Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/tls: Fix flipped sign in tls_err_abort() calls<br /> <br /> sk-&gt;sk_err appears to expect a positive value, a convention that ktls<br /> doesn&amp;#39;t always follow and that leads to memory corruption in other code.<br /> For instance,<br /> <br /> [kworker]<br /> tls_encrypt_done(..., err=)<br /> tls_err_abort(.., err)<br /> sk-&gt;sk_err = err;<br /> <br /> [task]<br /> splice_from_pipe_feed<br /> ...<br /> tls_sw_do_sendpage<br /> if (sk-&gt;sk_err) {<br /> ret = -sk-&gt;sk_err; // ret is positive<br /> <br /> splice_from_pipe_feed (continued)<br /> ret = actor(...) // ret is still positive and interpreted as bytes<br /> // written, resulting in underflow of buf-&gt;len and<br /> // sd-&gt;len, leading to huge buf-&gt;offset and bogus<br /> // addresses computed in later calls to actor()<br /> <br /> Fix all tls_err_abort() callers to pass a negative error code<br /> consistently and centralize the error-prone sign flip there, throwing in<br /> a warning to catch future misuse and uninlining the function so it<br /> really does only warn once.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells<br /> <br /> If a cell has &amp;#39;nbits&amp;#39; equal to a multiple of BITS_PER_BYTE the logic<br /> <br /> *p &amp;= GENMASK((cell-&gt;nbits%BITS_PER_BYTE) - 1, 0);<br /> <br /> will become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we<br /> subtract one from that making a large number that is then shifted more than the<br /> number of bits that fit into an unsigned long.<br /> <br /> UBSAN reports this problem:<br /> <br /> UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8<br /> shift exponent 64 is too large for 64-bit type &amp;#39;unsigned long&amp;#39;<br /> CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9<br /> Hardware name: Google Lazor (rev3+) with KB Backlight (DT)<br /> Workqueue: events_unbound deferred_probe_work_func<br /> Call trace:<br /> dump_backtrace+0x0/0x170<br /> show_stack+0x24/0x30<br /> dump_stack_lvl+0x64/0x7c<br /> dump_stack+0x18/0x38<br /> ubsan_epilogue+0x10/0x54<br /> __ubsan_handle_shift_out_of_bounds+0x180/0x194<br /> __nvmem_cell_read+0x1ec/0x21c<br /> nvmem_cell_read+0x58/0x94<br /> nvmem_cell_read_variable_common+0x4c/0xb0<br /> nvmem_cell_read_variable_le_u32+0x40/0x100<br /> a6xx_gpu_init+0x170/0x2f4<br /> adreno_bind+0x174/0x284<br /> component_bind_all+0xf0/0x264<br /> msm_drm_bind+0x1d8/0x7a0<br /> try_to_bring_up_master+0x164/0x1ac<br /> __component_add+0xbc/0x13c<br /> component_add+0x20/0x2c<br /> dp_display_probe+0x340/0x384<br /> platform_probe+0xc0/0x100<br /> really_probe+0x110/0x304<br /> __driver_probe_device+0xb8/0x120<br /> driver_probe_device+0x4c/0xfc<br /> __device_attach_driver+0xb0/0x128<br /> bus_for_each_drv+0x90/0xdc<br /> __device_attach+0xc8/0x174<br /> device_initial_probe+0x20/0x2c<br /> bus_probe_device+0x40/0xa4<br /> deferred_probe_work_func+0x7c/0xb8<br /> process_one_work+0x128/0x21c<br /> process_scheduled_works+0x40/0x54<br /> worker_thread+0x1ec/0x2a8<br /> kthread+0x138/0x158<br /> ret_from_fork+0x10/0x20<br /> <br /> Fix it by making sure there are any bits to mask out.

The ApplyOnline – Application Form Builder and Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the aol_modal_box AJAX action in all versions up to, and including, 2.6. This makes it possible for authenticated attackers, with subscriber access or higher, to view Application submissions.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm rq: don&amp;#39;t queue request to blk-mq during DM suspend<br /> <br /> DM uses blk-mq&amp;#39;s quiesce/unquiesce to stop/start device mapper queue.<br /> <br /> But blk-mq&amp;#39;s unquiesce may come from outside events, such as elevator<br /> switch, updating nr_requests or others, and request may come during<br /> suspend, so simply ask for blk-mq to requeue it.<br /> <br /> Fixes one kernel panic issue when running updating nr_requests and<br /> dm-mpath suspend/resume stress test.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR<br /> <br /> Normally the zero fill would hide the missing initialization, but an<br /> errant set to desc_size in reg_create() causes a crash:<br /> <br /> BUG: unable to handle page fault for address: 0000000800000000<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] SMP PTI<br /> CPU: 5 PID: 890 Comm: ib_write_bw Not tainted 5.15.0-rc4+ #47<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:mlx5_ib_dereg_mr+0x14/0x3b0 [mlx5_ib]<br /> Code: 48 63 cd 4c 89 f7 48 89 0c 24 e8 37 30 03 e1 48 8b 0c 24 eb a0 90 0f 1f 44 00 00 41 56 41 55 41 54 55 53 48 89 fb 48 83 ec 30 8b 2f 65 48 8b 04 25 28 00 00 00 48 89 44 24 28 31 c0 8b 87 c8<br /> RSP: 0018:ffff88811afa3a60 EFLAGS: 00010286<br /> RAX: 000000000000001c RBX: 0000000800000000 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000800000000<br /> RBP: 0000000800000000 R08: 0000000000000000 R09: c0000000fffff7ff<br /> R10: ffff88811afa38f8 R11: ffff88811afa38f0 R12: ffffffffa02c7ac0<br /> R13: 0000000000000000 R14: ffff88811afa3cd8 R15: ffff88810772fa00<br /> FS: 00007f47b9080740(0000) GS:ffff88852cd40000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000800000000 CR3: 000000010761e003 CR4: 0000000000370ea0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> mlx5_ib_free_odp_mr+0x95/0xc0 [mlx5_ib]<br /> mlx5_ib_dereg_mr+0x128/0x3b0 [mlx5_ib]<br /> ib_dereg_mr_user+0x45/0xb0 [ib_core]<br /> ? xas_load+0x8/0x80<br /> destroy_hw_idr_uobject+0x1a/0x50 [ib_uverbs]<br /> uverbs_destroy_uobject+0x2f/0x150 [ib_uverbs]<br /> uobj_destroy+0x3c/0x70 [ib_uverbs]<br /> ib_uverbs_cmd_verbs+0x467/0xb00 [ib_uverbs]<br /> ? uverbs_finalize_object+0x60/0x60 [ib_uverbs]<br /> ? ttwu_queue_wakelist+0xa9/0xe0<br /> ? pty_write+0x85/0x90<br /> ? file_tty_write.isra.33+0x214/0x330<br /> ? process_echoes+0x60/0x60<br /> ib_uverbs_ioctl+0xa7/0x110 [ib_uverbs]<br /> __x64_sys_ioctl+0x10d/0x8e0<br /> ? vfs_write+0x17f/0x260<br /> do_syscall_64+0x3c/0x80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> Add the missing xarray initialization and remove the desc_size set.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: batman-adv: fix error handling<br /> <br /> Syzbot reported ODEBUG warning in batadv_nc_mesh_free(). The problem was<br /> in wrong error handling in batadv_mesh_init().<br /> <br /> Before this patch batadv_mesh_init() was calling batadv_mesh_free() in case<br /> of any batadv_*_init() calls failure. This approach may work well, when<br /> there is some kind of indicator, which can tell which parts of batadv are<br /> initialized; but there isn&amp;#39;t any.<br /> <br /> All written above lead to cleaning up uninitialized fields. Even if we hide<br /> ODEBUG warning by initializing bat_priv-&gt;nc.work, syzbot was able to hit<br /> GPF in batadv_nc_purge_paths(), because hash pointer in still NULL. [1]<br /> <br /> To fix these bugs we can unwind batadv_*_init() calls one by one.<br /> It is good approach for 2 reasons: 1) It fixes bugs on error handling<br /> path 2) It improves the performance, since we won&amp;#39;t call unneeded<br /> batadv_*_free() functions.<br /> <br /> So, this patch makes all batadv_*_init() clean up all allocated memory<br /> before returning with an error to no call correspoing batadv_*_free()<br /> and open-codes batadv_mesh_free() with proper order to avoid touching<br /> uninitialized fields.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> regmap: Fix possible double-free in regcache_rbtree_exit()<br /> <br /> In regcache_rbtree_insert_to_block(), when &amp;#39;present&amp;#39; realloc failed,<br /> the &amp;#39;blk&amp;#39; which is supposed to assign to &amp;#39;rbnode-&gt;block&amp;#39; will be freed,<br /> so &amp;#39;rbnode-&gt;block&amp;#39; points a freed memory, in the error handling path of<br /> regcache_rbtree_init(), &amp;#39;rbnode-&gt;block&amp;#39; will be freed again in<br /> regcache_rbtree_exit(), KASAN will report double-free as follows:<br /> <br /> BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390<br /> Call Trace:<br /> slab_free_freelist_hook+0x10d/0x240<br /> kfree+0xce/0x390<br /> regcache_rbtree_exit+0x15d/0x1a0<br /> regcache_rbtree_init+0x224/0x2c0<br /> regcache_init+0x88d/0x1310<br /> __regmap_init+0x3151/0x4a80<br /> __devm_regmap_init+0x7d/0x100<br /> madera_spi_probe+0x10f/0x333 [madera_spi]<br /> spi_probe+0x183/0x210<br /> really_probe+0x285/0xc30<br /> <br /> To fix this, moving up the assignment of rbnode-&gt;block to immediately after<br /> the reallocation has succeeded so that the data structure stays valid even<br /> if the second reallocation fails.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> octeontx2-af: Fix possible null pointer dereference.<br /> <br /> This patch fixes possible null pointer dereference in files<br /> "rvu_debugfs.c" and "rvu_nix.c"

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields<br /> <br /> Overflowing either addrlimit or bytes_togo can allow userspace to trigger<br /> a buffer overflow of kernel memory. Check for overflows in all the places<br /> doing math on user controlled buffers.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv, bpf: Fix potential NULL dereference<br /> <br /> The bpf_jit_binary_free() function requires a non-NULL argument. When<br /> the RISC-V BPF JIT fails to converge in NR_JIT_ITERATIONS steps,<br /> jit_data-&gt;header will be NULL, which triggers a NULL<br /> dereference. Avoid this by checking the argument, prior calling the<br /> function.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.