Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems<br /> <br /> The following two shared buffer operations make use of the Shared Buffer<br /> Status Register (SBSR):<br /> <br /> # devlink sb occupancy snapshot pci/0000:01:00.0<br /> # devlink sb occupancy clearmax pci/0000:01:00.0<br /> <br /> The register has two masks of 256 bits to denote on which ingress /<br /> egress ports the register should operate on. Spectrum-4 has more than<br /> 256 ports, so the register was extended by cited commit with a new<br /> &amp;#39;port_page&amp;#39; field.<br /> <br /> However, when filling the register&amp;#39;s payload, the driver specifies the<br /> ports as absolute numbers and not relative to the first port of the port<br /> page, resulting in memory corruptions [1].<br /> <br /> Fix by specifying the ports relative to the first port of the port page.<br /> <br /> [1]<br /> BUG: KASAN: slab-use-after-free in mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0<br /> Read of size 1 at addr ffff8881068cb00f by task devlink/1566<br /> [...]<br /> Call Trace:<br /> <br /> dump_stack_lvl+0xc6/0x120<br /> print_report+0xce/0x670<br /> kasan_report+0xd7/0x110<br /> mlxsw_sp_sb_occ_snapshot+0xb6d/0xbc0<br /> mlxsw_devlink_sb_occ_snapshot+0x75/0xb0<br /> devlink_nl_sb_occ_snapshot_doit+0x1f9/0x2a0<br /> genl_family_rcv_msg_doit+0x20c/0x300<br /> genl_rcv_msg+0x567/0x800<br /> netlink_rcv_skb+0x170/0x450<br /> genl_rcv+0x2d/0x40<br /> netlink_unicast+0x547/0x830<br /> netlink_sendmsg+0x8d4/0xdb0<br /> __sys_sendto+0x49b/0x510<br /> __x64_sys_sendto+0xe5/0x1c0<br /> do_syscall_64+0xc1/0x1d0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> [...]<br /> Allocated by task 1:<br /> kasan_save_stack+0x33/0x60<br /> kasan_save_track+0x14/0x30<br /> __kasan_kmalloc+0x8f/0xa0<br /> copy_verifier_state+0xbc2/0xfb0<br /> do_check_common+0x2c51/0xc7e0<br /> bpf_check+0x5107/0x9960<br /> bpf_prog_load+0xf0e/0x2690<br /> __sys_bpf+0x1a61/0x49d0<br /> __x64_sys_bpf+0x7d/0xc0<br /> do_syscall_64+0xc1/0x1d0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Freed by task 1:<br /> kasan_save_stack+0x33/0x60<br /> kasan_save_track+0x14/0x30<br /> kasan_save_free_info+0x3b/0x60<br /> poison_slab_object+0x109/0x170<br /> __kasan_slab_free+0x14/0x30<br /> kfree+0xca/0x2b0<br /> free_verifier_state+0xce/0x270<br /> do_check_common+0x4828/0xc7e0<br /> bpf_check+0x5107/0x9960<br /> bpf_prog_load+0xf0e/0x2690<br /> __sys_bpf+0x1a61/0x49d0<br /> __x64_sys_bpf+0x7d/0xc0<br /> do_syscall_64+0xc1/0x1d0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: can: j1939: Initialize unused data in j1939_send_one()<br /> <br /> syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()<br /> creates full frame including unused data, but it doesn&amp;#39;t initialize<br /> it. This causes the kernel-infoleak issue. Fix this by initializing<br /> unused data.<br /> <br /> [1]<br /> BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]<br /> BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]<br /> BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]<br /> BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]<br /> BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]<br /> BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185<br /> instrument_copy_to_user include/linux/instrumented.h:114 [inline]<br /> copy_to_user_iter lib/iov_iter.c:24 [inline]<br /> iterate_ubuf include/linux/iov_iter.h:29 [inline]<br /> iterate_and_advance2 include/linux/iov_iter.h:245 [inline]<br /> iterate_and_advance include/linux/iov_iter.h:271 [inline]<br /> _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185<br /> copy_to_iter include/linux/uio.h:196 [inline]<br /> memcpy_to_msg include/linux/skbuff.h:4113 [inline]<br /> raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008<br /> sock_recvmsg_nosec net/socket.c:1046 [inline]<br /> sock_recvmsg+0x2c4/0x340 net/socket.c:1068<br /> ____sys_recvmsg+0x18a/0x620 net/socket.c:2803<br /> ___sys_recvmsg+0x223/0x840 net/socket.c:2845<br /> do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939<br /> __sys_recvmmsg net/socket.c:3018 [inline]<br /> __do_sys_recvmmsg net/socket.c:3041 [inline]<br /> __se_sys_recvmmsg net/socket.c:3034 [inline]<br /> __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034<br /> x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Uninit was created at:<br /> slab_post_alloc_hook mm/slub.c:3804 [inline]<br /> slab_alloc_node mm/slub.c:3845 [inline]<br /> kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888<br /> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577<br /> __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668<br /> alloc_skb include/linux/skbuff.h:1313 [inline]<br /> alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504<br /> sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795<br /> sock_alloc_send_skb include/net/sock.h:1842 [inline]<br /> j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]<br /> j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]<br /> j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg+0x30f/0x380 net/socket.c:745<br /> ____sys_sendmsg+0x877/0xb60 net/socket.c:2584<br /> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638<br /> __sys_sendmsg net/socket.c:2667 [inline]<br /> __do_sys_sendmsg net/socket.c:2676 [inline]<br /> __se_sys_sendmsg net/socket.c:2674 [inline]<br /> __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674<br /> x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Bytes 12-15 of 16 are uninitialized<br /> Memory access of size 16 starts at ffff888120969690<br /> Data copied to user address 00000000200017c0<br /> <br /> CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers<br /> <br /> register store validation for NFT_DATA_VALUE is conditional, however,<br /> the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This<br /> only requires a new helper function to infer the register type from the<br /> set datatype so this conditional check can be removed. Otherwise,<br /> pointer to chain object can be leaked through the registers.

Note Mark is a web-based Markdown notes app. A stored cross-site scripting (XSS) vulnerability in Note Mark allows attackers to execute arbitrary web scripts via a crafted payload injected into the URL value of a link in the markdown content. This vulnerability is fixed in 0.13.1.

Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.

ImageMagick is a free and open-source software suite, used for editing and manipulating digital images. The `AppImage` version `ImageMagick` might use an empty path when setting `MAGICK_CONFIGURE_PATH` and `LD_LIBRARY_PATH` environment variables while executing, which might lead to arbitrary code execution by loading malicious configuration files or shared libraries in the current working directory while executing `ImageMagick`. The vulnerability is fixed in 7.11-36.

fast-xml-parser is an open source, pure javascript xml parser. a ReDOS exists on currency.js. This vulnerability is fixed in 4.4.1.

Cross Site Scripting (XSS) vulnerability in AML Surety Eco up to 3.5 allows an attacker to run arbitrary code via crafted GET request using the id parameter.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bcachefs: Fix sb_field_downgrade validation<br /> <br /> - bch2_sb_downgrade_validate() wasn&amp;#39;t checking for a downgrade entry<br /> extending past the end of the superblock section<br /> <br /> - for_each_downgrade_entry() is used in to_text() and needs to work on<br /> malformed input; it also was missing a check for a field extending<br /> past the end of the section

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/fbdev-dma: Only set smem_start is enable per module option<br /> <br /> Only export struct fb_info.fix.smem_start if that is required by the<br /> user and the memory does not come from vmalloc().<br /> <br /> Setting struct fb_info.fix.smem_start breaks systems where DMA<br /> memory is backed by vmalloc address space. An example error is<br /> shown below.<br /> <br /> [ 3.536043] ------------[ cut here ]------------<br /> [ 3.540716] virt_to_phys used for non-linear address: 000000007fc4f540 (0xffff800086001000)<br /> [ 3.552628] WARNING: CPU: 4 PID: 61 at arch/arm64/mm/physaddr.c:12 __virt_to_phys+0x68/0x98<br /> [ 3.565455] Modules linked in:<br /> [ 3.568525] CPU: 4 PID: 61 Comm: kworker/u12:5 Not tainted 6.6.23-06226-g4986cc3e1b75-dirty #250<br /> [ 3.577310] Hardware name: NXP i.MX95 19X19 board (DT)<br /> [ 3.582452] Workqueue: events_unbound deferred_probe_work_func<br /> [ 3.588291] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 3.595233] pc : __virt_to_phys+0x68/0x98<br /> [ 3.599246] lr : __virt_to_phys+0x68/0x98<br /> [ 3.603276] sp : ffff800083603990<br /> [ 3.677939] Call trace:<br /> [ 3.680393] __virt_to_phys+0x68/0x98<br /> [ 3.684067] drm_fbdev_dma_helper_fb_probe+0x138/0x238<br /> [ 3.689214] __drm_fb_helper_initial_config_and_unlock+0x2b0/0x4c0<br /> [ 3.695385] drm_fb_helper_initial_config+0x4c/0x68<br /> [ 3.700264] drm_fbdev_dma_client_hotplug+0x8c/0xe0<br /> [ 3.705161] drm_client_register+0x60/0xb0<br /> [ 3.709269] drm_fbdev_dma_setup+0x94/0x148<br /> <br /> Additionally, DMA memory is assumed to by contiguous in physical<br /> address space, which is not guaranteed by vmalloc().<br /> <br /> Resolve this by checking the module flag drm_leak_fbdev_smem when<br /> DRM allocated the instance of struct fb_info. Fbdev-dma then only<br /> sets smem_start only if required (via FBINFO_HIDE_SMEM_START). Also<br /> guarantee that the framebuffer is not located in vmalloc address<br /> space.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ata: libata-core: Fix double free on error<br /> <br /> If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump<br /> to the err_out label, which will call devres_release_group().<br /> devres_release_group() will trigger a call to ata_host_release().<br /> ata_host_release() calls kfree(host), so executing the kfree(host) in<br /> ata_host_alloc() will lead to a double free:<br /> <br /> kernel BUG at mm/slub.c:553!<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014<br /> RIP: 0010:kfree+0x2cf/0x2f0<br /> Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da<br /> RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246<br /> RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320<br /> RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0<br /> RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000<br /> R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780<br /> R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006<br /> FS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? __die_body.cold+0x19/0x27<br /> ? die+0x2e/0x50<br /> ? do_trap+0xca/0x110<br /> ? do_error_trap+0x6a/0x90<br /> ? kfree+0x2cf/0x2f0<br /> ? exc_invalid_op+0x50/0x70<br /> ? kfree+0x2cf/0x2f0<br /> ? asm_exc_invalid_op+0x1a/0x20<br /> ? ata_host_alloc+0xf5/0x120 [libata]<br /> ? ata_host_alloc+0xf5/0x120 [libata]<br /> ? kfree+0x2cf/0x2f0<br /> ata_host_alloc+0xf5/0x120 [libata]<br /> ata_host_alloc_pinfo+0x14/0xa0 [libata]<br /> ahci_init_one+0x6c9/0xd20 [ahci]<br /> <br /> Ensure that we will not call kfree(host) twice, by performing the kfree()<br /> only if the devres_open_group() call failed.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: mcp251xfd: fix infinite loop when xmit fails<br /> <br /> When the mcp251xfd_start_xmit() function fails, the driver stops<br /> processing messages, and the interrupt routine does not return,<br /> running indefinitely even after killing the running application.<br /> <br /> Error messages:<br /> [ 441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16<br /> [ 441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3).<br /> ... and repeat forever.<br /> <br /> The issue can be triggered when multiple devices share the same SPI<br /> interface. And there is concurrent access to the bus.<br /> <br /> The problem occurs because tx_ring-&gt;head increments even if<br /> mcp251xfd_start_xmit() fails. Consequently, the driver skips one TX<br /> package while still expecting a response in<br /> mcp251xfd_handle_tefif_one().<br /> <br /> Resolve the issue by starting a workqueue to write the tx obj<br /> synchronously if err = -EBUSY. In case of another error, decrement<br /> tx_ring-&gt;head, remove skb from the echo stack, and drop the message.<br /> <br /> [mkl: use more imperative wording in patch description]