Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, of all of the latest documented and recognised vulnerabilities for users interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-8969

Publication date:
18/09/2024
OMFLOW from The SYSCOM Group has a vulnerability involving the exposure of sensitive data. This allows remote attackers who have logged into the system to obtain password hashes of all users and administrators.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-46733

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix qgroup reserve leaks in cow_file_range

In the buffered write path, the dirty page owns the qgroup reserve until
it creates an ordered_extent.

Therefore, any errors that occur before the ordered_extent is created
must free that reservation, or else the space is leaked. The fstest
generic/475 exercises various IO error paths, and is able to trigger
errors in cow_file_range where we fail to get to allocating the ordered
extent. Note that because we *do* clear delalloc, we are likely to
remove the inode from the delalloc list, so the inodes/pages do not have
invalidate/launder called on them in the commit abort path.

This results in failures at the unmount stage of the test that look like:

BTRFS: error (device dm-8 state EA) in cleanup_transaction:2018: errno=-5 IO failure
BTRFS: error (device dm-8 state EA) in btrfs_replace_file_extents:2416: errno=-5 IO failure
BTRFS warning (device dm-8 state EA): qgroup 0/5 has unreleased space, type 0 rsv 28672
------------[ cut here ]------------
WARNING: CPU: 3 PID: 22588 at fs/btrfs/disk-io.c:4333 close_ctree+0x222/0x4d0 [btrfs]
Modules linked in: btrfs blake2b_generic libcrc32c xor zstd_compress raid6_pq
CPU: 3 PID: 22588 Comm: umount Kdump: loaded Tainted: G W 6.10.0-rc7-gab56fde445b8 #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
RIP: 0010:close_ctree+0x222/0x4d0 [btrfs]
RSP: 0018:ffffb4465283be00 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffffa1a1818e1000 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffb4465283bbe0 RDI: ffffa1a19374fcb8
RBP: ffffa1a1818e13c0 R08: 0000000100028b16 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000003 R12: ffffa1a18ad7972c
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f9168312b80(0000) GS:ffffa1a4afcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f91683c9140 CR3: 000000010acaa000 CR4: 00000000000006f0
Call Trace:
? close_ctree+0x222/0x4d0 [btrfs]
? __warn.cold+0x8e/0xea
? close_ctree+0x222/0x4d0 [btrfs]
? report_bug+0xff/0x140
? handle_bug+0x3b/0x70
? exc_invalid_op+0x17/0x70
? asm_exc_invalid_op+0x1a/0x20
? close_ctree+0x222/0x4d0 [btrfs]
generic_shutdown_super+0x70/0x160
kill_anon_super+0x11/0x40
btrfs_kill_super+0x11/0x20 [btrfs]
deactivate_locked_super+0x2e/0xa0
cleanup_mnt+0xb5/0x150
task_work_run+0x57/0x80
syscall_exit_to_user_mode+0x121/0x130
do_syscall_64+0xab/0x1a0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f916847a887
---[ end trace 0000000000000000 ]---
BTRFS error (device dm-8 state EA): qgroup reserved space leaked

Cases 2 and 3 in the out_reserve path both pertain to this type of leak
and must free the reserved qgroup data. Because it is already an error
path, I opted not to handle the possible errors in
btrfs_free_qgroup_data.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-46731

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: fix the Out-of-bounds read warning

using index i - 1U may be beyond element index
for mc_data[] when i = 0.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-46732

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Assign linear_pitch_alignment even for VM

[Description]
Assign linear_pitch_alignment so we don't cause a divide by 0
error in VM environments
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-43778

Publication date:
18/09/2024
OS command injection vulnerability in multiple digital video recorders provided by TAKENAKA ENGINEERING CO., LTD. allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter the device settings.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-46718

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Don't overmap identity VRAM mapping

Overmapping the identity VRAM mapping is triggering hardware bugs on
certain platforms. Use 2M pages for the last unaligned (to 1G) VRAM
chunk.

v2:
- Always use 2M pages for last chunk (Fei Yang)
- break loop when 2M pages are used
- Add assert for usable_size being 2M aligned
v3:
- Fix checkpatch
Severity CVSS v4.0: Pending analysis
Last modification:
08/10/2025

CVE-2024-46727

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add otg_master NULL check within resource_log_pipe_topology_update

[Why]
Coverity reports NULL_RETURN warning.

[How]
Add otg_master NULL check.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2024

CVE-2024-46728

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check index for aux_rd_interval before using

aux_rd_interval has size of 7 and should be checked.

This fixes 3 OVERRUN and 1 INTEGER_OVERFLOW issues reported by Coverity.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2024

CVE-2024-46729

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix incorrect size calculation for loop

[WHY]
fe_clk_en has size of 5 but sizeof(fe_clk_en) has byte size 20 which is
larger than the array size.

[HOW]
Divide byte size 20 by its element size.

This fixes 2 OVERRUN issues reported by Coverity.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2025

CVE-2024-46714

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Skip wbscl_set_scaler_filter if filter is null

Callers can pass null in filter (i.e. returned from the function
wbscl_get_filter_coeffs_16p) and a null check is added to ensure that is
not the case.

This fixes 4 NULL_RETURNS issues reported by Coverity.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-46715

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

driver: iio: add missing checks on iio_info's callback access

Some callbacks from iio_info structure are accessed without any check, so
if a driver doesn't implement them, trying to access the corresponding
sysfs entries produces a kernel oops such as:

[ 2203.527791] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute
[...]
[ 2203.783416] Call trace:
[ 2203.783429] iio_read_channel_info_avail from dev_attr_show+0x18/0x48
[ 2203.789807] dev_attr_show from sysfs_kf_seq_show+0x90/0x120
[ 2203.794181] sysfs_kf_seq_show from seq_read_iter+0xd0/0x4e4
[ 2203.798555] seq_read_iter from vfs_read+0x238/0x2a0
[ 2203.802236] vfs_read from ksys_read+0xa4/0xd4
[ 2203.805385] ksys_read from ret_fast_syscall+0x0/0x54
[ 2203.809135] Exception stack(0xe0badfa8 to 0xe0badff0)
[ 2203.812880] dfa0: 00000003 b6f10f80 00000003 b6eab000 00020000 00000000
[ 2203.819746] dfc0: 00000003 b6f10f80 7ff00000 00000003 00000003 00000000 00020000 00000000
[ 2203.826619] dfe0: b6e1bc88 bed80958 b6e1bc94 b6e1bcb0
[ 2203.830363] Code: bad PC value
[ 2203.832695] ---[ end trace 0000000000000000 ]---
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-46716

Publication date:
18/09/2024
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor

Remove list_del call in msgdma_chan_desc_cleanup, this should be the role
of msgdma_free_descriptor. In consequence replace list_add_tail with
list_move_tail in msgdma_free_descriptor.

This fixes the path:
msgdma_free_chan_resources -> msgdma_free_descriptors ->
msgdma_free_desc_list -> msgdma_free_descriptor

which does not correctly free the descriptors as first nodes were not
removed from the list.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025