Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available a database for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-40269

Publication date:
06/12/2025
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically. The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor. OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above. This results in a buffer overflow, as reported by syzbot.

Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor. So the best option would be just to return an error at the parameter setup time before doing any further operations.

This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize. The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2025

CVE-2025-40270

Publication date:
06/12/2025
In the Linux kernel, the following vulnerability has been resolved:

mm, swap: fix potential UAF issue for VMA readahead

Since commit 78524b05f1a3 ("mm, swap: avoid redundant swap device pinning"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference. The repeated swap device pinning isn't needed on the same swap device.

Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it.

So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A. It's not easy to trigger, but in theory, it could cause real issues.

Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2025

CVE-2025-40271

Publication date:
06/12/2025
In the Linux kernel, the following vulnerability has been resolved:

fs/proc: fix uaf in proc_readdir_de()

Pde is erased from subdir rbtree through rb_erase(), but the node is not set to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() to set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access.

We found a uaf issue while using stress-ng testing, need to run testcase getdent and tun at the same time. The steps of the issue are as follows:

1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3;

2) in the [time window] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab;

3) continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will cause uaf access.

    CPU 0                                  | CPU 1
    -------------------------------------------------------------------------
    traverse dir /proc/pid/net/dev_snmp6/  | unregister_netdevice(tun->dev) //tun3 tun2
    sys_getdents64()                       |
    iterate_dir()                          |
    proc_readdir()                         |
    proc_readdir_de()                      | snmp6_unregister_dev()
    pde_get(de);                           | proc_remove()
    read_unlock(&proc_subdir_lock);        | remove_proc_subtree()
                                           | write_lock(&proc_subdir_lock);
    [time window]                          | rb_erase(&root->subdir_node, &parent->subdir);
                                           | write_unlock(&proc_subdir_lock);
    read_lock(&proc_subdir_lock);          |
    next = pde_subdir_next(de);            |
    pde_put(de);                           |
    de = next; //UAF                       |

    rbtree of dev_snmp6
            |
        pde(tun3)
         /    \
      NULL  pde(tun2)
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2025

CVE-2025-40272

Publication date:
06/12/2025
In the Linux kernel, the following vulnerability has been resolved:

mm/secretmem: fix use-after-free race in fault handler

When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping.

If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping. The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map. However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping.

If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.

Fix the ordering to restore the direct map before the folio is freed.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2025

CVE-2025-14141

Publication date:
06/12/2025
A flaw has been found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formArpBindConfig. Manipulating the argument pools can lead to a buffer overflow. The attack may be performed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: HIGH
Last modification:
06/12/2025

CVE-2025-14140

Publication date:
06/12/2025
A vulnerability was detected in UTT 进取 520W 1.7.7-180627. The affected element is the function strcpy of the file /goform/websHostFilter. Manipulating the argument addHostFilter results in a buffer overflow. The attack can be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: HIGH
Last modification:
06/12/2025

CVE-2025-14139

Publication date:
06/12/2025
A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Impacted is the function strcpy of the file /goform/formConfigDnsFilterGlobal. Manipulation of the argument timeRangeName leads to a buffer overflow. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
06/12/2025

CVE-2025-14136

Publication date:
06/12/2025
A security flaw has been discovered in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function RE2000v2Repeater_get_wired_clientlist_setClientsName of the file mod_form.so. The manipulation of the argument clientsname_0 results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: HIGH
Last modification:
06/12/2025

CVE-2025-14135

Publication date:
06/12/2025
A vulnerability was identified in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function AP_get_wired_clientlist_setClientsName of the file mod_form.so. The manipulation of the argument clientsname_0 leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: HIGH
Last modification:
06/12/2025

CVE-2025-14134

Publication date:
06/12/2025
A vulnerability was determined in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this issue is the function RE2000v2Repeater_get_wireless_clientlist_setClientsName of the file mod_form.so. Manipulating the argument clientsname_0 can lead to a stack-based buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: HIGH
Last modification:
06/12/2025

CVE-2025-14133

Publication date:
06/12/2025
A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this vulnerability is the function AP_get_wireless_clientlist_setClientsName of the file mod_form.so. Manipulating the argument clientsname_0 results in a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: HIGH
Last modification:
06/12/2025

CVE-2025-13065

Publication date:
06/12/2025
The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2025