Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-26620

Publication date:
11/03/2024
In the Linux kernel, the following vulnerability has been resolved:

s390/vfio-ap: always filter entire AP matrix

The vfio_ap_mdev_filter_matrix function is called whenever a new adapter or domain is assigned to the mdev. The purpose of the function is to update the guest's AP configuration by filtering the matrix of adapters and domains assigned to the mdev. When an adapter or domain is assigned, only the APQNs associated with the APID of the new adapter or APQI of the new domain are inspected. If an APQN does not reference a queue device bound to the vfio_ap device driver, then its APID will be filtered from the mdev's matrix when updating the guest's AP configuration.

Inspecting only the APID of the new adapter or APQI of the new domain will result in passing AP queues through to a guest that are not bound to the vfio_ap device driver under certain circumstances. Consider the following:

guest's AP configuration (all also assigned to the mdev's matrix):
14.0004
14.0005
14.0006
16.0004
16.0005
16.0006

unassign domain 4
unbind queue 16.0005
assign domain 4

When domain 4 is re-assigned, since only domain 4 will be inspected, the APQNs that will be examined will be:
14.0004
16.0004

Since both of those APQNs reference queue devices that are bound to the vfio_ap device driver, nothing will get filtered from the mdev's matrix when updating the guest's AP configuration. Consequently, queue 16.0005 will get passed through despite not being bound to the driver. This violates the Linux device model requirement that a guest shall only be given access to devices bound to the device driver facilitating their pass-through.

To resolve this problem, every adapter and domain assigned to the mdev will be inspected when filtering the mdev's matrix.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2025

CVE-2024-26618

Publication date:
11/03/2024
In the Linux kernel, the following vulnerability has been resolved:

arm64/sme: Always exit sme_alloc() early with existing storage

When sme_alloc() is called with existing storage and we are not flushing we will always allocate new storage, both leaking the existing storage and corrupting the state. Fix this by separating the checks for flushing and for existing storage as we do for SVE.

Callers that reallocate (e.g., due to changing the vector length) should call sme_free() themselves.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-1290

Publication date:
11/03/2024
The User Registration WordPress plugin before 2.12 does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts.
Severity CVSS v4.0: Pending analysis
Last modification:
09/05/2025

CVE-2024-1487

Publication date:
11/03/2024
The Photos and Files Contest Gallery WordPress plugin before 21.3.1 does not sanitize and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2024-26608

Publication date:
11/03/2024
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix global oob in ksmbd_nl_policy

Similar to a reported issue (check the commit b33fb5b801c6 ("net: qualcomm: rmnet: fix global oob in rmnet_policy")), my local fuzzer finds another global out-of-bounds read for policy ksmbd_nl_policy. See bug trace below:

==================================================================
BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]
BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
Read of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810

CPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G N 6.1.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x172/0x475 mm/kasan/report.c:395
kasan_report+0xbb/0x1c0 mm/kasan/report.c:495
validate_nla lib/nlattr.c:386 [inline]
__nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
__nla_parse+0x3e/0x50 lib/nlattr.c:697
__nlmsg_parse include/net/netlink.h:748 [inline]
genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565
genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734
genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]
genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850
netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540
genl_rcv+0x24/0x40 net/netlink/genetlink.c:861
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0x154/0x190 net/socket.c:734
____sys_sendmsg+0x6df/0x840 net/socket.c:2482
___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
__sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the variable:
ksmbd_nl_policy+0x100/0xa80
==================================================================

To fix it, add a placeholder named __KSMBD_EVENT_MAX and let KSMBD_EVENT_MAX be its original value - 1 according to what other netlink families do. Also change two sites that refer to KSMBD_EVENT_MAX to the correct value.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2025

CVE-2023-52494

Publication date:
11/03/2024
In the Linux kernel, the following vulnerability has been resolved:

bus: mhi: host: Add alignment check for event ring read pointer

Though we do check the event ring read pointer by "is_valid_ring_ptr" to make sure it is in the buffer range, there is another risk that the pointer may not be aligned. Since we expect event ring elements to be 128 bits (struct mhi_ring_element) aligned, an unaligned read pointer could lead to multiple issues like DoS or ring buffer memory corruption.

So add an alignment check for event ring read pointer.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2025

CVE-2023-52495

Publication date:
11/03/2024
In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: pmic_glink_altmode: fix port sanity check

The PMIC GLINK altmode driver currently supports at most two ports.

Fix the incomplete port sanity check on notifications to avoid accessing and corrupting memory beyond the port array if we ever get a notification for an unsupported port.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2025

CVE-2023-52498

Publication date:
11/03/2024
In the Linux kernel, the following vulnerability has been resolved:

PM: sleep: Fix possible deadlocks in core system-wide PM code

It is reported that in low-memory situations the system-wide resume core code deadlocks, because async_schedule_dev() executes its argument function synchronously if it cannot allocate memory (and not only in that case) and that function attempts to acquire a mutex that is already held. Executing the argument function synchronously from within dpm_async_fn() may also be problematic for ordering reasons (it may cause a consumer device's resume callback to be invoked before a requisite supplier device's one, for example).

Address this by changing the code in question to use async_schedule_dev_nocall() for scheduling the asynchronous execution of device suspend and resume functions and to directly run them synchronously if async_schedule_dev_nocall() returns false.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2024

CVE-2023-6444

Publication date:
11/03/2024
The Seriously Simple Podcasting WordPress plugin before 3.0.0 discloses the Podcast owner's email address (which by default is the admin email address) via an unauthenticated crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2025

CVE-2023-7247

Publication date:
11/03/2024
The Login as User or Customer WordPress plugin through 3.8 does not prevent users from logging in as any other user on the site.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2025

CVE-2024-0559

Publication date:
11/03/2024
The Enhanced Text Widget WordPress plugin before 1.6.6 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2024-0561

Publication date:
11/03/2024
The Ultimate Posts Widget WordPress plugin before 2.3.1 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2025