R09: fffffbfff0e395ae<br /> R10: 0000000000000001 R11: 0000000000036001 R12: ff1100000f4e1af0<br /> R13: dead000000000100 R14: ff1100000f4e1af0 R15: dffffc0000000000<br /> FS: 0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f9b2464bd98 CR3: 0000000005286005 CR4: 0000000000771ef0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? __warn (kernel/panic.c:748)<br /> ? ref_tracker_dir_exit (lib/ref_tracker.c:179)<br /> ? report_bug (lib/bug.c:201 lib/bug.c:219)<br /> ? handle_bug (arch/x86/kernel/traps.c:285)<br /> ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1))<br /> ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)<br /> ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)<br /> ? ref_tracker_dir_exit (lib/ref_tracker.c:179)<br /> ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158)<br /> ? kfree (mm/slub.c:4613 mm/slub.c:4761)<br /> net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467)<br /> cleanup_net (net/core/net_namespace.c:664 (discriminator 3))<br /> process_one_work (kernel/workqueue.c:3229)<br /> worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: fec: handle page_pool_dev_alloc_pages error<br /> <br /> The fec_enet_update_cbd function calls page_pool_dev_alloc_pages but did<br /> not handle the case when it returned NULL. There was a WARN_ON(!new_page)<br /> but it would still proceed to use the NULL pointer and then crash.<br /> <br /> This case does seem somewhat rare but when the system is under memory<br /> pressure it can happen. One case where I can duplicate this with some<br /> frequency is when writing over a smbd share to a SATA HDD attached to an<br /> imx6q.<br /> <br /> Setting /proc/sys/vm/min_free_kbytes to higher values also seems to solve<br /> the problem for my test case. But it still seems wrong that the fec driver<br /> ignores the memory allocation error and can crash.<br /> <br /> This commit handles the allocation error by dropping the current packet.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mac802154: check local interfaces before deleting sdata list<br /> <br /> syzkaller reported a corrupted list in ieee802154_if_remove. [1]<br /> <br /> Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4<br /> hardware device from the system.<br /> <br /> CPU0 CPU1<br /> ==== ====<br /> genl_family_rcv_msg_doit ieee802154_unregister_hw<br /> ieee802154_del_iface ieee802154_remove_interfaces<br /> rdev_del_virtual_intf_deprecated list_del(&amp;sdata-&gt;list)<br /> ieee802154_if_remove<br /> list_del_rcu<br /> <br /> The net device has been unregistered, since the rcu grace period,<br /> unregistration must be run before ieee802154_if_remove.<br /> <br /> To avoid this issue, add a check for local-&gt;interfaces before deleting<br /> sdata list.<br /> <br /> [1]<br /> kernel BUG at lib/list_debug.c:58!<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI<br /> CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56<br /> Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7<br /> RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246<br /> RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00<br /> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000<br /> RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d<br /> R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000<br /> R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0<br /> FS: 0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> __list_del_entry_valid include/linux/list.h:124 [inline]<br /> __list_del_entry include/linux/list.h:215 [inline]<br /> list_del_rcu include/linux/rculist.h:157 [inline]<br /> ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687<br /> rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]<br /> ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323<br /> genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]<br /> genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]<br /> genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210<br /> netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551<br /> genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]<br /> netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357<br /> netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901<br /> sock_sendmsg_nosec net/socket.c:729 [inline]<br /> __sock_sendmsg+0x221/0x270 net/socket.c:744<br /> ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607<br /> ___sys_sendmsg net/socket.c:2661 [inline]<br /> __sys_sendmsg+0x292/0x380 net/socket.c:2690<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> filemap: avoid truncating 64-bit offset to 32 bits<br /> <br /> On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a<br /> 64-bit value to 32 bits, leading to a possible infinite loop when writing<br /> to an xfs filesystem.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]<br /> <br /> Recent reports have shown how we sometimes call vsock_*_has_data()<br /> when a vsock socket has been de-assigned from a transport (see attached<br /> links), but we shouldn&amp;#39;t.<br /> <br /> Previous commits should have solved the real problems, but we may have<br /> more in the future, so to avoid null-ptr-deref, we can return 0<br /> (no space, no data available) but with a warning.<br /> <br /> This way the code should continue to run in a nearly consistent state<br /> and have a warning that allows us to debug future problems.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iomap: avoid avoid truncating 64-bit offset to 32 bits<br /> <br /> on 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a<br /> 32-bit position due to folio_next_index() returning an unsigned long.<br /> This could lead to an infinite loop when writing to an xfs filesystem.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pmdomain: imx8mp-blk-ctrl: add missing loop break condition<br /> <br /> Currently imx8mp_blk_ctrl_remove() will continue the for loop<br /> until an out-of-bounds exception occurs.<br /> <br /> pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : dev_pm_domain_detach+0x8/0x48<br /> lr : imx8mp_blk_ctrl_shutdown+0x58/0x90<br /> sp : ffffffc084f8bbf0<br /> x29: ffffffc084f8bbf0 x28: ffffff80daf32ac0 x27: 0000000000000000<br /> x26: ffffffc081658d78 x25: 0000000000000001 x24: ffffffc08201b028<br /> x23: ffffff80d0db9490 x22: ffffffc082340a78 x21: 00000000000005b0<br /> x20: ffffff80d19bc180 x19: 000000000000000a x18: ffffffffffffffff<br /> x17: ffffffc080a39e08 x16: ffffffc080a39c98 x15: 4f435f464f006c72<br /> x14: 0000000000000004 x13: ffffff80d0172110 x12: 0000000000000000<br /> x11: ffffff80d0537740 x10: ffffff80d05376c0 x9 : ffffffc0808ed2d8<br /> x8 : ffffffc084f8bab0 x7 : 0000000000000000 x6 : 0000000000000000<br /> x5 : ffffff80d19b9420 x4 : fffffffe03466e60 x3 : 0000000080800077<br /> x2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000<br /> Call trace:<br /> dev_pm_domain_detach+0x8/0x48<br /> platform_shutdown+0x2c/0x48<br /> device_shutdown+0x158/0x268<br /> kernel_restart_prepare+0x40/0x58<br /> kernel_kexec+0x58/0xe8<br /> __do_sys_reboot+0x198/0x258<br /> __arm64_sys_reboot+0x2c/0x40<br /> invoke_syscall+0x5c/0x138<br /> el0_svc_common.constprop.0+0x48/0xf0<br /> do_el0_svc+0x24/0x38<br /> el0_svc+0x38/0xc8<br /> el0t_64_sync_handler+0x120/0x130<br /> el0t_64_sync+0x190/0x198<br /> Code: 8128c2d0 ffffffc0 aa1e03e9 d503201f

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible.

The The AI Infographic Maker plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.9.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

The eHive Objects Image Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s &amp;#39;ehive_objects_image_grid&amp;#39; shortcode in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s &amp;#39;bf_new_submission_link&amp;#39; shortcode in all versions up to, and including, 2.8.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.