Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> brcmfmac: return error when getting invalid max_flowrings from dongle<br /> <br /> When firmware hit trap at initialization, host will read abnormal<br /> max_flowrings number from dongle, and it will cause kernel panic when<br /> doing iowrite to initialize dongle ring.<br /> To detect this error at early stage, we directly return error when getting<br /> invalid max_flowrings(&gt;256).

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: cx88: Fix a null-ptr-deref bug in buffer_prepare()<br /> <br /> When the driver calls cx88_risc_buffer() to prepare the buffer, the<br /> function call may fail, resulting in a empty buffer and null-ptr-deref<br /> later in buffer_queue().<br /> <br /> The following log can reveal it:<br /> <br /> [ 41.822762] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI<br /> [ 41.824488] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br /> [ 41.828027] RIP: 0010:buffer_queue+0xc2/0x500<br /> [ 41.836311] Call Trace:<br /> [ 41.836945] __enqueue_in_driver+0x141/0x360<br /> [ 41.837262] vb2_start_streaming+0x62/0x4a0<br /> [ 41.838216] vb2_core_streamon+0x1da/0x2c0<br /> [ 41.838516] __vb2_init_fileio+0x981/0xbc0<br /> [ 41.839141] __vb2_perform_fileio+0xbf9/0x1120<br /> [ 41.840072] vb2_fop_read+0x20e/0x400<br /> [ 41.840346] v4l2_read+0x215/0x290<br /> [ 41.840603] vfs_read+0x162/0x4c0<br /> <br /> Fix this by checking the return value of cx88_risc_buffer()<br /> <br /> [hverkuil: fix coding style issues]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/msm/dp: fix aux-bus EP lifetime<br /> <br /> Device-managed resources allocated post component bind must be tied to<br /> the lifetime of the aggregate DRM device or they will not necessarily be<br /> released when binding of the aggregate device is deferred.<br /> <br /> This can lead resource leaks or failure to bind the aggregate device<br /> when binding is later retried and a second attempt to allocate the<br /> resources is made.<br /> <br /> For the DP aux-bus, an attempt to populate the bus a second time will<br /> simply fail ("DP AUX EP device already populated").<br /> <br /> Fix this by tying the lifetime of the EP device to the DRM device rather<br /> than DP controller platform device.<br /> <br /> Patchwork: https://patchwork.freedesktop.org/patch/502672/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: wilc1000: add missing unregister_netdev() in wilc_netdev_ifc_init()<br /> <br /> Fault injection test reports this issue:<br /> <br /> kernel BUG at net/core/dev.c:10731!<br /> invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI<br /> Call Trace:<br /> <br /> wilc_netdev_ifc_init+0x19f/0x220 [wilc1000 884bf126e9e98af6a708f266a8dffd53f99e4bf5]<br /> wilc_cfg80211_init+0x30c/0x380 [wilc1000 884bf126e9e98af6a708f266a8dffd53f99e4bf5]<br /> wilc_bus_probe+0xad/0x2b0 [wilc1000_spi 1520a7539b6589cc6cde2ae826a523a33f8bacff]<br /> spi_probe+0xe4/0x140<br /> really_probe+0x17e/0x3f0<br /> __driver_probe_device+0xe3/0x170<br /> driver_probe_device+0x49/0x120<br /> <br /> The root case here is alloc_ordered_workqueue() fails, but<br /> cfg80211_unregister_netdevice() or unregister_netdev() not be called in<br /> error handling path. To fix add unregister_netdev goto lable to add the<br /> unregister operation in error handling path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: hisilicon: Add multi-thread support for a DMA channel<br /> <br /> When we get a DMA channel and try to use it in multiple threads it<br /> will cause oops and hanging the system.<br /> <br /> % echo 100 &gt; /sys/module/dmatest/parameters/threads_per_chan<br /> % echo 100 &gt; /sys/module/dmatest/parameters/iterations<br /> % echo 1 &gt; /sys/module/dmatest/parameters/run<br /> [383493.327077] Unable to handle kernel paging request at virtual<br /> address dead000000000108<br /> [383493.335103] Mem abort info:<br /> [383493.335103] ESR = 0x96000044<br /> [383493.335105] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [383493.335107] SET = 0, FnV = 0<br /> [383493.335108] EA = 0, S1PTW = 0<br /> [383493.335109] FSC = 0x04: level 0 translation fault<br /> [383493.335110] Data abort info:<br /> [383493.335111] ISV = 0, ISS = 0x00000044<br /> [383493.364739] CM = 0, WnR = 1<br /> [383493.367793] [dead000000000108] address between user and kernel<br /> address ranges<br /> [383493.375021] Internal error: Oops: 96000044 [#1] PREEMPT SMP<br /> [383493.437574] CPU: 63 PID: 27895 Comm: dma0chan0-copy2 Kdump:<br /> loaded Tainted: GO 5.17.0-rc4+ #2<br /> [383493.457851] pstate: 204000c9 (nzCv daIF +PAN -UAO -TCO -DIT<br /> -SSBS BTYPE=--)<br /> [383493.465331] pc : vchan_tx_submit+0x64/0xa0<br /> [383493.469957] lr : vchan_tx_submit+0x34/0xa0<br /> <br /> This occurs because the transmission timed out, and that&amp;#39;s due<br /> to data race. Each thread rewrite channels&amp;#39;s descriptor as soon as<br /> device_issue_pending is called. It leads to the situation that<br /> the driver thinks that it uses the right descriptor in interrupt<br /> handler while channels&amp;#39;s descriptor has been changed by other<br /> thread. The descriptor which in fact reported interrupt will not<br /> be handled any more, as well as its tx-&gt;callback.<br /> That&amp;#39;s why timeout reports.<br /> <br /> With current fixes channels&amp;#39; descriptor changes it&amp;#39;s value only<br /> when it has been used. A new descriptor is acquired from<br /> vc-&gt;desc_issued queue that is already filled with descriptors<br /> that are ready to be sent. Threads have no direct access to DMA<br /> channel descriptor. In case of channel&amp;#39;s descriptor is busy, try<br /> to submit to HW again when a descriptor is completed. In this case,<br /> vc-&gt;desc_issued may be empty when hisi_dma_start_transfer is called,<br /> so delete error reporting on this. Now it is just possible to queue<br /> a descriptor for further processing.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mmc: wmt-sdmmc: fix return value check of mmc_add_host()<br /> <br /> mmc_add_host() may return error, if we ignore its return value, the memory<br /> that allocated in mmc_alloc_host() will be leaked and it will lead a kernel<br /> crash because of deleting not added device in the remove path.<br /> <br /> So fix this by checking the return value and goto error path which will call<br /> mmc_free_host(), besides, clk_disable_unprepare() also needs be called.

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu (e.g., whether Credentials Plugin is installed).

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output.

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget.

Open5GS v2.7.5, prior to commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615, is vulnerable to a NULL pointer dereference when a multipart/related HTTP POST request with an empty HTTP body is sent to the SBI of either AMF, AUSF, BSF, NRF, NSSF, PCF, SMF, UDM, or UDR, resulting in a denial of service. This occurs in the parse_multipart function in lib/sbi/message.c.

An issue in Perplexity AI GPT-4 allows a remote attacker to obtain sensitive information via a GET parameter

A flaw has been found in SourceCodester Online Student File Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/delete_student.php. Executing manipulation of the argument stud_id can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.