Vulnerabilidades

*** Pendiente de traducción *** Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows remote attackers to delete arbitrary files via unspecified vectors.

*** Pendiente de traducción *** Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: cros_ec_keyb - fix an invalid memory access<br /> <br /> If cros_ec_keyb_register_matrix() isn&amp;#39;t called (due to<br /> `buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev-&gt;idev` remains<br /> NULL. An invalid memory access is observed in cros_ec_keyb_process()<br /> when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()<br /> in such case.<br /> <br /> Unable to handle kernel read from unreadable memory at virtual address 0000000000000028<br /> ...<br /> x3 : 0000000000000000 x2 : 0000000000000000<br /> x1 : 0000000000000000 x0 : 0000000000000000<br /> Call trace:<br /> input_event<br /> cros_ec_keyb_work<br /> blocking_notifier_call_chain<br /> ec_irq_thread<br /> <br /> It&amp;#39;s still unknown about why the kernel receives such malformed event,<br /> in any cases, the kernel shouldn&amp;#39;t access `ckdev-&gt;idev` and friends if<br /> the driver doesn&amp;#39;t intend to initialize them.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vfat: fix missing sb_min_blocksize() return value checks<br /> <br /> When emulating an nvme device on qemu with both logical_block_size and<br /> physical_block_size set to 8 KiB, but without format, a kernel panic<br /> was triggered during the early boot stage while attempting to mount a<br /> vfat filesystem.<br /> <br /> [95553.682035] EXT4-fs (nvme0n1): unable to set blocksize<br /> [95553.684326] EXT4-fs (nvme0n1): unable to set blocksize<br /> [95553.686501] EXT4-fs (nvme0n1): unable to set blocksize<br /> [95553.696448] ISOFS: unsupported/invalid hardware sector size 8192<br /> [95553.697117] ------------[ cut here ]------------<br /> [95553.697567] kernel BUG at fs/buffer.c:1582!<br /> [95553.697984] Oops: invalid opcode: 0000 [#1] SMP NOPTI<br /> [95553.698602] CPU: 0 UID: 0 PID: 7212 Comm: mount Kdump: loaded Not tainted 6.18.0-rc2+ #38 PREEMPT(voluntary)<br /> [95553.699511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014<br /> [95553.700534] RIP: 0010:folio_alloc_buffers+0x1bb/0x1c0<br /> [95553.701018] Code: 48 8b 15 e8 93 18 02 65 48 89 35 e0 93 18 02 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc 0b 90 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f<br /> [95553.702648] RSP: 0018:ffffd1b0c676f990 EFLAGS: 00010246<br /> [95553.703132] RAX: ffff8cfc4176d820 RBX: 0000000000508c48 RCX: 0000000000000001<br /> [95553.703805] RDX: 0000000000002000 RSI: 0000000000000000 RDI: 0000000000000000<br /> [95553.704481] RBP: ffffd1b0c676f9c8 R08: 0000000000000000 R09: 0000000000000000<br /> [95553.705148] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001<br /> [95553.705816] R13: 0000000000002000 R14: fffff8bc8257e800 R15: 0000000000000000<br /> [95553.706483] FS: 000072ee77315840(0000) GS:ffff8cfdd2c8d000(0000) knlGS:0000000000000000<br /> [95553.707248] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [95553.707782] CR2: 00007d8f2a9e5a20 CR3: 0000000039d0c006 CR4: 0000000000772ef0<br /> [95553.708439] PKRU: 55555554<br /> [95553.708734] Call Trace:<br /> [95553.709015] <br /> [95553.709266] __getblk_slow+0xd2/0x230<br /> [95553.709641] ? find_get_block_common+0x8b/0x530<br /> [95553.710084] bdev_getblk+0x77/0xa0<br /> [95553.710449] __bread_gfp+0x22/0x140<br /> [95553.710810] fat_fill_super+0x23a/0xfc0<br /> [95553.711216] ? __pfx_setup+0x10/0x10<br /> [95553.711580] ? __pfx_vfat_fill_super+0x10/0x10<br /> [95553.712014] vfat_fill_super+0x15/0x30<br /> [95553.712401] get_tree_bdev_flags+0x141/0x1e0<br /> [95553.712817] get_tree_bdev+0x10/0x20<br /> [95553.713177] vfat_get_tree+0x15/0x20<br /> [95553.713550] vfs_get_tree+0x2a/0x100<br /> [95553.713910] vfs_cmd_create+0x62/0xf0<br /> [95553.714273] __do_sys_fsconfig+0x4e7/0x660<br /> [95553.714669] __x64_sys_fsconfig+0x20/0x40<br /> [95553.715062] x64_sys_call+0x21ee/0x26a0<br /> [95553.715453] do_syscall_64+0x80/0x670<br /> [95553.715816] ? __fs_parse+0x65/0x1e0<br /> [95553.716172] ? fat_parse_param+0x103/0x4b0<br /> [95553.716587] ? vfs_parse_fs_param_source+0x21/0xa0<br /> [95553.717034] ? __do_sys_fsconfig+0x3d9/0x660<br /> [95553.717548] ? __x64_sys_fsconfig+0x20/0x40<br /> [95553.717957] ? x64_sys_call+0x21ee/0x26a0<br /> [95553.718360] ? do_syscall_64+0xb8/0x670<br /> [95553.718734] ? __x64_sys_fsconfig+0x20/0x40<br /> [95553.719141] ? x64_sys_call+0x21ee/0x26a0<br /> [95553.719545] ? do_syscall_64+0xb8/0x670<br /> [95553.719922] ? x64_sys_call+0x1405/0x26a0<br /> [95553.720317] ? do_syscall_64+0xb8/0x670<br /> [95553.720702] ? __x64_sys_close+0x3e/0x90<br /> [95553.721080] ? x64_sys_call+0x1b5e/0x26a0<br /> [95553.721478] ? do_syscall_64+0xb8/0x670<br /> [95553.721841] ? irqentry_exit+0x43/0x50<br /> [95553.722211] ? exc_page_fault+0x90/0x1b0<br /> [95553.722681] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [95553.723166] RIP: 0033:0x72ee774f3afe<br /> [95553.723562] Code: 73 01 c3 48 8b 0d 0a 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 49 89 ca b8 af 01 00 00 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d da 32 0f 00 f7 d8 64 89 01 48<br /> [95553.725188] RSP: 002b:00007ffe97148978 EFLAGS: 00000246 ORIG_RAX: 00000000000001af<br /> [95553.725892] RAX: ffffffffffffffda RBX: <br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: arm64: Check the untrusted offset in FF-A memory share<br /> <br /> Verify the offset to prevent OOB access in the hypervisor<br /> FF-A buffer in case an untrusted large enough value<br /> [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX]<br /> is set from the host kernel.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvme: nvme-fc: Ensure -&gt;ioerr_work is cancelled in nvme_fc_delete_ctrl()<br /> <br /> nvme_fc_delete_assocation() waits for pending I/O to complete before<br /> returning, and an error can cause -&gt;ioerr_work to be queued after<br /> cancel_work_sync() had been called. Move the call to cancel_work_sync() to<br /> be after nvme_fc_delete_association() to ensure -&gt;ioerr_work is not running<br /> when the nvme_fc_ctrl object is freed. Otherwise the following can occur:<br /> <br /> [ 1135.911754] list_del corruption, ff2d24c8093f31f8-&gt;next is NULL<br /> [ 1135.917705] ------------[ cut here ]------------<br /> [ 1135.922336] kernel BUG at lib/list_debug.c:52!<br /> [ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI<br /> [ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)<br /> [ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025<br /> [ 1135.950969] Workqueue: 0x0 (nvme-wq)<br /> [ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f<br /> [ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b<br /> [ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046<br /> [ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000<br /> [ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0<br /> [ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08<br /> [ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100<br /> [ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0<br /> [ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000<br /> [ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0<br /> [ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400<br /> [ 1136.055910] PKRU: 55555554<br /> [ 1136.058623] Call Trace:<br /> [ 1136.061074] <br /> [ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0<br /> [ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0<br /> [ 1136.071898] ? move_linked_works+0x4a/0xa0<br /> [ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f<br /> [ 1136.081744] ? __die_body.cold+0x8/0x12<br /> [ 1136.085584] ? die+0x2e/0x50<br /> [ 1136.088469] ? do_trap+0xca/0x110<br /> [ 1136.091789] ? do_error_trap+0x65/0x80<br /> [ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f<br /> [ 1136.101289] ? exc_invalid_op+0x50/0x70<br /> [ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f<br /> [ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20<br /> [ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f<br /> [ 1136.120806] move_linked_works+0x4a/0xa0<br /> [ 1136.124733] worker_thread+0x216/0x3a0<br /> [ 1136.128485] ? __pfx_worker_thread+0x10/0x10<br /> [ 1136.132758] kthread+0xfa/0x240<br /> [ 1136.135904] ? __pfx_kthread+0x10/0x10<br /> [ 1136.139657] ret_from_fork+0x31/0x50<br /> [ 1136.143236] ? __pfx_kthread+0x10/0x10<br /> [ 1136.146988] ret_from_fork_asm+0x1a/0x30<br /> [ 1136.150915]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: imx_sc_key - fix memory corruption on unload<br /> <br /> This is supposed to be "priv" but we accidentally pass "&amp;priv" which is<br /> an address in the stack and so it will lead to memory corruption when<br /> the imx_sc_key_action() function is called. Remove the &amp;.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> be2net: pass wrb_params in case of OS2BMC<br /> <br /> be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL<br /> at be_send_pkt_to_bmc() call site.  This may lead to dereferencing a NULL<br /> pointer when processing a workaround for specific packet, as commit<br /> bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6<br /> packet") states.<br /> <br /> The correct way would be to pass the wrb_params from be_xmit().

*** Pendiente de traducción *** Missing authentication for critical function vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()<br /> <br /> The ethtool tsconfig Netlink path can trigger a null pointer<br /> dereference. A call chain such as:<br /> <br /> tsconfig_prepare_data() -&gt;<br /> dev_get_hwtstamp_phylib() -&gt;<br /> vlan_hwtstamp_get() -&gt;<br /> generic_hwtstamp_get_lower() -&gt;<br /> generic_hwtstamp_ioctl_lower()<br /> <br /> results in generic_hwtstamp_ioctl_lower() being called with<br /> kernel_cfg-&gt;ifr as NULL.<br /> <br /> The generic_hwtstamp_ioctl_lower() function does not expect<br /> a NULL ifr and dereferences it, leading to a system crash.<br /> <br /> Fix this by adding a NULL check for kernel_cfg-&gt;ifr in<br /> generic_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched_ext: Fix scx_enable() crash on helper kthread creation failure<br /> <br /> A crash was observed when the sched_ext selftests runner was<br /> terminated with Ctrl+\ while test 15 was running:<br /> <br /> NIP [c00000000028fa58] scx_enable.constprop.0+0x358/0x12b0<br /> LR [c00000000028fa2c] scx_enable.constprop.0+0x32c/0x12b0<br /> Call Trace:<br /> scx_enable.constprop.0+0x32c/0x12b0 (unreliable)<br /> bpf_struct_ops_link_create+0x18c/0x22c<br /> __sys_bpf+0x23f8/0x3044<br /> sys_bpf+0x2c/0x6c<br /> system_call_exception+0x124/0x320<br /> system_call_vectored_common+0x15c/0x2ec<br /> <br /> kthread_run_worker() returns an ERR_PTR() on failure rather than NULL,<br /> but the current code in scx_alloc_and_add_sched() only checks for a NULL<br /> helper. Incase of failure on SIGQUIT, the error is not handled in<br /> scx_alloc_and_add_sched() and scx_enable() ends up dereferencing an<br /> error pointer.<br /> <br /> Error handling is fixed in scx_alloc_and_add_sched() to propagate<br /> PTR_ERR() into ret, so that scx_enable() jumps to the existing error<br /> path, avoiding random dereference on failure.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: openvswitch: remove never-working support for setting nsh fields<br /> <br /> The validation of the set(nsh(...)) action is completely wrong.<br /> It runs through the nsh_key_put_from_nlattr() function that is the<br /> same function that validates NSH keys for the flow match and the<br /> push_nsh() action. However, the set(nsh(...)) has a very different<br /> memory layout. Nested attributes in there are doubled in size in<br /> case of the masked set(). That makes proper validation impossible.<br /> <br /> There is also confusion in the code between the &amp;#39;masked&amp;#39; flag, that<br /> says that the nested attributes are doubled in size containing both<br /> the value and the mask, and the &amp;#39;is_mask&amp;#39; that says that the value<br /> we&amp;#39;re parsing is the mask. This is causing kernel crash on trying to<br /> write into mask part of the match with SW_FLOW_KEY_PUT() during<br /> validation, while validate_nsh() doesn&amp;#39;t allocate any memory for it:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000018<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0<br /> Oops: Oops: 0000 [#1] SMP NOPTI<br /> CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)<br /> RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]<br /> Call Trace:<br /> <br /> validate_nsh+0x60/0x90 [openvswitch]<br /> validate_set.constprop.0+0x270/0x3c0 [openvswitch]<br /> __ovs_nla_copy_actions+0x477/0x860 [openvswitch]<br /> ovs_nla_copy_actions+0x8d/0x100 [openvswitch]<br /> ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]<br /> genl_family_rcv_msg_doit+0xdb/0x130<br /> genl_family_rcv_msg+0x14b/0x220<br /> genl_rcv_msg+0x47/0xa0<br /> netlink_rcv_skb+0x53/0x100<br /> genl_rcv+0x24/0x40<br /> netlink_unicast+0x280/0x3b0<br /> netlink_sendmsg+0x1f7/0x430<br /> ____sys_sendmsg+0x36b/0x3a0<br /> ___sys_sendmsg+0x87/0xd0<br /> __sys_sendmsg+0x6d/0xd0<br /> do_syscall_64+0x7b/0x2c0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> The third issue with this process is that while trying to convert<br /> the non-masked set into masked one, validate_set() copies and doubles<br /> the size of the OVS_KEY_ATTR_NSH as if it didn&amp;#39;t have any nested<br /> attributes. It should be copying each nested attribute and doubling<br /> them in size independently. And the process must be properly reversed<br /> during the conversion back from masked to a non-masked variant during<br /> the flow dump.<br /> <br /> In the end, the only two outcomes of trying to use this action are<br /> either validation failure or a kernel crash. And if somehow someone<br /> manages to install a flow with such an action, it will most definitely<br /> not do what it is supposed to, since all the keys and the masks are<br /> mixed up.<br /> <br /> Fixing all the issues is a complex task as it requires re-writing<br /> most of the validation code.<br /> <br /> Given that and the fact that this functionality never worked since<br /> introduction, let&amp;#39;s just remove it altogether. It&amp;#39;s better to<br /> re-introduce it later with a proper implementation instead of trying<br /> to fix it in stable releases.