Vulnerabilities

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix a kernel verifier crash in stacksafe()<br /> <br /> Daniel Hodges reported a kernel verifier crash when playing with sched-ext.<br /> Further investigation shows that the crash is due to invalid memory access<br /> in stacksafe(). More specifically, it is the following code:<br /> <br /> if (exact != NOT_EXACT &amp;&amp;<br /> old-&gt;stack[spi].slot_type[i % BPF_REG_SIZE] !=<br /> cur-&gt;stack[spi].slot_type[i % BPF_REG_SIZE])<br /> return false;<br /> <br /> The &amp;#39;i&amp;#39; iterates old-&gt;allocated_stack.<br /> If cur-&gt;allocated_stack allocated_stack the out-of-bound<br /> access will happen.<br /> <br /> To fix the issue add &amp;#39;i &gt;= cur-&gt;allocated_stack&amp;#39; check such that if<br /> the condition is true, stacksafe() should fail. Otherwise,<br /> cur-&gt;stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> md/raid1: Fix data corruption for degraded array with slow disk<br /> <br /> read_balance() will avoid reading from slow disks as much as possible,<br /> however, if valid data only lands in slow disks, and a new normal disk<br /> is still in recovery, unrecovered data can be read:<br /> <br /> raid1_read_request<br /> read_balance<br /> raid1_should_read_first<br /> -&gt; return false<br /> choose_best_rdev<br /> -&gt; normal disk is not recovered, return -1<br /> choose_bb_rdev<br /> -&gt; missing the checking of recovery, return the normal disk<br /> -&gt; read unrecovered data<br /> <br /> Root cause is that the checking of recovery is missing in<br /> choose_bb_rdev(). Hence add such checking to fix the problem.<br /> <br /> Also fix similar problem in choose_slow_rdev().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/hugetlb: fix hugetlb vs. core-mm PT locking<br /> <br /> We recently made GUP&amp;#39;s common page table walking code to also walk hugetlb<br /> VMAs without most hugetlb special-casing, preparing for the future of<br /> having less hugetlb-specific page table walking code in the codebase. <br /> Turns out that we missed one page table locking detail: page table locking<br /> for hugetlb folios that are not mapped using a single PMD/PUD.<br /> <br /> Assume we have hugetlb folio that spans multiple PTEs (e.g., 64 KiB<br /> hugetlb folios on arm64 with 4 KiB base page size). GUP, as it walks the<br /> page tables, will perform a pte_offset_map_lock() to grab the PTE table<br /> lock.<br /> <br /> However, hugetlb that concurrently modifies these page tables would<br /> actually grab the mm-&gt;page_table_lock: with USE_SPLIT_PTE_PTLOCKS, the<br /> locks would differ. Something similar can happen right now with hugetlb<br /> folios that span multiple PMDs when USE_SPLIT_PMD_PTLOCKS.<br /> <br /> This issue can be reproduced [1], for example triggering:<br /> <br /> [ 3105.936100] ------------[ cut here ]------------<br /> [ 3105.939323] WARNING: CPU: 31 PID: 2732 at mm/gup.c:142 try_grab_folio+0x11c/0x188<br /> [ 3105.944634] Modules linked in: [...]<br /> [ 3105.974841] CPU: 31 PID: 2732 Comm: reproducer Not tainted 6.10.0-64.eln141.aarch64 #1<br /> [ 3105.980406] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-4.fc40 05/24/2024<br /> [ 3105.986185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 3105.991108] pc : try_grab_folio+0x11c/0x188<br /> [ 3105.994013] lr : follow_page_pte+0xd8/0x430<br /> [ 3105.996986] sp : ffff80008eafb8f0<br /> [ 3105.999346] x29: ffff80008eafb900 x28: ffffffe8d481f380 x27: 00f80001207cff43<br /> [ 3106.004414] x26: 0000000000000001 x25: 0000000000000000 x24: ffff80008eafba48<br /> [ 3106.009520] x23: 0000ffff9372f000 x22: ffff7a54459e2000 x21: ffff7a546c1aa978<br /> [ 3106.014529] x20: ffffffe8d481f3c0 x19: 0000000000610041 x18: 0000000000000001<br /> [ 3106.019506] x17: 0000000000000001 x16: ffffffffffffffff x15: 0000000000000000<br /> [ 3106.024494] x14: ffffb85477fdfe08 x13: 0000ffff9372ffff x12: 0000000000000000<br /> [ 3106.029469] x11: 1fffef4a88a96be1 x10: ffff7a54454b5f0c x9 : ffffb854771b12f0<br /> [ 3106.034324] x8 : 0008000000000000 x7 : ffff7a546c1aa980 x6 : 0008000000000080<br /> [ 3106.038902] x5 : 00000000001207cf x4 : 0000ffff9372f000 x3 : ffffffe8d481f000<br /> [ 3106.043420] x2 : 0000000000610041 x1 : 0000000000000001 x0 : 0000000000000000<br /> [ 3106.047957] Call trace:<br /> [ 3106.049522] try_grab_folio+0x11c/0x188<br /> [ 3106.051996] follow_pmd_mask.constprop.0.isra.0+0x150/0x2e0<br /> [ 3106.055527] follow_page_mask+0x1a0/0x2b8<br /> [ 3106.058118] __get_user_pages+0xf0/0x348<br /> [ 3106.060647] faultin_page_range+0xb0/0x360<br /> [ 3106.063651] do_madvise+0x340/0x598<br /> <br /> Let&amp;#39;s make huge_pte_lockptr() effectively use the same PT locks as any<br /> core-mm page table walker would. Add ptep_lockptr() to obtain the PTE<br /> page table lock using a pte pointer -- unfortunately we cannot convert<br /> pte_lockptr() because virt_to_page() doesn&amp;#39;t work with kmap&amp;#39;ed page tables<br /> we can have with CONFIG_HIGHPTE.<br /> <br /> Handle CONFIG_PGTABLE_LEVELS correctly by checking in reverse order, such<br /> that when e.g., CONFIG_PGTABLE_LEVELS==2 with<br /> PGDIR_SIZE==P4D_SIZE==PUD_SIZE==PMD_SIZE will work as expected. Document<br /> why that works.<br /> <br /> There is one ugly case: powerpc 8xx, whereby we have an 8 MiB hugetlb<br /> folio being mapped using two PTE page tables. While hugetlb wants to take<br /> the PMD table lock, core-mm would grab the PTE table lock of one of both<br /> PTE page tables. In such corner cases, we have to make sure that both<br /> locks match, which is (fortunately!) currently guaranteed for 8xx as it<br /> does not support SMP and consequently doesn&amp;#39;t use split PT locks.<br /> <br /> [1] https://lore.kernel.org/all/1bbfcc7f-f222-45a5-ac44-c5a1381c596d@redhat.com/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: xhci: Check for xhci-&gt;interrupters being allocated in xhci_mem_clearup()<br /> <br /> If xhci_mem_init() fails, it calls into xhci_mem_cleanup() to mop<br /> up the damage. If it fails early enough, before xhci-&gt;interrupters<br /> is allocated but after xhci-&gt;max_interrupters has been set, which<br /> happens in most (all?) cases, things get uglier, as xhci_mem_cleanup()<br /> unconditionally derefences xhci-&gt;interrupters. With prejudice.<br /> <br /> Gate the interrupt freeing loop with a check on xhci-&gt;interrupters<br /> being non-NULL.<br /> <br /> Found while debugging a DMA allocation issue that led the XHCI driver<br /> on this exact path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> igb: cope with large MAX_SKB_FRAGS<br /> <br /> Sabrina reports that the igb driver does not cope well with large<br /> MAX_SKB_FRAG values: setting MAX_SKB_FRAG to 45 causes payload<br /> corruption on TX.<br /> <br /> An easy reproducer is to run ssh to connect to the machine. With<br /> MAX_SKB_FRAGS=17 it works, with MAX_SKB_FRAGS=45 it fails. This has<br /> been reported originally in<br /> https://bugzilla.redhat.com/show_bug.cgi?id=2265320<br /> <br /> The root cause of the issue is that the driver does not take into<br /> account properly the (possibly large) shared info size when selecting<br /> the ring layout, and will try to fit two packets inside the same 4K<br /> page even when the 1st fraglist will trump over the 2nd head.<br /> <br /> Address the issue by checking if 2K buffers are insufficient.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion<br /> <br /> wpa_supplicant 2.11 sends since 1efdba5fdc2c ("Handle PMKSA flush in the<br /> driver for SAE/OWE offload cases") SSID based PMKSA del commands.<br /> brcmfmac is not prepared and tries to dereference the NULL bssid and<br /> pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based<br /> updates so copy the SSID.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> memcg_write_event_control(): fix a user-triggerable oops<br /> <br /> we are *not* guaranteed that anything past the terminating NUL<br /> is mapped (let alone initialized with anything sane).

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0<br /> <br /> The __vmap_pages_range_noflush() assumes its argument pages** contains<br /> pages with the same page shift. However, since commit e9c3cda4d86e ("mm,<br /> vmalloc: fix high order __GFP_NOFAIL allocations"), if gfp_flags includes<br /> __GFP_NOFAIL with high order in vm_area_alloc_pages() and page allocation<br /> failed for high order, the pages** may contain two different page shifts<br /> (high order and order-0). This could lead __vmap_pages_range_noflush() to<br /> perform incorrect mappings, potentially resulting in memory corruption.<br /> <br /> Users might encounter this as follows (vmap_allow_huge = true, 2M is for<br /> PMD_SIZE):<br /> <br /> kvmalloc(2M, __GFP_NOFAIL|GFP_X)<br /> __vmalloc_node_range_noprof(vm_flags=VM_ALLOW_HUGE_VMAP)<br /> vm_area_alloc_pages(order=9) ---&gt; order-9 allocation failed and fallback to order-0<br /> vmap_pages_range()<br /> vmap_pages_range_noflush()<br /> __vmap_pages_range_noflush(page_shift = 21) ----&gt; wrong mapping happens<br /> <br /> We can remove the fallback code because if a high-order allocation fails,<br /> __vmalloc_node_range_noprof() will retry with order-0. Therefore, it is<br /> unnecessary to fallback to order-0 here. Therefore, fix this by removing<br /> the fallback code.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE<br /> <br /> copy_fd_bitmaps(new, old, count) is expected to copy the first<br /> count/BITS_PER_LONG bits from old-&gt;full_fds_bits[] and fill<br /> the rest with zeroes. What it does is copying enough words<br /> (BITS_TO_LONGS(count/BITS_PER_LONG)), then memsets the rest.<br /> That works fine, *if* all bits past the cutoff point are<br /> clear. Otherwise we are risking garbage from the last word<br /> we&amp;#39;d copied.<br /> <br /> For most of the callers that is true - expand_fdtable() has<br /> count equal to old-&gt;max_fds, so there&amp;#39;s no open descriptors<br /> past count, let alone fully occupied words in -&gt;open_fds[],<br /> which is what bits in -&gt;full_fds_bits[] correspond to.<br /> <br /> The other caller (dup_fd()) passes sane_fdtable_size(old_fdt, max_fds),<br /> which is the smallest multiple of BITS_PER_LONG that covers all<br /> opened descriptors below max_fds. In the common case (copying on<br /> fork()) max_fds is ~0U, so all opened descriptors will be below<br /> it and we are fine, by the same reasons why the call in expand_fdtable()<br /> is safe.<br /> <br /> Unfortunately, there is a case where max_fds is less than that<br /> and where we might, indeed, end up with junk in -&gt;full_fds_bits[] -<br /> close_range(from, to, CLOSE_RANGE_UNSHARE) with<br /> * descriptor table being currently shared<br /> * &amp;#39;to&amp;#39; being above the current capacity of descriptor table<br /> * &amp;#39;from&amp;#39; being just under some chunk of opened descriptors.<br /> In that case we end up with observably wrong behaviour - e.g. spawn<br /> a child with CLONE_FILES, get all descriptors in range 0..127 open,<br /> then close_range(64, ~0U, CLOSE_RANGE_UNSHARE) and watch dup(0) ending<br /> up with descriptor #128, despite #64 being observably not open.<br /> <br /> The minimally invasive fix would be to deal with that in dup_fd().<br /> If this proves to add measurable overhead, we can go that way, but<br /> let&amp;#39;s try to fix copy_fd_bitmaps() first.<br /> <br /> * new helper: bitmap_copy_and_expand(to, from, bits_to_copy, size).<br /> * make copy_fd_bitmaps() take the bitmap size in words, rather than<br /> bits; it&amp;#39;s &amp;#39;count&amp;#39; argument is always a multiple of BITS_PER_LONG,<br /> so we are not losing any information, and that way we can use the<br /> same helper for all three bitmaps - compiler will see that count<br /> is a multiple of BITS_PER_LONG for the large ones, so it&amp;#39;ll generate<br /> plain memcpy()+memset().<br /> <br /> Reproducer added to tools/testing/selftests/core/close_range_test.c

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> s390/dasd: fix error recovery leading to data corruption on ESE devices<br /> <br /> Extent Space Efficient (ESE) or thin provisioned volumes need to be<br /> formatted on demand during usual IO processing.<br /> <br /> The dasd_ese_needs_format function checks for error codes that signal<br /> the non existence of a proper track format.<br /> <br /> The check for incorrect length is to imprecise since other error cases<br /> leading to transport of insufficient data also have this flag set.<br /> This might lead to data corruption in certain error cases for example<br /> during a storage server warmstart.<br /> <br /> Fix by removing the check for incorrect length and replacing by<br /> explicitly checking for invalid track format in transport mode.<br /> <br /> Also remove the check for file protected since this is not a valid<br /> ESE handling case.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mmc: mmc_test: Fix NULL dereference on allocation failure<br /> <br /> If the "test-&gt;highmem = alloc_pages()" allocation fails then calling<br /> __free_pages(test-&gt;highmem) will result in a NULL dereference. Also<br /> change the error code to -ENOMEM instead of returning success.