Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down<br /> <br /> There is a history of deadlock if reboot is performed at the beginning<br /> of booting. SDEV_QUIESCE was set for all LU&amp;#39;s scsi_devices by UFS<br /> shutdown, and at that time the audio driver was waiting on<br /> blk_mq_submit_bio() holding a mutex_lock while reading the fw binary.<br /> After that, a deadlock issue occurred while audio driver shutdown was<br /> waiting for mutex_unlock of blk_mq_submit_bio(). To solve this, set<br /> SDEV_OFFLINE for all LUs except WLUN, so that any I/O that comes down<br /> after a UFS shutdown will return an error.<br /> <br /> [ 31.907781]I[0: swapper/0: 0] 1 130705007 1651079834 11289729804 0 D( 2) 3 ffffff882e208000 * init [device_shutdown]<br /> [ 31.907793]I[0: swapper/0: 0] Mutex: 0xffffff8849a2b8b0: owner[0xffffff882e28cb00 kworker/6:0 :49]<br /> [ 31.907806]I[0: swapper/0: 0] Call trace:<br /> [ 31.907810]I[0: swapper/0: 0] __switch_to+0x174/0x338<br /> [ 31.907819]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc<br /> [ 31.907826]I[0: swapper/0: 0] schedule+0x7c/0xe8<br /> [ 31.907834]I[0: swapper/0: 0] schedule_preempt_disabled+0x24/0x40<br /> [ 31.907842]I[0: swapper/0: 0] __mutex_lock+0x408/0xdac<br /> [ 31.907849]I[0: swapper/0: 0] __mutex_lock_slowpath+0x14/0x24<br /> [ 31.907858]I[0: swapper/0: 0] mutex_lock+0x40/0xec<br /> [ 31.907866]I[0: swapper/0: 0] device_shutdown+0x108/0x280<br /> [ 31.907875]I[0: swapper/0: 0] kernel_restart+0x4c/0x11c<br /> [ 31.907883]I[0: swapper/0: 0] __arm64_sys_reboot+0x15c/0x280<br /> [ 31.907890]I[0: swapper/0: 0] invoke_syscall+0x70/0x158<br /> [ 31.907899]I[0: swapper/0: 0] el0_svc_common+0xb4/0xf4<br /> [ 31.907909]I[0: swapper/0: 0] do_el0_svc+0x2c/0xb0<br /> [ 31.907918]I[0: swapper/0: 0] el0_svc+0x34/0xe0<br /> [ 31.907928]I[0: swapper/0: 0] el0t_64_sync_handler+0x68/0xb4<br /> [ 31.907937]I[0: swapper/0: 0] el0t_64_sync+0x1a0/0x1a4<br /> <br /> [ 31.908774]I[0: swapper/0: 0] 49 0 11960702 11236868007 0 D( 2) 6 ffffff882e28cb00 * kworker/6:0 [__bio_queue_enter]<br /> [ 31.908783]I[0: swapper/0: 0] Call trace:<br /> [ 31.908788]I[0: swapper/0: 0] __switch_to+0x174/0x338<br /> [ 31.908796]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc<br /> [ 31.908803]I[0: swapper/0: 0] schedule+0x7c/0xe8<br /> [ 31.908811]I[0: swapper/0: 0] __bio_queue_enter+0xb8/0x178<br /> [ 31.908818]I[0: swapper/0: 0] blk_mq_submit_bio+0x194/0x67c<br /> [ 31.908827]I[0: swapper/0: 0] __submit_bio+0xb8/0x19c

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm64: probes: Remove broken LDR (literal) uprobe support<br /> <br /> The simulate_ldr_literal() and simulate_ldrsw_literal() functions are<br /> unsafe to use for uprobes. Both functions were originally written for<br /> use with kprobes, and access memory with plain C accesses. When uprobes<br /> was added, these were reused unmodified even though they cannot safely<br /> access user memory.<br /> <br /> There are three key problems:<br /> <br /> 1) The plain C accesses do not have corresponding extable entries, and<br /> thus if they encounter a fault the kernel will treat these as<br /> unintentional accesses to user memory, resulting in a BUG() which<br /> will kill the kernel thread, and likely lead to further issues (e.g.<br /> lockup or panic()).<br /> <br /> 2) The plain C accesses are subject to HW PAN and SW PAN, and so when<br /> either is in use, any attempt to simulate an access to user memory<br /> will fault. Thus neither simulate_ldr_literal() nor<br /> simulate_ldrsw_literal() can do anything useful when simulating a<br /> user instruction on any system with HW PAN or SW PAN.<br /> <br /> 3) The plain C accesses are privileged, as they run in kernel context,<br /> and in practice can access a small range of kernel virtual addresses.<br /> The instructions they simulate have a range of +/-1MiB, and since the<br /> simulated instructions must itself be a user instructions in the<br /> TTBR0 address range, these can address the final 1MiB of the TTBR1<br /> acddress range by wrapping downwards from an address in the first<br /> 1MiB of the TTBR0 address range.<br /> <br /> In contemporary kernels the last 8MiB of TTBR1 address range is<br /> reserved, and accesses to this will always fault, meaning this is no<br /> worse than (1).<br /> <br /> Historically, it was theoretically possible for the linear map or<br /> vmemmap to spill into the final 8MiB of the TTBR1 address range, but<br /> in practice this is extremely unlikely to occur as this would<br /> require either:<br /> <br /> * Having enough physical memory to fill the entire linear map all the<br /> way to the final 1MiB of the TTBR1 address range.<br /> <br /> * Getting unlucky with KASLR randomization of the linear map such<br /> that the populated region happens to overlap with the last 1MiB of<br /> the TTBR address range.<br /> <br /> ... and in either case if we were to spill into the final page there<br /> would be larger problems as the final page would alias with error<br /> pointers.<br /> <br /> Practically speaking, (1) and (2) are the big issues. Given there have<br /> been no reports of problems since the broken code was introduced, it<br /> appears that no-one is relying on probing these instructions with<br /> uprobes.<br /> <br /> Avoid these issues by not allowing uprobes on LDR (literal) and LDRSW<br /> (literal), limiting the use of simulate_ldr_literal() and<br /> simulate_ldrsw_literal() to kprobes. Attempts to place uprobes on LDR<br /> (literal) and LDRSW (literal) will be rejected as<br /> arm_probe_decode_insn() will return INSN_REJECTED. In future we can<br /> consider introducing working uprobes support for these instructions, but<br /> this will require more significant work.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices<br /> <br /> Previously, the domain_context_clear() function incorrectly called<br /> pci_for_each_dma_alias() to set up context entries for non-PCI devices.<br /> This could lead to kernel hangs or other unexpected behavior.<br /> <br /> Add a check to only call pci_for_each_dma_alias() for PCI devices. For<br /> non-PCI devices, domain_context_clear_one() is called directly.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe()<br /> <br /> A devm_kzalloc() in asoc_qcom_lpass_cpu_platform_probe() could<br /> possibly return NULL pointer. NULL Pointer Dereference may be<br /> triggerred without addtional check.<br /> Add a NULL check for the returned pointer.

A potential vulnerability was discovered in certain Poly video conferencing devices. The firmware flaw does not properly sanitize user input. The exploitation of this vulnerability is dependent on a layered attack and cannot be exploited by itself.

An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities.

The LSC Smart Connect Indoor IP Camera V7.6.32 is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera&amp;#39;s feed, potentially compromising user privacy and security. No credentials or special permissions are required, and access can be gained remotely over the network.

Substance3D - Painter versions 10.0.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/oa: Fix overflow in oa batch buffer<br /> <br /> By default xe_bb_create_job() appends a MI_BATCH_BUFFER_END to batch<br /> buffer, this is not a problem if batch buffer is only used once but<br /> oa reuses the batch buffer for the same metric and at each call<br /> it appends a MI_BATCH_BUFFER_END, printing the warning below and then<br /> overflowing.<br /> <br /> [ 381.072016] ------------[ cut here ]------------<br /> [ 381.072019] xe 0000:00:02.0: [drm] Assertion `bb-&gt;len * 4 + bb_prefetch(q-&gt;gt)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm vdo: don&amp;#39;t refer to dedupe_context after releasing it<br /> <br /> Clear the dedupe_context pointer in a data_vio whenever ownership of<br /> the context is lost, so that vdo can&amp;#39;t examine it accidentally.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: netconsole: fix wrong warning<br /> <br /> A warning is triggered when there is insufficient space in the buffer<br /> for userdata. However, this is not an issue since userdata will be sent<br /> in the next iteration.<br /> <br /> Current warning message:<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 13 PID: 3013042 at drivers/net/netconsole.c:1122 write_ext_msg+0x3b6/0x3d0<br /> ? write_ext_msg+0x3b6/0x3d0<br /> console_flush_all+0x1e9/0x330<br /> <br /> The code incorrectly issues a warning when this_chunk is zero, which is<br /> a valid scenario. The warning should only be triggered when this_chunk<br /> is negative.