Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are available: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-35340

Publication date:
24/05/2024
Tenda FH1206 V1.2.0.8(8155) was discovered to contain a command injection vulnerability via the cmdinput parameter at ip/goform/formexeCommand.
Severity CVSS v4.0: Pending analysis
Last modification:
09/04/2025

CVE-2024-35618

Publication date:
24/05/2024
PingCAP TiDB v7.5.1 was discovered to contain a NULL pointer dereference via the component SortedRowContainer.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2025

CVE-2024-31510

Publication date:
24/05/2024
An issue in Open Quantum Safe liboqs v.10.0 allows a remote attacker to escalate privileges via the crypto_sign_signature parameter in the /pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.c component.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2025

CVE-2024-33470

Publication date:
24/05/2024
An issue in the SMTP Email Settings of AVTECH Room Alert 4E v4.4.0 allows attackers to gain access to credentials in plaintext via a passback attack. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-22588

Publication date:
24/05/2024
Kwik commit 745fd4e2 does not discard unused encryption keys.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2021-47568

Publication date:
24/05/2024
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix memleak in get_file_stream_info()
Fix memleak in get_file_stream_info()
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2025

CVE-2021-47569

Publication date:
24/05/2024
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fail cancellation for EXITING tasks
We need original task's context to do cancellations, so if it's dying and the callback is executed in a fallback mode, fail the cancellation attempt.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2025

CVE-2021-47570

Publication date:
24/05/2024
In the Linux kernel, the following vulnerability has been resolved:
staging: r8188eu: fix a memory leak in rtw_wx_read32()
Free "ptmp" before returning -EINVAL.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2024

CVE-2021-47571

Publication date:
24/05/2024
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()
The free_rtllib() function frees the "dev" pointer so there is use after free on the next line. Re-arrange things to avoid that.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2024

CVE-2021-47572

Publication date:
24/05/2024
In the Linux kernel, the following vulnerability has been resolved:
net: nexthop: fix null pointer dereference when IPv6 is not enabled
When we try to add an IPv6 nexthop and IPv6 is not enabled (!CONFIG_IPV6) we'll hit a NULL pointer dereference[1] in the error path of nh_create_ipv6() due to calling ipv6_stub->fib6_nh_release. The bug has been present since the beginning of IPv6 nexthop gateway support. Commit 1aefd3de7bc6 ("ipv6: Add fib6_nh_init and release to stubs") tells us that only fib6_nh_init has a dummy stub because fib6_nh_release should not be called if fib6_nh_init returns an error, but the commit below added a call to ipv6_stub->fib6_nh_release in its error path. To fix it return the dummy stub's -EAFNOSUPPORT error directly without calling ipv6_stub->fib6_nh_release in nh_create_ipv6()'s error path.
[1] Output is a bit truncated, but it clearly shows the error.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2024

CVE-2021-47563

Publication date:
24/05/2024
In the Linux kernel, the following vulnerability has been resolved:
ice: avoid bpf_prog refcount underflow
Ice driver has the routines for managing XDP resources that are shared between ndo_bpf op and VSI rebuild flow. The latter takes place for example when user changes queue count on an interface via ethtool's set_channels().
There is an issue around the bpf_prog refcounting when VSI is being rebuilt - since ice_prepare_xdp_rings() is called with vsi->xdp_prog as an argument that is used later on by ice_vsi_assign_bpf_prog(), same bpf_prog pointers are swapped with each other. Then it is also interpreted as an 'old_prog' which in turn causes us to call bpf_prog_put on it that will decrement its refcount.
Below splat can be interpreted in a way that due to zero refcount of a bpf_prog it is wiped out from the system while kernel still tries to refer to it:
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2025

CVE-2021-47564

Publication date:
24/05/2024
In the Linux kernel, the following vulnerability has been resolved:
net: marvell: prestera: fix double free issue on err path
fix error path handling in prestera_bridge_port_join() that causes prestera driver to crash (see below).
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2025