Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal: intel: int340x: processor: Fix warning during module unload<br /> <br /> The processor_thermal driver uses pcim_device_enable() to enable a PCI<br /> device, which means the device will be automatically disabled on driver<br /> detach. Thus there is no need to call pci_disable_device() again on it.<br /> <br /> With recent PCI device resource management improvements, e.g. commit<br /> f748a07a0b64 ("PCI: Remove legacy pcim_release()"), this problem is<br /> exposed and triggers the warining below.<br /> <br /> [ 224.010735] proc_thermal_pci 0000:00:04.0: disabling already-disabled device<br /> [ 224.010747] WARNING: CPU: 8 PID: 4442 at drivers/pci/pci.c:2250 pci_disable_device+0xe5/0x100<br /> ...<br /> [ 224.010844] Call Trace:<br /> [ 224.010845] <br /> [ 224.010847] ? show_regs+0x6d/0x80<br /> [ 224.010851] ? __warn+0x8c/0x140<br /> [ 224.010854] ? pci_disable_device+0xe5/0x100<br /> [ 224.010856] ? report_bug+0x1c9/0x1e0<br /> [ 224.010859] ? handle_bug+0x46/0x80<br /> [ 224.010862] ? exc_invalid_op+0x1d/0x80<br /> [ 224.010863] ? asm_exc_invalid_op+0x1f/0x30<br /> [ 224.010867] ? pci_disable_device+0xe5/0x100<br /> [ 224.010869] ? pci_disable_device+0xe5/0x100<br /> [ 224.010871] ? kfree+0x21a/0x2b0<br /> [ 224.010873] pcim_disable_device+0x20/0x30<br /> [ 224.010875] devm_action_release+0x16/0x20<br /> [ 224.010878] release_nodes+0x47/0xc0<br /> [ 224.010880] devres_release_all+0x9f/0xe0<br /> [ 224.010883] device_unbind_cleanup+0x12/0x80<br /> [ 224.010885] device_release_driver_internal+0x1ca/0x210<br /> [ 224.010887] driver_detach+0x4e/0xa0<br /> [ 224.010889] bus_remove_driver+0x6f/0xf0<br /> [ 224.010890] driver_unregister+0x35/0x60<br /> [ 224.010892] pci_unregister_driver+0x44/0x90<br /> [ 224.010894] proc_thermal_pci_driver_exit+0x14/0x5f0 [processor_thermal_device_pci]<br /> ...<br /> [ 224.010921] ---[ end trace 0000000000000000 ]---<br /> <br /> Remove the excess pci_disable_device() calls.<br /> <br /> [ rjw: Subject and changelog edits ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/mad: Improve handling of timed out WRs of mad agent<br /> <br /> Current timeout handler of mad agent acquires/releases mad_agent_priv<br /> lock for every timed out WRs. This causes heavy locking contention<br /> when higher no. of WRs are to be handled inside timeout handler.<br /> <br /> This leads to softlockup with below trace in some use cases where<br /> rdma-cm path is used to establish connection between peer nodes<br /> <br /> Trace:<br /> -----<br /> BUG: soft lockup - CPU#4 stuck for 26s! [kworker/u128:3:19767]<br /> CPU: 4 PID: 19767 Comm: kworker/u128:3 Kdump: loaded Tainted: G OE<br /> ------- --- 5.14.0-427.13.1.el9_4.x86_64 #1<br /> Hardware name: Dell Inc. PowerEdge R740/01YM03, BIOS 2.4.8 11/26/2019<br /> Workqueue: ib_mad1 timeout_sends [ib_core]<br /> RIP: 0010:__do_softirq+0x78/0x2ac<br /> RSP: 0018:ffffb253449e4f98 EFLAGS: 00000246<br /> RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 000000000000001f<br /> RDX: 000000000000001d RSI: 000000003d1879ab RDI: fff363b66fd3a86b<br /> RBP: ffffb253604cbcd8 R08: 0000009065635f3b R09: 0000000000000000<br /> R10: 0000000000000040 R11: ffffb253449e4ff8 R12: 0000000000000000<br /> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000040<br /> FS: 0000000000000000(0000) GS:ffff8caa1fc80000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007fd9ec9db900 CR3: 0000000891934006 CR4: 00000000007706e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? show_trace_log_lvl+0x1c4/0x2df<br /> ? show_trace_log_lvl+0x1c4/0x2df<br /> ? __irq_exit_rcu+0xa1/0xc0<br /> ? watchdog_timer_fn+0x1b2/0x210<br /> ? __pfx_watchdog_timer_fn+0x10/0x10<br /> ? __hrtimer_run_queues+0x127/0x2c0<br /> ? hrtimer_interrupt+0xfc/0x210<br /> ? __sysvec_apic_timer_interrupt+0x5c/0x110<br /> ? sysvec_apic_timer_interrupt+0x37/0x90<br /> ? asm_sysvec_apic_timer_interrupt+0x16/0x20<br /> ? __do_softirq+0x78/0x2ac<br /> ? __do_softirq+0x60/0x2ac<br /> __irq_exit_rcu+0xa1/0xc0<br /> sysvec_call_function_single+0x72/0x90<br /> <br /> <br /> asm_sysvec_call_function_single+0x16/0x20<br /> RIP: 0010:_raw_spin_unlock_irq+0x14/0x30<br /> RSP: 0018:ffffb253604cbd88 EFLAGS: 00000247<br /> RAX: 000000000001960d RBX: 0000000000000002 RCX: ffff8cad2a064800<br /> RDX: 000000008020001b RSI: 0000000000000001 RDI: ffff8cad5d39f66c<br /> RBP: ffff8cad5d39f600 R08: 0000000000000001 R09: 0000000000000000<br /> R10: ffff8caa443e0c00 R11: ffffb253604cbcd8 R12: ffff8cacb8682538<br /> R13: 0000000000000005 R14: ffffb253604cbd90 R15: ffff8cad5d39f66c<br /> cm_process_send_error+0x122/0x1d0 [ib_cm]<br /> timeout_sends+0x1dd/0x270 [ib_core]<br /> process_one_work+0x1e2/0x3b0<br /> ? __pfx_worker_thread+0x10/0x10<br /> worker_thread+0x50/0x3a0<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0xdd/0x100<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x29/0x50<br /> <br /> <br /> Simplified timeout handler by creating local list of timed out WRs<br /> and invoke send handler post creating the list. The new method acquires/<br /> releases lock once to fetch the list and hence helps to reduce locking<br /> contetiong when processing higher no. of WRs

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error<br /> <br /> The `nouveau_dmem_copy_one` function ensures that the copy push command is<br /> sent to the device firmware but does not track whether it was executed<br /> successfully.<br /> <br /> In the case of a copy error (e.g., firmware or hardware failure), the<br /> copy push command will be sent via the firmware channel, and<br /> `nouveau_dmem_copy_one` will likely report success, leading to the<br /> `migrate_to_ram` function returning a dirty HIGH_USER page to the user.<br /> <br /> This can result in a security vulnerability, as a HIGH_USER page that may<br /> contain sensitive or corrupted data could be returned to the user.<br /> <br /> To prevent this vulnerability, we allocate a zero page. Thus, in case of<br /> an error, a non-dirty (zero) page will be returned to the user.

Waybox Enel X web management application could be used to execute arbitrary OS commands and provide administrator’s privileges over the Waybox system.

Waybox Enel TCF Agent service could be used to get administrator’s privileges over the Waybox system.

Under certain conditions, access to service libraries is granted to account they should not have access to.

A heap buffer overflow could be triggered by sending a specific packet to TCP port 7700.

The Waybox Enel X web management application contains a PHP-type juggling vulnerability that may allow a brute force process and under certain conditions bypass authentication.

Under certain conditions, through a request directed to the Waybox Enel X web management application, information like Waybox OS version or service configuration details could be obtained.

Waybox Enel X web management API authentication could be bypassed and provide administrator’s privileges over the Waybox system.

Waybox Enel X web management application could execute arbitrary requests on the internal database via /admin/versions.php.

Waybox Enel X web management application could execute arbitrary requests on the internal database via /admin/dbstore.php.