Vulnerabilities

A potential vulnerability was discovered in certain Poly video conferencing devices. The firmware flaw does not properly sanitize user input. The exploitation of this vulnerability is dependent on a layered attack and cannot be exploited by itself.

WebLaudos v20.8 (118) was discovered to contain a cross-site scripting (XSS) vulnerability via the login page.

Substance3D - Painter versions 10.0.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/oa: Fix overflow in oa batch buffer<br /> <br /> By default xe_bb_create_job() appends a MI_BATCH_BUFFER_END to batch<br /> buffer, this is not a problem if batch buffer is only used once but<br /> oa reuses the batch buffer for the same metric and at each call<br /> it appends a MI_BATCH_BUFFER_END, printing the warning below and then<br /> overflowing.<br /> <br /> [ 381.072016] ------------[ cut here ]------------<br /> [ 381.072019] xe 0000:00:02.0: [drm] Assertion `bb-&gt;len * 4 + bb_prefetch(q-&gt;gt)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm vdo: don&amp;#39;t refer to dedupe_context after releasing it<br /> <br /> Clear the dedupe_context pointer in a data_vio whenever ownership of<br /> the context is lost, so that vdo can&amp;#39;t examine it accidentally.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: netconsole: fix wrong warning<br /> <br /> A warning is triggered when there is insufficient space in the buffer<br /> for userdata. However, this is not an issue since userdata will be sent<br /> in the next iteration.<br /> <br /> Current warning message:<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 13 PID: 3013042 at drivers/net/netconsole.c:1122 write_ext_msg+0x3b6/0x3d0<br /> ? write_ext_msg+0x3b6/0x3d0<br /> console_flush_all+0x1e9/0x330<br /> <br /> The code incorrectly issues a warning when this_chunk is zero, which is<br /> a valid scenario. The warning should only be triggered when this_chunk<br /> is negative.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sfc: Don&amp;#39;t invoke xdp_do_flush() from netpoll.<br /> <br /> Yury reported a crash in the sfc driver originated from<br /> netpoll_send_udp(). The netconsole sends a message and then netpoll<br /> invokes the driver&amp;#39;s NAPI function with a budget of zero. It is<br /> dedicated to allow driver to free TX resources, that it may have used<br /> while sending the packet.<br /> <br /> In the netpoll case the driver invokes xdp_do_flush() unconditionally,<br /> leading to crash because bpf_net_context was never assigned.<br /> <br /> Invoke xdp_do_flush() only if budget is not zero.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: fec: don&amp;#39;t save PTP state if PTP is unsupported<br /> <br /> Some platforms (such as i.MX25 and i.MX27) do not support PTP, so on<br /> these platforms fec_ptp_init() is not called and the related members<br /> in fep are not initialized. However, fec_ptp_save_state() is called<br /> unconditionally, which causes the kernel to panic. Therefore, add a<br /> condition so that fec_ptp_save_state() is not called if PTP is not<br /> supported.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal: intel: int340x: processor: Fix warning during module unload<br /> <br /> The processor_thermal driver uses pcim_device_enable() to enable a PCI<br /> device, which means the device will be automatically disabled on driver<br /> detach. Thus there is no need to call pci_disable_device() again on it.<br /> <br /> With recent PCI device resource management improvements, e.g. commit<br /> f748a07a0b64 ("PCI: Remove legacy pcim_release()"), this problem is<br /> exposed and triggers the warining below.<br /> <br /> [ 224.010735] proc_thermal_pci 0000:00:04.0: disabling already-disabled device<br /> [ 224.010747] WARNING: CPU: 8 PID: 4442 at drivers/pci/pci.c:2250 pci_disable_device+0xe5/0x100<br /> ...<br /> [ 224.010844] Call Trace:<br /> [ 224.010845] <br /> [ 224.010847] ? show_regs+0x6d/0x80<br /> [ 224.010851] ? __warn+0x8c/0x140<br /> [ 224.010854] ? pci_disable_device+0xe5/0x100<br /> [ 224.010856] ? report_bug+0x1c9/0x1e0<br /> [ 224.010859] ? handle_bug+0x46/0x80<br /> [ 224.010862] ? exc_invalid_op+0x1d/0x80<br /> [ 224.010863] ? asm_exc_invalid_op+0x1f/0x30<br /> [ 224.010867] ? pci_disable_device+0xe5/0x100<br /> [ 224.010869] ? pci_disable_device+0xe5/0x100<br /> [ 224.010871] ? kfree+0x21a/0x2b0<br /> [ 224.010873] pcim_disable_device+0x20/0x30<br /> [ 224.010875] devm_action_release+0x16/0x20<br /> [ 224.010878] release_nodes+0x47/0xc0<br /> [ 224.010880] devres_release_all+0x9f/0xe0<br /> [ 224.010883] device_unbind_cleanup+0x12/0x80<br /> [ 224.010885] device_release_driver_internal+0x1ca/0x210<br /> [ 224.010887] driver_detach+0x4e/0xa0<br /> [ 224.010889] bus_remove_driver+0x6f/0xf0<br /> [ 224.010890] driver_unregister+0x35/0x60<br /> [ 224.010892] pci_unregister_driver+0x44/0x90<br /> [ 224.010894] proc_thermal_pci_driver_exit+0x14/0x5f0 [processor_thermal_device_pci]<br /> ...<br /> [ 224.010921] ---[ end trace 0000000000000000 ]---<br /> <br /> Remove the excess pci_disable_device() calls.<br /> <br /> [ rjw: Subject and changelog edits ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/mad: Improve handling of timed out WRs of mad agent<br /> <br /> Current timeout handler of mad agent acquires/releases mad_agent_priv<br /> lock for every timed out WRs. This causes heavy locking contention<br /> when higher no. of WRs are to be handled inside timeout handler.<br /> <br /> This leads to softlockup with below trace in some use cases where<br /> rdma-cm path is used to establish connection between peer nodes<br /> <br /> Trace:<br /> -----<br /> BUG: soft lockup - CPU#4 stuck for 26s! [kworker/u128:3:19767]<br /> CPU: 4 PID: 19767 Comm: kworker/u128:3 Kdump: loaded Tainted: G OE<br /> ------- --- 5.14.0-427.13.1.el9_4.x86_64 #1<br /> Hardware name: Dell Inc. PowerEdge R740/01YM03, BIOS 2.4.8 11/26/2019<br /> Workqueue: ib_mad1 timeout_sends [ib_core]<br /> RIP: 0010:__do_softirq+0x78/0x2ac<br /> RSP: 0018:ffffb253449e4f98 EFLAGS: 00000246<br /> RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 000000000000001f<br /> RDX: 000000000000001d RSI: 000000003d1879ab RDI: fff363b66fd3a86b<br /> RBP: ffffb253604cbcd8 R08: 0000009065635f3b R09: 0000000000000000<br /> R10: 0000000000000040 R11: ffffb253449e4ff8 R12: 0000000000000000<br /> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000040<br /> FS: 0000000000000000(0000) GS:ffff8caa1fc80000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007fd9ec9db900 CR3: 0000000891934006 CR4: 00000000007706e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? show_trace_log_lvl+0x1c4/0x2df<br /> ? show_trace_log_lvl+0x1c4/0x2df<br /> ? __irq_exit_rcu+0xa1/0xc0<br /> ? watchdog_timer_fn+0x1b2/0x210<br /> ? __pfx_watchdog_timer_fn+0x10/0x10<br /> ? __hrtimer_run_queues+0x127/0x2c0<br /> ? hrtimer_interrupt+0xfc/0x210<br /> ? __sysvec_apic_timer_interrupt+0x5c/0x110<br /> ? sysvec_apic_timer_interrupt+0x37/0x90<br /> ? asm_sysvec_apic_timer_interrupt+0x16/0x20<br /> ? __do_softirq+0x78/0x2ac<br /> ? __do_softirq+0x60/0x2ac<br /> __irq_exit_rcu+0xa1/0xc0<br /> sysvec_call_function_single+0x72/0x90<br /> <br /> <br /> asm_sysvec_call_function_single+0x16/0x20<br /> RIP: 0010:_raw_spin_unlock_irq+0x14/0x30<br /> RSP: 0018:ffffb253604cbd88 EFLAGS: 00000247<br /> RAX: 000000000001960d RBX: 0000000000000002 RCX: ffff8cad2a064800<br /> RDX: 000000008020001b RSI: 0000000000000001 RDI: ffff8cad5d39f66c<br /> RBP: ffff8cad5d39f600 R08: 0000000000000001 R09: 0000000000000000<br /> R10: ffff8caa443e0c00 R11: ffffb253604cbcd8 R12: ffff8cacb8682538<br /> R13: 0000000000000005 R14: ffffb253604cbd90 R15: ffff8cad5d39f66c<br /> cm_process_send_error+0x122/0x1d0 [ib_cm]<br /> timeout_sends+0x1dd/0x270 [ib_core]<br /> process_one_work+0x1e2/0x3b0<br /> ? __pfx_worker_thread+0x10/0x10<br /> worker_thread+0x50/0x3a0<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0xdd/0x100<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x29/0x50<br /> <br /> <br /> Simplified timeout handler by creating local list of timed out WRs<br /> and invoke send handler post creating the list. The new method acquires/<br /> releases lock once to fetch the list and hence helps to reduce locking<br /> contetiong when processing higher no. of WRs

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error<br /> <br /> The `nouveau_dmem_copy_one` function ensures that the copy push command is<br /> sent to the device firmware but does not track whether it was executed<br /> successfully.<br /> <br /> In the case of a copy error (e.g., firmware or hardware failure), the<br /> copy push command will be sent via the firmware channel, and<br /> `nouveau_dmem_copy_one` will likely report success, leading to the<br /> `migrate_to_ram` function returning a dirty HIGH_USER page to the user.<br /> <br /> This can result in a security vulnerability, as a HIGH_USER page that may<br /> contain sensitive or corrupted data could be returned to the user.<br /> <br /> To prevent this vulnerability, we allocate a zero page. Thus, in case of<br /> an error, a non-dirty (zero) page will be returned to the user.