Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Add null check before access structs<br /> <br /> In enable_phantom_plane, we should better check null pointer before<br /> accessing various structs.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: mediatek: vcodec: Handle invalid decoder vsi<br /> <br /> Handle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi<br /> is valid for future use.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: missing check virtio<br /> <br /> Two missing check in virtio_net_hdr_to_skb() allowed syzbot<br /> to crash kernels again<br /> <br /> 1. After the skb_segment function the buffer may become non-linear<br /> (nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere<br /> the __skb_linearize function will not be executed, then the buffer will<br /> remain non-linear. Then the condition (offset &gt;= skb_headlen(skb))<br /> becomes true, which causes WARN_ON_ONCE in skb_checksum_help.<br /> <br /> 2. The struct sk_buff and struct virtio_net_hdr members must be<br /> mathematically related.<br /> (gso_size) must be greater than (needed) otherwise WARN_ON_ONCE.<br /> (remainder) must be greater than (needed) otherwise WARN_ON_ONCE.<br /> (remainder) may be 0 if division is without remainder.<br /> <br /> offset+2 (4191) &gt; skb_headlen() (1116)<br /> WARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303<br /> Modules linked in:<br /> CPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0<br /> Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023<br /> RIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303<br /> Code: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef<br /> RSP: 0018:ffffc90003a9f338 EFLAGS: 00010286<br /> RAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209<br /> RDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001<br /> RBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c<br /> R13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d<br /> FS: 0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777<br /> ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584<br /> ip_finish_output_gso net/ipv4/ip_output.c:286 [inline]<br /> __ip_finish_output net/ipv4/ip_output.c:308 [inline]<br /> __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295<br /> ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323<br /> NF_HOOK_COND include/linux/netfilter.h:303 [inline]<br /> ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433<br /> dst_output include/net/dst.h:451 [inline]<br /> ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129<br /> iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82<br /> ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline]<br /> sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076<br /> __netdev_start_xmit include/linux/netdevice.h:4940 [inline]<br /> netdev_start_xmit include/linux/netdevice.h:4954 [inline]<br /> xmit_one net/core/dev.c:3545 [inline]<br /> dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561<br /> __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346<br /> dev_queue_xmit include/linux/netdevice.h:3134 [inline]<br /> packet_xmit+0x257/0x380 net/packet/af_packet.c:276<br /> packet_snd net/packet/af_packet.c:3087 [inline]<br /> packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg+0xd5/0x180 net/socket.c:745<br /> __sys_sendto+0x255/0x340 net/socket.c:2190<br /> __do_sys_sendto net/socket.c:2202 [inline]<br /> __se_sys_sendto net/socket.c:2198 [inline]<br /> __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198<br /> do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br /> do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: amd: Adjust error handling in case of absent codec device<br /> <br /> acpi_get_first_physical_node() can return NULL in several cases (no such<br /> device, ACPI table error, reference count drop to 0, etc).<br /> Existing check just emit error message, but doesn&amp;#39;t perform return.<br /> Then this NULL pointer is passed to devm_acpi_dev_add_driver_gpios()<br /> where it is dereferenced.<br /> <br /> Adjust this error handling by adding error code return.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs()<br /> <br /> If IORESOURCE_MEM is not provided in Device Tree due to<br /> any error, resource_list_first_type() will return NULL and<br /> pci_parse_request_of_pci_ranges() will just emit a warning.<br /> <br /> This will cause a NULL pointer dereference. Fix this bug by adding NULL<br /> return check.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix infinite loop when replaying fast_commit<br /> <br /> When doing fast_commit replay an infinite loop may occur due to an<br /> uninitialized extent_status struct. ext4_ext_determine_insert_hole() does<br /> not detect the replay and calls ext4_es_find_extent_range(), which will<br /> return immediately without initializing the &amp;#39;es&amp;#39; variable.<br /> <br /> Because &amp;#39;es&amp;#39; contains garbage, an integer overflow may happen causing an<br /> infinite loop in this function, easily reproducible using fstest generic/039.<br /> <br /> This commit fixes this issue by unconditionally initializing the structure<br /> in function ext4_es_find_extent_range().<br /> <br /> Thanks to Zhang Yi, for figuring out the real problem!

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/qxl: Add check for drm_cvt_mode<br /> <br /> Add check for the return value of drm_cvt_mode() and return the error if<br /> it fails in order to avoid NULL pointer dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> leds: trigger: Unregister sysfs attributes before calling deactivate()<br /> <br /> Triggers which have trigger specific sysfs attributes typically store<br /> related data in trigger-data allocated by the activate() callback and<br /> freed by the deactivate() callback.<br /> <br /> Calling device_remove_groups() after calling deactivate() leaves a window<br /> where the sysfs attributes show/store functions could be called after<br /> deactivation and then operate on the just freed trigger-data.<br /> <br /> Move the device_remove_groups() call to before deactivate() to close<br /> this race window.<br /> <br /> This also makes the deactivation path properly do things in reverse order<br /> of the activation path which calls the activate() callback before calling<br /> device_add_groups().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> s390/uv: Don&amp;#39;t call folio_wait_writeback() without a folio reference<br /> <br /> folio_wait_writeback() requires that no spinlocks are held and that<br /> a folio reference is held, as documented. After we dropped the PTL, the<br /> folio could get freed concurrently. So grab a temporary reference.

The tagDiv Opt-In Builder plugin is vulnerable to Blind SQL Injection via the &amp;#39;subscriptionCouponId&amp;#39; parameter via the &amp;#39;create_stripe_subscription&amp;#39; REST API endpoint in versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrator-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

The tagDiv Opt-In Builder plugin is vulnerable to Blind SQL Injection via the &amp;#39;couponId&amp;#39; parameter of the &amp;#39;recreate_stripe_subscription&amp;#39; REST API endpoint in versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrator-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: mxs-dcp - Ensure payload is zero when using key slot<br /> <br /> We could leak stack memory through the payload field when running<br /> AES with a key from one of the hardware&amp;#39;s key slots. Fix this by<br /> ensuring the payload field is set to 0 in such cases.<br /> <br /> This does not affect the common use case when the key is supplied<br /> from main memory via the descriptor payload.