Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-26931

Publication date:
01/05/2024
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix command flush on cable pull
System crash due to command failed to flush back to SCSI layer.
The system was under memory stress where the driver was not able to allocate an SRB to carry out error recovery of cable pull. The failure to flush causes the upper layer to start modifying scsi_cmnd. When the system frees up some memory, the subsequent cable pull triggers another command flush. At this point the driver accesses a null pointer when attempting to DMA unmap the SGL.
Add a check to make sure commands are flushed back on session tear down to prevent the null pointer access.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2025

CVE-2024-26932

Publication date:
01/05/2024
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()
When unregistering pd capabilities in tcpm, KASAN will capture a double-free issue. The root cause is that the same capability will be kfreed twice: the first time it is kfreed by pd_capabilities_release() and the second time it is explicitly kfreed by tcpm_port_unregister_pd().
To fix the issue, this will remove kfree() from tcpm_port_unregister_pd().
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2025

CVE-2024-26933

Publication date:
01/05/2024
In the Linux kernel, the following vulnerability has been resolved:
USB: core: Fix deadlock in port "disable" sysfs attribute
The show and store callback routines for the "disable" sysfs attribute file in port.c acquire the device lock for the port's parent hub device. This can cause problems if another process has locked the hub to remove it or change its configuration:
Removing the hub or changing its configuration requires the hub interface to be removed, which requires the port device to be removed, and device_del() waits until all outstanding sysfs attribute callbacks for the ports have returned. The lock can't be released until then.
But the disable_show() or disable_store() routine can't return until after it has acquired the lock.
The resulting deadlock can be avoided by calling sysfs_break_active_protection(). This will cause the sysfs core not to wait for the attribute's callback routine to return, allowing the removal to proceed. The disadvantage is that after making this call, there is no guarantee that the hub structure won't be deallocated at any moment. To prevent this, we have to acquire a reference to it first by calling hub_get().
Severity CVSS v4.0: Pending analysis
Last modification:
23/05/2024

CVE-2023-52647

Publication date:
01/05/2024
In the Linux kernel, the following vulnerability has been resolved:
media: nxp: imx8-isi: Check whether crossbar pad is non-NULL before access
When translating source to sink streams in the crossbar subdev, the driver tries to locate the remote subdev connected to the sink pad. The remote pad may be NULL, if userspace tries to enable a stream that ends at an unconnected crossbar sink. When that occurs, the driver dereferences the NULL pad, leading to a crash.
Prevent the crash by checking if the pad is NULL before using it, and return an error if it is.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2025

CVE-2024-28978

Publication date:
01/05/2024
Dell OpenManage Enterprise, versions 3.10 and 4.0, contains an Improper Access Control vulnerability. A high privileged remote attacker could potentially exploit this vulnerability, leading to unauthorized access to resources.
Severity CVSS v4.0: Pending analysis
Last modification:
23/05/2024

CVE-2024-28979

Publication date:
01/05/2024
Dell OpenManage Enterprise, versions 4.1.0 and older, contains an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2024

CVE-2024-33763

Publication date:
01/05/2024
lunasvg v2.3.9 was discovered to contain a stack-buffer-underflow at lunasvg/source/layoutcontext.cpp.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2025

CVE-2024-33764

Publication date:
01/05/2024
lunasvg v2.3.9 was discovered to contain a stack-overflow at lunasvg/source/element.h.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025

CVE-2024-33766

Publication date:
01/05/2024
lunasvg v2.3.9 was discovered to contain an FPE (Floating Point Exception) at blend_transformed_tiled_argb.isra.0.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2025

CVE-2024-33767

Publication date:
01/05/2024
lunasvg v2.3.9 was discovered to contain a segmentation violation via the component composition_solid_source.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2025

CVE-2024-33768

Publication date:
01/05/2024
lunasvg v2.3.9 was discovered to contain a segmentation violation via the component composition_solid_source_over.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2025

CVE-2024-4369

Publication date:
01/05/2024
An information disclosure flaw was found in OpenShift's internal image registry operator. The AZURE_CLIENT_SECRET can be exposed through an environment variable defined in the pod definition, but is limited to Azure environments. An attacker controlling an account that has high enough permissions to obtain pod information from the openshift-image-registry namespace could use this obtained client secret to perform actions as the registry operator's Azure service account.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026