Vulnerabilidades

*** Pendiente de traducción *** Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPJobBoard allows Blind SQL Injection.This issue affects WPJobBoard: from n/a through 5.9.0.

*** Pendiente de traducción *** Missing Authorization vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Master Addons for Elementor: from n/a through 2.0.5.3.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommufd: Do not add the same hwpt to the ioas-&gt;hwpt_list twice<br /> <br /> The hwpt is added to the hwpt_list only during its creation, it is never<br /> added again. This hunk is some missed leftover from rework. Adding it<br /> twice will corrupt the linked list in some cases.<br /> <br /> It effects HWPT specific attachment, which is something the test suite<br /> cannot cover until we can create a legitimate struct device with a<br /> non-system iommu "driver" (ie we need the bus removed from the iommu code)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netdevsim: fix memory leak in nsim_bus_dev_new()<br /> <br /> If device_register() failed in nsim_bus_dev_new(), the value of reference<br /> in nsim_bus_dev-&gt;dev is 1. obj-&gt;name in nsim_bus_dev-&gt;dev will not be<br /> released.<br /> <br /> unreferenced object 0xffff88810352c480 (size 16):<br /> comm "echo", pid 5691, jiffies 4294945921 (age 133.270s)<br /> hex dump (first 16 bytes):<br /> 6e 65 74 64 65 76 73 69 6d 31 00 00 00 00 00 00 netdevsim1......<br /> backtrace:<br /> [] __kmalloc_node_track_caller+0x3a/0xb0<br /> [] kvasprintf+0xc3/0x160<br /> [] kvasprintf_const+0x55/0x180<br /> [] kobject_set_name_vargs+0x56/0x150<br /> [] dev_set_name+0xbb/0xf0<br /> [] device_add+0x1f8/0x1cb0<br /> [] new_device_store+0x3b6/0x5e0<br /> [] bus_attr_store+0x72/0xa0<br /> [] sysfs_kf_write+0x106/0x160<br /> [] kernfs_fop_write_iter+0x3a8/0x5a0<br /> [] vfs_write+0x8f0/0xc80<br /> [] ksys_write+0x106/0x210<br /> [] do_syscall_64+0x35/0x80<br /> [] entry_SYSCALL_64_after_hwframe+0x46/0xb0

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt<br /> <br /> I got a null-ptr-defer error report when I do the following tests<br /> on the qemu platform:<br /> <br /> make defconfig and CONFIG_PARPORT=m, CONFIG_PARPORT_PC=m,<br /> CONFIG_SND_MTS64=m<br /> <br /> Then making test scripts:<br /> cat&gt;test_mod1.sh

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: qat - fix DMA transfer direction<br /> <br /> When CONFIG_DMA_API_DEBUG is selected, while running the crypto self<br /> test on the QAT crypto algorithms, the function add_dma_entry() reports<br /> a warning similar to the one below, saying that overlapping mappings<br /> are not supported. This occurs in tests where the input and the output<br /> scatter list point to the same buffers (i.e. two different scatter lists<br /> which point to the same chunks of memory).<br /> <br /> The logic that implements the mapping uses the flag DMA_BIDIRECTIONAL<br /> for both the input and the output scatter lists which leads to<br /> overlapped write mappings. These are not supported by the DMA layer.<br /> <br /> Fix by specifying the correct DMA transfer directions when mapping<br /> buffers. For in-place operations where the input scatter list<br /> matches the output scatter list, buffers are mapped once with<br /> DMA_BIDIRECTIONAL, otherwise input buffers are mapped using the flag<br /> DMA_TO_DEVICE and output buffers are mapped with DMA_FROM_DEVICE.<br /> Overlapping a read mapping with a write mapping is a valid case in<br /> dma-coherent devices like QAT.<br /> The function that frees and unmaps the buffers, qat_alg_free_bufl()<br /> has been changed accordingly to the changes to the mapping function.<br /> <br /> DMA-API: 4xxx 0000:06:00.0: cacheline tracking EEXIST, overlapping mappings aren&amp;#39;t supported<br /> WARNING: CPU: 53 PID: 4362 at kernel/dma/debug.c:570 add_dma_entry+0x1e9/0x270<br /> ...<br /> Call Trace:<br /> dma_map_page_attrs+0x82/0x2d0<br /> ? preempt_count_add+0x6a/0xa0<br /> qat_alg_sgl_to_bufl+0x45b/0x990 [intel_qat]<br /> qat_alg_aead_dec+0x71/0x250 [intel_qat]<br /> crypto_aead_decrypt+0x3d/0x70<br /> test_aead_vec_cfg+0x649/0x810<br /> ? number+0x310/0x3a0<br /> ? vsnprintf+0x2a3/0x550<br /> ? scnprintf+0x42/0x70<br /> ? valid_sg_divisions.constprop.0+0x86/0xa0<br /> ? test_aead_vec+0xdf/0x120<br /> test_aead_vec+0xdf/0x120<br /> alg_test_aead+0x185/0x400<br /> alg_test+0x3d8/0x500<br /> ? crypto_acomp_scomp_free_ctx+0x30/0x30<br /> ? __schedule+0x32a/0x12a0<br /> ? ttwu_queue_wakelist+0xbf/0x110<br /> ? _raw_spin_unlock_irqrestore+0x23/0x40<br /> ? try_to_wake_up+0x83/0x570<br /> ? _raw_spin_unlock_irqrestore+0x23/0x40<br /> ? __set_cpus_allowed_ptr_locked+0xea/0x1b0<br /> ? crypto_acomp_scomp_free_ctx+0x30/0x30<br /> cryptomgr_test+0x27/0x50<br /> kthread+0xe6/0x110<br /> ? kthread_complete_and_exit+0x20/0x20<br /> ret_from_fork+0x1f/0x30

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/hns: Fix refcount leak in hns_roce_mmap<br /> <br /> rdma_user_mmap_entry_get_pgoff() takes the reference.<br /> Add missing rdma_user_mmap_entry_put() to release the reference.<br /> <br /> Acked-by Haoyue Xu

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: st: Fix memory leak in st_of_quadfs_setup()<br /> <br /> If st_clk_register_quadfs_pll() fails, @lock should be freed before goto<br /> @err_exit, otherwise will cause meory leak issue, fix it.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe<br /> <br /> of_phy_find_device() return device node with refcount incremented.<br /> Call put_device() to relese it when not needed anymore.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL<br /> <br /> With CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe<br /> a runtime panic while running Android&amp;#39;s Compatibility Test Suite&amp;#39;s (CTS)<br /> android.hardware.input.cts.tests. This is stemming from a strlen()<br /> call in hidinput_allocate().<br /> <br /> __compiletime_strlen() is implemented in terms of __builtin_object_size(),<br /> then does an array access to check for NUL-termination. A quirk of<br /> __builtin_object_size() is that for strings whose values are runtime<br /> dependent, __builtin_object_size(str, 1 or 0) returns the maximum size<br /> of possible values when those sizes are determinable at compile time.<br /> Example:<br /> <br /> static const char *v = "FOO BAR";<br /> static const char *y = "FOO BA";<br /> unsigned long x (int z) {<br /> // Returns 8, which is:<br /> // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1))<br /> return __builtin_object_size(z ? v : y, 1);<br /> }<br /> <br /> So when FORTIFY_SOURCE is enabled, the current implementation of<br /> __compiletime_strlen() will try to access beyond the end of y at runtime<br /> using the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault.<br /> <br /> hidinput_allocate() has a local C string whose value is control flow<br /> dependent on a switch statement, so __builtin_object_size(str, 1)<br /> evaluates to the maximum string length, making all other cases fault on<br /> the last character check. hidinput_allocate() could be cleaned up to<br /> avoid runtime calls to strlen() since the local variable can only have<br /> literal values, so there&amp;#39;s no benefit to trying to fortify the strlen<br /> call site there.<br /> <br /> Perform a __builtin_constant_p() check against index 0 earlier in the<br /> macro to filter out the control-flow-dependant case. Add a KUnit test<br /> for checking the expected behavioral characteristics of FORTIFY_SOURCE<br /> internals.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()<br /> <br /> When insert and remove the orangefs module, then debug_help_string will<br /> be leaked:<br /> <br /> unreferenced object 0xffff8881652ba000 (size 4096):<br /> comm "insmod", pid 1701, jiffies 4294893639 (age 13218.530s)<br /> hex dump (first 32 bytes):<br /> 43 6c 69 65 6e 74 20 44 65 62 75 67 20 4b 65 79 Client Debug Key<br /> 77 6f 72 64 73 20 61 72 65 20 75 6e 6b 6e 6f 77 words are unknow<br /> backtrace:<br /> [] kmalloc_trace+0x27/0xa0<br /> [] orangefs_prepare_debugfs_help_string+0x5e/0x480 [orangefs]<br /> [] _sub_I_65535_1+0x57/0xf70 [crc_itu_t]<br /> [] do_one_initcall+0x87/0x2a0<br /> [] do_init_module+0xdf/0x320<br /> [] load_module+0x2f98/0x3330<br /> [] __do_sys_finit_module+0x113/0x1b0<br /> [] do_syscall_64+0x35/0x80<br /> [] entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> <br /> When remove the module, should always free debug_help_string. Should<br /> always free the allocated buffer when change the free_debug_help_string.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed<br /> <br /> When the ops_init() interface is invoked to initialize the net, but<br /> ops-&gt;init() fails, data is released. However, the ptr pointer in<br /> net-&gt;gen is invalid. In this case, when nfqnl_nf_hook_drop() is invoked<br /> to release the net, invalid address access occurs.<br /> <br /> The process is as follows:<br /> setup_net()<br /> ops_init()<br /> data = kzalloc(...) ---&gt; alloc "data"<br /> net_assign_generic() ---&gt; assign "date" to ptr in net-&gt;gen<br /> ...<br /> ops-&gt;init() ---&gt; failed<br /> ...<br /> kfree(data); ---&gt; ptr in net-&gt;gen is invalid<br /> ...<br /> ops_exit_list()<br /> ...<br /> nfqnl_nf_hook_drop()<br /> *q = nfnl_queue_pernet(net) ---&gt; q is invalid<br /> <br /> The following is the Call Trace information:<br /> BUG: KASAN: use-after-free in nfqnl_nf_hook_drop+0x264/0x280<br /> Read of size 8 at addr ffff88810396b240 by task ip/15855<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x8e/0xd1<br /> print_report+0x155/0x454<br /> kasan_report+0xba/0x1f0<br /> nfqnl_nf_hook_drop+0x264/0x280<br /> nf_queue_nf_hook_drop+0x8b/0x1b0<br /> __nf_unregister_net_hook+0x1ae/0x5a0<br /> nf_unregister_net_hooks+0xde/0x130<br /> ops_exit_list+0xb0/0x170<br /> setup_net+0x7ac/0xbd0<br /> copy_net_ns+0x2e6/0x6b0<br /> create_new_namespaces+0x382/0xa50<br /> unshare_nsproxy_namespaces+0xa6/0x1c0<br /> ksys_unshare+0x3a4/0x7e0<br /> __x64_sys_unshare+0x2d/0x40<br /> do_syscall_64+0x35/0x80<br /> entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> <br /> <br /> Allocated by task 15855:<br /> kasan_save_stack+0x1e/0x40<br /> kasan_set_track+0x21/0x30<br /> __kasan_kmalloc+0xa1/0xb0<br /> __kmalloc+0x49/0xb0<br /> ops_init+0xe7/0x410<br /> setup_net+0x5aa/0xbd0<br /> copy_net_ns+0x2e6/0x6b0<br /> create_new_namespaces+0x382/0xa50<br /> unshare_nsproxy_namespaces+0xa6/0x1c0<br /> ksys_unshare+0x3a4/0x7e0<br /> __x64_sys_unshare+0x2d/0x40<br /> do_syscall_64+0x35/0x80<br /> entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> <br /> Freed by task 15855:<br /> kasan_save_stack+0x1e/0x40<br /> kasan_set_track+0x21/0x30<br /> kasan_save_free_info+0x2a/0x40<br /> ____kasan_slab_free+0x155/0x1b0<br /> slab_free_freelist_hook+0x11b/0x220<br /> __kmem_cache_free+0xa4/0x360<br /> ops_init+0xb9/0x410<br /> setup_net+0x5aa/0xbd0<br /> copy_net_ns+0x2e6/0x6b0<br /> create_new_namespaces+0x382/0xa50<br /> unshare_nsproxy_namespaces+0xa6/0x1c0<br /> ksys_unshare+0x3a4/0x7e0<br /> __x64_sys_unshare+0x2d/0x40<br /> do_syscall_64+0x35/0x80<br /> entry_SYSCALL_64_after_hwframe+0x46/0xb0