Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> af_unix: Fix task hung while purging oob_skb in GC.<br /> <br /> syzbot reported a task hung; at the same time, GC was looping infinitely<br /> in list_for_each_entry_safe() for OOB skb. [0]<br /> <br /> syzbot demonstrated that the list_for_each_entry_safe() was not actually<br /> safe in this case.<br /> <br /> A single skb could have references for multiple sockets. If we free such<br /> a skb in the list_for_each_entry_safe(), the current and next sockets could<br /> be unlinked in a single iteration.<br /> <br /> unix_notinflight() uses list_del_init() to unlink the socket, so the<br /> prefetched next socket forms a loop itself and list_for_each_entry_safe()<br /> never stops.<br /> <br /> Here, we must use while() and make sure we always fetch the first socket.<br /> <br /> [0]:<br /> Sending NMI from CPU 0 to CPUs 1:<br /> NMI backtrace for cpu 1<br /> CPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024<br /> RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]<br /> RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]<br /> RIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207<br /> Code: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74<br /> RSP: 0018:ffffc900033efa58 EFLAGS: 00000283<br /> RAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189<br /> RDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70<br /> RBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c<br /> R10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800<br /> R13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001<br /> FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> <br /> <br /> unix_gc+0x563/0x13b0 net/unix/garbage.c:319<br /> unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683<br /> unix_release+0x91/0xf0 net/unix/af_unix.c:1064<br /> __sock_release+0xb0/0x270 net/socket.c:659<br /> sock_close+0x1c/0x30 net/socket.c:1421<br /> __fput+0x270/0xb80 fs/file_table.c:376<br /> task_work_run+0x14f/0x250 kernel/task_work.c:180<br /> exit_task_work include/linux/task_work.h:38 [inline]<br /> do_exit+0xa8a/0x2ad0 kernel/exit.c:871<br /> do_group_exit+0xd4/0x2a0 kernel/exit.c:1020<br /> __do_sys_exit_group kernel/exit.c:1031 [inline]<br /> __se_sys_exit_group kernel/exit.c:1029 [inline]<br /> __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x6f/0x77<br /> RIP: 0033:0x7f9d6cbdac09<br /> Code: Unable to access opcode bytes at 0x7f9d6cbdabdf.<br /> RSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7<br /> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09<br /> RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000<br /> RBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006<br /> R10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0<br /> R13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: fix possible deadlock in subflow diag<br /> <br /> Syzbot and Eric reported a lockdep splat in the subflow diag:<br /> <br /> WARNING: possible circular locking dependency detected<br /> 6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted<br /> <br /> syz-executor.2/24141 is trying to acquire lock:<br /> ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:<br /> tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]<br /> ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:<br /> tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137<br /> <br /> but task is already holding lock:<br /> ffffc9000135e488 (&amp;h-&gt;lhash2[i].lock){+.+.}-{2:2}, at: spin_lock<br /> include/linux/spinlock.h:351 [inline]<br /> ffffc9000135e488 (&amp;h-&gt;lhash2[i].lock){+.+.}-{2:2}, at:<br /> inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038<br /> <br /> which lock already depends on the new lock.<br /> <br /> the existing dependency chain (in reverse order) is:<br /> <br /> -&gt; #1 (&amp;h-&gt;lhash2[i].lock){+.+.}-{2:2}:<br /> lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754<br /> __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]<br /> _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154<br /> spin_lock include/linux/spinlock.h:351 [inline]<br /> __inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743<br /> inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261<br /> __inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217<br /> inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239<br /> rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316<br /> rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577<br /> ops_init+0x352/0x610 net/core/net_namespace.c:136<br /> __register_pernet_operations net/core/net_namespace.c:1214 [inline]<br /> register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283<br /> register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370<br /> rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735<br /> do_one_initcall+0x238/0x830 init/main.c:1236<br /> do_initcall_level+0x157/0x210 init/main.c:1298<br /> do_initcalls+0x3f/0x80 init/main.c:1314<br /> kernel_init_freeable+0x42f/0x5d0 init/main.c:1551<br /> kernel_init+0x1d/0x2a0 init/main.c:1441<br /> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242<br /> <br /> -&gt; #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:<br /> check_prev_add kernel/locking/lockdep.c:3134 [inline]<br /> check_prevs_add kernel/locking/lockdep.c:3253 [inline]<br /> validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869<br /> __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137<br /> lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754<br /> lock_sock_fast include/net/sock.h:1723 [inline]<br /> subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28<br /> tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]<br /> tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137<br /> inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345<br /> inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061<br /> __inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263<br /> inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371<br /> netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264<br /> __netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370<br /> netlink_dump_start include/linux/netlink.h:338 [inline]<br /> inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405<br /> sock_diag_rcv_msg+0xe7/0x410<br /> netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543<br /> sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]<br /> netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367<br /> netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg+0x221/0x270 net/socket.c:745<br /> ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584<br /> ___sys_sendmsg net/socket.c:2638 [inline]<br /> __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667<br /> do_syscall_64+0xf9/0x240<br /> entry_SYSCALL_64_after_hwframe+0x6f/0x77<br /> <br /> As noted by Eric we can break the lock dependency chain avoid<br /> dumping <br /> ---truncated---

Incorrect Access Control in ITB-GmbH TradePro v9.5, allows remote attackers to receive all orders from the online shop via oordershow component in customer function.

A problem has been identified in the CloudStack additional VM configuration (extraconfig) feature which can be misused by anyone who has privilege to deploy a VM instance or configure settings of an already deployed VM instance, to configure additional VM configuration even when the feature is not explicitly enabled by the administrator. In a KVM based CloudStack environment, an attacker can exploit this issue to attach host devices such as storage disks, and PCI and USB devices such as network adapters and GPUs, in a regular VM instance that can be further exploited to gain access to the underlying network and storage infrastructure resources, and access any VM instance disks on the local storage.<br /> <br /> Users are advised to upgrade to version 4.18.1.1 or 4.19.0.1, which fixes this issue.<br /> <br />

An issue was discovered in SeaCMS version 12.9, allows remote attackers to execute arbitrary code via admin notify.php.

Cross Site Scripting (XSS) vulnerability in ZoneMinder before version 1.34.21, allows remote attackers execute arbitrary code, escalate privileges, and obtain sensitive information via PHP_SELF component in classic/views/download.php.

By default the CloudStack management server honours the x-forwarded-for HTTP header and logs it as the source IP of an API request. This could lead to authentication bypass and other operational problems should an attacker decide to spoof their IP address this way. Users are recommended to upgrade to CloudStack version 4.18.1.1 or 4.19.0.1, which fixes this issue.<br /> <br />

The CloudStack management server and secondary storage VM could be tricked into making requests to restricted or random resources by means of following 301 HTTP redirects presented by external servers when downloading templates or ISOs. Users are recommended to upgrade to version 4.18.1.1 or 4.19.0.1, which fixes this issue.<br /> <br />

Cross Site Scripting (XSS) vulnerability in Advanced REST Client v.17.0.9 allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted script to the edit details parameter of the New Project function.

An HTML injection vulnerability exists in the MT Safeline X-Ray X3310 webserver version NXG 19.05 that enables a remote attacker to render malicious HTML and obtain sensitive information in a victim&amp;#39;s browser.

CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, Custom Triangle Name (inside Input Triangles) and Yield Curve Name parameters.

A reflected cross-site scripting (XSS) vulnerability exists in the MT Safeline X-Ray X3310 webserver version NXG 19.05 that enables a remote attacker to execute JavaScript code and obtain sensitive information in a victim&amp;#39;s browser.