Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bridge: mrp: reject zero test interval to avoid OOM panic<br /> <br /> br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied<br /> interval value from netlink without validation. When interval is 0,<br /> usecs_to_jiffies(0) yields 0, causing the delayed work<br /> (br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule<br /> itself with zero delay. This creates a tight loop on system_percpu_wq<br /> that allocates and transmits MRP test frames at maximum rate, exhausting<br /> all system memory and causing a kernel panic via OOM deadlock.<br /> <br /> The same zero-interval issue applies to br_mrp_start_in_test_parse()<br /> for interconnect test frames.<br /> <br /> Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both<br /> IFLA_BRIDGE_MRP_START_TEST_INTERVAL and<br /> IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the<br /> netlink attribute parsing layer before the value ever reaches the<br /> workqueue scheduling code. This is consistent with how other bridge<br /> subsystems (br_fdb, br_mst) enforce range constraints on netlink<br /> attributes.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: ipset: drop logically empty buckets in mtype_del<br /> <br /> mtype_del() counts empty slots below n-&gt;pos in k, but it only drops the<br /> bucket when both n-&gt;pos and k are zero. This misses buckets whose live<br /> entries have all been removed while n-&gt;pos still points past deleted slots.<br /> <br /> Treat a bucket as empty when all positions below n-&gt;pos are unused and<br /> release it directly instead of shrinking it further.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: cls_fw: fix NULL pointer dereference on shared blocks<br /> <br /> The old-method path in fw_classify() calls tcf_block_q() and<br /> dereferences q-&gt;handle. Shared blocks leave block-&gt;q NULL, causing a<br /> NULL deref when an empty cls_fw filter is attached to a shared block<br /> and a packet with a nonzero major skb mark is classified.<br /> <br /> Reject the configuration in fw_change() when the old method (no<br /> TCA_OPTIONS) is used on a shared block, since fw_classify()&amp;#39;s<br /> old-method path needs block-&gt;q which is NULL for shared blocks.<br /> <br /> The fixed null-ptr-deref calling stack:<br /> KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]<br /> RIP: 0010:fw_classify (net/sched/cls_fw.c:81)<br /> Call Trace:<br /> tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)<br /> tc_run (net/core/dev.c:4401)<br /> __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: cls_flow: fix NULL pointer dereference on shared blocks<br /> <br /> flow_change() calls tcf_block_q() and dereferences q-&gt;handle to derive<br /> a default baseclass. Shared blocks leave block-&gt;q NULL, causing a NULL<br /> deref when a flow filter without a fully qualified baseclass is created<br /> on a shared block.<br /> <br /> Check tcf_block_shared() before accessing block-&gt;q and return -EINVAL<br /> for shared blocks. This avoids the null-deref shown below:<br /> <br /> =======================================================================<br /> KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]<br /> RIP: 0010:flow_change (net/sched/cls_flow.c:508)<br /> Call Trace:<br /> tc_new_tfilter (net/sched/cls_api.c:2432)<br /> rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)<br /> [...]<br /> =======================================================================

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/x25: Fix overflow when accumulating packets<br /> <br /> Add a check to ensure that `x25_sock.fraglen` does not overflow.<br /> <br /> The `fraglen` also needs to be resetted when purging `fragment_queue` in<br /> `x25_clear_queues()`.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: bonding: fix use-after-free in bond_xmit_broadcast()<br /> <br /> bond_xmit_broadcast() reuses the original skb for the last slave<br /> (determined by bond_is_last_slave()) and clones it for others.<br /> Concurrent slave enslave/release can mutate the slave list during<br /> RCU-protected iteration, changing which slave is "last" mid-loop.<br /> This causes the original skb to be double-consumed (double-freed).<br /> <br /> Replace the racy bond_is_last_slave() check with a simple index<br /> comparison (i + 1 == slaves_count) against the pre-snapshot slave<br /> count taken via READ_ONCE() before the loop. This preserves the<br /> zero-copy optimization for the last slave while making the "last"<br /> determination stable against concurrent list mutations.<br /> <br /> The UAF can trigger the following crash:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in skb_clone<br /> Read of size 8 at addr ffff888100ef8d40 by task exploit/147<br /> <br /> CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY<br /> Call Trace:<br /> <br /> dump_stack_lvl (lib/dump_stack.c:123)<br /> print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)<br /> kasan_report (mm/kasan/report.c:597)<br /> skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)<br /> bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)<br /> bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)<br /> dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)<br /> __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)<br /> ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)<br /> ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)<br /> ip6_output (net/ipv6/ip6_output.c:250)<br /> ip6_send_skb (net/ipv6/ip6_output.c:1985)<br /> udp_v6_send_skb (net/ipv6/udp.c:1442)<br /> udpv6_sendmsg (net/ipv6/udp.c:1733)<br /> __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)<br /> __x64_sys_sendto (net/socket.c:2209)<br /> do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)<br /> <br /> <br /> Allocated by task 147:<br /> <br /> Freed by task 147:<br /> <br /> The buggy address belongs to the object at ffff888100ef8c80<br /> which belongs to the cache skbuff_head_cache of size 224<br /> The buggy address is located 192 bytes inside of<br /> freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)<br /> <br /> Memory state around the buggy address:<br /> ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc<br /> ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> &gt;ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc<br /> ^<br /> ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb<br /> ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ==================================================================

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: avoid overflows in ip6_datagram_send_ctl()<br /> <br /> Yiming Qian reported :<br /> <br /> I believe I found a locally triggerable kernel bug in the IPv6 sendmsg<br /> ancillary-data path that can panic the kernel via `skb_under_panic()`<br /> (local DoS).<br /> <br /> The core issue is a mismatch between:<br /> <br /> - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type<br /> `__u16`) and<br /> - a pointer to the *last* provided destination-options header (`opt-&gt;dst1opt`)<br /> <br /> when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided.<br /> <br /> - `include/net/ipv6.h`:<br /> - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible).<br /> (lines 291-307, especially 298)<br /> - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`:<br /> - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen`<br /> without rejecting duplicates. (lines 909-933)<br /> - `net/ipv6/ip6_output.c:__ip6_append_data()`:<br /> - Uses `opt-&gt;opt_flen + opt-&gt;opt_nflen` to compute header<br /> sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)<br /> - `net/ipv6/ip6_output.c:__ip6_make_skb()`:<br /> - Calls `ipv6_push_frag_opts()` if `opt-&gt;opt_flen` is non-zero.<br /> (lines 1930-1934)<br /> - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`:<br /> - Push size comes from `ipv6_optlen(opt-&gt;dst1opt)` (based on the<br /> pointed-to header). (lines 1179-1185 and 1206-1211)<br /> <br /> 1. `opt_flen` is a 16-bit accumulator:<br /> <br /> - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`.<br /> <br /> 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs<br /> and increments `opt_flen` each time:<br /> <br /> - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`:<br /> - It computes `len = ((hdr-&gt;hdrlen + 1) opt_flen += len;` (line 927)<br /> - `opt-&gt;dst1opt = hdr;` (line 928)<br /> <br /> There is no duplicate rejection here (unlike the legacy<br /> `IPV6_2292DSTOPTS` path which rejects duplicates at<br /> `net/ipv6/datagram.c:901-904`).<br /> <br /> If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps<br /> while `dst1opt` still points to a large (2048-byte)<br /> destination-options header.<br /> <br /> In the attached PoC (`poc.c`):<br /> <br /> - 32 cmsgs with `hdrlen=255` =&gt; `len = (255+1)*8 = 2048`<br /> - 1 cmsg with `hdrlen=0` =&gt; `len = 8`<br /> - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8`<br /> - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header.<br /> <br /> 3. The transmit path sizes headers using the wrapped `opt_flen`:<br /> <br /> - In `net/ipv6/ip6_output.c:1463-1465`:<br /> - `headersize = sizeof(struct ipv6hdr) + (opt ? opt-&gt;opt_flen +<br /> opt-&gt;opt_nflen : 0) + ...;`<br /> <br /> With wrapped `opt_flen`, `headersize`/headroom decisions underestimate<br /> what will be pushed later.<br /> <br /> 4. When building the final skb, the actual push length comes from<br /> `dst1opt` and is not limited by wrapped `opt_flen`:<br /> <br /> - In `net/ipv6/ip6_output.c:1930-1934`:<br /> - `if (opt-&gt;opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);`<br /> - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes<br /> `dst1opt` via `ipv6_push_exthdr()`.<br /> - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does:<br /> - `skb_push(skb, ipv6_optlen(opt));`<br /> - `memcpy(h, opt, ipv6_optlen(opt));`<br /> <br /> With insufficient headroom, `skb_push()` underflows and triggers<br /> `skb_under_panic()` -&gt; `BUG()`:<br /> <br /> - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`)<br /> - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`)<br /> <br /> - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target<br /> netns user namespace (`ns_capable(net-&gt;user_ns, CAP_NET_RAW)`).<br /> - Root (or any task with `CAP_NET_RAW`) can trigger this without user<br /> namespaces.<br /> - An unprivileged `uid=1000` user can trigger this if unprivileged<br /> user namespaces are enabled and it can create a userns+netns to obtain<br /> namespaced `CAP_NET_RAW` (the attached PoC does this).<br /> <br /> - Local denial of service: kernel BUG/panic (system crash).<br /> -<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nfnetlink_log: account for netlink header size<br /> <br /> This is a followup to an old bug fix: NLMSG_DONE needs to account<br /> for the netlink header size, not just the attribute size.<br /> <br /> This can result in a WARN splat + drop of the netlink message,<br /> but other than this there are no ill effects.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_conntrack_expect: use expect-&gt;helper<br /> <br /> Use expect-&gt;helper in ctnetlink and /proc to dump the helper name.<br /> Using nfct_help() without holding a reference to the master conntrack<br /> is unsafe.<br /> <br /> Use exp-&gt;master-&gt;helper in ctnetlink path if userspace does not provide<br /> an explicit helper when creating an expectation to retain the existing<br /> behaviour. The ctnetlink expectation path holds the reference on the<br /> master conntrack and nf_conntrack_expect lock and the nfnetlink glue<br /> path refers to the master ct that is attached to the skb.

Sourcecodester Cab Management System v1.0 is vulnerable to SQL injection in the file /cms/admin/categories/view_category.php.

Sourcecodester Cab Management System 1.0 is vulnerable to SQL Injection in the file /cms/admin/bookings/view_booking.php.

Sourcecodester Online Reviewer System v1.0 is vulnerable to SQL Injection in the file /system/system/admins/assessments/examproper/questions-view.php.