Vulnerabilities

Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to utilize insecure versions of the functions strcmp and memcmp, allowing attackers to possibly obtain sensitive information via timing attacks.

Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to store passwords in plaintext.

A NULL pointer dereference in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to cause a Denial of Service (DoS) via a crafted DHCP request.

An issue in the CGI endpoint used to upload configurations in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to upload a crafted kernel module, allowing for arbitrary code execution.

An issue in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to upload crafted APP Enforcement modules, leading to arbitrary code execution.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: xilinx_uartps: split sysrq handling<br /> <br /> lockdep detects the following circular locking dependency:<br /> <br /> CPU 0 CPU 1<br /> ========================== ============================<br /> cdns_uart_isr() printk()<br /> uart_port_lock(port) console_lock()<br /> cdns_uart_console_write()<br /> if (!port-&gt;sysrq)<br /> uart_port_lock(port)<br /> uart_handle_break()<br /> port-&gt;sysrq = ...<br /> uart_handle_sysrq_char()<br /> printk()<br /> console_lock()<br /> <br /> The fixed commit attempts to avoid this situation by only taking the<br /> port lock in cdns_uart_console_write if port-&gt;sysrq unset. However, if<br /> (as shown above) cdns_uart_console_write runs before port-&gt;sysrq is set,<br /> then it will try to take the port lock anyway. This may result in a<br /> deadlock.<br /> <br /> Fix this by splitting sysrq handling into two parts. We use the prepare<br /> helper under the port lock and defer handling until we release the lock.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> batman-adv: Drop unmanaged ELP metric worker<br /> <br /> The ELP worker needs to calculate new metric values for all neighbors<br /> "reachable" over an interface. Some of the used metric sources require<br /> locks which might need to sleep. This sleep is incompatible with the RCU<br /> list iterator used for the recorded neighbors. The initial approach to work<br /> around of this problem was to queue another work item per neighbor and then<br /> run this in a new context.<br /> <br /> Even when this solved the RCU vs might_sleep() conflict, it has a major<br /> problems: Nothing was stopping the work item in case it is not needed<br /> anymore - for example because one of the related interfaces was removed or<br /> the batman-adv module was unloaded - resulting in potential invalid memory<br /> accesses.<br /> <br /> Directly canceling the metric worker also has various problems:<br /> <br /> * cancel_work_sync for a to-be-deactivated interface is called with<br /> rtnl_lock held. But the code in the ELP metric worker also tries to use<br /> rtnl_lock() - which will never return in this case. This also means that<br /> cancel_work_sync would never return because it is waiting for the worker<br /> to finish.<br /> * iterating over the neighbor list for the to-be-deactivated interface is<br /> currently done using the RCU specific methods. Which means that it is<br /> possible to miss items when iterating over it without the associated<br /> spinlock - a behaviour which is acceptable for a periodic metric check<br /> but not for a cleanup routine (which must "stop" all still running<br /> workers)<br /> <br /> The better approch is to get rid of the per interface neighbor metric<br /> worker and handle everything in the interface worker. The original problems<br /> are solved by:<br /> <br /> * creating a list of neighbors which require new metric information inside<br /> the RCU protected context, gathering the metric according to the new list<br /> outside the RCU protected context<br /> * only use rcu_trylock inside metric gathering code to avoid a deadlock<br /> when the cancel_delayed_work_sync is called in the interface removal code<br /> (which is called with the rtnl_lock held)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/compaction: fix UBSAN shift-out-of-bounds warning<br /> <br /> syzkaller reported a UBSAN shift-out-of-bounds warning of (1UL

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block: mark GFP_NOIO around sysfs -&gt;store()<br /> <br /> sysfs -&gt;store is called with queue freezed, meantime we have several<br /> -&gt;store() callbacks(update_nr_requests, wbt, scheduler) to allocate<br /> memory with GFP_KERNEL which may run into direct reclaim code path,<br /> then potential deadlock can be caused.<br /> <br /> Fix the issue by marking NOIO around sysfs -&gt;store()

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Revert "drm/amd/display: Use HW lock mgr for PSR1"<br /> <br /> This reverts commit<br /> a2b5a9956269 ("drm/amd/display: Use HW lock mgr for PSR1")<br /> <br /> Because it may cause system hang while connect with two edp panel.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fbdev: omap: use threaded IRQ for LCD DMA<br /> <br /> When using touchscreen and framebuffer, Nokia 770 crashes easily with:<br /> <br /> BUG: scheduling while atomic: irq/144-ads7846/82/0x00010000<br /> Modules linked in: usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap_udc ohci_omap ohci_hcd<br /> CPU: 0 UID: 0 PID: 82 Comm: irq/144-ads7846 Not tainted 6.12.7-770 #2<br /> Hardware name: Nokia 770<br /> Call trace:<br /> unwind_backtrace from show_stack+0x10/0x14<br /> show_stack from dump_stack_lvl+0x54/0x5c<br /> dump_stack_lvl from __schedule_bug+0x50/0x70<br /> __schedule_bug from __schedule+0x4d4/0x5bc<br /> __schedule from schedule+0x34/0xa0<br /> schedule from schedule_preempt_disabled+0xc/0x10<br /> schedule_preempt_disabled from __mutex_lock.constprop.0+0x218/0x3b4<br /> __mutex_lock.constprop.0 from clk_prepare_lock+0x38/0xe4<br /> clk_prepare_lock from clk_set_rate+0x18/0x154<br /> clk_set_rate from sossi_read_data+0x4c/0x168<br /> sossi_read_data from hwa742_read_reg+0x5c/0x8c<br /> hwa742_read_reg from send_frame_handler+0xfc/0x300<br /> send_frame_handler from process_pending_requests+0x74/0xd0<br /> process_pending_requests from lcd_dma_irq_handler+0x50/0x74<br /> lcd_dma_irq_handler from __handle_irq_event_percpu+0x44/0x130<br /> __handle_irq_event_percpu from handle_irq_event+0x28/0x68<br /> handle_irq_event from handle_level_irq+0x9c/0x170<br /> handle_level_irq from generic_handle_domain_irq+0x2c/0x3c<br /> generic_handle_domain_irq from omap1_handle_irq+0x40/0x8c<br /> omap1_handle_irq from generic_handle_arch_irq+0x28/0x3c<br /> generic_handle_arch_irq from call_with_stack+0x1c/0x24<br /> call_with_stack from __irq_svc+0x94/0xa8<br /> Exception stack(0xc5255da0 to 0xc5255de8)<br /> 5da0: 00000001 c22fc620 00000000 00000000 c08384a8 c106fc00 00000000 c240c248<br /> 5dc0: c113a600 c3f6ec30 00000001 00000000 c22fc620 c5255df0 c22fc620 c0279a94<br /> 5de0: 60000013 ffffffff<br /> __irq_svc from clk_prepare_lock+0x4c/0xe4<br /> clk_prepare_lock from clk_get_rate+0x10/0x74<br /> clk_get_rate from uwire_setup_transfer+0x40/0x180<br /> uwire_setup_transfer from spi_bitbang_transfer_one+0x2c/0x9c<br /> spi_bitbang_transfer_one from spi_transfer_one_message+0x2d0/0x664<br /> spi_transfer_one_message from __spi_pump_transfer_message+0x29c/0x498<br /> __spi_pump_transfer_message from __spi_sync+0x1f8/0x2e8<br /> __spi_sync from spi_sync+0x24/0x40<br /> spi_sync from ads7846_halfd_read_state+0x5c/0x1c0<br /> ads7846_halfd_read_state from ads7846_irq+0x58/0x348<br /> ads7846_irq from irq_thread_fn+0x1c/0x78<br /> irq_thread_fn from irq_thread+0x120/0x228<br /> irq_thread from kthread+0xc8/0xe8<br /> kthread from ret_from_fork+0x14/0x28<br /> <br /> As a quick fix, switch to a threaded IRQ which provides a stable system.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ptp: vmclock: Set driver data before its usage<br /> <br /> If vmclock_ptp_register() fails during probing, vmclock_remove() is<br /> called to clean up the ptp clock and misc device.<br /> It uses dev_get_drvdata() to access the vmclock state.<br /> However the driver data is not yet set at this point.<br /> <br /> Assign the driver data earlier.