Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: you can select different criteria to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-48701

Publication date:
03/05/2024
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()

There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and the number of its interfaces less than 4, an out-of-bounds read bug occurs when parsing the interface descriptor for this device.

Fix this by checking the number of interfaces.
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2025

CVE-2022-48702

Publication date:
03/05/2024
In the Linux kernel, the following vulnerability has been resolved:

ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()

The voice allocator sometimes begins allocating from near the end of the array and then wraps around, however snd_emu10k1_pcm_channel_alloc() accesses the newly allocated voices as if it never wrapped around.

This results in out of bounds access if the first voice has a high enough index so that first_voice + requested_voice_count > NUM_G (64). The more voices are requested, the more likely it is for this to occur.

This was initially discovered using PipeWire, however it can be reproduced by calling aplay multiple times with 16 channels:
aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero

UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40
index 65 is out of range for type 'snd_emu10k1_voice [64]'
CPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7
Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010
Call Trace:
dump_stack_lvl+0x49/0x63
dump_stack+0x10/0x16
ubsan_epilogue+0x9/0x3f
__ubsan_handle_out_of_bounds.cold+0x44/0x49
snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]
snd_pcm_hw_params+0x29f/0x600 [snd_pcm]
snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]
? exit_to_user_mode_prepare+0x35/0x170
? do_syscall_64+0x69/0x90
? syscall_exit_to_user_mode+0x26/0x50
? do_syscall_64+0x69/0x90
? exit_to_user_mode_prepare+0x35/0x170
snd_pcm_ioctl+0x27/0x40 [snd_pcm]
__x64_sys_ioctl+0x95/0xd0
do_syscall_64+0x5c/0x90
? do_syscall_64+0x69/0x90
? do_syscall_64+0x69/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2025

CVE-2022-48703

Publication date:
03/05/2024
In the Linux kernel, the following vulnerability has been resolved:

thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR

In some case, the GDDV returns a package with a buffer which has zero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10).

Then the data_vault_read() got NULL point dereference problem when accessing the 0x10 value in data_vault.

[ 71.024560] BUG: kernel NULL pointer dereference, address: 0000000000000010

This patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or NULL value in data_vault.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2025

CVE-2022-48694

Publication date:
03/05/2024
In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: Fix drain SQ hang with no completion

SW generated completions for outstanding WRs posted on SQ after QP is in error target the wrong CQ. This causes the ib_drain_sq to hang with no completion.

Fix this to generate completions on the right CQ.

[ 863.969340] INFO: task kworker/u52:2:671 blocked for more than 122 seconds.
[ 863.979224] Not tainted 5.14.0-130.el9.x86_64 #1
[ 863.986588] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 863.996997] task:kworker/u52:2 state:D stack: 0 pid: 671 ppid: 2 flags:0x00004000
[ 864.007272] Workqueue: xprtiod xprt_autoclose [sunrpc]
[ 864.014056] Call Trace:
[ 864.017575] __schedule+0x206/0x580
[ 864.022296] schedule+0x43/0xa0
[ 864.026736] schedule_timeout+0x115/0x150
[ 864.032185] __wait_for_common+0x93/0x1d0
[ 864.037717] ? usleep_range_state+0x90/0x90
[ 864.043368] __ib_drain_sq+0xf6/0x170 [ib_core]
[ 864.049371] ? __rdma_block_iter_next+0x80/0x80 [ib_core]
[ 864.056240] ib_drain_sq+0x66/0x70 [ib_core]
[ 864.062003] rpcrdma_xprt_disconnect+0x82/0x3b0 [rpcrdma]
[ 864.069365] ? xprt_prepare_transmit+0x5d/0xc0 [sunrpc]
[ 864.076386] xprt_rdma_close+0xe/0x30 [rpcrdma]
[ 864.082593] xprt_autoclose+0x52/0x100 [sunrpc]
[ 864.088718] process_one_work+0x1e8/0x3c0
[ 864.094170] worker_thread+0x50/0x3b0
[ 864.099109] ? rescuer_thread+0x370/0x370
[ 864.104473] kthread+0x149/0x170
[ 864.109022] ? set_kthread_struct+0x40/0x40
[ 864.114713] ret_from_fork+0x22/0x30
Severity CVSS v4.0: Pending analysis
Last modification:
23/05/2024

CVE-2024-29417

Publication date:
03/05/2024
Insecure Permissions vulnerability in e-trust Horacius 1.0, 1.1, and 1.2 allows a local attacker to escalate privileges via the password reset function.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-33844

Publication date:
03/05/2024
The 'control' in Parrot ANAFI USA firmware 1.10.4 does not check the MAV_MISSION_TYPE(0, 1, 2, 255), which allows an attacker to cut off the connection between a controller and the drone by sending a MAVLink MISSION_COUNT command with a wrong MAV_MISSION_TYPE.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025

CVE-2024-34446

Publication date:
03/05/2024
Mullvad VPN through 2024.1 on Android does not set a DNS server in the blocking state (after a hard failure to create a tunnel), and thus DNS traffic can leave the device. Data showing that the affected device was the origin of sensitive DNS requests may be observed and logged by operators of unintended DNS servers.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-3479

Publication date:
03/05/2024
An improper export vulnerability was reported in the Motorola Enterprise MotoDpms Provider (com.motorola.server.enterprise.MotoDpmsProvider) that could allow a local attacker to read local data.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2024

CVE-2024-3480

Publication date:
03/05/2024
An Implicit intent vulnerability was reported in the Motorola framework that could allow an attacker to read telephony-related data.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2024

CVE-2022-48670

Publication date:
03/05/2024
In the Linux kernel, the following vulnerability has been resolved:

peci: cpu: Fix use-after-free in adev_release()

When auxiliary_device_add() returns an error, auxiliary_device_uninit() is called, which causes refcount for device to be decremented and .release callback will be triggered.

Because adev_release() re-calls auxiliary_device_uninit(), it will cause use-after-free:
[ 1269.455172] WARNING: CPU: 0 PID: 14267 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15
[ 1269.464007] refcount_t: underflow; use-after-free.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2025

CVE-2022-48671

Publication date:
03/05/2024
In the Linux kernel, the following vulnerability has been resolved:

cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()

syzbot is hitting percpu_rwsem_assert_held(&cpu_hotplug_lock) warning at cpuset_attach() [1], for commit 4f7e7236435ca0ab ("cgroup: Fix threadgroup_rwsem cpus_read_lock() deadlock") missed that cpuset_attach() is also called from cgroup_attach_task_all(). Add cpus_read_lock() like what cgroup_procs_write_start() does.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2022-48672

Publication date:
03/05/2024
In the Linux kernel, the following vulnerability has been resolved:

of: fdt: fix off-by-one error in unflatten_dt_nodes()

Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") forgot to fix up the depth check in the loop body in unflatten_dt_nodes() which makes it possible to overflow the nps[] buffer...

Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool.
Severity CVSS v4.0: Pending analysis
Last modification:
23/05/2024