Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> class: fix use-after-free in class_register()<br /> <br /> The lock_class_key is still registered and can be found in<br /> lock_keys_hash hlist after subsys_private is freed in error<br /> handler path.A task who iterate over the lock_keys_hash<br /> later may cause use-after-free.So fix that up and unregister<br /> the lock_class_key before kfree(cp).<br /> <br /> On our platform, a driver fails to kset_register because of<br /> creating duplicate filename &amp;#39;/class/xxx&amp;#39;.With Kasan enabled,<br /> it prints a invalid-access bug report.<br /> <br /> KASAN bug report:<br /> <br /> BUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc<br /> Write of size 8 at addr 15ffff808b8c0368 by task modprobe/252<br /> Pointer tag: [15], memory tag: [fe]<br /> <br /> CPU: 7 PID: 252 Comm: modprobe Tainted: G W<br /> 6.6.0-mainline-maybe-dirty #1<br /> <br /> Call trace:<br /> dump_backtrace+0x1b0/0x1e4<br /> show_stack+0x2c/0x40<br /> dump_stack_lvl+0xac/0xe0<br /> print_report+0x18c/0x4d8<br /> kasan_report+0xe8/0x148<br /> __hwasan_store8_noabort+0x88/0x98<br /> lockdep_register_key+0x19c/0x1bc<br /> class_register+0x94/0x1ec<br /> init_module+0xbc/0xf48 [rfkill]<br /> do_one_initcall+0x17c/0x72c<br /> do_init_module+0x19c/0x3f8<br /> ...<br /> Memory state around the buggy address:<br /> ffffff808b8c0100: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a<br /> ffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe<br /> &gt;ffffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe<br /> ^<br /> ffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03<br /> <br /> As CONFIG_KASAN_GENERIC is not set, Kasan reports invalid-access<br /> not use-after-free here.In this case, modprobe is manipulating<br /> the corrupted lock_keys_hash hlish where lock_class_key is already<br /> freed before.<br /> <br /> It&amp;#39;s worth noting that this only can happen if lockdep is enabled,<br /> which is not true for normal system.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drivers/amd/pm: fix a use-after-free in kv_parse_power_table<br /> <br /> When ps allocated by kzalloc equals to NULL, kv_parse_power_table<br /> frees adev-&gt;pm.dpm.ps that allocated before. However, after the control<br /> flow goes through the following call chains:<br /> <br /> kv_parse_power_table<br /> |-&gt; kv_dpm_init<br /> |-&gt; kv_dpm_sw_init<br /> |-&gt; kv_dpm_fini<br /> <br /> The adev-&gt;pm.dpm.ps is used in the for loop of kv_dpm_fini after its<br /> first free in kv_parse_power_table and causes a use-after-free bug.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/radeon: check the alloc_workqueue return value in radeon_crtc_init()<br /> <br /> check the alloc_workqueue return value in radeon_crtc_init()<br /> to avoid null-ptr-deref.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: Fix some null pointer dereference issues in ice_ptp.c<br /> <br /> devm_kasprintf() returns a pointer to dynamically allocated memory<br /> which can be NULL upon failure.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: rsa - add a check for allocation failure<br /> <br /> Static checkers insist that the mpi_alloc() allocation can fail so add<br /> a check to prevent a NULL dereference. Small allocations like this<br /> can&amp;#39;t actually fail in current kernels, but adding a check is very<br /> simple and makes the static checkers happy.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal: core: Fix NULL pointer dereference in zone registration error path<br /> <br /> If device_register() in thermal_zone_device_register_with_trips()<br /> returns an error, the tz variable is set to NULL and subsequently<br /> dereferenced in kfree(tz-&gt;tzp).<br /> <br /> Commit adc8749b150c ("thermal/drivers/core: Use put_device() if<br /> device_register() fails") added the tz = NULL assignment in question to<br /> avoid a possible double-free after dropping the reference to the zone<br /> device. However, after commit 4649620d9404 ("thermal: core: Make<br /> thermal_zone_device_unregister() return after freeing the zone"), that<br /> assignment has become redundant, because dropping the reference to the<br /> zone device does not cause the zone object to be freed any more.<br /> <br /> Drop it to address the NULL pointer dereference.

A DLL hijacking vulnerability was identified in the Qognify VMS Client Viewer version 7.1 or higher, which allows local users to execute arbitrary code and obtain higher privileges via careful placement of a malicious DLL, if some specific pre-conditions are met.

In Indo-Sol PROFINET-INspektor NT through 2.4.0, a command injection vulnerability in the gedtupdater service of the firmware allows remote attackers to execute arbitrary system commands with root privileges via a crafted filename parameter in POST requests to the /api/updater/ctrl/start_update endpoint.

In Indo-Sol PROFINET-INspektor NT through 2.4.0, a path traversal vulnerability in the httpuploadd service of the firmware allows remote attackers to write to arbitrary files via a crafted filename parameter in requests to the /upload endpoint.

IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 could be vulnerable to information leakage due to unverified sources in messages sent between Windows objects of different origins. IBM X-Force ID: 254290.

IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 is vulnerable to form action hijacking where it is possible to modify the form action to reference an arbitrary path. IBM X-Force ID: 255898.

IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 260744.