Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()<br /> <br /> The function ice_bridge_setlink() may encounter a NULL pointer dereference<br /> if nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently<br /> in nla_for_each_nested(). To address this issue, add a check to ensure that<br /> br_spec is not NULL before proceeding with the nested attribute iteration.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: sparx5: Fix use after free inside sparx5_del_mact_entry<br /> <br /> Based on the static analyzis of the code it looks like when an entry<br /> from the MAC table was removed, the entry was still used after being<br /> freed. More precise the vid of the mac_entry was used after calling<br /> devm_kfree on the mac_entry.<br /> The fix consists in first using the vid of the mac_entry to delete the<br /> entry from the HW and after that to free it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> geneve: make sure to pull inner header in geneve_rx()<br /> <br /> syzbot triggered a bug in geneve_rx() [1]<br /> <br /> Issue is similar to the one I fixed in commit 8d975c15c0cd<br /> ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")<br /> <br /> We have to save skb-&gt;network_header in a temporary variable<br /> in order to be able to recompute the network_header pointer<br /> after a pskb_inet_may_pull() call.<br /> <br /> pskb_inet_may_pull() makes sure the needed headers are in skb-&gt;head.<br /> <br /> [1]<br /> BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]<br /> BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]<br /> BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391<br /> IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]<br /> geneve_rx drivers/net/geneve.c:279 [inline]<br /> geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391<br /> udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108<br /> udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186<br /> udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346<br /> __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422<br /> udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604<br /> ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205<br /> ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233<br /> NF_HOOK include/linux/netfilter.h:314 [inline]<br /> ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254<br /> dst_input include/net/dst.h:461 [inline]<br /> ip_rcv_finish net/ipv4/ip_input.c:449 [inline]<br /> NF_HOOK include/linux/netfilter.h:314 [inline]<br /> ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569<br /> __netif_receive_skb_one_core net/core/dev.c:5534 [inline]<br /> __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648<br /> process_backlog+0x480/0x8b0 net/core/dev.c:5976<br /> __napi_poll+0xe3/0x980 net/core/dev.c:6576<br /> napi_poll net/core/dev.c:6645 [inline]<br /> net_rx_action+0x8b8/0x1870 net/core/dev.c:6778<br /> __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553<br /> do_softirq+0x9a/0xf0 kernel/softirq.c:454<br /> __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381<br /> local_bh_enable include/linux/bottom_half.h:33 [inline]<br /> rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]<br /> __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378<br /> dev_queue_xmit include/linux/netdevice.h:3171 [inline]<br /> packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276<br /> packet_snd net/packet/af_packet.c:3081 [inline]<br /> packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg net/socket.c:745 [inline]<br /> __sys_sendto+0x735/0xa10 net/socket.c:2191<br /> __do_sys_sendto net/socket.c:2203 [inline]<br /> __se_sys_sendto net/socket.c:2199 [inline]<br /> __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b<br /> <br /> Uninit was created at:<br /> slab_post_alloc_hook mm/slub.c:3819 [inline]<br /> slab_alloc_node mm/slub.c:3860 [inline]<br /> kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903<br /> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560<br /> __alloc_skb+0x352/0x790 net/core/skbuff.c:651<br /> alloc_skb include/linux/skbuff.h:1296 [inline]<br /> alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394<br /> sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783<br /> packet_alloc_skb net/packet/af_packet.c:2930 [inline]<br /> packet_snd net/packet/af_packet.c:3024 [inline]<br /> packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg net/socket.c:745 [inline]<br /> __sys_sendto+0x735/0xa10 net/socket.c:2191<br /> __do_sys_sendto net/socket.c:2203 [inline]<br /> __se_sys_sendto net/socket.c:2199 [inline]<br /> __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: Use a memory barrier to enforce PTP WQ xmit submission tracking occurs after populating the metadata_map<br /> <br /> Just simply reordering the functions mlx5e_ptp_metadata_map_put and<br /> mlx5e_ptpsq_track_metadata in the mlx5e_txwqe_complete context is not good<br /> enough since both the compiler and CPU are free to reorder these two<br /> functions. If reordering does occur, the issue that was supposedly fixed by<br /> 7e3f3ba97e6c ("net/mlx5e: Track xmit submission to PTP WQ after populating<br /> metadata map") will be seen. This will lead to NULL pointer dereferences in<br /> mlx5e_ptpsq_mark_ts_cqes_undelivered in the NAPI polling context due to the<br /> tracking list being populated before the metadata map.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/bnx2x: Prevent access to a freed page in page_pool<br /> <br /> Fix race condition leading to system crash during EEH error handling<br /> <br /> During EEH error recovery, the bnx2x driver&amp;#39;s transmit timeout logic<br /> could cause a race condition when handling reset tasks. The<br /> bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),<br /> which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()<br /> SGEs are freed using bnx2x_free_rx_sge_range(). However, this could<br /> overlap with the EEH driver&amp;#39;s attempt to reset the device using<br /> bnx2x_io_slot_reset(), which also tries to free SGEs. This race<br /> condition can result in system crashes due to accessing freed memory<br /> locations in bnx2x_free_rx_sge()<br /> <br /> 799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp,<br /> 800 struct bnx2x_fastpath *fp, u16 index)<br /> 801 {<br /> 802 struct sw_rx_page *sw_buf = &amp;fp-&gt;rx_page_ring[index];<br /> 803 struct page *page = sw_buf-&gt;page;<br /> ....<br /> where sw_buf was set to NULL after the call to dma_unmap_page()<br /> by the preceding thread.<br /> <br /> EEH: Beginning: &amp;#39;slot_reset&amp;#39;<br /> PCI 0011:01:00.0#10000: EEH: Invoking bnx2x-&gt;slot_reset()<br /> bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...<br /> bnx2x 0011:01:00.0: enabling device (0140 -&gt; 0142)<br /> bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --&gt; driver unload<br /> Kernel attempted to read user page (0) - exploit attempt? (uid: 0)<br /> BUG: Kernel NULL pointer dereference on read at 0x00000000<br /> Faulting instruction address: 0xc0080000025065fc<br /> Oops: Kernel access of bad area, sig: 11 [#1]<br /> .....<br /> Call Trace:<br /> [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)<br /> [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0<br /> [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550<br /> [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60<br /> [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170<br /> [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0<br /> [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64<br /> <br /> To solve this issue, we need to verify page pool allocations before<br /> freeing.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm-integrity: fix a memory leak when rechecking the data<br /> <br /> Memory for the "checksums" pointer will leak if the data is rechecked<br /> after checksum failure (because the associated kfree won&amp;#39;t happen due<br /> to &amp;#39;goto skip_io&amp;#39;).<br /> <br /> Fix this by freeing the checksums memory before recheck, and just use<br /> the "checksum_onstack" memory for storing checksum during recheck.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wireguard: receive: annotate data-race around receiving_counter.counter<br /> <br /> Syzkaller with KCSAN identified a data-race issue when accessing<br /> keypair-&gt;receiving_counter.counter. Use READ_ONCE() and WRITE_ONCE()<br /> annotations to mark the data race as intentional.<br /> <br /> BUG: KCSAN: data-race in wg_packet_decrypt_worker / wg_packet_rx_poll<br /> <br /> write to 0xffff888107765888 of 8 bytes by interrupt on cpu 0:<br /> counter_validate drivers/net/wireguard/receive.c:321 [inline]<br /> wg_packet_rx_poll+0x3ac/0xf00 drivers/net/wireguard/receive.c:461<br /> __napi_poll+0x60/0x3b0 net/core/dev.c:6536<br /> napi_poll net/core/dev.c:6605 [inline]<br /> net_rx_action+0x32b/0x750 net/core/dev.c:6738<br /> __do_softirq+0xc4/0x279 kernel/softirq.c:553<br /> do_softirq+0x5e/0x90 kernel/softirq.c:454<br /> __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381<br /> __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]<br /> _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210<br /> spin_unlock_bh include/linux/spinlock.h:396 [inline]<br /> ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]<br /> wg_packet_decrypt_worker+0x6c5/0x700 drivers/net/wireguard/receive.c:499<br /> process_one_work kernel/workqueue.c:2633 [inline]<br /> ...<br /> <br /> read to 0xffff888107765888 of 8 bytes by task 3196 on cpu 1:<br /> decrypt_packet drivers/net/wireguard/receive.c:252 [inline]<br /> wg_packet_decrypt_worker+0x220/0x700 drivers/net/wireguard/receive.c:501<br /> process_one_work kernel/workqueue.c:2633 [inline]<br /> process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706<br /> worker_thread+0x525/0x730 kernel/workqueue.c:2787<br /> ...

Missing Authorization vulnerability in Layered If Menu.This issue affects If Menu: from n/a through 0.16.3.<br /> <br />

Missing Authorization vulnerability in Joris van Montfort JVM rich text icons.This issue affects JVM rich text icons: from n/a through 1.2.6.<br /> <br />

Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in JS Help Desk JS Help Desk – Best Help Desk &amp; Support Plugin.This issue affects JS Help Desk – Best Help Desk &amp; Support Plugin: from n/a through 2.7.1.<br /> <br />

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in PressTigers Simple Testimonials Showcase allows Stored XSS.This issue affects Simple Testimonials Showcase: from n/a through 1.1.5.<br /> <br />

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Everest themes GuCherry Blog allows Reflected XSS.This issue affects GuCherry Blog: from n/a through 1.1.8.<br /> <br />