Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl/region: Avoid null pointer dereference in region lookup<br /> <br /> cxl_dpa_to_region() looks up a region based on a memdev and DPA.<br /> It wrongly assumes an endpoint found mapping the DPA is also of<br /> a fully assembled region. When not true it leads to a null pointer<br /> dereference looking up the region name.<br /> <br /> This appears during testing of region lookup after a failure to<br /> assemble a BIOS defined region or if the lookup raced with the<br /> assembly of the BIOS defined region.<br /> <br /> Failure to clean up BIOS defined regions that fail assembly is an<br /> issue in itself and a fix to that problem will alleviate some of<br /> the impact. It will not alleviate the race condition so let&amp;#39;s harden<br /> this path.<br /> <br /> The behavior change is that the kernel oops due to a null pointer<br /> dereference is replaced with a dev_dbg() message noting that an<br /> endpoint was mapped.<br /> <br /> Additional comments are added so that future users of this function<br /> can more clearly understand what it provides.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl/mem: Fix no cxl_nvd during pmem region auto-assembling<br /> <br /> When CXL subsystem is auto-assembling a pmem region during cxl<br /> endpoint port probing, always hit below calltrace.<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000078<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> RIP: 0010:cxl_pmem_region_probe+0x22e/0x360 [cxl_pmem]<br /> Call Trace:<br /> <br /> ? __die+0x24/0x70<br /> ? page_fault_oops+0x82/0x160<br /> ? do_user_addr_fault+0x65/0x6b0<br /> ? exc_page_fault+0x7d/0x170<br /> ? asm_exc_page_fault+0x26/0x30<br /> ? cxl_pmem_region_probe+0x22e/0x360 [cxl_pmem]<br /> ? cxl_pmem_region_probe+0x1ac/0x360 [cxl_pmem]<br /> cxl_bus_probe+0x1b/0x60 [cxl_core]<br /> really_probe+0x173/0x410<br /> ? __pfx___device_attach_driver+0x10/0x10<br /> __driver_probe_device+0x80/0x170<br /> driver_probe_device+0x1e/0x90<br /> __device_attach_driver+0x90/0x120<br /> bus_for_each_drv+0x84/0xe0<br /> __device_attach+0xbc/0x1f0<br /> bus_probe_device+0x90/0xa0<br /> device_add+0x51c/0x710<br /> devm_cxl_add_pmem_region+0x1b5/0x380 [cxl_core]<br /> cxl_bus_probe+0x1b/0x60 [cxl_core]<br /> <br /> The cxl_nvd of the memdev needs to be available during the pmem region<br /> probe. Currently the cxl_nvd is registered after the endpoint port probe.<br /> The endpoint probe, in the case of autoassembly of regions, can cause a<br /> pmem region probe requiring the not yet available cxl_nvd. Adjust the<br /> sequence so this dependency is met.<br /> <br /> This requires adding a port parameter to cxl_find_nvdimm_bridge() that<br /> can be used to query the ancestor root port. The endpoint port is not<br /> yet available, but will share a common ancestor with its parent, so<br /> start the query from there instead.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new<br /> <br /> This patch enhances error handling in scenarios with RTS (Request to<br /> Send) messages arriving closely. It replaces the less informative WARN_ON_ONCE<br /> backtraces with a new error handling method. This provides clearer error<br /> messages and allows for the early termination of problematic sessions.<br /> Previously, sessions were only released at the end of j1939_xtp_rx_rts().<br /> <br /> Potentially this could be reproduced with something like:<br /> testj1939 -r vcan0:0x80 &amp;<br /> while true; do<br /> # send first RTS<br /> cansend vcan0 18EC8090#1014000303002301;<br /> # send second RTS<br /> cansend vcan0 18EC8090#1014000303002301;<br /> # send abort<br /> cansend vcan0 18EC8090#ff00000000002301;<br /> done

Magento-lts is a long-term support alternative to Magento Community Edition (CE). This XSS vulnerability affects the design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt system configs.They are intended to enable admins to set a text in the two cases, and to define an image url for the other two cases.<br /> But because of previously missing escaping allowed to input arbitrary html and as a consequence also arbitrary JavaScript. The problem is patched with Version 20.10.1 or higher.

tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via tgstation-server (requiring a separate, isolated privilege) or some other means. A server configured to execute in BYOND&amp;#39;s trusted security level (requiring a third separate, isolated privilege OR being set by another user) could lead to this escalating into remote code execution via BYOND&amp;#39;s shell() proc. The ability to execute this kind of attack is a known side effect of having privileged TGS users, but normally requires multiple privileges with known weaknesses. This vector is not intentional as it does not require control over the where deployment code is sourced from and _may_ not require remote write access to an instance&amp;#39;s `Configuration` directory. This problem is fixed in versions 6.8.0 and above.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvme-fabrics: use reserved tag for reg read/write command<br /> <br /> In some scenarios, if too many commands are issued by nvme command in<br /> the same time by user tasks, this may exhaust all tags of admin_q. If<br /> a reset (nvme reset or IO timeout) occurs before these commands finish,<br /> reconnect routine may fail to update nvme regs due to insufficient tags,<br /> which will cause kernel hang forever. In order to workaround this issue,<br /> maybe we can let reg_read32()/reg_read64()/reg_write32() use reserved<br /> tags. This maybe safe for nvmf:<br /> <br /> 1. For the disable ctrl path, we will not issue connect command<br /> 2. For the enable ctrl / fw activate path, since connect and reg_xx()<br /> are called serially.<br /> <br /> So the reserved tags may still be enough while reg_xx() use reserved tags.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cachefiles: Set object to close if ondemand_id

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cachefiles: add consistency check for copen/cread<br /> <br /> This prevents malicious processes from completing random copen/cread<br /> requests and crashing the system. Added checks are listed below:<br /> <br /> * Generic, copen can only complete open requests, and cread can only<br /> complete read requests.<br /> * For copen, ondemand_id must not be 0, because this indicates that the<br /> request has not been read by the daemon.<br /> * For cread, the object corresponding to fd and req should be the same.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFSv4: Fix memory leak in nfs4_set_security_label<br /> <br /> We leak nfs_fattr and nfs4_label every time we set a security xattr.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> null_blk: fix validation of block size<br /> <br /> Block size should be between 512 and PAGE_SIZE and be a power of 2. The current<br /> check does not validate this, so update the check.<br /> <br /> Without this patch, null_blk would Oops due to a null pointer deref when<br /> loaded with bs=1536 [1].<br /> <br /> <br /> [axboe: remove unnecessary braces and != 0 check]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: qgroup: fix quota root leak after quota disable failure<br /> <br /> If during the quota disable we fail when cleaning the quota tree or when<br /> deleting the root from the root tree, we jump to the &amp;#39;out&amp;#39; label without<br /> ever dropping the reference on the quota root, resulting in a leak of the<br /> root since fs_info-&gt;quota_root is no longer pointing to the root (we have<br /> set it to NULL just before those steps).<br /> <br /> Fix this by always doing a btrfs_put_root() call under the &amp;#39;out&amp;#39; label.<br /> This is a problem that exists since qgroups were first added in 2012 by<br /> commit bed92eae26cc ("Btrfs: qgroup implementation and prototypes"), but<br /> back then we missed a kfree on the quota root and free_extent_buffer()<br /> calls on its root and commit root nodes, since back then roots were not<br /> yet reference counted.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvmet: always initialize cqe.result<br /> <br /> The spec doesn&amp;#39;t mandate that the first two double words (aka results)<br /> for the command queue entry need to be set to 0 when they are not<br /> used (not specified). Though, the target implemention returns 0 for TCP<br /> and FC but not for RDMA.<br /> <br /> Let&amp;#39;s make RDMA behave the same and thus explicitly initializing the<br /> result field. This prevents leaking any data from the stack.