Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: fix a potential double-free in fs_any_create_groups<br /> <br /> When kcalloc() for ft-&gt;g succeeds but kvzalloc() for in fails,<br /> fs_any_create_groups() will free ft-&gt;g. However, its caller<br /> fs_any_create_table() will free ft-&gt;g again through calling<br /> mlx5e_destroy_flow_table(), which will lead to a double-free.<br /> Fix this by setting ft-&gt;g to NULL in fs_any_create_groups().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: zoned: fix lock ordering in btrfs_zone_activate()<br /> <br /> The btrfs CI reported a lockdep warning as follows by running generic<br /> generic/129.<br /> <br /> WARNING: possible circular locking dependency detected<br /> 6.7.0-rc5+ #1 Not tainted<br /> ------------------------------------------------------<br /> kworker/u5:5/793427 is trying to acquire lock:<br /> ffff88813256d028 (&amp;cache-&gt;lock){+.+.}-{2:2}, at: btrfs_zone_finish_one_bg+0x5e/0x130<br /> but task is already holding lock:<br /> ffff88810a23a318 (&amp;fs_info-&gt;zone_active_bgs_lock){+.+.}-{2:2}, at: btrfs_zone_finish_one_bg+0x34/0x130<br /> which lock already depends on the new lock.<br /> <br /> the existing dependency chain (in reverse order) is:<br /> -&gt; #1 (&amp;fs_info-&gt;zone_active_bgs_lock){+.+.}-{2:2}:<br /> ...<br /> -&gt; #0 (&amp;cache-&gt;lock){+.+.}-{2:2}:<br /> ...<br /> <br /> This is because we take fs_info-&gt;zone_active_bgs_lock after a block_group&amp;#39;s<br /> lock in btrfs_zone_activate() while doing the opposite in other places.<br /> <br /> Fix the issue by expanding the fs_info-&gt;zone_active_bgs_lock&amp;#39;s critical<br /> section and taking it before a block_group&amp;#39;s lock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: s390/aes - Fix buffer overread in CTR mode<br /> <br /> When processing the last block, the s390 ctr code will always read<br /> a whole block, even if there isn&amp;#39;t a whole block of data left. Fix<br /> this by using the actual length left and copy it into a buffer first<br /> for processing.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/tegra: rgb: Fix missing clk_put() in the error handling paths of tegra_dc_rgb_probe()<br /> <br /> If clk_get_sys(..., "pll_d2_out0") fails, the clk_get_sys() call must be<br /> undone.<br /> <br /> Add the missing clk_put and a new &amp;#39;put_pll_d_out0&amp;#39; label in the error<br /> handling path, and use it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/vmwgfx: fix a memleak in vmw_gmrid_man_get_node<br /> <br /> When ida_alloc_max fails, resources allocated before should be freed,<br /> including *res allocated by kmalloc and ttm_resource_init.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: SOF: amd: Fix memory leak in amd_sof_acp_probe()<br /> <br /> Driver uses kasprintf() to initialize fw_{code,data}_bin members of<br /> struct acp_dev_data, but kfree() is never called to deallocate the<br /> memory, which results in a memory leak.<br /> <br /> Fix the issue by switching to devm_kasprintf(). Additionally, ensure the<br /> allocation was successful by checking the pointer validity.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: atlantic: eliminate double free in error handling logic<br /> <br /> Driver has a logic leak in ring data allocation/free,<br /> where aq_ring_free could be called multiple times on same ring,<br /> if system is under stress and got memory allocation error.<br /> <br /> Ring pointer was used as an indicator of failure, but this is<br /> not correct since only ring data is allocated/deallocated.<br /> Ring itself is an array member.<br /> <br /> Changing ring allocation functions to return error code directly.<br /> This simplifies error handling and eliminates aq_ring_free<br /> on higher layer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> debugfs: fix wait/cancellation handling during remove<br /> <br /> Ben Greear further reports deadlocks during concurrent debugfs<br /> remove while files are being accessed, even though the code in<br /> question now uses debugfs cancellations. Turns out that despite<br /> all the review on the locking, we missed completely that the<br /> logic is wrong: if the refcount hits zero we can finish (and<br /> need not wait for the completion), but if it doesn&amp;#39;t we have<br /> to trigger all the cancellations. As written, we can _never_<br /> get into the loop triggering the cancellations. Fix this, and<br /> explain it better while at it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm-raid: really frozen sync_thread during suspend<br /> <br /> 1) commit f52f5c71f3d4 ("md: fix stopping sync thread") remove<br /> MD_RECOVERY_FROZEN from __md_stop_writes() and doesn&amp;#39;t realize that<br /> dm-raid relies on __md_stop_writes() to frozen sync_thread<br /> indirectly. Fix this problem by adding MD_RECOVERY_FROZEN in<br /> md_stop_writes(), and since stop_sync_thread() is only used for<br /> dm-raid in this case, also move stop_sync_thread() to<br /> md_stop_writes().<br /> 2) The flag MD_RECOVERY_FROZEN doesn&amp;#39;t mean that sync thread is frozen,<br /> it only prevent new sync_thread to start, and it can&amp;#39;t stop the<br /> running sync thread; In order to frozen sync_thread, after seting the<br /> flag, stop_sync_thread() should be used.<br /> 3) The flag MD_RECOVERY_FROZEN doesn&amp;#39;t mean that writes are stopped, use<br /> it as condition for md_stop_writes() in raid_postsuspend() doesn&amp;#39;t<br /> look correct. Consider that reentrant stop_sync_thread() do nothing,<br /> always call md_stop_writes() in raid_postsuspend().<br /> 4) raid_message can set/clear the flag MD_RECOVERY_FROZEN at anytime,<br /> and if MD_RECOVERY_FROZEN is cleared while the array is suspended,<br /> new sync_thread can start unexpected. Fix this by disallow<br /> raid_message() to change sync_thread status during suspend.<br /> <br /> Note that after commit f52f5c71f3d4 ("md: fix stopping sync thread"), the<br /> test shell/lvconvert-raid-reshape.sh start to hang in stop_sync_thread(),<br /> and with previous fixes, the test won&amp;#39;t hang there anymore, however, the<br /> test will still fail and complain that ext4 is corrupted. And with this<br /> patch, the test won&amp;#39;t hang due to stop_sync_thread() or fail due to ext4<br /> is corrupted anymore. However, there is still a deadlock related to<br /> dm-raid456 that will be fixed in following patches.

A vulnerability was found in SourceCodester Online Birth Certificate Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin. The manipulation leads to files or directories accessible. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-264742 is the identifier assigned to this vulnerability.

A vulnerability was found in SourceCodester Online Examination System 1.0. It has been rated as critical. This issue affects some unknown processing of the file registeracc.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-264743.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: rk3288 - Fix use after free in unprepare<br /> <br /> The unprepare call must be carried out before the finalize call<br /> as the latter can free the request.