Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: fix invalid accesses to ceph_connection_v1_info<br /> <br /> There is a place where generic code in messenger.c is reading and<br /> another place where it is writing to con-&gt;v1 union member without<br /> checking that the union member is active (i.e. msgr1 is in use).<br /> <br /> On 64-bit systems, con-&gt;v1.auth_retry overlaps with con-&gt;v2.out_iter,<br /> so such a read is almost guaranteed to return a bogus value instead of<br /> 0 when msgr2 is in use. This ends up being fairly benign because the<br /> side effect is just the invalidation of the authorizer and successive<br /> fetching of new tickets.<br /> <br /> con-&gt;v1.connect_seq overlaps with con-&gt;v2.conn_bufs and the fact that<br /> it&amp;#39;s being written to can cause more serious consequences, but luckily<br /> it&amp;#39;s not something that happens often.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/damon/sysfs: fix use-after-free in state_show()<br /> <br /> state_show() reads kdamond-&gt;damon_ctx without holding damon_sysfs_lock. <br /> This allows a use-after-free race:<br /> <br /> CPU 0 CPU 1<br /> ----- -----<br /> state_show() damon_sysfs_turn_damon_on()<br /> ctx = kdamond-&gt;damon_ctx; mutex_lock(&amp;damon_sysfs_lock);<br /> damon_destroy_ctx(kdamond-&gt;damon_ctx);<br /> kdamond-&gt;damon_ctx = NULL;<br /> mutex_unlock(&amp;damon_sysfs_lock);<br /> damon_is_running(ctx); /* ctx is freed */<br /> mutex_lock(&amp;ctx-&gt;kdamond_lock); /* UAF */<br /> <br /> (The race can also occur with damon_sysfs_kdamonds_rm_dirs() and<br /> damon_sysfs_kdamond_release(), which free or replace the context under<br /> damon_sysfs_lock.)<br /> <br /> Fix by taking damon_sysfs_lock before dereferencing the context, mirroring<br /> the locking used in pid_show().<br /> <br /> The bug has existed since state_show() first accessed kdamond-&gt;damon_ctx.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()<br /> <br /> The function of_phy_find_device may return NULL, so we need to take<br /> care before dereferencing phy_dev.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hsr: hold rcu and dev lock for hsr_get_port_ndev<br /> <br /> hsr_get_port_ndev calls hsr_for_each_port, which need to hold rcu lock.<br /> On the other hand, before return the port device, we need to hold the<br /> device reference to avoid UaF in the caller function.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: idxd: Remove improper idxd_free<br /> <br /> The call to idxd_free() introduces a duplicate put_device() leading to a<br /> reference count underflow:<br /> refcount_t: underflow; use-after-free.<br /> WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110<br /> ...<br /> Call Trace:<br /> <br /> idxd_remove+0xe4/0x120 [idxd]<br /> pci_device_remove+0x3f/0xb0<br /> device_release_driver_internal+0x197/0x200<br /> driver_detach+0x48/0x90<br /> bus_remove_driver+0x74/0xf0<br /> pci_unregister_driver+0x2e/0xb0<br /> idxd_exit_module+0x34/0x7a0 [idxd]<br /> __do_sys_delete_module.constprop.0+0x183/0x280<br /> do_syscall_64+0x54/0xd70<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> The idxd_unregister_devices() which is invoked at the very beginning of<br /> idxd_remove(), already takes care of the necessary put_device() through the<br /> following call path:<br /> idxd_unregister_devices() -&gt; device_unregister() -&gt; put_device()<br /> <br /> In addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may<br /> trigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is<br /> called immediately after, it can result in a use-after-free.<br /> <br /> Remove the improper idxd_free() to avoid both the refcount underflow and<br /> potential memory corruption during module unload.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> macsec: sync features on RTM_NEWLINK<br /> <br /> Syzkaller managed to lock the lower device via ETHTOOL_SFEATURES:<br /> <br /> netdev_lock include/linux/netdevice.h:2761 [inline]<br /> netdev_lock_ops include/net/netdev_lock.h:42 [inline]<br /> netdev_sync_lower_features net/core/dev.c:10649 [inline]<br /> __netdev_update_features+0xcb1/0x1be0 net/core/dev.c:10819<br /> netdev_update_features+0x6d/0xe0 net/core/dev.c:10876<br /> macsec_notify+0x2f5/0x660 drivers/net/macsec.c:4533<br /> notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85<br /> call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]<br /> call_netdevice_notifiers net/core/dev.c:2281 [inline]<br /> netdev_features_change+0x85/0xc0 net/core/dev.c:1570<br /> __dev_ethtool net/ethtool/ioctl.c:3469 [inline]<br /> dev_ethtool+0x1536/0x19b0 net/ethtool/ioctl.c:3502<br /> dev_ioctl+0x392/0x1150 net/core/dev_ioctl.c:759<br /> <br /> It happens because lower features are out of sync with the upper:<br /> <br /> __dev_ethtool (real_dev)<br /> netdev_lock_ops(real_dev)<br /> ETHTOOL_SFEATURES<br /> __netdev_features_change<br /> netdev_sync_upper_features<br /> disable LRO on the lower<br /> if (old_features != dev-&gt;features)<br /> netdev_features_change<br /> fires NETDEV_FEAT_CHANGE<br /> macsec_notify<br /> NETDEV_FEAT_CHANGE<br /> netdev_update_features (for each macsec dev)<br /> netdev_sync_lower_features<br /> if (upper_features != lower_features)<br /> netdev_lock_ops(lower) # lower == real_dev<br /> stuck<br /> ...<br /> <br /> netdev_unlock_ops(real_dev)<br /> <br /> Per commit af5f54b0ef9e ("net: Lock lower level devices when updating<br /> features"), we elide the lock/unlock when the upper and lower features<br /> are synced. Makes sure the lower (real_dev) has proper features after<br /> the macsec link has been created. This makes sure we never hit the<br /> situation where we need to sync upper flags to the lower.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> igb: Fix NULL pointer dereference in ethtool loopback test<br /> <br /> The igb driver currently causes a NULL pointer dereference when executing<br /> the ethtool loopback test. This occurs because there is no associated<br /> q_vector for the test ring when it is set up, as interrupts are typically<br /> not added to the test rings.<br /> <br /> Since commit 5ef44b3cb43b removed the napi_id assignment in<br /> __xdp_rxq_info_reg(), there is no longer a need to pass a napi_id to it.<br /> Therefore, simply use 0 as the last parameter.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB<br /> <br /> can_put_echo_skb() takes ownership of the SKB and it may be freed<br /> during or after the call.<br /> <br /> However, xilinx_can xcan_write_frame() keeps using SKB after the call.<br /> <br /> Fix that by only calling can_put_echo_skb() after the code is done<br /> touching the SKB.<br /> <br /> The tx_lock is held for the entire xcan_write_frame() execution and<br /> also on the can_get_echo_skb() side so the order of operations does not<br /> matter.<br /> <br /> An earlier fix commit 3d3c817c3a40 ("can: xilinx_can: Fix usage of skb<br /> memory") did not move the can_put_echo_skb() call far enough.<br /> <br /> [mkl: add "commit" in front of sha1 in patch description]<br /> [mkl: fix indention]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: idxd: Fix double free in idxd_setup_wqs()<br /> <br /> The clean up in idxd_setup_wqs() has had a couple bugs because the error<br /> handling is a bit subtle. It&amp;#39;s simpler to just re-write it in a cleaner<br /> way. The issues here are:<br /> <br /> 1) If "idxd-&gt;max_wqs" is

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: ti: edma: Fix memory allocation size for queue_priority_map<br /> <br /> Fix a critical memory allocation bug in edma_setup_from_hw() where<br /> queue_priority_map was allocated with insufficient memory. The code<br /> declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),<br /> but allocated memory using sizeof(s8) instead of the correct size.<br /> <br /> This caused out-of-bounds memory writes when accessing:<br /> queue_priority_map[i][0] = i;<br /> queue_priority_map[i][1] = i;<br /> <br /> The bug manifested as kernel crashes with "Oops - undefined instruction"<br /> on ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the<br /> memory corruption triggered kernel hardening features on Clang.<br /> <br /> Change the allocation to use sizeof(*queue_priority_map) which<br /> automatically gets the correct size for the 2D array structure.

*** Pendiente de traducción *** A vulnerability was detected in code-projects Online Bidding System 1.0. Affected is an unknown function of the file /administrator/wew.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.

*** Pendiente de traducción *** Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.