Vulnerabilities

in OpenHarmony v3.2.4 and prior versions allow a local attacker cause DOS through stack overflow.

An issue was discovered in seeyonOA version 8, allows remote attackers to execute arbitrary code via the importProcess method in WorkFlowDesignerController.class component.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups<br /> <br /> During memory error injection test on kernels &gt;= v6.4, the kernel panics<br /> like below. However, this issue couldn&amp;#39;t be reproduced on kernels

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ppp_async: limit MRU to 64K<br /> <br /> syzbot triggered a warning [1] in __alloc_pages():<br /> <br /> WARN_ON_ONCE_GFP(order &gt; MAX_PAGE_ORDER, gfp)<br /> <br /> Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K")<br /> <br /> Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)<br /> <br /> [1]:<br /> <br /> WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543<br /> Modules linked in:<br /> CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023<br /> Workqueue: events_unbound flush_to_ldisc<br /> pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543<br /> lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537<br /> sp : ffff800093967580<br /> x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000<br /> x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0<br /> x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8<br /> x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120<br /> x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005<br /> x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000<br /> x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001<br /> x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f<br /> x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020<br /> x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0<br /> Call trace:<br /> __alloc_pages+0x308/0x698 mm/page_alloc.c:4543<br /> __alloc_pages_node include/linux/gfp.h:238 [inline]<br /> alloc_pages_node include/linux/gfp.h:261 [inline]<br /> __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926<br /> __do_kmalloc_node mm/slub.c:3969 [inline]<br /> __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001<br /> kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590<br /> __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651<br /> __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715<br /> netdev_alloc_skb include/linux/skbuff.h:3235 [inline]<br /> dev_alloc_skb include/linux/skbuff.h:3248 [inline]<br /> ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]<br /> ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341<br /> tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390<br /> tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37<br /> receive_buf drivers/tty/tty_buffer.c:444 [inline]<br /> flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494<br /> process_one_work+0x694/0x1204 kernel/workqueue.c:2633<br /> process_scheduled_works kernel/workqueue.c:2706 [inline]<br /> worker_thread+0x938/0xef4 kernel/workqueue.c:2787<br /> kthread+0x288/0x310 kernel/kthread.c:388<br /> ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> af_unix: Call kfree_skb() for dead unix_(sk)-&gt;oob_skb in GC.<br /> <br /> syzbot reported a warning [0] in __unix_gc() with a repro, which<br /> creates a socketpair and sends one socket&amp;#39;s fd to itself using the<br /> peer.<br /> <br /> socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0<br /> sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}],<br /> msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET,<br /> cmsg_type=SCM_RIGHTS, cmsg_data=[3]}],<br /> msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1<br /> <br /> This forms a self-cyclic reference that GC should finally untangle<br /> but does not due to lack of MSG_OOB handling, resulting in memory<br /> leak.<br /> <br /> Recently, commit 11498715f266 ("af_unix: Remove io_uring code for<br /> GC.") removed io_uring&amp;#39;s dead code in GC and revealed the problem.<br /> <br /> The code was executed at the final stage of GC and unconditionally<br /> moved all GC candidates from gc_candidates to gc_inflight_list.<br /> That papered over the reported problem by always making the following<br /> WARN_ON_ONCE(!list_empty(&amp;gc_candidates)) false.<br /> <br /> The problem has been there since commit 2aab4b969002 ("af_unix: fix<br /> struct pid leaks in OOB support") added full scm support for MSG_OOB<br /> while fixing another bug.<br /> <br /> To fix this problem, we must call kfree_skb() for unix_sk(sk)-&gt;oob_skb<br /> if the socket still exists in gc_candidates after purging collected skb.<br /> <br /> Then, we need to set NULL to oob_skb before calling kfree_skb() because<br /> it calls last fput() and triggers unix_release_sock(), where we call<br /> duplicate kfree_skb(u-&gt;oob_skb) if not NULL.<br /> <br /> Note that the leaked socket remained being linked to a global list, so<br /> kmemleak also could not detect it. We need to check /proc/net/protocol<br /> to notice the unfreed socket.<br /> <br /> [0]:<br /> WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345<br /> Modules linked in:<br /> CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024<br /> Workqueue: events_unbound __unix_gc<br /> RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345<br /> Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8<br /> RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293<br /> RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e<br /> RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30<br /> RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66<br /> R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000<br /> R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001<br /> FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> process_one_work+0x889/0x15e0 kernel/workqueue.c:2633<br /> process_scheduled_works kernel/workqueue.c:2706 [inline]<br /> worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787<br /> kthread+0x2c6/0x3b0 kernel/kthread.c:388<br /> ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rxrpc: Fix delayed ACKs to not set the reference serial number<br /> <br /> Fix the construction of delayed ACKs to not set the reference serial number<br /> as they can&amp;#39;t be used as an RTT reference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section<br /> <br /> The .compat section is a dummy PE section that contains the address of<br /> the 32-bit entrypoint of the 64-bit kernel image if it is bootable from<br /> 32-bit firmware (i.e., CONFIG_EFI_MIXED=y)<br /> <br /> This section is only 8 bytes in size and is only referenced from the<br /> loader, and so it is placed at the end of the memory view of the image,<br /> to avoid the need for padding it to 4k, which is required for sections<br /> appearing in the middle of the image.<br /> <br /> Unfortunately, this violates the PE/COFF spec, and even if most EFI<br /> loaders will work correctly (including the Tianocore reference<br /> implementation), PE loaders do exist that reject such images, on the<br /> basis that both the file and memory views of the file contents should be<br /> described by the section headers in a monotonically increasing manner<br /> without leaving any gaps.<br /> <br /> So reorganize the sections to avoid this issue. This results in a slight<br /> padding overhead (

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> inet: read sk-&gt;sk_family once in inet_recv_error()<br /> <br /> inet_recv_error() is called without holding the socket lock.<br /> <br /> IPv6 socket could mutate to IPv4 with IPV6_ADDRFORM<br /> socket option and trigger a KCSAN warning.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: atlantic: Fix DMA mapping for PTP hwts ring<br /> <br /> Function aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes<br /> for PTP HWTS ring but then generic aq_ring_free() does not take this<br /> into account.<br /> Create and use a specific function to free HWTS ring to fix this<br /> issue.<br /> <br /> Trace:<br /> [ 215.351607] ------------[ cut here ]------------<br /> [ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]<br /> [ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360<br /> ...<br /> [ 215.581176] Call Trace:<br /> [ 215.583632] <br /> [ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df<br /> [ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df<br /> [ 215.594497] ? debug_dma_free_coherent+0x196/0x210<br /> [ 215.599305] ? check_unmap+0xa6f/0x2360<br /> [ 215.603147] ? __warn+0xca/0x1d0<br /> [ 215.606391] ? check_unmap+0xa6f/0x2360<br /> [ 215.610237] ? report_bug+0x1ef/0x370<br /> [ 215.613921] ? handle_bug+0x3c/0x70<br /> [ 215.617423] ? exc_invalid_op+0x14/0x50<br /> [ 215.621269] ? asm_exc_invalid_op+0x16/0x20<br /> [ 215.625480] ? check_unmap+0xa6f/0x2360<br /> [ 215.629331] ? mark_lock.part.0+0xca/0xa40<br /> [ 215.633445] debug_dma_free_coherent+0x196/0x210<br /> [ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10<br /> [ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0<br /> [ 215.648060] dma_free_attrs+0x6d/0x130<br /> [ 215.651834] aq_ring_free+0x193/0x290 [atlantic]<br /> [ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic]<br /> ...<br /> [ 216.127540] ---[ end trace 6467e5964dd2640b ]---<br /> [ 216.132160] DMA-API: Mapped at:<br /> [ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0<br /> [ 216.132165] dma_alloc_attrs+0xf5/0x1b0<br /> [ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]<br /> [ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]<br /> [ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netdevsim: avoid potential loop in nsim_dev_trap_report_work()<br /> <br /> Many syzbot reports include the following trace [1]<br /> <br /> If nsim_dev_trap_report_work() can not grab the mutex,<br /> it should rearm itself at least one jiffie later.<br /> <br /> [1]<br /> Sending NMI from CPU 1 to CPUs 0:<br /> NMI backtrace for cpu 0<br /> CPU: 0 PID: 32383 Comm: kworker/0:2 Not tainted 6.8.0-rc2-syzkaller-00031-g861c0981648f #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023<br /> Workqueue: events nsim_dev_trap_report_work<br /> RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:89 [inline]<br /> RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]<br /> RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]<br /> RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]<br /> RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]<br /> RIP: 0010:kasan_check_range+0x101/0x190 mm/kasan/generic.c:189<br /> Code: 07 49 39 d1 75 0a 45 3a 11 b8 01 00 00 00 7c 0b 44 89 c2 e8 21 ed ff ff 83 f0 01 5b 5d 41 5c c3 48 85 d2 74 4f 48 01 ea eb 09 83 c0 01 48 39 d0 74 41 80 38 00 74 f2 eb b6 41 bc 08 00 00 00<br /> RSP: 0018:ffffc90012dcf998 EFLAGS: 00000046<br /> RAX: fffffbfff258af1e RBX: fffffbfff258af1f RCX: ffffffff8168eda3<br /> RDX: fffffbfff258af1f RSI: 0000000000000004 RDI: ffffffff92c578f0<br /> RBP: fffffbfff258af1e R08: 0000000000000000 R09: fffffbfff258af1e<br /> R10: ffffffff92c578f3 R11: ffffffff8acbcbc0 R12: 0000000000000002<br /> R13: ffff88806db38400 R14: 1ffff920025b9f42 R15: ffffffff92c578e8<br /> FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000c00994e078 CR3: 000000002c250000 CR4: 00000000003506f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> <br /> <br /> instrument_atomic_read include/linux/instrumented.h:68 [inline]<br /> atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]<br /> queued_spin_is_locked include/asm-generic/qspinlock.h:57 [inline]<br /> debug_spin_unlock kernel/locking/spinlock_debug.c:101 [inline]<br /> do_raw_spin_unlock+0x53/0x230 kernel/locking/spinlock_debug.c:141<br /> __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:150 [inline]<br /> _raw_spin_unlock_irqrestore+0x22/0x70 kernel/locking/spinlock.c:194<br /> debug_object_activate+0x349/0x540 lib/debugobjects.c:726<br /> debug_work_activate kernel/workqueue.c:578 [inline]<br /> insert_work+0x30/0x230 kernel/workqueue.c:1650<br /> __queue_work+0x62e/0x11d0 kernel/workqueue.c:1802<br /> __queue_delayed_work+0x1bf/0x270 kernel/workqueue.c:1953<br /> queue_delayed_work_on+0x106/0x130 kernel/workqueue.c:1989<br /> queue_delayed_work include/linux/workqueue.h:563 [inline]<br /> schedule_delayed_work include/linux/workqueue.h:677 [inline]<br /> nsim_dev_trap_report_work+0x9c0/0xc80 drivers/net/netdevsim/dev.c:842<br /> process_one_work+0x886/0x15d0 kernel/workqueue.c:2633<br /> process_scheduled_works kernel/workqueue.c:2706 [inline]<br /> worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787<br /> kthread+0x2c6/0x3a0 kernel/kthread.c:388<br /> ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242<br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211: improve CSA/ECSA connection refusal<br /> <br /> As mentioned in the previous commit, we pretty quickly found<br /> that some APs have ECSA elements stuck in their probe response,<br /> so using that to not attempt to connect while CSA is happening<br /> we never connect to such an AP.<br /> <br /> Improve this situation by checking more carefully and ignoring<br /> the ECSA if cfg80211 has previously detected the ECSA element<br /> being stuck in the probe response.<br /> <br /> Additionally, allow connecting to an AP that&amp;#39;s switching to a<br /> channel it&amp;#39;s already using, unless it&amp;#39;s using quiet mode. In<br /> this case, we may just have to adjust bandwidth later. If it&amp;#39;s<br /> actually switching channels, it&amp;#39;s better not to try to connect<br /> in the middle of that.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: cfg80211: detect stuck ECSA element in probe resp<br /> <br /> We recently added some validation that we don&amp;#39;t try to<br /> connect to an AP that is currently in a channel switch<br /> process, since that might want the channel to be quiet<br /> or we might not be able to connect in time to hear the<br /> switching in a beacon. This was in commit c09c4f31998b<br /> ("wifi: mac80211: don&amp;#39;t connect to an AP while it&amp;#39;s in<br /> a CSA process").<br /> <br /> However, we promptly got a report that this caused new<br /> connection failures, and it turns out that the AP that<br /> we now cannot connect to is permanently advertising an<br /> extended channel switch announcement, even with quiet.<br /> The AP in question was an Asus RT-AC53, with firmware<br /> 3.0.0.4.380_10760-g21a5898.<br /> <br /> As a first step, attempt to detect that we&amp;#39;re dealing<br /> with such a situation, so mac80211 can use this later.