Vulnerabilities

To inform, warn and help professionals with regard to the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-47619

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix queues reservation for XDP

When XDP was configured on a system with large number of CPUs and X722 NIC there was a call trace with NULL pointer dereference.

i40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12
i40e 0000:87:00.0: setup of MAIN VSI failed

BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:i40e_xdp+0xea/0x1b0 [i40e]
Call Trace:
? i40e_reconfig_rss_queues+0x130/0x130 [i40e]
dev_xdp_install+0x61/0xe0
dev_xdp_attach+0x18a/0x4c0
dev_change_xdp_fd+0x1e6/0x220
do_setlink+0x616/0x1030
? ahci_port_stop+0x80/0x80
? ata_qc_issue+0x107/0x1e0
? lock_timer_base+0x61/0x80
? __mod_timer+0x202/0x380
rtnl_setlink+0xe5/0x170
? bpf_lsm_binder_transaction+0x10/0x10
? security_capable+0x36/0x50
rtnetlink_rcv_msg+0x121/0x350
? rtnl_calcit.isra.0+0x100/0x100
netlink_rcv_skb+0x50/0xf0
netlink_unicast+0x1d3/0x2a0
netlink_sendmsg+0x22a/0x440
sock_sendmsg+0x5e/0x60
__sys_sendto+0xf0/0x160
? __sys_getsockname+0x7e/0xc0
? _copy_from_user+0x3c/0x80
? __sys_setsockopt+0xc8/0x1a0
__x64_sys_sendto+0x20/0x30
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f83fa7a39e0

This was caused by PF queue pile fragmentation due to flow director VSI queue being placed right after main VSI. Because of this main VSI was not able to resize its queue allocation for XDP resulting in no queues allocated for main VSI when XDP was turned on.

Fix this by always allocating last queue in PF queue pile for a flow director VSI.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2021-47620

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: refactor malicious adv data check

Check for out-of-bound read was being performed at the end of while num_reports loop, and would fill journal with false positives. Added check to beginning of loop processing so that it doesn't get checked after ptr has been advanced.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2022-48711

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

tipc: improve size validations for received domain records

The function tipc_mon_rcv() allows a node to receive and process domain_record structs from peer nodes to track their views of the network topology.

This patch verifies that the number of members in a received domain record does not exceed the limit defined by MAX_MON_DOMAIN, something that may otherwise lead to a stack overflow.

tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where we are reading a 32 bit message data length field into a uint16. To avert any risk of bit overflow, we add an extra sanity check for this in that function. We cannot see that happen with the current code, but future designers being unaware of this risk, may introduce it by allowing delivery of very large (> 64k) sk buffers from the bearer layer. This potential problem was identified by Eric Dumazet.

This fixes CVE-2022-0435
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2022-48712

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix error handling in ext4_fc_record_modified_inode()

Current code does not fully take care of krealloc() error case, which could lead to silent memory corruption or a kernel bug. This patch fixes that.

Also it cleans up some duplicated error handling logic from various functions in fast_commit.c file.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2022-48713

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel/pt: Fix crash with stop filters in single-range mode

Add a check for !buf->single before calling pt_buffer_region_size in a place where a missing check can cause a kernel crash.

Fixes a bug introduced by commit 670638477aed ("perf/x86/intel/pt: Opportunistically use single range output mode"), which added support for PT single-range output mode. Since that commit if a PT stop filter range is hit while tracing, the kernel will crash because of a null pointer dereference in pt_handle_status due to calling pt_buffer_region_size without a ToPA configured.

The commit which introduced single-range mode guarded almost all uses of the ToPA buffer variables with checks of the buf->single variable, but missed the case where tracing was stopped by the PT hardware, which happens when execution hits a configured stop filter.

Tested that hitting a stop filter while PT recording successfully records a trace with this patch but crashes without this patch.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2024-29012

Publication date:
20/06/2024
Stack-based buffer overflow vulnerability in the SonicOS HTTP server allows an authenticated remote attacker to cause Denial of Service (DoS) via sscanf function.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2024-29013

Publication date:
20/06/2024
Heap-based buffer overflow vulnerability in the SonicOS SSL-VPN allows an authenticated remote attacker to cause Denial of Service (DoS) via memcpy function.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2025

CVE-2024-34693

Publication date:
20/06/2024
Improper Input Validation vulnerability in Apache Superset allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table. This issue affects Apache Superset: before 3.1.3 and version 4.0.0

Users are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2024-38620

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: HCI: Remove HCI_AMP support

Since BT_HS has been removed HCI_AMP controllers no longer have any use so remove it along with the capability of creating AMP controllers.

Since we no longer need to differentiate between AMP and Primary controllers, as only HCI_PRIMARY is left, this also removes hdev->dev_type altogether.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2025

CVE-2023-25646

Publication date:
20/06/2024
There is an unauthorized access vulnerability in ZTE H388X. If H388X is caused by brute-force serial port cracking, attackers with common user permissions can use this vulnerability to obtain elevated permissions on the affected device by performing specific operations.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2025

CVE-2024-4098

Publication date:
20/06/2024
The Shariff Wrapper plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.6.13 via the shariff3uu_fetch_sharecounts function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Severity CVSS v4.0: Pending analysis
Last modification:
09/05/2025

CVE-2024-38619

Publication date:
20/06/2024
In the Linux kernel, the following vulnerability has been resolved:

usb-storage: alauda: Check whether the media is initialized

The member "uzonesize" of struct alauda_info will remain 0 if alauda_init_media() fails, potentially causing divide errors in alauda_read_data() and alauda_write_lba().
- Add a member "media_initialized" to struct alauda_info.
- Change a condition in alauda_check_media() to ensure the first initialization.
- Add an error check for the return value of alauda_init_media().
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025