Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched/fair: Fix shift-out-of-bounds in load_balance()<br /> <br /> Syzbot reported a handful of occurrences where an sd-&gt;nr_balance_failed can<br /> grow to much higher values than one would expect.<br /> <br /> A successful load_balance() resets it to 0; a failed one increments<br /> it. Once it gets to sd-&gt;cache_nice_tries + 3, this *should* trigger an<br /> active balance, which will either set it to sd-&gt;cache_nice_tries+1 or reset<br /> it to 0. However, in case the to-be-active-balanced task is not allowed to<br /> run on env-&gt;dst_cpu, then the increment is done without any further<br /> modification.<br /> <br /> This could then be repeated ad nauseam, and would explain the absurdly high<br /> values reported by syzbot (86, 149). VincentG noted there is value in<br /> letting sd-&gt;cache_nice_tries grow, so the shift itself should be<br /> fixed. That means preventing:<br /> <br /> """<br /> If the value of the right operand is negative or is greater than or equal<br /> to the width of the promoted left operand, the behavior is undefined.<br /> """<br /> <br /> Thus we need to cap the shift exponent to<br /> BITS_PER_TYPE(typeof(lefthand)) - 1.<br /> <br /> I had a look around for other similar cases via coccinelle:<br /> <br /> @expr@<br /> position pos;<br /> expression E1;<br /> expression E2;<br /> @@<br /> (<br /> E1 &gt;&gt; E2@pos<br /> |<br /> E1 &gt;&gt; E2@pos<br /> )<br /> <br /> @cst depends on expr@<br /> position pos;<br /> expression expr.E1;<br /> constant cst;<br /> @@<br /> (<br /> E1 &gt;&gt; cst@pos<br /> |<br /> E1

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb()<br /> <br /> It is possible to call lpfc_issue_els_plogi() passing a did for which no<br /> matching ndlp is found. A call is then made to lpfc_prep_els_iocb() with a<br /> null pointer to a lpfc_nodelist structure resulting in a null pointer<br /> dereference.<br /> <br /> Fix by returning an error status if no valid ndlp is found. Fix up comments<br /> regarding ndlp reference counting.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Fix off by one in hdmi_14_process_transaction()<br /> <br /> The hdcp_i2c_offsets[] array did not have an entry for<br /> HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE so it led to an off by one<br /> read overflow. I added an entry and copied the 0x0 value for the offset<br /> from similar code in drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c.<br /> <br /> I also declared several of these arrays as having HDCP_MESSAGE_ID_MAX<br /> entries. This doesn&amp;#39;t change the code, but it&amp;#39;s just a belt and<br /> suspenders approach to try future proof the code.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: spi-zynqmp-gqspi: return -ENOMEM if dma_map_single fails<br /> <br /> The spi controller supports 44-bit address space on AXI in DMA mode,<br /> so set dma_addr_t width to 44-bit to avoid using a swiotlb mapping.<br /> In addition, if dma_map_single fails, it should return immediately<br /> instead of continuing doing the DMA operation which bases on invalid<br /> address.<br /> <br /> This fixes the following crash which occurs in reading a big block<br /> from flash:<br /> <br /> [ 123.633577] zynqmp-qspi ff0f0000.spi: swiotlb buffer is full (sz: 4194304 bytes), total 32768 (slots), used 0 (slots)<br /> [ 123.644230] zynqmp-qspi ff0f0000.spi: ERR:rxdma:memory not mapped<br /> [ 123.784625] Unable to handle kernel paging request at virtual address 00000000003fffc0<br /> [ 123.792536] Mem abort info:<br /> [ 123.795313] ESR = 0x96000145<br /> [ 123.798351] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 123.803655] SET = 0, FnV = 0<br /> [ 123.806693] EA = 0, S1PTW = 0<br /> [ 123.809818] Data abort info:<br /> [ 123.812683] ISV = 0, ISS = 0x00000145<br /> [ 123.816503] CM = 1, WnR = 1<br /> [ 123.819455] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000805047000<br /> [ 123.825887] [00000000003fffc0] pgd=0000000803b45003, p4d=0000000803b45003, pud=0000000000000000<br /> [ 123.834586] Internal error: Oops: 96000145 [#1] PREEMPT SMP

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: spi-zynqmp-gqspi: fix use-after-free in zynqmp_qspi_exec_op<br /> <br /> When handling op-&gt;addr, it is using the buffer "tmpbuf" which has been<br /> freed. This will trigger a use-after-free KASAN warning. Let&amp;#39;s use<br /> temporary variables to store op-&gt;addr.val and op-&gt;cmd.opcode to fix<br /> this issue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Drivers: hv: vmbus: Use after free in __vmbus_open()<br /> <br /> The "open_info" variable is added to the &amp;vmbus_connection.chn_msg_list,<br /> but the error handling frees "open_info" without removing it from the<br /> list. This will result in a use after free. First remove it from the<br /> list, and then free it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> memory: renesas-rpc-if: fix possible NULL pointer dereference of resource<br /> <br /> The platform_get_resource_byname() can return NULL which would be<br /> immediately dereferenced by resource_size(). Instead dereference it<br /> after validating the resource.<br /> <br /> Addresses-Coverity: Dereference null return value

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware()<br /> <br /> pm_runtime_get_sync will increment pm usage counter even it failed.<br /> Forgetting to putting operation will result in reference leak here.<br /> Fix it by replacing it with pm_runtime_resume_and_get to keep usage<br /> counter balanced.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: sa2ul - Fix memory leak of rxd<br /> <br /> There are two error return paths that are not freeing rxd and causing<br /> memory leaks. Fix these.<br /> <br /> Addresses-Coverity: ("Resource leak")

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: sun8i-ss - Fix memory leak of pad<br /> <br /> It appears there are several failure return paths that don&amp;#39;t seem<br /> to be free&amp;#39;ing pad. Fix these.<br /> <br /> Addresses-Coverity: ("Resource leak")

The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.6 via the &amp;#39;acx_csma_subscribe_ajax&amp;#39; function. This can allow authenticated attackers to extract sensitive data such as names and email addresses of subscribed visitors.

The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the &amp;#39;ajax_set_default_card&amp;#39; function. This makes it possible for unauthenticated attackers to set the default card token for a user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.