Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay()<br /> <br /> In edp_setup_replay(), &amp;#39;struct dc *dc&amp;#39; &amp; &amp;#39;struct dmub_replay *replay&amp;#39;<br /> was dereferenced before the pointer &amp;#39;link&amp;#39; &amp; &amp;#39;replay&amp;#39; NULL check.<br /> <br /> Fixes the below:<br /> drivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:947 edp_setup_replay() warn: variable dereferenced before check &amp;#39;link&amp;#39; (see line 933)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu: Fix the null pointer when load rlc firmware<br /> <br /> If the RLC firmware is invalid because of wrong header size,<br /> the pointer to the rlc firmware is released in function<br /> amdgpu_ucode_request. There will be a null pointer error<br /> in subsequent use. So skip validation to fix it.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

A vulnerability was found in Tenda AC7 15.03.06.44. It has been declared as critical. This vulnerability affects the function formWifiWpsOOB of the file /goform/WifiWpsOOB. The manipulation of the argument index leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257938 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal: intel: hfi: Add syscore callbacks for system-wide PM<br /> <br /> The kernel allocates a memory buffer and provides its location to the<br /> hardware, which uses it to update the HFI table. This allocation occurs<br /> during boot and remains constant throughout runtime.<br /> <br /> When resuming from hibernation, the restore kernel allocates a second<br /> memory buffer and reprograms the HFI hardware with the new location as<br /> part of a normal boot. The location of the second memory buffer may<br /> differ from the one allocated by the image kernel.<br /> <br /> When the restore kernel transfers control to the image kernel, its HFI<br /> buffer becomes invalid, potentially leading to memory corruption if the<br /> hardware writes to it (the hardware continues to use the buffer from the<br /> restore kernel).<br /> <br /> It is also possible that the hardware "forgets" the address of the memory<br /> buffer when resuming from "deep" suspend. Memory corruption may also occur<br /> in such a scenario.<br /> <br /> To prevent the described memory corruption, disable HFI when preparing to<br /> suspend or hibernate. Enable it when resuming.<br /> <br /> Add syscore callbacks to handle the package of the boot CPU (packages of<br /> non-boot CPUs are handled via CPU offline). Syscore ops always run on the<br /> boot CPU. Additionally, HFI only needs to be disabled during "deep" suspend<br /> and hibernation. Syscore ops only run in these cases.<br /> <br /> [ rjw: Comment adjustment, subject and changelog edits ]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Refactor DMCUB enter/exit idle interface<br /> <br /> [Why]<br /> We can hang in place trying to send commands when the DMCUB isn&amp;#39;t<br /> powered on.<br /> <br /> [How]<br /> We need to exit out of the idle state prior to sending a command,<br /> but the process that performs the exit also invokes a command itself.<br /> <br /> Fixing this issue involves the following:<br /> <br /> 1. Using a software state to track whether or not we need to start<br /> the process to exit idle or notify idle.<br /> <br /> It&amp;#39;s possible for the hardware to have exited an idle state without<br /> driver knowledge, but entering one is always restricted to a driver<br /> allow - which makes the SW state vs HW state mismatch issue purely one<br /> of optimization, which should seldomly be hit, if at all.<br /> <br /> 2. Refactor any instances of exit/notify idle to use a single wrapper<br /> that maintains this SW state.<br /> <br /> This works simialr to dc_allow_idle_optimizations, but works at the<br /> DMCUB level and makes sure the state is marked prior to any notify/exit<br /> idle so we don&amp;#39;t enter an infinite loop.<br /> <br /> 3. Make sure we exit out of idle prior to sending any commands or<br /> waiting for DMCUB idle.<br /> <br /> This patch takes care of 1/2. A future patch will take care of wrapping<br /> DMCUB command submission with calls to this new interface.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: Fix operation precedence bug in port timestamping napi_poll context<br /> <br /> Indirection (*) is of lower precedence than postfix increment (++). Logic<br /> in napi_poll context would cause an out-of-bound read by first increment<br /> the pointer address by byte address space and then dereference the value.<br /> Rather, the intended logic was to dereference first and then increment the<br /> underlying value.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: adc: ad7091r: Allow users to configure device events<br /> <br /> AD7091R-5 devices are supported by the ad7091r-5 driver together with<br /> the ad7091r-base driver. Those drivers declared iio events for notifying<br /> user space when ADC readings fall bellow the thresholds of low limit<br /> registers or above the values set in high limit registers.<br /> However, to configure iio events and their thresholds, a set of callback<br /> functions must be implemented and those were not present until now.<br /> The consequence of trying to configure ad7091r-5 events without the<br /> proper callback functions was a null pointer dereference in the kernel<br /> because the pointers to the callback functions were not set.<br /> <br /> Implement event configuration callbacks allowing users to read/write<br /> event thresholds and enable/disable event generation.<br /> <br /> Since the event spec structs are generic to AD7091R devices, also move<br /> those from the ad7091r-5 driver the base driver so they can be reused<br /> when support for ad7091r-2/-4/-8 be added.

It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.<br /> <br /> Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo <br /> Alto Research for discovering and disclosing this vulnerability.<br /> <br /> This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.

Insertion of Sensitive Information into Log File vulnerability in GSheetConnector CF7 Google Sheets Connector.This issue affects CF7 Google Sheets Connector: from n/a through 5.0.5.<br /> <br />

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: avoid online resizing failures due to oversized flex bg<br /> <br /> When we online resize an ext4 filesystem with a oversized flexbg_size,<br /> <br /> mkfs.ext4 -F -G 67108864 $dev -b 4096 100M<br /> mount $dev $dir<br /> resize2fs $dev 16G<br /> <br /> the following WARN_ON is triggered:<br /> ==================================================================<br /> WARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550<br /> Modules linked in: sg(E)<br /> CPU: 0 PID: 427 Comm: resize2fs Tainted: G E 6.6.0-rc5+ #314<br /> RIP: 0010:__alloc_pages+0x411/0x550<br /> Call Trace:<br /> <br /> __kmalloc_large_node+0xa2/0x200<br /> __kmalloc+0x16e/0x290<br /> ext4_resize_fs+0x481/0xd80<br /> __ext4_ioctl+0x1616/0x1d90<br /> ext4_ioctl+0x12/0x20<br /> __x64_sys_ioctl+0xf0/0x150<br /> do_syscall_64+0x3b/0x90<br /> ==================================================================<br /> <br /> This is because flexbg_size is too large and the size of the new_group_data<br /> array to be allocated exceeds MAX_ORDER. Currently, the minimum value of<br /> MAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding<br /> maximum number of groups that can be allocated is:<br /> <br /> (PAGE_SIZE

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Wake DMCUB before executing GPINT commands<br /> <br /> [Why]<br /> DMCUB can be in idle when we attempt to interface with the HW through<br /> the GPINT mailbox resulting in a system hang.<br /> <br /> [How]<br /> Add dc_wake_and_execute_gpint() to wrap the wake, execute, sleep<br /> sequence.<br /> <br /> If the GPINT executes successfully then DMCUB will be put back into<br /> sleep after the optional response is returned.<br /> <br /> It functions similar to the inbox command interface.