Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect<br /> <br /> hidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)<br /> races when it races with itself.<br /> <br /> hidpp_connect_event() primarily runs from a workqueue but it also runs<br /> on probe() and if a "device-connected" packet is received by the hw<br /> when the thread running hidpp_connect_event() from probe() is waiting on<br /> the hw, then a second thread running hidpp_connect_event() will be<br /> started from the workqueue.<br /> <br /> This opens the following races (note the below code is simplified):<br /> <br /> 1. Retrieving + printing the protocol (harmless race):<br /> <br /> if (!hidpp-&gt;protocol_major) {<br /> hidpp_root_get_protocol_version()<br /> hidpp-&gt;protocol_major = response.rap.params[0];<br /> }<br /> <br /> We can actually see this race hit in the dmesg in the abrt output<br /> attached to rhbz#2227968:<br /> <br /> [ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.<br /> [ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.<br /> <br /> Testing with extra logging added has shown that after this the 2 threads<br /> take turn grabbing the hw access mutex (send_mutex) so they ping-pong<br /> through all the other TOCTOU cases managing to hit all of them:<br /> <br /> 2. Updating the name to the HIDPP name (harmless race):<br /> <br /> if (hidpp-&gt;name == hdev-&gt;name) {<br /> ...<br /> hidpp-&gt;name = new_name;<br /> }<br /> <br /> 3. Initializing the power_supply class for the battery (problematic!):<br /> <br /> hidpp_initialize_battery()<br /> {<br /> if (hidpp-&gt;battery.ps)<br /> return 0;<br /> <br /> probe_battery(); /* Blocks, threads take turns executing this */<br /> <br /> hidpp-&gt;battery.desc.properties =<br /> devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);<br /> <br /> hidpp-&gt;battery.ps =<br /> devm_power_supply_register(&amp;hidpp-&gt;hid_dev-&gt;dev,<br /> &amp;hidpp-&gt;battery.desc, cfg);<br /> }<br /> <br /> 4. Creating delayed input_device (potentially problematic):<br /> <br /> if (hidpp-&gt;delayed_input)<br /> return;<br /> <br /> hidpp-&gt;delayed_input = hidpp_allocate_input(hdev);<br /> <br /> The really big problem here is 3. Hitting the race leads to the following<br /> sequence:<br /> <br /> hidpp-&gt;battery.desc.properties =<br /> devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);<br /> <br /> hidpp-&gt;battery.ps =<br /> devm_power_supply_register(&amp;hidpp-&gt;hid_dev-&gt;dev,<br /> &amp;hidpp-&gt;battery.desc, cfg);<br /> <br /> ...<br /> <br /> hidpp-&gt;battery.desc.properties =<br /> devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL);<br /> <br /> hidpp-&gt;battery.ps =<br /> devm_power_supply_register(&amp;hidpp-&gt;hid_dev-&gt;dev,<br /> &amp;hidpp-&gt;battery.desc, cfg);<br /> <br /> So now we have registered 2 power supplies for the same battery,<br /> which looks a bit weird from userspace&amp;#39;s pov but this is not even<br /> the really big problem.<br /> <br /> Notice how:<br /> <br /> 1. This is all devm-maganaged<br /> 2. The hidpp-&gt;battery.desc struct is shared between the 2 power supplies<br /> 3. hidpp-&gt;battery.desc.properties points to the result from the second<br /> devm_kmemdup()<br /> <br /> This causes a use after free scenario on USB disconnect of the receiver:<br /> 1. The last registered power supply class device gets unregistered<br /> 2. The memory from the last devm_kmemdup() call gets freed,<br /> hidpp-&gt;battery.desc.properties now points to freed memory<br /> 3. The first registered power supply class device gets unregistered,<br /> this involves sending a remove uevent to userspace which invokes<br /> power_supply_uevent() to fill the uevent data<br /> 4. power_supply_uevent() uses hidpp-&gt;battery.desc.properties which<br /> now points to freed memory leading to backtraces like this one:<br /> <br /> Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08<br /> ...<br /> Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event<br /> Sep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0<br /> ...<br /> Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30<br /> Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0<br /> Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0<br /> Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0<br /> Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680<br /> Sep 22 20:01:35 eric kernel: <br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix uaf in smb20_oplock_break_ack<br /> <br /> drop reference after use opinfo.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf/x86/lbr: Filter vsyscall addresses<br /> <br /> We found that a panic can occur when a vsyscall is made while LBR sampling<br /> is active. If the vsyscall is interrupted (NMI) for perf sampling, this<br /> call sequence can occur (most recent at top):<br /> <br /> __insn_get_emulate_prefix()<br /> insn_get_emulate_prefix()<br /> insn_get_prefixes()<br /> insn_get_opcode()<br /> decode_branch_type()<br /> get_branch_type()<br /> intel_pmu_lbr_filter()<br /> intel_pmu_handle_irq()<br /> perf_event_nmi_handler()<br /> <br /> Within __insn_get_emulate_prefix() at frame 0, a macro is called:<br /> <br /> peek_nbyte_next(insn_byte_t, insn, i)<br /> <br /> Within this macro, this dereference occurs:<br /> <br /> (insn)-&gt;next_byte<br /> <br /> Inspecting registers at this point, the value of the next_byte field is the<br /> address of the vsyscall made, for example the location of the vsyscall<br /> version of gettimeofday() at 0xffffffffff600000. The access to an address<br /> in the vsyscall region will trigger an oops due to an unhandled page fault.<br /> <br /> To fix the bug, filtering for vsyscalls can be done when<br /> determining the branch type. This patch will return<br /> a "none" branch if a kernel address if found to lie in the<br /> vsyscall region.

Cross-Site Request Forgery (CSRF) vulnerability in Thrive Themes Thrive Automator.This issue affects Thrive Automator: from n/a through 1.17.<br /> <br />

Cross-Site Request Forgery (CSRF) vulnerability in СleanTalk - Anti-Spam Protection Spam protection, Anti-Spam, FireWall by CleanTalk.This issue affects Spam protection, Anti-Spam, FireWall by CleanTalk: from n/a through 6.20.<br /> <br />

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s advanced_iframe shortcode in all versions up to, and including, 2024.1 due to the plugin allowing users to include JS files from external sources through the additional_js attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Tainacan.Org Tainacan.This issue affects Tainacan: from n/a through 0.20.6.<br /> <br />

Cross-Site Request Forgery (CSRF) vulnerability in Senol Sahin AI Power: Complete AI Pack – Powered by GPT-4.This issue affects AI Power: Complete AI Pack – Powered by GPT-4: from n/a through 1.8.12.<br /> <br />

Cross-Site Request Forgery (CSRF) vulnerability in HasThemes HT Mega – Absolute Addons For Elementor.This issue affects HT Mega – Absolute Addons For Elementor: from n/a through 2.3.3.<br /> <br />

Cross-Site Request Forgery (CSRF) vulnerability in GS Plugins Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation.This issue affects Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation: from n/a through 3.5.1.<br /> <br />

The Avada | Website Builder For WordPress &amp; WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site&amp;#39;s server which may make remote code execution possible.

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.6.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 216388.