Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: mediatek: vcodec: Only free buffer VA that is not NULL<br /> <br /> In the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly<br /> called only when the buffer to free exists, there are some instances<br /> that didn&amp;#39;t do the check and triggered warnings in practice.<br /> <br /> We believe those checks were forgotten unintentionally. Add the checks<br /> back to fix the warnings.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> s390/dasd: Fix invalid dereferencing of indirect CCW data pointer<br /> <br /> Fix invalid dereferencing of indirect CCW data pointer in<br /> dasd_eckd_dump_sense() that leads to a kernel panic in error cases.<br /> <br /> When using indirect addressing for DASD CCWs (IDAW) the CCW CDA pointer<br /> does not contain the data address itself but a pointer to the IDAL.<br /> This needs to be translated from physical to virtual as well before<br /> using it.<br /> <br /> This dereferencing is also used for dasd_page_cache and also fixed<br /> although it is very unlikely that this code path ever gets used.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: sunxi-ng: common: Don&amp;#39;t call hw_to_ccu_common on hw without common<br /> <br /> In order to set the rate range of a hw sunxi_ccu_probe calls<br /> hw_to_ccu_common() assuming all entries in desc-&gt;ccu_clks are contained<br /> in a ccu_common struct. This assumption is incorrect and, in<br /> consequence, causes invalid pointer de-references.<br /> <br /> Remove the faulty call. Instead, add one more loop that iterates over<br /> the ccu_clks and sets the rate range, if required.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes<br /> <br /> In nouveau_connector_get_modes(), the return value of drm_mode_duplicate()<br /> is assigned to mode, which will lead to a possible NULL pointer<br /> dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again"<br /> <br /> Patch series "mm: Avoid possible overflows in dirty throttling".<br /> <br /> Dirty throttling logic assumes dirty limits in page units fit into<br /> 32-bits. This patch series makes sure this is true (see patch 2/2 for<br /> more details).<br /> <br /> <br /> This patch (of 2):<br /> <br /> This reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78.<br /> <br /> The commit is broken in several ways. Firstly, the removed (u64) cast<br /> from the multiplication will introduce a multiplication overflow on 32-bit<br /> archs if wb_thresh * bg_thresh &gt;= 1

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix adding block group to a reclaim list and the unused list during reclaim<br /> <br /> There is a potential parallel list adding for retrying in<br /> btrfs_reclaim_bgs_work and adding to the unused list. Since the block<br /> group is removed from the reclaim list and it is on a relocation work,<br /> it can be added into the unused list in parallel. When that happens,<br /> adding it to the reclaim list will corrupt the list head and trigger<br /> list corruption like below.<br /> <br /> Fix it by taking fs_info-&gt;unused_bgs_lock.<br /> <br /> [177.504][T2585409] BTRFS error (device nullb1): error relocating ch= unk 2415919104<br /> [177.514][T2585409] list_del corruption. next-&gt;prev should be ff1100= 0344b119c0, but was ff11000377e87c70. (next=3Dff110002390cd9c0)<br /> [177.529][T2585409] ------------[ cut here ]------------<br /> [177.537][T2585409] kernel BUG at lib/list_debug.c:65!<br /> [177.545][T2585409] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI<br /> [177.555][T2585409] CPU: 9 PID: 2585409 Comm: kworker/u128:2 Tainted: G W 6.10.0-rc5-kts #1<br /> [177.568][T2585409] Hardware name: Supermicro SYS-520P-WTR/X12SPW-TF, BIOS 1.2 02/14/2022<br /> [177.579][T2585409] Workqueue: events_unbound btrfs_reclaim_bgs_work[btrfs]<br /> [177.589][T2585409] RIP: 0010:__list_del_entry_valid_or_report.cold+0x70/0x72<br /> [177.624][T2585409] RSP: 0018:ff11000377e87a70 EFLAGS: 00010286<br /> [177.633][T2585409] RAX: 000000000000006d RBX: ff11000344b119c0 RCX:0000000000000000<br /> [177.644][T2585409] RDX: 000000000000006d RSI: 0000000000000008 RDI:ffe21c006efd0f40<br /> [177.655][T2585409] RBP: ff110002e0509f78 R08: 0000000000000001 R09:ffe21c006efd0f08<br /> [177.665][T2585409] R10: ff11000377e87847 R11: 0000000000000000 R12:ff110002390cd9c0<br /> [177.676][T2585409] R13: ff11000344b119c0 R14: ff110002e0508000 R15:dffffc0000000000<br /> [177.687][T2585409] FS: 0000000000000000(0000) GS:ff11000fec880000(0000) knlGS:0000000000000000<br /> [177.700][T2585409] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [177.709][T2585409] CR2: 00007f06bc7b1978 CR3: 0000001021e86005 CR4:0000000000771ef0<br /> [177.720][T2585409] DR0: 0000000000000000 DR1: 0000000000000000 DR2:0000000000000000<br /> [177.731][T2585409] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:0000000000000400<br /> [177.742][T2585409] PKRU: 55555554<br /> [177.748][T2585409] Call Trace:<br /> [177.753][T2585409] <br /> [177.759][T2585409] ? __die_body.cold+0x19/0x27<br /> [177.766][T2585409] ? die+0x2e/0x50<br /> [177.772][T2585409] ? do_trap+0x1ea/0x2d0<br /> [177.779][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72<br /> [177.788][T2585409] ? do_error_trap+0xa3/0x160<br /> [177.795][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72<br /> [177.805][T2585409] ? handle_invalid_op+0x2c/0x40<br /> [177.812][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72<br /> [177.820][T2585409] ? exc_invalid_op+0x2d/0x40<br /> [177.827][T2585409] ? asm_exc_invalid_op+0x1a/0x20<br /> [177.834][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72<br /> [177.843][T2585409] btrfs_delete_unused_bgs+0x3d9/0x14c0 [btrfs]<br /> <br /> There is a similar retry_list code in btrfs_delete_unused_bgs(), but it is<br /> safe, AFAICS. Since the block group was in the unused list, the used bytes<br /> should be 0 when it was added to the unused list. Then, it checks<br /> block_group-&gt;{used,reserved,pinned} are still 0 under the<br /> block_group-&gt;lock. So, they should be still eligible for the unused list,<br /> not the reclaim list.<br /> <br /> The reason it is safe there it&amp;#39;s because because we&amp;#39;re holding<br /> space_info-&gt;groups_sem in write mode.<br /> <br /> That means no other task can allocate from the block group, so while we<br /> are at deleted_unused_bgs() it&amp;#39;s not possible for other tasks to<br /> allocate and deallocate extents from the block group, so it can&amp;#39;t be<br /> added to the unused list or the reclaim list by anyone else.<br /> <br /> The bug can be reproduced by btrfs/166 after a few rounds. In practice<br /> this can be hit when relocation cannot find more chunk space and ends<br /> with ENOSPC.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nilfs2: add missing check for inode numbers on directory entries<br /> <br /> Syzbot reported that mounting and unmounting a specific pattern of<br /> corrupted nilfs2 filesystem images causes a use-after-free of metadata<br /> file inodes, which triggers a kernel bug in lru_add_fn().<br /> <br /> As Jan Kara pointed out, this is because the link count of a metadata file<br /> gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(),<br /> tries to delete that inode (ifile inode in this case).<br /> <br /> The inconsistency occurs because directories containing the inode numbers<br /> of these metadata files that should not be visible in the namespace are<br /> read without checking.<br /> <br /> Fix this issue by treating the inode numbers of these internal files as<br /> errors in the sanity check helper when reading directory folios/pages.<br /> <br /> Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer<br /> analysis.

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s bt_bb_button shortcode in all versions up to, and including, 5.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

A vulnerability, which was classified as critical, was found in SourceCodester Lot Reservation Management System 1.0. Affected is an unknown function of the file /home.php. The manipulation of the argument type leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-272802 is the identifier assigned to this vulnerability.

A vulnerability was determined in SourceCodester/Campcodes School Log Management System 1.0. This affects an unknown part of the file /admin/manage_user.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.

The Zephyr Project Manager WordPress plugin before 3.3.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors and admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)