Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range<br /> <br /> When running an SVA case, the following soft lockup is triggered:<br /> --------------------------------------------------------------------<br /> watchdog: BUG: soft lockup - CPU#244 stuck for 26s!<br /> pstate: 83400009 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)<br /> pc : arm_smmu_cmdq_issue_cmdlist+0x178/0xa50<br /> lr : arm_smmu_cmdq_issue_cmdlist+0x150/0xa50<br /> sp : ffff8000d83ef290<br /> x29: ffff8000d83ef290 x28: 000000003b9aca00 x27: 0000000000000000<br /> x26: ffff8000d83ef3c0 x25: da86c0812194a0e8 x24: 0000000000000000<br /> x23: 0000000000000040 x22: ffff8000d83ef340 x21: ffff0000c63980c0<br /> x20: 0000000000000001 x19: ffff0000c6398080 x18: 0000000000000000<br /> x17: 0000000000000000 x16: 0000000000000000 x15: ffff3000b4a3bbb0<br /> x14: ffff3000b4a30888 x13: ffff3000b4a3cf60 x12: 0000000000000000<br /> x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc08120e4d6bc<br /> x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000048cfa<br /> x5 : 0000000000000000 x4 : 0000000000000001 x3 : 000000000000000a<br /> x2 : 0000000080000000 x1 : 0000000000000000 x0 : 0000000000000001<br /> Call trace:<br /> arm_smmu_cmdq_issue_cmdlist+0x178/0xa50<br /> __arm_smmu_tlb_inv_range+0x118/0x254<br /> arm_smmu_tlb_inv_range_asid+0x6c/0x130<br /> arm_smmu_mm_invalidate_range+0xa0/0xa4<br /> __mmu_notifier_invalidate_range_end+0x88/0x120<br /> unmap_vmas+0x194/0x1e0<br /> unmap_region+0xb4/0x144<br /> do_mas_align_munmap+0x290/0x490<br /> do_mas_munmap+0xbc/0x124<br /> __vm_munmap+0xa8/0x19c<br /> __arm64_sys_munmap+0x28/0x50<br /> invoke_syscall+0x78/0x11c<br /> el0_svc_common.constprop.0+0x58/0x1c0<br /> do_el0_svc+0x34/0x60<br /> el0_svc+0x2c/0xd4<br /> el0t_64_sync_handler+0x114/0x140<br /> el0t_64_sync+0x1a4/0x1a8<br /> --------------------------------------------------------------------<br /> <br /> Note that since 6.6-rc1 the arm_smmu_mm_invalidate_range above is renamed<br /> to "arm_smmu_mm_arch_invalidate_secondary_tlbs", yet the problem remains.<br /> <br /> The commit 06ff87bae8d3 ("arm64: mm: remove unused functions and variable<br /> protoypes") fixed a similar lockup on the CPU MMU side. Yet, it can occur<br /> to SMMU too, since arm_smmu_mm_arch_invalidate_secondary_tlbs() is called<br /> typically next to MMU tlb flush function, e.g.<br /> tlb_flush_mmu_tlbonly {<br /> tlb_flush {<br /> __flush_tlb_range {<br /> // check MAX_TLBI_OPS<br /> }<br /> }<br /> mmu_notifier_arch_invalidate_secondary_tlbs {<br /> arm_smmu_mm_arch_invalidate_secondary_tlbs {<br /> // does not check MAX_TLBI_OPS<br /> }<br /> }<br /> }<br /> <br /> Clone a CMDQ_MAX_TLBI_OPS from the MAX_TLBI_OPS in tlbflush.h, since in an<br /> SVA case SMMU uses the CPU page table, so it makes sense to align with the<br /> tlbflush code. Then, replace per-page TLBI commands with a single per-asid<br /> TLBI command, if the request size hits this threshold.

Unrestricted Upload of File with Dangerous Type vulnerability in Mollie Mollie Payments for WooCommerce.This issue affects Mollie Payments for WooCommerce: from n/a through 7.3.11.<br /> <br />

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Jordy Meow Media Alt Renamer allows Stored XSS.This issue affects Media Alt Renamer: from n/a through 0.0.1.<br /> <br />

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in José Fernandez Adsmonetizer allows Reflected XSS.This issue affects Adsmonetizer: from n/a through 3.1.2.<br /> <br />

The Restaurant Solutions – Checklist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Checklist points in version 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/srso: Add SRSO mitigation for Hygon processors<br /> <br /> Add mitigation for the speculative return stack overflow vulnerability<br /> which exists on Hygon processors too.

The Marketing Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20200925. This is due to missing or incorrect nonce validation via the admin/main-settings-page.php file. This makes it possible for unauthenticated attackers to update the plugin&amp;#39;s settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Honeywell MPA2 Access Panel (Web server modules) allows XSS Using Invalid Characters.This issue affects MPA2 Access Panel all version prior to R1.00.08.05. <br /> <br /> Honeywell released firmware update package MPA2 firmware R1.00.08.05 which addresses this vulnerability. This version and all later versions<br /> correct the reported vulnerability.<br /> <br />

Missing Authorization vulnerability in Perfmatters.This issue affects Perfmatters: from n/a through 2.1.6.<br /> <br />

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Melapress WP Activity Log allows Stored XSS.This issue affects WP Activity Log: from n/a through 4.6.1.<br /> <br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: powermate - fix use-after-free in powermate_config_complete<br /> <br /> syzbot has found a use-after-free bug [1] in the powermate driver. This<br /> happens when the device is disconnected, which leads to a memory free from<br /> the powermate_device struct. When an asynchronous control message<br /> completes after the kfree and its callback is invoked, the lock does not<br /> exist anymore and hence the bug.<br /> <br /> Use usb_kill_urb() on pm-&gt;config to cancel any in-progress requests upon<br /> device disconnection.<br /> <br /> [1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: hub: Guard against accesses to uninitialized BOS descriptors<br /> <br /> Many functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h<br /> access fields inside udev-&gt;bos without checking if it was allocated and<br /> initialized. If usb_get_bos_descriptor() fails for whatever<br /> reason, udev-&gt;bos will be NULL and those accesses will result in a<br /> crash:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000018<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <br /> Hardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021<br /> Workqueue: usb_hub_wq hub_event<br /> RIP: 0010:hub_port_reset+0x193/0x788<br /> Code: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9<br /> RSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246<br /> RAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310<br /> RDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840<br /> RBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060<br /> R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000<br /> R13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000<br /> FS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0<br /> Call Trace:<br /> hub_event+0x73f/0x156e<br /> ? hub_activate+0x5b7/0x68f<br /> process_one_work+0x1a2/0x487<br /> worker_thread+0x11a/0x288<br /> kthread+0x13a/0x152<br /> ? process_one_work+0x487/0x487<br /> ? kthread_associate_blkcg+0x70/0x70<br /> ret_from_fork+0x1f/0x30<br /> <br /> Fall back to a default behavior if the BOS descriptor isn&amp;#39;t accessible<br /> and skip all the functionalities that depend on it: LPM support checks,<br /> Super Speed capabilitiy checks, U1/U2 states setup.