Vulnerabilities

A vulnerability in the Dedicated XML Agent feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) on XML TCP listen port 38751.<br /> <br /> This vulnerability is due to a lack of proper error validation of ingress XML packets. An attacker could exploit this vulnerability by sending a sustained, crafted stream of XML traffic to a targeted device. A successful exploit could allow the attacker to cause XML TCP port 38751 to become unreachable while the attack traffic persists.

A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to obtain read/write file system access on the underlying operating system of an affected device.<br /> <br /> This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root.

A vulnerability in the multicast traceroute version 2 (Mtrace2) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust the UDP packet memory of an affected device.<br /> <br /> This vulnerability exists because the Mtrace2 code does not properly handle packet memory. An attacker could exploit this vulnerability by sending crafted packets to an affected device. A successful exploit could allow the attacker to exhaust the incoming UDP packet memory. The affected device would not be able to process higher-level UDP-based protocols packets, possibly causing a denial of service (DoS) condition.<br /> Note: This vulnerability can be exploited using IPv4 or IPv6.

The Samsung Universal Print Driver for Windows is potentially vulnerable to escalation of privilege allowing the creation of a reverse shell in the tool. This is only applicable for products in the application released or manufactured before 2018.

URL Redirection to Untrusted Site (&amp;#39;Open Redirect&amp;#39;) vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix a kernel verifier crash in stacksafe()<br /> <br /> Daniel Hodges reported a kernel verifier crash when playing with sched-ext.<br /> Further investigation shows that the crash is due to invalid memory access<br /> in stacksafe(). More specifically, it is the following code:<br /> <br /> if (exact != NOT_EXACT &amp;&amp;<br /> old-&gt;stack[spi].slot_type[i % BPF_REG_SIZE] !=<br /> cur-&gt;stack[spi].slot_type[i % BPF_REG_SIZE])<br /> return false;<br /> <br /> The &amp;#39;i&amp;#39; iterates old-&gt;allocated_stack.<br /> If cur-&gt;allocated_stack allocated_stack the out-of-bound<br /> access will happen.<br /> <br /> To fix the issue add &amp;#39;i &gt;= cur-&gt;allocated_stack&amp;#39; check such that if<br /> the condition is true, stacksafe() should fail. Otherwise,<br /> cur-&gt;stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> md/raid1: Fix data corruption for degraded array with slow disk<br /> <br /> read_balance() will avoid reading from slow disks as much as possible,<br /> however, if valid data only lands in slow disks, and a new normal disk<br /> is still in recovery, unrecovered data can be read:<br /> <br /> raid1_read_request<br /> read_balance<br /> raid1_should_read_first<br /> -&gt; return false<br /> choose_best_rdev<br /> -&gt; normal disk is not recovered, return -1<br /> choose_bb_rdev<br /> -&gt; missing the checking of recovery, return the normal disk<br /> -&gt; read unrecovered data<br /> <br /> Root cause is that the checking of recovery is missing in<br /> choose_bb_rdev(). Hence add such checking to fix the problem.<br /> <br /> Also fix similar problem in choose_slow_rdev().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/hugetlb: fix hugetlb vs. core-mm PT locking<br /> <br /> We recently made GUP&amp;#39;s common page table walking code to also walk hugetlb<br /> VMAs without most hugetlb special-casing, preparing for the future of<br /> having less hugetlb-specific page table walking code in the codebase. <br /> Turns out that we missed one page table locking detail: page table locking<br /> for hugetlb folios that are not mapped using a single PMD/PUD.<br /> <br /> Assume we have hugetlb folio that spans multiple PTEs (e.g., 64 KiB<br /> hugetlb folios on arm64 with 4 KiB base page size). GUP, as it walks the<br /> page tables, will perform a pte_offset_map_lock() to grab the PTE table<br /> lock.<br /> <br /> However, hugetlb that concurrently modifies these page tables would<br /> actually grab the mm-&gt;page_table_lock: with USE_SPLIT_PTE_PTLOCKS, the<br /> locks would differ. Something similar can happen right now with hugetlb<br /> folios that span multiple PMDs when USE_SPLIT_PMD_PTLOCKS.<br /> <br /> This issue can be reproduced [1], for example triggering:<br /> <br /> [ 3105.936100] ------------[ cut here ]------------<br /> [ 3105.939323] WARNING: CPU: 31 PID: 2732 at mm/gup.c:142 try_grab_folio+0x11c/0x188<br /> [ 3105.944634] Modules linked in: [...]<br /> [ 3105.974841] CPU: 31 PID: 2732 Comm: reproducer Not tainted 6.10.0-64.eln141.aarch64 #1<br /> [ 3105.980406] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-4.fc40 05/24/2024<br /> [ 3105.986185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 3105.991108] pc : try_grab_folio+0x11c/0x188<br /> [ 3105.994013] lr : follow_page_pte+0xd8/0x430<br /> [ 3105.996986] sp : ffff80008eafb8f0<br /> [ 3105.999346] x29: ffff80008eafb900 x28: ffffffe8d481f380 x27: 00f80001207cff43<br /> [ 3106.004414] x26: 0000000000000001 x25: 0000000000000000 x24: ffff80008eafba48<br /> [ 3106.009520] x23: 0000ffff9372f000 x22: ffff7a54459e2000 x21: ffff7a546c1aa978<br /> [ 3106.014529] x20: ffffffe8d481f3c0 x19: 0000000000610041 x18: 0000000000000001<br /> [ 3106.019506] x17: 0000000000000001 x16: ffffffffffffffff x15: 0000000000000000<br /> [ 3106.024494] x14: ffffb85477fdfe08 x13: 0000ffff9372ffff x12: 0000000000000000<br /> [ 3106.029469] x11: 1fffef4a88a96be1 x10: ffff7a54454b5f0c x9 : ffffb854771b12f0<br /> [ 3106.034324] x8 : 0008000000000000 x7 : ffff7a546c1aa980 x6 : 0008000000000080<br /> [ 3106.038902] x5 : 00000000001207cf x4 : 0000ffff9372f000 x3 : ffffffe8d481f000<br /> [ 3106.043420] x2 : 0000000000610041 x1 : 0000000000000001 x0 : 0000000000000000<br /> [ 3106.047957] Call trace:<br /> [ 3106.049522] try_grab_folio+0x11c/0x188<br /> [ 3106.051996] follow_pmd_mask.constprop.0.isra.0+0x150/0x2e0<br /> [ 3106.055527] follow_page_mask+0x1a0/0x2b8<br /> [ 3106.058118] __get_user_pages+0xf0/0x348<br /> [ 3106.060647] faultin_page_range+0xb0/0x360<br /> [ 3106.063651] do_madvise+0x340/0x598<br /> <br /> Let&amp;#39;s make huge_pte_lockptr() effectively use the same PT locks as any<br /> core-mm page table walker would. Add ptep_lockptr() to obtain the PTE<br /> page table lock using a pte pointer -- unfortunately we cannot convert<br /> pte_lockptr() because virt_to_page() doesn&amp;#39;t work with kmap&amp;#39;ed page tables<br /> we can have with CONFIG_HIGHPTE.<br /> <br /> Handle CONFIG_PGTABLE_LEVELS correctly by checking in reverse order, such<br /> that when e.g., CONFIG_PGTABLE_LEVELS==2 with<br /> PGDIR_SIZE==P4D_SIZE==PUD_SIZE==PMD_SIZE will work as expected. Document<br /> why that works.<br /> <br /> There is one ugly case: powerpc 8xx, whereby we have an 8 MiB hugetlb<br /> folio being mapped using two PTE page tables. While hugetlb wants to take<br /> the PMD table lock, core-mm would grab the PTE table lock of one of both<br /> PTE page tables. In such corner cases, we have to make sure that both<br /> locks match, which is (fortunately!) currently guaranteed for 8xx as it<br /> does not support SMP and consequently doesn&amp;#39;t use split PT locks.<br /> <br /> [1] https://lore.kernel.org/all/1bbfcc7f-f222-45a5-ac44-c5a1381c596d@redhat.com/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: xhci: Check for xhci-&gt;interrupters being allocated in xhci_mem_clearup()<br /> <br /> If xhci_mem_init() fails, it calls into xhci_mem_cleanup() to mop<br /> up the damage. If it fails early enough, before xhci-&gt;interrupters<br /> is allocated but after xhci-&gt;max_interrupters has been set, which<br /> happens in most (all?) cases, things get uglier, as xhci_mem_cleanup()<br /> unconditionally derefences xhci-&gt;interrupters. With prejudice.<br /> <br /> Gate the interrupt freeing loop with a check on xhci-&gt;interrupters<br /> being non-NULL.<br /> <br /> Found while debugging a DMA allocation issue that led the XHCI driver<br /> on this exact path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> igb: cope with large MAX_SKB_FRAGS<br /> <br /> Sabrina reports that the igb driver does not cope well with large<br /> MAX_SKB_FRAG values: setting MAX_SKB_FRAG to 45 causes payload<br /> corruption on TX.<br /> <br /> An easy reproducer is to run ssh to connect to the machine. With<br /> MAX_SKB_FRAGS=17 it works, with MAX_SKB_FRAGS=45 it fails. This has<br /> been reported originally in<br /> https://bugzilla.redhat.com/show_bug.cgi?id=2265320<br /> <br /> The root cause of the issue is that the driver does not take into<br /> account properly the (possibly large) shared info size when selecting<br /> the ring layout, and will try to fit two packets inside the same 4K<br /> page even when the 1st fraglist will trump over the 2nd head.<br /> <br /> Address the issue by checking if 2K buffers are insufficient.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion<br /> <br /> wpa_supplicant 2.11 sends since 1efdba5fdc2c ("Handle PMKSA flush in the<br /> driver for SAE/OWE offload cases") SSID based PMKSA del commands.<br /> brcmfmac is not prepared and tries to dereference the NULL bssid and<br /> pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based<br /> updates so copy the SSID.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> memcg_write_event_control(): fix a user-triggerable oops<br /> <br /> we are *not* guaranteed that anything past the terminating NUL<br /> is mapped (let alone initialized with anything sane).