Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-35790

Publication date: 17/05/2024
In the Linux kernel, the following vulnerability has been resolved:

usb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group

The DisplayPort driver's sysfs nodes may be present to the userspace before typec_altmode_set_drvdata() completes in dp_altmode_probe. This means that a sysfs read can trigger a NULL pointer error by dereferencing dp->hpd in hpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns NULL in those cases.

Remove manual sysfs node creation in favor of adding attribute group as default for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is not used here otherwise the path to the sysfs nodes is no longer compliant with the ABI.

Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2025

CVE-2024-27436

Publication date: 17/05/2024
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Stop parsing channels bits when all channels are found.

If a usb audio device sets more bits than the amount of channels it could write outside of the map array.

Severity CVSS v4.0: Pending analysis
Last modification: 23/12/2025

CVE-2024-35789

Publication date: 17/05/2024
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes

When moving a station out of a VLAN and deleting the VLAN afterwards, the fast_rx entry still holds a pointer to the VLAN's netdev, which can cause use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx after the VLAN change.

Severity CVSS v4.0: Pending analysis
Last modification: 23/12/2025

CVE-2024-35791

Publication date: 17/05/2024
In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()

Do the cache flush of converted pages in svm_register_enc_region() before dropping kvm->lock to fix use-after-free issues where region and/or its array of pages could be freed by a different task, e.g. if userspace has __unregister_enc_region_locked() already queued up for the region.

Note, the "obvious" alternative of using local variables doesn't fully resolve the bug, as region->pages is also dynamically allocated. I.e. the region structure itself would be fine, but region->pages could be freed.

Flushing multiple pages under kvm->lock is unfortunate, but the entire flow is a rare slow path, and the manual flush is only needed on CPUs that lack coherency for encrypted memory.

Severity CVSS v4.0: Pending analysis
Last modification: 23/12/2025

CVE-2024-35785

Publication date: 17/05/2024
In the Linux kernel, the following vulnerability has been resolved:

tee: optee: Fix kernel panic caused by incorrect error handling

The error path while failing to register devices on the TEE bus has a bug leading to kernel panic as follows:

[ 15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c
[ 15.406913] Mem abort info:
[ 15.409722] ESR = 0x0000000096000005
[ 15.413490] EC = 0x25: DABT (current EL), IL = 32 bits
[ 15.418814] SET = 0, FnV = 0
[ 15.421878] EA = 0, S1PTW = 0
[ 15.425031] FSC = 0x05: level 1 translation fault
[ 15.429922] Data abort info:
[ 15.432813] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 15.438310] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 15.443372] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 15.448697] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000d9e3e000
[ 15.455413] [ffff07ed00626d7c] pgd=1800000bffdf9003, p4d=1800000bffdf9003, pud=0000000000000000
[ 15.464146] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP

Commit 7269cba53d90 ("tee: optee: Fix supplicant based device enumeration") led to the introduction of this bug. So fix it appropriately.

Severity CVSS v4.0: Pending analysis
Last modification: 22/01/2026

CVE-2023-52659

Publication date: 17/05/2024
In the Linux kernel, the following vulnerability has been resolved:

x86/mm: Ensure input to pfn_to_kaddr() is treated as a 64-bit type

On 64-bit platforms, the pfn_to_kaddr() macro requires that the input value is 64 bits in order to ensure that valid address bits don't get lost when shifting that input by PAGE_SHIFT to calculate the physical address to provide a virtual address for.

One such example is in pvalidate_pages() (used by SEV-SNP guests), where the GFN in the struct used for page-state change requests is a 40-bit bit-field, so attempts to pass this GFN field directly into pfn_to_kaddr() end up causing guest crashes when dealing with addresses above the 1TB range due to the above.

Fix this issue with SEV-SNP guests, as well as any similar cases that might cause issues in current/future code, by using an inline function, instead of a macro, so that the input is implicitly cast to the expected 64-bit input type prior to performing the shift operation.

While it might be argued that the issue is on the caller side, other archs/macros have taken similar approaches to deal with instances like this, such as ARM explicitly casting the input to phys_addr_t:

e48866647b48 ("ARM: 8396/1: use phys_addr_t in pfn_to_kaddr()")

A C inline function is even better though.

[ mingo: Refined the changelog some more & added __always_inline. ]

Severity CVSS v4.0: Pending analysis
Last modification: 25/09/2025

CVE-2023-52660

Publication date: 17/05/2024
In the Linux kernel, the following vulnerability has been resolved:

media: rkisp1: Fix IRQ handling due to shared interrupts

The driver requests the interrupts as IRQF_SHARED, so the interrupt handlers can be called at any time. If such a call happens while the ISP is powered down, the SoC will hang as the driver tries to access the ISP registers.

This can be reproduced even without the platform sharing the IRQ line: Enable CONFIG_DEBUG_SHIRQ and unload the driver, and the board will hang.

Fix this by adding a new field, 'irqs_enabled', which is used to bail out from the interrupt handler when the ISP is not operational.

Severity CVSS v4.0: Pending analysis
Last modification: 25/09/2025

CVE-2024-27432

Publication date: 17/05/2024
In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: mtk_eth_soc: fix PPE hanging issue

A patch to resolve an issue was found in MediaTek's GPL-licensed SDK: In the mtk_ppe_stop() function, the PPE scan mode is not disabled before disabling the PPE. This can potentially lead to a hang during the process of disabling the PPE.

Without this patch, the PPE may experience a hang during the reboot test.

Severity CVSS v4.0: Pending analysis
Last modification: 26/09/2025

CVE-2024-27433

Publication date: 17/05/2024
In the Linux kernel, the following vulnerability has been resolved:

clk: mediatek: mt7622-apmixedsys: Fix an error handling path in clk_mt8135_apmixed_probe()

'clk_data' is allocated with mtk_devm_alloc_clk_data(). So calling mtk_free_clk_data() explicitly in the remove function would lead to a double-free.

Remove the redundant call.

Severity CVSS v4.0: Pending analysis
Last modification: 03/02/2025

CVE-2024-5055

Publication date: 17/05/2024
Uncontrolled resource consumption vulnerability in XAMPP Windows, versions 7.3.2 and earlier. This vulnerability exists when XAMPP attempts to process many incomplete HTTP requests, resulting in resource consumption and system crashes.
Severity CVSS v4.0: Pending analysis
Last modification: 17/05/2024

CVE-2024-5044

Publication date: 17/05/2024
A vulnerability was found in Emlog Pro 2.3.4. It has been classified as problematic. This affects an unknown part of the component Cookie Handler. The manipulation of the argument AuthCookie leads to improper authentication. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-264741 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification: 05/03/2025

CVE-2024-27430

Publication date: 17/05/2024
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification: 25/05/2024