Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/rxe: Remove the direct link to net_device<br /> <br /> The similar patch in siw is in the link:<br /> https://git.kernel.org/rdma/rdma/c/16b87037b48889<br /> <br /> This problem also occurred in RXE. The following analyze this problem.<br /> In the following Call Traces:<br /> "<br /> BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782<br /> Read of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295<br /> <br /> CPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted<br /> 6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0<br /> Hardware name: Google Compute Engine/Google Compute Engine,<br /> BIOS Google 09/13/2024<br /> Workqueue: infiniband ib_cache_event_task<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:377 [inline]<br /> print_report+0x169/0x550 mm/kasan/report.c:488<br /> kasan_report+0x143/0x180 mm/kasan/report.c:601<br /> dev_get_flags+0x188/0x1d0 net/core/dev.c:8782<br /> rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60<br /> __ib_query_port drivers/infiniband/core/device.c:2111 [inline]<br /> ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143<br /> ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494<br /> ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568<br /> process_one_work kernel/workqueue.c:3229 [inline]<br /> process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310<br /> worker_thread+0x870/0xd30 kernel/workqueue.c:3391<br /> kthread+0x2f2/0x390 kernel/kthread.c:389<br /> ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br /> <br /> "<br /> <br /> 1). In the link [1],<br /> <br /> "<br /> infiniband syz2: set down<br /> "<br /> <br /> This means that on 839.350575, the event ib_cache_event_task was sent andi<br /> queued in ib_wq.<br /> <br /> 2). In the link [1],<br /> <br /> "<br /> team0 (unregistering): Port device team_slave_0 removed<br /> "<br /> <br /> It indicates that before 843.251853, the net device should be freed.<br /> <br /> 3). In the link [1],<br /> <br /> "<br /> BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0<br /> "<br /> <br /> This means that on 850.559070, this slab-use-after-free problem occurred.<br /> <br /> In all, on 839.350575, the event ib_cache_event_task was sent and queued<br /> in ib_wq,<br /> <br /> before 843.251853, the net device veth was freed.<br /> <br /> on 850.559070, this event was executed, and the mentioned freed net device<br /> was called. Thus, the above call trace occurred.<br /> <br /> [1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netrom: check buffer length before accessing it<br /> <br /> Syzkaller reports an uninit value read from ax25cmp when sending raw message<br /> through ieee802154 implementation.<br /> <br /> =====================================================<br /> BUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119<br /> ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119<br /> nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601<br /> nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774<br /> nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144<br /> __netdev_start_xmit include/linux/netdevice.h:4940 [inline]<br /> netdev_start_xmit include/linux/netdevice.h:4954 [inline]<br /> xmit_one net/core/dev.c:3548 [inline]<br /> dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564<br /> __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349<br /> dev_queue_xmit include/linux/netdevice.h:3134 [inline]<br /> raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299<br /> ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg net/socket.c:745 [inline]<br /> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584<br /> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638<br /> __sys_sendmsg net/socket.c:2667 [inline]<br /> __do_sys_sendmsg net/socket.c:2676 [inline]<br /> __se_sys_sendmsg net/socket.c:2674 [inline]<br /> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b<br /> <br /> Uninit was created at:<br /> slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768<br /> slab_alloc_node mm/slub.c:3478 [inline]<br /> kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523<br /> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560<br /> __alloc_skb+0x318/0x740 net/core/skbuff.c:651<br /> alloc_skb include/linux/skbuff.h:1286 [inline]<br /> alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334<br /> sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780<br /> sock_alloc_send_skb include/net/sock.h:1884 [inline]<br /> raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282<br /> ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg net/socket.c:745 [inline]<br /> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584<br /> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638<br /> __sys_sendmsg net/socket.c:2667 [inline]<br /> __do_sys_sendmsg net/socket.c:2676 [inline]<br /> __se_sys_sendmsg net/socket.c:2674 [inline]<br /> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b<br /> <br /> CPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023<br /> =====================================================<br /> <br /> This issue occurs because the skb buffer is too small, and it&amp;#39;s actual<br /> allocation is aligned. This hides an actual issue, which is that nr_route_frame<br /> does not validate the buffer size before using it.<br /> <br /> Fix this issue by checking skb-&gt;len before accessing any fields in skb-&gt;data.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext<br /> <br /> Access to genmask field in struct nft_set_ext results in unaligned<br /> atomic read:<br /> <br /> [ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c<br /> [ 72.131036] Mem abort info:<br /> [ 72.131213] ESR = 0x0000000096000021<br /> [ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 72.132209] SET = 0, FnV = 0<br /> [ 72.133216] EA = 0, S1PTW = 0<br /> [ 72.134080] FSC = 0x21: alignment fault<br /> [ 72.135593] Data abort info:<br /> [ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000<br /> [ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> [ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> [ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000<br /> [ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403,<br /> +pte=0068000102bb7707<br /> [ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP<br /> [...]<br /> [ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2<br /> [ 72.170509] Tainted: [E]=UNSIGNED_MODULE<br /> [ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023<br /> [ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]<br /> [ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)<br /> [ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]<br /> [ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables]<br /> [ 72.172546] sp : ffff800081f2bce0<br /> [ 72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038<br /> [ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78<br /> [ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78<br /> [ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000<br /> [ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978<br /> [ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0<br /> [ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000<br /> [ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000<br /> [ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000<br /> [ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004<br /> [ 72.176207] Call trace:<br /> [ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P)<br /> [ 72.176653] process_one_work+0x178/0x3d0<br /> [ 72.176831] worker_thread+0x200/0x3f0<br /> [ 72.176995] kthread+0xe8/0xf8<br /> [ 72.177130] ret_from_fork+0x10/0x20<br /> [ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f)<br /> [ 72.177557] ---[ end trace 0000000000000000 ]---<br /> <br /> Align struct nft_set_ext to word size to address this and<br /> documentation it.<br /> <br /> pahole reports that this increases the size of elements for rhash and<br /> pipapo in 8 bytes on x86_64.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvmet: Don&amp;#39;t overflow subsysnqn<br /> <br /> nvmet_root_discovery_nqn_store treats the subsysnqn string like a fixed<br /> size buffer, even though it is dynamically allocated to the size of the<br /> string.<br /> <br /> Create a new string with kstrndup instead of using the old buffer.

The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.10 via the &amp;#39;render&amp;#39; function in modules/modal-popup/widgets/modal-popup.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, and draft template data.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/rtrs: Ensure &amp;#39;ib_sge list&amp;#39; is accessible<br /> <br /> Move the declaration of the &amp;#39;ib_sge list&amp;#39; variable outside the<br /> &amp;#39;always_invalidate&amp;#39; block to ensure it remains accessible for use<br /> throughout the function.<br /> <br /> Previously, &amp;#39;ib_sge list&amp;#39; was declared within the &amp;#39;always_invalidate&amp;#39;<br /> block, limiting its accessibility, then caused a<br /> &amp;#39;BUG: kernel NULL pointer dereference&amp;#39;[1].<br /> ? __die_body.cold+0x19/0x27<br /> ? page_fault_oops+0x15a/0x2d0<br /> ? search_module_extables+0x19/0x60<br /> ? search_bpf_extables+0x5f/0x80<br /> ? exc_page_fault+0x7e/0x180<br /> ? asm_exc_page_fault+0x26/0x30<br /> ? memcpy_orig+0xd5/0x140<br /> rxe_mr_copy+0x1c3/0x200 [rdma_rxe]<br /> ? rxe_pool_get_index+0x4b/0x80 [rdma_rxe]<br /> copy_data+0xa5/0x230 [rdma_rxe]<br /> rxe_requester+0xd9b/0xf70 [rdma_rxe]<br /> ? finish_task_switch.isra.0+0x99/0x2e0<br /> rxe_sender+0x13/0x40 [rdma_rxe]<br /> do_task+0x68/0x1e0 [rdma_rxe]<br /> process_one_work+0x177/0x330<br /> worker_thread+0x252/0x390<br /> ? __pfx_worker_thread+0x10/0x10<br /> <br /> This change ensures the variable is available for subsequent operations<br /> that require it.<br /> <br /> [1] https://lore.kernel.org/linux-rdma/6a1f3e8f-deb0-49f9-bc69-a9b03ecfcda7@fujitsu.com/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: wwan: t7xx: Fix FSM command timeout issue<br /> <br /> When driver processes the internal state change command, it use an<br /> asynchronous thread to process the command operation. If the main<br /> thread detects that the task has timed out, the asynchronous thread<br /> will panic when executing the completion notification because the<br /> main thread completion object has been released.<br /> <br /> BUG: unable to handle page fault for address: fffffffffffffff8<br /> PGD 1f283a067 P4D 1f283a067 PUD 1f283c067 PMD 0<br /> Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> RIP: 0010:complete_all+0x3e/0xa0<br /> [...]<br /> Call Trace:<br /> <br /> ? __die_body+0x68/0xb0<br /> ? page_fault_oops+0x379/0x3e0<br /> ? exc_page_fault+0x69/0xa0<br /> ? asm_exc_page_fault+0x22/0x30<br /> ? complete_all+0x3e/0xa0<br /> fsm_main_thread+0xa3/0x9c0 [mtk_t7xx (HASH:1400 5)]<br /> ? __pfx_autoremove_wake_function+0x10/0x10<br /> kthread+0xd8/0x110<br /> ? __pfx_fsm_main_thread+0x10/0x10 [mtk_t7xx (HASH:1400 5)]<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x38/0x50<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1b/0x30<br /> <br /> [...]<br /> CR2: fffffffffffffff8<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> Use the reference counter to ensure safe release as Sergey suggests:<br /> https://lore.kernel.org/all/da90f64c-260a-4329-87bf-1f9ff20a5951@gmail.com/

A flaw was found in the FreeIPA API audit, where it sends the whole FreeIPA command line to journalctl. As a consequence, during the FreeIPA installation process, it inadvertently leaks the administrative user credentials, including the administrator password, to the journal database. In the worst-case scenario, where the journal log is centralized, users with access to it can have improper access to the FreeIPA administrator credentials.

The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the &amp;#39;nitropack_dismiss_notice_forever&amp;#39; AJAX action in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options to a fixed value of &amp;#39;1&amp;#39; which can activate certain options (e.g., enable user registration) or modify certain options in a way that leads to a denial of service condition.

The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note, that these transients can only be updated to integers and not arbitrary values.

The PDF for WPForms + Drag and Drop Template Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s yeepdf_dotab shortcode in all versions up to, and including, 4.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Inappropriate implementation in Fenced Frames in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to obtain potentially sensitive information from the system via a crafted HTML page. (Chromium security severity: Medium)