Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vt: prevent kernel-infoleak in con_font_get()<br /> <br /> font.data may not initialize all memory spaces depending on the implementation<br /> of vc-&gt;vc_sw-&gt;con_font_get. This may cause info-leak, so to prevent this, it<br /> is safest to modify it to initialize the allocated memory space to 0, and it<br /> generally does not affect the overall performance of the system.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/sqpoll: ensure task state is TASK_RUNNING when running task_work<br /> <br /> When the sqpoll is exiting and cancels pending work items, it may need<br /> to run task_work. If this happens from within io_uring_cancel_generic(),<br /> then it may be under waiting for the io_uring_task waitqueue. This<br /> results in the below splat from the scheduler, as the ring mutex may be<br /> attempted grabbed while in a TASK_INTERRUPTIBLE state.<br /> <br /> Ensure that the task state is set appropriately for that, just like what<br /> is done for the other cases in io_run_task_work().<br /> <br /> do not call blocking ops when !TASK_RUNNING; state=1 set at [] prepare_to_wait+0x88/0x2fc<br /> WARNING: CPU: 6 PID: 59939 at kernel/sched/core.c:8561 __might_sleep+0xf4/0x140<br /> Modules linked in:<br /> CPU: 6 UID: 0 PID: 59939 Comm: iou-sqp-59938 Not tainted 6.12.0-rc3-00113-g8d020023b155 #7456<br /> Hardware name: linux,dummy-virt (DT)<br /> pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)<br /> pc : __might_sleep+0xf4/0x140<br /> lr : __might_sleep+0xf4/0x140<br /> sp : ffff80008c5e7830<br /> x29: ffff80008c5e7830 x28: ffff0000d93088c0 x27: ffff60001c2d7230<br /> x26: dfff800000000000 x25: ffff0000e16b9180 x24: ffff80008c5e7a50<br /> x23: 1ffff000118bcf4a x22: ffff0000e16b9180 x21: ffff0000e16b9180<br /> x20: 000000000000011b x19: ffff80008310fac0 x18: 1ffff000118bcd90<br /> x17: 30303c5b20746120 x16: 74657320313d6574 x15: 0720072007200720<br /> x14: 0720072007200720 x13: 0720072007200720 x12: ffff600036c64f0b<br /> x11: 1fffe00036c64f0a x10: ffff600036c64f0a x9 : dfff800000000000<br /> x8 : 00009fffc939b0f6 x7 : ffff0001b6327853 x6 : 0000000000000001<br /> x5 : ffff0001b6327850 x4 : ffff600036c64f0b x3 : ffff8000803c35bc<br /> x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000e16b9180<br /> Call trace:<br /> __might_sleep+0xf4/0x140<br /> mutex_lock+0x84/0x124<br /> io_handle_tw_list+0xf4/0x260<br /> tctx_task_work_run+0x94/0x340<br /> io_run_task_work+0x1ec/0x3c0<br /> io_uring_cancel_generic+0x364/0x524<br /> io_sq_thread+0x820/0x124c<br /> ret_from_fork+0x10/0x20

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pinctrl: apple: check devm_kasprintf() returned value<br /> <br /> devm_kasprintf() can return a NULL pointer on failure but this returned<br /> value is not checked. Fix this lack and check the returned value.<br /> <br /> Found by code review.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/bugs: Use code segment selector for VERW operand<br /> <br /> Robert Gill reported below #GP in 32-bit mode when dosemu software was<br /> executing vm86() system call:<br /> <br /> general protection fault: 0000 [#1] PREEMPT SMP<br /> CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1<br /> Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010<br /> EIP: restore_all_switch_stack+0xbe/0xcf<br /> EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000<br /> ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc<br /> DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046<br /> CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0<br /> Call Trace:<br /> show_regs+0x70/0x78<br /> die_addr+0x29/0x70<br /> exc_general_protection+0x13c/0x348<br /> exc_bounds+0x98/0x98<br /> handle_exception+0x14d/0x14d<br /> exc_bounds+0x98/0x98<br /> restore_all_switch_stack+0xbe/0xcf<br /> exc_bounds+0x98/0x98<br /> restore_all_switch_stack+0xbe/0xcf<br /> <br /> This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS<br /> are enabled. This is because segment registers with an arbitrary user value<br /> can result in #GP when executing VERW. Intel SDM vol. 2C documents the<br /> following behavior for VERW instruction:<br /> <br /> #GP(0) - If a memory operand effective address is outside the CS, DS, ES,<br /> FS, or GS segment limit.<br /> <br /> CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user<br /> space. Use %cs selector to reference VERW operand. This ensures VERW will<br /> not #GP for an arbitrary user %ds.<br /> <br /> [ mingo: Fixed the SOB chain. ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: n_gsm: Fix use-after-free in gsm_cleanup_mux<br /> <br /> BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0<br /> drivers/tty/n_gsm.c:3160 [n_gsm]<br /> Read of size 8 at addr ffff88815fe99c00 by task poc/3379<br /> CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56<br /> Hardware name: VMware, Inc. VMware Virtual Platform/440BX<br /> Desktop Reference Platform, BIOS 6.00 11/12/2020<br /> Call Trace:<br /> <br /> gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]<br /> __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm]<br /> __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389<br /> update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500<br /> __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846<br /> __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161<br /> gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]<br /> _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107<br /> __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm]<br /> ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195<br /> ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79<br /> __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338<br /> __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805<br /> tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818<br /> <br /> Allocated by task 65:<br /> gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm]<br /> gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm]<br /> gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm]<br /> gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm]<br /> tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391<br /> tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39<br /> flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445<br /> process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229<br /> worker_thread+0x3dc/0x950 kernel/workqueue.c:3391<br /> kthread+0x2a3/0x370 kernel/kthread.c:389<br /> ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257<br /> <br /> Freed by task 3367:<br /> kfree+0x126/0x420 mm/slub.c:4580<br /> gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]<br /> gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]<br /> tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818<br /> <br /> [Analysis]<br /> gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux<br /> can be freed by multi threads through ioctl,which leads<br /> to the occurrence of uaf. Protect it by gsm tx lock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> parport: Proper fix for array out-of-bounds access<br /> <br /> The recent fix for array out-of-bounds accesses replaced sprintf()<br /> calls blindly with snprintf(). However, since snprintf() returns the<br /> would-be-printed size, not the actually output size, the length<br /> calculation can still go over the given limit.<br /> <br /> Use scnprintf() instead of snprintf(), which returns the actually<br /> output letters, for addressing the potential out-of-bounds access<br /> properly.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: ISO: Fix multiple init when debugfs is disabled<br /> <br /> If bt_debugfs is not created successfully, which happens if either<br /> CONFIG_DEBUG_FS or CONFIG_DEBUG_FS_ALLOW_ALL is unset, then iso_init()<br /> returns early and does not set iso_inited to true. This means that a<br /> subsequent call to iso_init() will result in duplicate calls to<br /> proto_register(), bt_sock_register(), etc.<br /> <br /> With CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, the<br /> duplicate call to proto_register() triggers this BUG():<br /> <br /> list_add double add: new=ffffffffc0b280d0, prev=ffffffffbab56250,<br /> next=ffffffffc0b280d0.<br /> ------------[ cut here ]------------<br /> kernel BUG at lib/list_debug.c:35!<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI<br /> CPU: 2 PID: 887 Comm: bluetoothd Not tainted 6.10.11-1-ao-desktop #1<br /> RIP: 0010:__list_add_valid_or_report+0x9a/0xa0<br /> ...<br /> __list_add_valid_or_report+0x9a/0xa0<br /> proto_register+0x2b5/0x340<br /> iso_init+0x23/0x150 [bluetooth]<br /> set_iso_socket_func+0x68/0x1b0 [bluetooth]<br /> kmem_cache_free+0x308/0x330<br /> hci_sock_sendmsg+0x990/0x9e0 [bluetooth]<br /> __sock_sendmsg+0x7b/0x80<br /> sock_write_iter+0x9a/0x110<br /> do_iter_readv_writev+0x11d/0x220<br /> vfs_writev+0x180/0x3e0<br /> do_writev+0xca/0x100<br /> ...<br /> <br /> This change removes the early return. The check for iso_debugfs being<br /> NULL was unnecessary, it is always NULL when iso_inited is false.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: Call iso_exit() on module unload<br /> <br /> If iso_init() has been called, iso_exit() must be called on module<br /> unload. Without that, the struct proto that iso_init() registered with<br /> proto_register() becomes invalid, which could cause unpredictable<br /> problems later. In my case, with CONFIG_LIST_HARDENED and<br /> CONFIG_BUG_ON_DATA_CORRUPTION enabled, loading the module again usually<br /> triggers this BUG():<br /> <br /> list_add corruption. next-&gt;prev should be prev (ffffffffb5355fd0),<br /> but was 0000000000000068. (next=ffffffffc0a010d0).<br /> ------------[ cut here ]------------<br /> kernel BUG at lib/list_debug.c:29!<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI<br /> CPU: 1 PID: 4159 Comm: modprobe Not tainted 6.10.11-4+bt2-ao-desktop #1<br /> RIP: 0010:__list_add_valid_or_report+0x61/0xa0<br /> ...<br /> __list_add_valid_or_report+0x61/0xa0<br /> proto_register+0x299/0x320<br /> hci_sock_init+0x16/0xc0 [bluetooth]<br /> bt_init+0x68/0xd0 [bluetooth]<br /> __pfx_bt_init+0x10/0x10 [bluetooth]<br /> do_one_initcall+0x80/0x2f0<br /> do_init_module+0x8b/0x230<br /> __do_sys_init_module+0x15f/0x190<br /> do_syscall_64+0x68/0x110<br /> ...

A vulnerability, which was classified as problematic, has been found in LinZhaoguan pb-cms up to 2.0.1. This issue affects some unknown processing of the file /admin#article/edit?id=2 of the component Edit Article Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

IBM Flexible Service Processor (FSP) FW860.00 through FW860.B3, FW950.00 through FW950.C0, FW1030.00 through FW1030.61, FW1050.00 through FW1050.21, and FW1060.00 through FW1060.10 has static credentials which may allow network users to gain service privileges to the FSP.

A vulnerability classified as problematic was found in LinZhaoguan pb-cms up to 2.0.1. This vulnerability affects unknown code of the file /admin#permissions of the component Permission Management Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description.