Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm: fix mempool NULL pointer race when completing IO<br /> <br /> dm_io_dec_pending() calls end_io_acct() first and will then dec md<br /> in-flight pending count. But if a task is swapping DM table at same<br /> time this can result in a crash due to mempool-&gt;elements being NULL:<br /> <br /> task1 task2<br /> do_resume<br /> -&gt;do_suspend<br /> -&gt;dm_wait_for_completion<br /> bio_endio<br /> -&gt;clone_endio<br /> -&gt;dm_io_dec_pending<br /> -&gt;end_io_acct<br /> -&gt;wakeup task1<br /> -&gt;dm_swap_table<br /> -&gt;__bind<br /> -&gt;__bind_mempools<br /> -&gt;bioset_exit<br /> -&gt;mempool_exit<br /> -&gt;free_io<br /> <br /> [ 67.330330] Unable to handle kernel NULL pointer dereference at<br /> virtual address 0000000000000000<br /> ......<br /> [ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO)<br /> [ 67.330510] pc : mempool_free+0x70/0xa0<br /> [ 67.330515] lr : mempool_free+0x4c/0xa0<br /> [ 67.330520] sp : ffffff8008013b20<br /> [ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004<br /> [ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8<br /> [ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800<br /> [ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800<br /> [ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80<br /> [ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c<br /> [ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd<br /> [ 67.330563] x15: 000000000093b41e x14: 0000000000000010<br /> [ 67.330569] x13: 0000000000007f7a x12: 0000000034155555<br /> [ 67.330574] x11: 0000000000000001 x10: 0000000000000001<br /> [ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000<br /> [ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a<br /> [ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001<br /> [ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8<br /> [ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970<br /> [ 67.330609] Call trace:<br /> [ 67.330616] mempool_free+0x70/0xa0<br /> [ 67.330627] bio_put+0xf8/0x110<br /> [ 67.330638] dec_pending+0x13c/0x230<br /> [ 67.330644] clone_endio+0x90/0x180<br /> [ 67.330649] bio_endio+0x198/0x1b8<br /> [ 67.330655] dec_pending+0x190/0x230<br /> [ 67.330660] clone_endio+0x90/0x180<br /> [ 67.330665] bio_endio+0x198/0x1b8<br /> [ 67.330673] blk_update_request+0x214/0x428<br /> [ 67.330683] scsi_end_request+0x2c/0x300<br /> [ 67.330688] scsi_io_completion+0xa0/0x710<br /> [ 67.330695] scsi_finish_command+0xd8/0x110<br /> [ 67.330700] scsi_softirq_done+0x114/0x148<br /> [ 67.330708] blk_done_softirq+0x74/0xd0<br /> [ 67.330716] __do_softirq+0x18c/0x374<br /> [ 67.330724] irq_exit+0xb4/0xb8<br /> [ 67.330732] __handle_domain_irq+0x84/0xc0<br /> [ 67.330737] gic_handle_irq+0x148/0x1b0<br /> [ 67.330744] el1_irq+0xe8/0x190<br /> [ 67.330753] lpm_cpuidle_enter+0x4f8/0x538<br /> [ 67.330759] cpuidle_enter_state+0x1fc/0x398<br /> [ 67.330764] cpuidle_enter+0x18/0x20<br /> [ 67.330772] do_idle+0x1b4/0x290<br /> [ 67.330778] cpu_startup_entry+0x20/0x28<br /> [ 67.330786] secondary_start_kernel+0x160/0x170<br /> <br /> Fix this by:<br /> 1) Establishing pointers to &amp;#39;struct dm_io&amp;#39; members in<br /> dm_io_dec_pending() so that they may be passed into end_io_acct()<br /> _after_ free_io() is called.<br /> 2) Moving end_io_acct() after free_io().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: musb: dsps: Fix the probe error path<br /> <br /> Commit 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() after<br /> initializing musb") has inverted the calls to<br /> dsps_setup_optional_vbus_irq() and dsps_create_musb_pdev() without<br /> updating correctly the error path. dsps_create_musb_pdev() allocates and<br /> registers a new platform device which must be unregistered and freed<br /> with platform_device_unregister(), and this is missing upon<br /> dsps_setup_optional_vbus_irq() error.<br /> <br /> While on the master branch it seems not to trigger any issue, I observed<br /> a kernel crash because of a NULL pointer dereference with a v5.10.70<br /> stable kernel where the patch mentioned above was backported. With this<br /> kernel version, -EPROBE_DEFER is returned the first time<br /> dsps_setup_optional_vbus_irq() is called which triggers the probe to<br /> error out without unregistering the platform device. Unfortunately, on<br /> the Beagle Bone Black Wireless, the platform device still living in the<br /> system is being used by the USB Ethernet gadget driver, which during the<br /> boot phase triggers the crash.<br /> <br /> My limited knowledge of the musb world prevents me to revert this commit<br /> which was sent to silence a robot warning which, as far as I understand,<br /> does not make sense. The goal of this patch was to prevent an IRQ to<br /> fire before the platform device being registered. I think this cannot<br /> ever happen due to the fact that enabling the interrupts is done by the<br /> -&gt;enable() callback of the platform musb device, and this platform<br /> device must be already registered in order for the core or any other<br /> user to use this callback.<br /> <br /> Hence, I decided to fix the error path, which might prevent future<br /> errors on mainline kernels while also fixing older ones.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: adis16475: fix deadlock on frequency set<br /> <br /> With commit 39c024b51b560<br /> ("iio: adis16475: improve sync scale mode handling"), two deadlocks were<br /> introduced:<br /> 1) The call to &amp;#39;adis_write_reg_16()&amp;#39; was not changed to it&amp;#39;s unlocked<br /> version.<br /> 2) The lock was not being released on the success path of the function.<br /> <br /> This change fixes both these issues.

The Elegant Addons for elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s Switcher, Slider, and Iconbox widgets in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘listingfields’ parameter in all versions up to, and including, 6.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.2.6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

The Toolbar Extras for Elementor &amp; More – WordPress Admin Bar Enhanced plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s &amp;#39;tbex-version&amp;#39; shortcode in all versions up to, and including, 1.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

TP-Link Tether versions prior to 4.5.13 and TP-Link Tapo versions prior to 3.3.6 do not properly validate certificates, which may allow a remote unauthenticated attacker to eavesdrop on an encrypted communication via a man-in-the-middle attack.

Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with "switch_themes" privilege may obtain arbitrary files on the server.

The Elegant Addons for elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s widgets in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied tag attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability.

Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may obtain arbitrary files on the server.