Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pds_core: Prevent possible adminq overflow/stuck condition<br /> <br /> The pds_core&amp;#39;s adminq is protected by the adminq_lock, which prevents<br /> more than 1 command to be posted onto it at any one time. This makes it<br /> so the client drivers cannot simultaneously post adminq commands.<br /> However, the completions happen in a different context, which means<br /> multiple adminq commands can be posted sequentially and all waiting<br /> on completion.<br /> <br /> On the FW side, the backing adminq request queue is only 16 entries<br /> long and the retry mechanism and/or overflow/stuck prevention is<br /> lacking. This can cause the adminq to get stuck, so commands are no<br /> longer processed and completions are no longer sent by the FW.<br /> <br /> As an initial fix, prevent more than 16 outstanding adminq commands so<br /> there&amp;#39;s no way to cause the adminq from getting stuck. This works<br /> because the backing adminq request queue will never have more than 16<br /> pending adminq commands, so it will never overflow. This is done by<br /> reducing the adminq depth to 16.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()<br /> <br /> The function brcmf_usb_dl_writeimage() calls the function<br /> brcmf_usb_dl_cmd() but dose not check its return value. The<br /> &amp;#39;state.state&amp;#39; and the &amp;#39;state.bytes&amp;#39; are uninitialized if the<br /> function brcmf_usb_dl_cmd() fails. It is dangerous to use<br /> uninitialized variables in the conditions.<br /> <br /> Add error handling for brcmf_usb_dl_cmd() to jump to error<br /> handling path if the brcmf_usb_dl_cmd() fails and the<br /> &amp;#39;state.state&amp;#39; and the &amp;#39;state.bytes&amp;#39; are uninitialized.<br /> <br /> Improve the error message to report more detailed error<br /> information.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> parisc: Fix double SIGFPE crash<br /> <br /> Camm noticed that on parisc a SIGFPE exception will crash an application with<br /> a second SIGFPE in the signal handler. Dave analyzed it, and it happens<br /> because glibc uses a double-word floating-point store to atomically update<br /> function descriptors. As a result of lazy binding, we hit a floating-point<br /> store in fpe_func almost immediately.<br /> <br /> When the T bit is set, an assist exception trap occurs when when the<br /> co-processor encounters *any* floating-point instruction except for a double<br /> store of register %fr0. The latter cancels all pending traps. Let&amp;#39;s fix this<br /> by clearing the Trap (T) bit in the FP status register before returning to the<br /> signal handler in userspace.<br /> <br /> The issue can be reproduced with this test program:<br /> <br /> root@parisc:~# cat fpe.c<br /> <br /> static void fpe_func(int sig, siginfo_t *i, void *v) {<br /> sigset_t set;<br /> sigemptyset(&amp;set);<br /> sigaddset(&amp;set, SIGFPE);<br /> sigprocmask(SIG_UNBLOCK, &amp;set, NULL);<br /> printf("GOT signal %d with si_code %ld\n", sig, i-&gt;si_code);<br /> }<br /> <br /> int main() {<br /> struct sigaction action = {<br /> .sa_sigaction = fpe_func,<br /> .sa_flags = SA_RESTART|SA_SIGINFO };<br /> sigaction(SIGFPE, &amp;action, 0);<br /> feenableexcept(FE_OVERFLOW);<br /> return printf("%lf\n",1.7976931348623158E308*1.7976931348623158E308);<br /> }<br /> <br /> root@parisc:~# gcc fpe.c -lm<br /> root@parisc:~# ./a.out<br /> Floating point exception<br /> <br /> root@parisc:~# strace -f ./a.out<br /> execve("./a.out", ["./a.out"], 0xf9ac7034 /* 20 vars */) = 0<br /> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0<br /> ...<br /> rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0<br /> --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---<br /> --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---<br /> +++ killed by SIGFPE +++<br /> Floating point exception

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()<br /> <br /> Herbert notes that DIV_ROUND_UP() may overflow unnecessarily if an ecdsa<br /> implementation&amp;#39;s -&gt;key_size() callback returns an unusually large value.<br /> Herbert instead suggests (for a division by 8):<br /> <br /> X / 8 + !!(X &amp; 7)<br /> <br /> Based on this formula, introduce a generic DIV_ROUND_UP_POW2() macro and<br /> use it in lieu of DIV_ROUND_UP() for -&gt;key_size() return values.<br /> <br /> Additionally, use the macro in ecc_digits_from_bytes(), whose "nbytes"<br /> parameter is a -&gt;key_size() return value in some instances, or a<br /> user-specified ASN.1 length in the case of ecdsa_get_signature_rs().

This High severity PrivEsc (Privilege Escalation) vulnerability was introduced in versions:<br /> <br /> 9.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Core Data Center and Server<br /> <br /> 5.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management Data Center and Server<br /> <br /> This PrivEsc (Privilege Escalation) vulnerability, with a CVSS Score of 7.2, allows an attacker to perform actions as a higher-privileged user. <br /> <br /> Atlassian recommends that Jira Core Data Center and Server and Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:<br /> <br /> Jira Core Data Center and Server 9.12: Upgrade to a release greater than or equal to 9.12.20<br /> <br /> Jira Service Management Data Center and Server 5.12: Upgrade to a release greater than or equal to 5.12.20<br /> <br /> Jira Core Data Center 10.3: Upgrade to a release greater than or equal to 10.3.5<br /> <br /> Jira Service Management Data Center 10.3: Upgrade to a release greater than or equal to 10.3.5<br /> <br /> Jira Core Data Center 10.4: Upgrade to a release greater than or equal to 10.6.0<br /> <br /> Jira Service Management Data Center 10.4: Upgrade to a release greater than or equal to 10.6.0<br /> <br /> Jira Core Data Center 10.5: Upgrade to a release greater than or equal to 10.5.1<br /> <br /> Jira Service Management Data Center 10.5: Upgrade to a release greater than or equal to 10.5.1<br /> <br /> See the release notes. You can download the latest version of Jira Core Data Center and Jira Service Management Data Center from the download center. <br /> <br /> This vulnerability was reported via our Atlassian (Internal) program.

D-link DI-8100 16.07.26A1 is vulnerable to Command Injection. An attacker can exploit this vulnerability by crafting specific HTTP requests, triggering the command execution flaw and gaining the highest privilege shell access to the firmware system.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block: fix resource leak in blk_register_queue() error path<br /> <br /> When registering a queue fails after blk_mq_sysfs_register() is<br /> successful but the function later encounters an error, we need<br /> to clean up the blk_mq_sysfs resources.<br /> <br /> Add the missing blk_mq_sysfs_unregister() call in the error path<br /> to properly clean up these resources and prevent a memory leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: smartpqi: Use is_kdump_kernel() to check for kdump<br /> <br /> The smartpqi driver checks the reset_devices variable to determine<br /> whether special adjustments need to be made for kdump. This has the<br /> effect that after a regular kexec reboot, some driver parameters such as<br /> max_transfer_size are much lower than usual. More importantly, kexec<br /> reboot tests have revealed memory corruption caused by the driver log<br /> being written to system memory after a kexec.<br /> <br /> Fix this by testing is_kdump_kernel() rather than reset_devices where<br /> appropriate.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: wl1251: fix memory leak in wl1251_tx_work<br /> <br /> The skb dequeued from tx_queue is lost when wl1251_ps_elp_wakeup fails<br /> with a -ETIMEDOUT error. Fix that by queueing the skb back to tx_queue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: module: Fix out-of-bounds relocation access<br /> <br /> The current code allows rel[j] to access one element past the end of the<br /> relocation section. Simplify to num_relocations which is equivalent to<br /> the existing size expression.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: exynos: Disable iocc if dma-coherent property isn&amp;#39;t set<br /> <br /> If dma-coherent property isn&amp;#39;t set then descriptors are non-cacheable<br /> and the iocc shareability bits should be disabled. Without this UFS can<br /> end up in an incompatible configuration and suffer from random cache<br /> related stability issues.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block: integrity: Do not call set_page_dirty_lock()<br /> <br /> Placing multiple protection information buffers inside the same page<br /> can lead to oopses because set_page_dirty_lock() can&amp;#39;t be called from<br /> interrupt context.<br /> <br /> Since a protection information buffer is not backed by a file there is<br /> no point in setting its page dirty, there is nothing to synchronize.<br /> Drop the call to set_page_dirty_lock() and remove the last argument to<br /> bio_integrity_unpin_bvec().