Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: mceusb: Use new usb_control_msg_*() routines<br /> <br /> Automatic kernel fuzzing led to a WARN about invalid pipe direction in<br /> the mceusb driver:<br /> <br /> ------------[ cut here ]------------<br /> usb 6-1: BOGUS control dir, pipe 80000380 doesn&amp;#39;t match bRequestType 40<br /> WARNING: CPU: 0 PID: 2465 at drivers/usb/core/urb.c:410<br /> usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410<br /> Modules linked in:<br /> CPU: 0 PID: 2465 Comm: kworker/0:2 Not tainted 5.19.0-rc4-00208-g69cb6c6556ad #1<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS<br /> 1.13.0-1ubuntu1.1 04/01/2014<br /> Workqueue: usb_hub_wq hub_event<br /> RIP: 0010:usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410<br /> Code: 7c 24 40 e8 ac 23 91 fd 48 8b 7c 24 40 e8 b2 70 1b ff 45 89 e8<br /> 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 a0 30 a9 86 e8 48 07 11 02 0b<br /> e9 1c f0 ff ff e8 7e 23 91 fd 0f b6 1d 63 22 83 05 31 ff 41<br /> RSP: 0018:ffffc900032becf0 EFLAGS: 00010282<br /> RAX: 0000000000000000 RBX: ffff8881100f3058 RCX: 0000000000000000<br /> RDX: ffffc90004961000 RSI: ffff888114c6d580 RDI: fffff52000657d90<br /> RBP: ffff888105ad90f0 R08: ffffffff812c3638 R09: 0000000000000000<br /> R10: 0000000000000005 R11: ffffed1023504ef1 R12: ffff888105ad9000<br /> R13: 0000000000000040 R14: 0000000080000380 R15: ffff88810ba96500<br /> FS: 0000000000000000(0000) GS:ffff88811a800000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007ffe810bda58 CR3: 000000010b720000 CR4: 0000000000350ef0<br /> Call Trace:<br /> <br /> usb_start_wait_urb+0x101/0x4c0 drivers/usb/core/message.c:58<br /> usb_internal_control_msg drivers/usb/core/message.c:102 [inline]<br /> usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:153<br /> mceusb_gen1_init drivers/media/rc/mceusb.c:1431 [inline]<br /> mceusb_dev_probe+0x258e/0x33f0 drivers/media/rc/mceusb.c:1807<br /> <br /> The reason for the warning is clear enough; the driver sends an<br /> unusual read request on endpoint 0 but does not set the USB_DIR_IN bit<br /> in the bRequestType field.<br /> <br /> More importantly, the whole situation can be avoided and the driver<br /> simplified by converting it over to the relatively new<br /> usb_control_msg_recv() and usb_control_msg_send() routines. That&amp;#39;s<br /> what this fix does.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: fix small mempool leak in SMB2_negotiate()<br /> <br /> In some cases of failure (dialect mismatches) in SMB2_negotiate(), after<br /> the request is sent, the checks would return -EIO when they should be<br /> rather setting rc = -EIO and jumping to neg_exit to free the response<br /> buffer from mempool.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211: Fix UAF in ieee80211_scan_rx()<br /> <br /> ieee80211_scan_rx() tries to access scan_req-&gt;flags after a<br /> null check, but a UAF is observed when the scan is completed<br /> and __ieee80211_scan_completed() executes, which then calls<br /> cfg80211_scan_done() leading to the freeing of scan_req.<br /> <br /> Since scan_req is rcu_dereference()&amp;#39;d, prevent the racing in<br /> __ieee80211_scan_completed() by ensuring that from mac80211&amp;#39;s<br /> POV it is no longer accessed from an RCU read critical section<br /> before we call cfg80211_scan_done().

The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 3.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The CSV Me plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the &amp;#39;csv_me_options_page&amp;#39; function in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site&amp;#39;s server which may make remote code execution possible.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> alloc_tag: allocate percpu counters for module tags dynamically<br /> <br /> When a module gets unloaded it checks whether any of its tags are still in<br /> use and if so, we keep the memory containing module&amp;#39;s allocation tags<br /> alive until all tags are unused. However percpu counters referenced by<br /> the tags are freed by free_module(). This will lead to UAF if the memory<br /> allocated by a module is accessed after module was unloaded.<br /> <br /> To fix this we allocate percpu counters for module allocation tags<br /> dynamically and we keep it alive for tags which are still in use after<br /> module unloading. This also removes the requirement of a larger<br /> PERCPU_MODULE_RESERVE when memory allocation profiling is enabled because<br /> percpu memory for counters does not need to be reserved anymore.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Increase block_sequence array size<br /> <br /> [Why]<br /> It&amp;#39;s possible to generate more than 50 steps in hwss_build_fast_sequence,<br /> for example with a 6-pipe asic where all pipes are in one MPC chain. This<br /> overflows the block_sequence buffer and corrupts block_sequence_steps,<br /> causing a crash.<br /> <br /> [How]<br /> Expand block_sequence to 100 items. A naive upper bound on the possible<br /> number of steps for a 6-pipe asic, ignoring the potential for steps to be<br /> mutually exclusive, is 91 with current code, therefore 100 is sufficient.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi-rockchip: Fix register out of bounds access<br /> <br /> Do not write native chip select stuff for GPIO chip selects.<br /> GPIOs can be numbered much higher than native CS.<br /> Also, it makes no sense.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gpio: virtuser: fix potential out-of-bound write<br /> <br /> If the caller wrote more characters, count is truncated to the max<br /> available space in "simple_write_to_buffer". Check that the input<br /> size does not exceed the buffer size. Write a zero termination<br /> afterwards.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: algif_hash - fix double free in hash_accept<br /> <br /> If accept(2) is called on socket type algif_hash with<br /> MSG_MORE flag set and crypto_ahash_import fails,<br /> sk2 is freed. However, it is also freed in af_alg_release,<br /> leading to slab-use-after-free error.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: pcm: Fix race of buffer access at PCM OSS layer<br /> <br /> The PCM OSS layer tries to clear the buffer with the silence data at<br /> initialization (or reconfiguration) of a stream with the explicit call<br /> of snd_pcm_format_set_silence() with runtime-&gt;dma_area. But this may<br /> lead to a UAF because the accessed runtime-&gt;dma_area might be freed<br /> concurrently, as it&amp;#39;s performed outside the PCM ops.<br /> <br /> For avoiding it, move the code into the PCM core and perform it inside<br /> the buffer access lock, so that it won&amp;#39;t be changed during the<br /> operation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()<br /> <br /> If the &amp;#39;buf&amp;#39; array received from the user contains an empty string, the<br /> &amp;#39;length&amp;#39; variable will be zero. Accessing the &amp;#39;buf&amp;#39; array element with<br /> index &amp;#39;length - 1&amp;#39; will result in a buffer overflow.<br /> <br /> Add a check for an empty string.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.