Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting different criteria, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-52634

Publication date:
02/04/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix disable_otg_wa logic

[Why]
When switching to another HDMI mode, we are unnecessarily disabling/enabling FIFO causing both HPO and DIG registers to be set at the same time when only HPO is supposed to be set.

This can lead to a system hang the next time we change refresh rates as there are cases when we don't disable OTG/FIFO but FIFO is enabled when it isn't supposed to be.

[How]
Removing the enable/disable FIFO entirely.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2023-52635

Publication date:
02/04/2024
In the Linux kernel, the following vulnerability has been resolved:

PM / devfreq: Synchronize devfreq_monitor_[start/stop]

There is a chance if a frequent switch of the governor done in a loop result in timer list corruption where timer cancel being done from two place one from cancel_delayed_work_sync() and followed by expire_timers() can be seen from the traces[1].

while true
do
echo "simple_ondemand" > /sys/class/devfreq/1d84000.ufshc/governor
echo "performance" > /sys/class/devfreq/1d84000.ufshc/governor
done

It looks to be issue with devfreq driver where device_monitor_[start/stop] need to synchronized so that delayed work should get corrupted while it is either being queued or running or being cancelled.

Let's use polling flag and devfreq lock to synchronize the queueing the timer instance twice and work data being corrupted.

---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2023-52636

Publication date:
02/04/2024
In the Linux kernel, the following vulnerability has been resolved:

libceph: just wait for more data to be available on the socket

A short read may occur while reading the message footer from the socket. Later, when the socket is ready for another read, the messenger invokes all read_partial_*() handlers, including read_partial_sparse_msg_data(). The expectation is that read_partial_sparse_msg_data() would bail, allowing the messenger to invoke read_partial() for the footer and pick up where it left off.

However read_partial_sparse_msg_data() violates that and ends up calling into the state machine in the OSD client. The sparse-read state machine assumes that it's a new op and interprets some piece of the footer as the sparse-read header and returns bogus extents/data length, etc.

To determine whether read_partial_sparse_msg_data() should bail, let's reuse cursor->total_resid. Because once it reaches to zero that means all the extents and data have been successfully received in last read, else it could break out when partially reading any of the extents and data. And then osd_sparse_read() could continue where it left off.

[ idryomov: changelog ]
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2024-21834

Publication date:
02/04/2024
in OpenHarmony v3.2.4 and prior versions allow a local attacker to cause apps to crash through type confusion.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2025

CVE-2024-22092

Publication date:
02/04/2024
in OpenHarmony v3.2.4 and prior versions allow a remote attacker to bypass permission verification to install apps, although these require user action.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2025

CVE-2024-22098

Publication date:
02/04/2024
in OpenHarmony v3.2.4 and prior versions allow a local attacker arbitrary code execution in any apps through use after free.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2025

CVE-2023-52630

Publication date:
02/04/2024
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2024

CVE-2023-52631

Publication date:
02/04/2024
In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix an NULL dereference bug

The issue here is when this is called from ntfs_load_attr_list(). The "size" comes from le32_to_cpu(attr->res.data_size) so it can't overflow on a 64bit systems but on 32bit systems the "+ 1023" can overflow and the result is zero. This means that the kmalloc will succeed by returning the ZERO_SIZE_PTR and then the memcpy() will crash with an Oops on the next line.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2025

CVE-2024-2924

Publication date:
02/04/2024
The Creative Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 1.5.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-2791

Publication date:
02/04/2024
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 3.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2024-1274

Publication date:
02/04/2024
The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the admin)
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025

CVE-2024-1504

Publication date:
02/04/2024
The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5.1. This is due to missing or incorrect nonce validation on the secupress_blackhole_ban_ip() function. This makes it possible for unauthenticated attackers to block a user's IP via a forged request granted they can trick the user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026