Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix potential UAF in cifs_stats_proc_show()<br /> <br /> Skip sessions that are being teared down (status == SES_EXITING) to<br /> avoid UAF.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/mm/pat: fix VM_PAT handling in COW mappings<br /> <br /> PAT handling won&amp;#39;t do the right thing in COW mappings: the first PTE (or,<br /> in fact, all PTEs) can be replaced during write faults to point at anon<br /> folios. Reliably recovering the correct PFN and cachemode using<br /> follow_phys() from PTEs will not work in COW mappings.<br /> <br /> Using follow_phys(), we might just get the address+protection of the anon<br /> folio (which is very wrong), or fail on swap/nonswap entries, failing<br /> follow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and<br /> track_pfn_copy(), not properly calling free_pfn_range().<br /> <br /> In free_pfn_range(), we either wouldn&amp;#39;t call memtype_free() or would call<br /> it with the wrong range, possibly leaking memory.<br /> <br /> To fix that, let&amp;#39;s update follow_phys() to refuse returning anon folios,<br /> and fallback to using the stored PFN inside vma-&gt;vm_pgoff for COW mappings<br /> if we run into that.<br /> <br /> We will now properly handle untrack_pfn() with COW mappings, where we<br /> don&amp;#39;t need the cachemode. We&amp;#39;ll have to fail fork()-&gt;track_pfn_copy() if<br /> the first page was replaced by an anon folio, though: we&amp;#39;d have to store<br /> the cachemode in the VMA to make this work, likely growing the VMA size.<br /> <br /> For now, lets keep it simple and let track_pfn_copy() just fail in that<br /> case: it would have failed in the past with swap/nonswap entries already,<br /> and it would have done the wrong thing with anon folios.<br /> <br /> Simple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():<br /> <br /> <br /> #include <br /> #include <br /> #include <br /> #include <br /> <br /> int main(void)<br /> {<br /> struct io_uring_params p = {};<br /> int ring_fd;<br /> size_t size;<br /> char *map;<br /> <br /> ring_fd = io_uring_setup(1, &amp;p);<br /> if (ring_fd

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: process: Fix kernel gp leakage<br /> <br /> childregs represents the registers which are active for the new thread<br /> in user context. For a kernel thread, childregs-&gt;gp is never used since<br /> the kernel gp is not touched by switch_to. For a user mode helper, the<br /> gp value can be observed in user space after execve or possibly by other<br /> means.<br /> <br /> [From the email thread]<br /> <br /> The /* Kernel thread */ comment is somewhat inaccurate in that it is also used<br /> for user_mode_helper threads, which exec a user process, e.g. /sbin/init or<br /> when /proc/sys/kernel/core_pattern is a pipe. Such threads do not have<br /> PF_KTHREAD set and are valid targets for ptrace etc. even before they exec.<br /> <br /> childregs is the *user* context during syscall execution and it is observable<br /> from userspace in at least five ways:<br /> <br /> 1. kernel_execve does not currently clear integer registers, so the starting<br /> register state for PID 1 and other user processes started by the kernel has<br /> sp = user stack, gp = kernel __global_pointer$, all other integer registers<br /> zeroed by the memset in the patch comment.<br /> <br /> This is a bug in its own right, but I&amp;#39;m unwilling to bet that it is the only<br /> way to exploit the issue addressed by this patch.<br /> <br /> 2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread<br /> before it execs, but ptrace requires SIGSTOP to be delivered which can only<br /> happen at user/kernel boundaries.<br /> <br /> 3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for<br /> user_mode_helpers before the exec completes, but gp is not one of the<br /> registers it returns.<br /> <br /> 4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel<br /> addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses<br /> are also exposed via PERF_SAMPLE_REGS_USER which is permitted under<br /> LOCKDOWN_PERF. I have not attempted to write exploit code.<br /> <br /> 5. Much of the tracing infrastructure allows access to user registers. I have<br /> not attempted to determine which forms of tracing allow access to user<br /> registers without already allowing access to kernel registers.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix UAF in smb2_reconnect_server()<br /> <br /> The UAF bug is due to smb2_reconnect_server() accessing a session that<br /> is already being teared down by another thread that is executing<br /> __cifs_put_smb_ses(). This can happen when (a) the client has<br /> connection to the server but no session or (b) another thread ends up<br /> setting @ses-&gt;ses_status again to something different than<br /> SES_EXITING.<br /> <br /> To fix this, we need to make sure to unconditionally set<br /> @ses-&gt;ses_status to SES_EXITING and prevent any other threads from<br /> setting a new status while we&amp;#39;re still tearing it down.<br /> <br /> The following can be reproduced by adding some delay to right after<br /> the ipc is freed in __cifs_put_smb_ses() - which will give<br /> smb2_reconnect_server() worker a chance to run and then accessing<br /> @ses-&gt;ipc:<br /> <br /> kinit ...<br /> mount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10<br /> [disconnect srv]<br /> ls /mnt/1 &amp;&gt;/dev/null<br /> sleep 30<br /> kdestroy<br /> [reconnect srv]<br /> sleep 10<br /> umount /mnt/1<br /> ...<br /> CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed<br /> CIFS: VFS: \\srv Send error in SessSetup = -126<br /> CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed<br /> CIFS: VFS: \\srv Send error in SessSetup = -126<br /> general protection fault, probably for non-canonical address<br /> 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39<br /> 04/01/2014<br /> Workqueue: cifsiod smb2_reconnect_server [cifs]<br /> RIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0<br /> Code: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad<br /> de 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 8b 01 48 39 f8 75<br /> 7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8<br /> RSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83<br /> RAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b<br /> RDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800<br /> RBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000<br /> R13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000<br /> FS: 0000000000000000(0000) GS:ffff888157c00000(0000)<br /> knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? die_addr+0x36/0x90<br /> ? exc_general_protection+0x1c1/0x3f0<br /> ? asm_exc_general_protection+0x26/0x30<br /> ? __list_del_entry_valid_or_report+0x33/0xf0<br /> __cifs_put_smb_ses+0x1ae/0x500 [cifs]<br /> smb2_reconnect_server+0x4ed/0x710 [cifs]<br /> process_one_work+0x205/0x6b0<br /> worker_thread+0x191/0x360<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0xe2/0x110<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x34/0x50<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: guarantee refcounted children from parent session<br /> <br /> Avoid potential use-after-free bugs when walking DFS referrals,<br /> mounting and performing DFS failover by ensuring that all children<br /> from parent @tcon-&gt;ses are also refcounted. They&amp;#39;re all needed across<br /> the entire DFS mount. Get rid of @tcon-&gt;dfs_ses_list while we&amp;#39;re at<br /> it, too.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix potential UAF in cifs_dump_full_key()<br /> <br /> Skip sessions that are being teared down (status == SES_EXITING) to<br /> avoid UAF.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: support deferring bpf_link dealloc to after RCU grace period<br /> <br /> BPF link for some program types is passed as a "context" which can be<br /> used by those BPF programs to look up additional information. E.g., for<br /> multi-kprobes and multi-uprobes, link is used to fetch BPF cookie values.<br /> <br /> Because of this runtime dependency, when bpf_link refcnt drops to zero<br /> there could still be active BPF programs running accessing link data.<br /> <br /> This patch adds generic support to defer bpf_link dealloc callback to<br /> after RCU GP, if requested. This is done by exposing two different<br /> deallocation callbacks, one synchronous and one deferred. If deferred<br /> one is provided, bpf_link_free() will schedule dealloc_deferred()<br /> callback to happen after RCU GP.<br /> <br /> BPF is using two flavors of RCU: "classic" non-sleepable one and RCU<br /> tasks trace one. The latter is used when sleepable BPF programs are<br /> used. bpf_link_free() accommodates that by checking underlying BPF<br /> program&amp;#39;s sleepable flag, and goes either through normal RCU GP only for<br /> non-sleepable, or through RCU tasks trace GP *and* then normal RCU GP<br /> (taking into account rcu_trace_implies_rcu_gp() optimization), if BPF<br /> program is sleepable.<br /> <br /> We use this for multi-kprobe and multi-uprobe links, which dereference<br /> link during program run. We also preventively switch raw_tp link to use<br /> deferred dealloc callback, as upcoming changes in bpf-next tree expose<br /> raw_tp link data (specifically, cookie value) to BPF program at runtime<br /> as well.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()<br /> <br /> Skip sessions that are being teared down (status == SES_EXITING) to<br /> avoid UAF.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix potential UAF in smb2_is_network_name_deleted()<br /> <br /> Skip sessions that are being teared down (status == SES_EXITING) to<br /> avoid UAF.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix potential UAF in is_valid_oplock_break()<br /> <br /> Skip sessions that are being teared down (status == SES_EXITING) to<br /> avoid UAF.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix potential UAF in smb2_is_valid_lease_break()<br /> <br /> Skip sessions that are being teared down (status == SES_EXITING) to<br /> avoid UAF.

A vulnerability was found in SourceCodester Simple Inventory System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file updateprice.php. The manipulation of the argument ITEM leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-265082 is the identifier assigned to this vulnerability.