Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfs: fix reference leak<br /> <br /> Commit 20d72b00ca81 ("netfs: Fix the request&amp;#39;s work item to not<br /> require a ref") modified netfs_alloc_request() to initialize the<br /> reference counter to 2 instead of 1. The rationale was that the<br /> requet&amp;#39;s "work" would release the second reference after completion<br /> (via netfs_{read,write}_collection_worker()). That works most of the<br /> time if all goes well.<br /> <br /> However, it leaks this additional reference if the request is released<br /> before the I/O operation has been submitted: the error code path only<br /> decrements the reference counter once and the work item will never be<br /> queued because there will never be a completion.<br /> <br /> This has caused outages of our whole server cluster today because<br /> tasks were blocked in netfs_wait_for_outstanding_io(), leading to<br /> deadlocks in Ceph (another bug that I will address soon in another<br /> patch). This was caused by a netfs_pgpriv2_begin_copy_to_cache() call<br /> which failed in fscache_begin_write_operation(). The leaked<br /> netfs_io_request was never completed, leaving `netfs_inode.io_count`<br /> with a positive value forever.<br /> <br /> All of this is super-fragile code. Finding out which code paths will<br /> lead to an eventual completion and which do not is hard to see:<br /> <br /> - Some functions like netfs_create_write_req() allocate a request, but<br /> will never submit any I/O.<br /> <br /> - netfs_unbuffered_read_iter_locked() calls netfs_unbuffered_read()<br /> and then netfs_put_request(); however, netfs_unbuffered_read() can<br /> also fail early before submitting the I/O request, therefore another<br /> netfs_put_request() call must be added there.<br /> <br /> A rule of thumb is that functions that return a `netfs_io_request` do<br /> not submit I/O, and all of their callers must be checked.<br /> <br /> For my taste, the whole netfs code needs an overhaul to make reference<br /> counting easier to understand and less fragile &amp; obscure. But to fix<br /> this bug here and now and produce a patch that is adequate for a<br /> stable backport, I tried a minimal approach that quickly frees the<br /> request object upon early failure.<br /> <br /> I decided against adding a second netfs_put_request() each time<br /> because that would cause code duplication which obscures the code<br /> further. Instead, I added the function netfs_put_failed_request()<br /> which frees such a failed request synchronously under the assumption<br /> that the reference count is exactly 2 (as initially set by<br /> netfs_alloc_request() and never touched), verified by a<br /> WARN_ON_ONCE(). It then deinitializes the request object (without<br /> going through the "cleanup_work" indirection) and frees the allocation<br /> (with RCU protection to protect against concurrent access by<br /> netfs_requests_seq_start()).<br /> <br /> All code paths that fail early have been changed to call<br /> netfs_put_failed_request() instead of netfs_put_request().<br /> Additionally, I have added a netfs_put_request() call to<br /> netfs_unbuffered_read() as explained above because the<br /> netfs_put_failed_request() approach does not work there.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> kmsan: fix out-of-bounds access to shadow memory<br /> <br /> Running sha224_kunit on a KMSAN-enabled kernel results in a crash in<br /> kmsan_internal_set_shadow_origin():<br /> <br /> BUG: unable to handle page fault for address: ffffbc3840291000<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0<br /> Oops: 0000 [#1] SMP NOPTI<br /> CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary)<br /> Tainted: [N]=TEST<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100<br /> [...]<br /> Call Trace:<br /> <br /> __msan_memset+0xee/0x1a0<br /> sha224_final+0x9e/0x350<br /> test_hash_buffer_overruns+0x46f/0x5f0<br /> ? kmsan_get_shadow_origin_ptr+0x46/0xa0<br /> ? __pfx_test_hash_buffer_overruns+0x10/0x10<br /> kunit_try_run_case+0x198/0xa00<br /> <br /> This occurs when memset() is called on a buffer that is not 4-byte aligned<br /> and extends to the end of a guard page, i.e. the next page is unmapped.<br /> <br /> The bug is that the loop at the end of kmsan_internal_set_shadow_origin()<br /> accesses the wrong shadow memory bytes when the address is not 4-byte<br /> aligned. Since each 4 bytes are associated with an origin, it rounds the<br /> address and size so that it can access all the origins that contain the<br /> buffer. However, when it checks the corresponding shadow bytes for a<br /> particular origin, it incorrectly uses the original unrounded shadow<br /> address. This results in reads from shadow memory beyond the end of the<br /> buffer&amp;#39;s shadow memory, which crashes when that memory is not mapped.<br /> <br /> To fix this, correctly align the shadow address before accessing the 4<br /> shadow bytes corresponding to each origin.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/proc/task_mmu: check p-&gt;vec_buf for NULL<br /> <br /> When the PAGEMAP_SCAN ioctl is invoked with vec_len = 0 reaches<br /> pagemap_scan_backout_range(), kernel panics with null-ptr-deref:<br /> <br /> [ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI<br /> [ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br /> [ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none)<br /> [ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014<br /> [ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80<br /> <br /> <br /> <br /> [ 44.946828] Call Trace:<br /> [ 44.947030] <br /> [ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0<br /> [ 44.952593] walk_pmd_range.isra.0+0x302/0x910<br /> [ 44.954069] walk_pud_range.isra.0+0x419/0x790<br /> [ 44.954427] walk_p4d_range+0x41e/0x620<br /> [ 44.954743] walk_pgd_range+0x31e/0x630<br /> [ 44.955057] __walk_page_range+0x160/0x670<br /> [ 44.956883] walk_page_range_mm+0x408/0x980<br /> [ 44.958677] walk_page_range+0x66/0x90<br /> [ 44.958984] do_pagemap_scan+0x28d/0x9c0<br /> [ 44.961833] do_pagemap_cmd+0x59/0x80<br /> [ 44.962484] __x64_sys_ioctl+0x18d/0x210<br /> [ 44.962804] do_syscall_64+0x5b/0x290<br /> [ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are<br /> allocated and p-&gt;vec_buf remains set to NULL.<br /> <br /> This breaks an assumption made later in pagemap_scan_backout_range(), that<br /> page_region is always allocated for p-&gt;vec_buf_index.<br /> <br /> Fix it by explicitly checking p-&gt;vec_buf for NULL before dereferencing.<br /> <br /> Other sites that might run into same deref-issue are already (directly or<br /> transitively) protected by checking p-&gt;vec_buf.<br /> <br /> Note:<br /> From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output<br /> is requested and it&amp;#39;s only the side effects caller is interested in,<br /> hence it passes check in pagemap_scan_get_args().<br /> <br /> This issue was found by syzkaller.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> afs: Fix potential null pointer dereference in afs_put_server<br /> <br /> afs_put_server() accessed server-&gt;debug_id before the NULL check, which<br /> could lead to a null pointer dereference. Move the debug_id assignment,<br /> ensuring we never dereference a NULL server pointer.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/gma500: Fix null dereference in hdmi teardown<br /> <br /> pci_set_drvdata sets the value of pdev-&gt;driver_data to NULL,<br /> after which the driver_data obtained from the same dev is<br /> dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is<br /> extracted from it. To prevent this, swap these calls.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Svacer.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/smc: fix warning in smc_rx_splice() when calling get_page()<br /> <br /> smc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are<br /> later passed to get_page() in smc_rx_splice(). Since kmalloc memory is<br /> not page-backed, this triggers WARN_ON_ONCE() in get_page() and prevents<br /> holding a refcount on the buffer. This can lead to use-after-free if<br /> the memory is released before splice_to_pipe() completes.<br /> <br /> Use folio_alloc() instead, ensuring DMBs are page-backed and safe for<br /> get_page().<br /> <br /> WARNING: CPU: 18 PID: 12152 at ./include/linux/mm.h:1330 smc_rx_splice+0xaf8/0xe20 [smc]<br /> CPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g9cf4672ecfee #10 NONE<br /> Hardware name: IBM 3931 A01 704 (z/VM 7.4.0)<br /> Krnl PSW : 0704e00180000000 000793161032696c (smc_rx_splice+0xafc/0xe20 [smc])<br /> R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3<br /> Krnl GPRS: 0000000000000000 001cee80007d3001 00077400000000f8 0000000000000005<br /> 0000000000000001 001cee80007d3006 0007740000001000 001c000000000000<br /> 000000009b0c99e0 0000000000001000 001c0000000000f8 001c000000000000<br /> 000003ffcc6f7c88 0007740003e98000 0007931600000005 000792969b2ff7b8<br /> Krnl Code: 0007931610326960: af000000 mc 0,0<br /> 0007931610326964: a7f4ff43 brc 15,00079316103267ea<br /> #0007931610326968: af000000 mc 0,0<br /> &gt;000793161032696c: a7f4ff3f brc 15,00079316103267ea<br /> 0007931610326970: e320f1000004 lg %r2,256(%r15)<br /> 0007931610326976: c0e53fd1b5f5 brasl %r14,000793168fd5d560<br /> 000793161032697c: a7f4fbb5 brc 15,00079316103260e6<br /> 0007931610326980: b904002b lgr %r2,%r11<br /> Call Trace:<br /> smc_rx_splice+0xafc/0xe20 [smc]<br /> smc_rx_splice+0x756/0xe20 [smc])<br /> smc_rx_recvmsg+0xa74/0xe00 [smc]<br /> smc_splice_read+0x1ce/0x3b0 [smc]<br /> sock_splice_read+0xa2/0xf0<br /> do_splice_read+0x198/0x240<br /> splice_file_to_pipe+0x7e/0x110<br /> do_splice+0x59e/0xde0<br /> __do_splice+0x11a/0x2d0<br /> __s390x_sys_splice+0x140/0x1f0<br /> __do_syscall+0x122/0x280<br /> system_call+0x6e/0x90<br /> Last Breaking-Event-Address:<br /> smc_rx_splice+0x960/0xe20 [smc]<br /> ---[ end trace 0000000000000000 ]---

*** Pendiente de traducción *** An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. The absence of a NULL check leads to a Denial of Service when an attacker sends malformed MM packets to the target.

*** Pendiente de traducción *** NetBird VPN when installed using vendor&amp;#39;s provided script failed to remove or change default password of an admin account created by ZITADEL.<br /> This issue affects instances installed using vendor&amp;#39;s provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed.<br /> <br /> This issue has been fixed in version 0.57.0

*** Pendiente de traducción *** An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 9820, 9825, 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 9110, W920, W930, Modem 5123, and Modem 5300. Incorrect handling of RLC AM PDUs leads to a Denial of Service.

*** Pendiente de traducción *** An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 9820, 9825, 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 9110, W920, W930, Modem 5123, and Modem 5300. Incorrect handling of RLC AM PDUs leads to a Denial of Service.

*** Pendiente de traducción *** Authorization Bypass Through User-Controlled Key vulnerability in VHS Electronic Software Ltd. Co. ACE Center allows Privilege Abuse, Exploitation of Trusted Identifiers.This issue affects ACE Center: from 3.10.100.1768 before 3.10.161.2255.

*** Pendiente de traducción *** An arbitrary code execution vulnerability exists in the git functionality of Truffle Security Co. TruffleHog 3.90.2. A specially crafted repository can lead to a arbitrary code execution. An attacker can provide a malicious respository to trigger this vulnerability.