Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/rw: ensure allocated iovec gets cleared for early failure<br /> <br /> A previous commit reused the recyling infrastructure for early cleanup,<br /> but this is not enough for the case where our internal caches have<br /> overflowed. If this happens, then the allocated iovec can get leaked if<br /> the request is also aborted early.<br /> <br /> Reinstate the previous forced free of the iovec for that situation.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cifs: client: fix memory leak in smb3_fs_context_parse_param<br /> <br /> The user calls fsconfig twice, but when the program exits, free() only<br /> frees ctx-&gt;source for the second fsconfig, not the first.<br /> Regarding fc-&gt;source, there is no code in the fs context related to its<br /> memory reclamation.<br /> <br /> To fix this memory leak, release the source memory corresponding to ctx<br /> or fc before each parsing.<br /> <br /> syzbot reported:<br /> BUG: memory leak<br /> unreferenced object 0xffff888128afa360 (size 96):<br /> backtrace (crc 79c9c7ba):<br /> kstrdup+0x3c/0x80 mm/util.c:84<br /> smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444<br /> <br /> BUG: memory leak<br /> unreferenced object 0xffff888112c7d900 (size 96):<br /> backtrace (crc 79c9c7ba):<br /> smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629<br /> smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm, swap: fix potential UAF issue for VMA readahead<br /> <br /> Since commit 78524b05f1a3 ("mm, swap: avoid redundant swap device<br /> pinning"), the common helper for allocating and preparing a folio in the<br /> swap cache layer no longer tries to get a swap device reference<br /> internally, because all callers of __read_swap_cache_async are already<br /> holding a swap entry reference. The repeated swap device pinning isn&amp;#39;t<br /> needed on the same swap device.<br /> <br /> Caller of VMA readahead is also holding a reference to the target entry&amp;#39;s<br /> swap device, but VMA readahead walks the page table, so it might encounter<br /> swap entries from other devices, and call __read_swap_cache_async on<br /> another device without holding a reference to it.<br /> <br /> So it is possible to cause a UAF when swapoff of device A raced with<br /> swapin on device B, and VMA readahead tries to read swap entries from<br /> device A. It&amp;#39;s not easy to trigger, but in theory, it could cause real<br /> issues.<br /> <br /> Make VMA readahead try to get the device reference first if the swap<br /> device is a different one from the target entry.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/proc: fix uaf in proc_readdir_de()<br /> <br /> Pde is erased from subdir rbtree through rb_erase(), but not set the node<br /> to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE()<br /> set the erased node to EMPTY, then pde_subdir_next() will return NULL to<br /> avoid uaf access.<br /> <br /> We found an uaf issue while using stress-ng testing, need to run testcase<br /> getdent and tun in the same time. The steps of the issue is as follows:<br /> <br /> 1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current<br /> pde is tun3;<br /> <br /> 2) in the [time windows] unregister netdevice tun3 and tun2, and erase<br /> them from rbtree. erase tun3 first, and then erase tun2. the<br /> pde(tun2) will be released to slab;<br /> <br /> 3) continue to getdent process, then pde_subdir_next() will return<br /> pde(tun2) which is released, it will case uaf access.<br /> <br /> CPU 0 | CPU 1<br /> -------------------------------------------------------------------------<br /> traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun-&gt;dev) //tun3 tun2<br /> sys_getdents64() |<br /> iterate_dir() |<br /> proc_readdir() |<br /> proc_readdir_de() | snmp6_unregister_dev()<br /> pde_get(de); | proc_remove()<br /> read_unlock(&amp;proc_subdir_lock); | remove_proc_subtree()<br /> | write_lock(&amp;proc_subdir_lock);<br /> [time window] | rb_erase(&amp;root-&gt;subdir_node, &amp;parent-&gt;subdir);<br /> | write_unlock(&amp;proc_subdir_lock);<br /> read_lock(&amp;proc_subdir_lock); |<br /> next = pde_subdir_next(de); |<br /> pde_put(de); |<br /> de = next; //UAF |<br /> <br /> rbtree of dev_snmp6<br /> |<br /> pde(tun3)<br /> / \<br /> NULL pde(tun2)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/secretmem: fix use-after-free race in fault handler<br /> <br /> When a page fault occurs in a secret memory file created with<br /> `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the<br /> underlying page as not-present in the direct map, and add it to the file<br /> mapping.<br /> <br /> If two tasks cause a fault in the same page concurrently, both could end<br /> up allocating a folio and removing the page from the direct map, but only<br /> one would succeed in adding the folio to the file mapping. The task that<br /> failed undoes the effects of its attempt by (a) freeing the folio again<br /> and (b) putting the page back into the direct map. However, by doing<br /> these two operations in this order, the page becomes available to the<br /> allocator again before it is placed back in the direct mapping.<br /> <br /> If another task attempts to allocate the page between (a) and (b), and the<br /> kernel tries to access it via the direct map, it would result in a<br /> supervisor not-present page fault.<br /> <br /> Fix the ordering to restore the direct map before the folio is freed.

*** Pendiente de traducción *** A flaw has been found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formArpBindConfig. Executing manipulation of the argument pools can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

*** Pendiente de traducción *** A vulnerability was detected in UTT 进取 520W 1.7.7-180627. The affected element is the function strcpy of the file /goform/websHostFilter. Performing manipulation of the argument addHostFilter results in buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

*** Pendiente de traducción *** A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Impacted is the function strcpy of the file /goform/formConfigDnsFilterGlobal. Such manipulation of the argument timeRangeName leads to buffer overflow. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

*** Pendiente de traducción *** A security flaw has been discovered in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function RE2000v2Repeater_get_wired_clientlist_setClientsName of the file mod_form.so. The manipulation of the argument clientsname_0 results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

*** Pendiente de traducción *** A vulnerability was identified in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function AP_get_wired_clientlist_setClientsName of the file mod_form.so. The manipulation of the argument clientsname_0 leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Se determinó una vulnerabilidad en Linksys RE6500, RE6250, RE6300, RE6350, RE7000 y RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Afectada por este problema es la función RE2000v2Repeater_get_wireless_clientlist_setClientsName del archivo mod_form.so. La ejecución de la manipulación del argumento clientsname_0 puede conducir a un desbordamiento de búfer basado en pila. El ataque puede lanzarse de forma remota. El exploit ha sido divulgado públicamente y puede ser utilizado. Se contactó al proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera.

*** Pendiente de traducción *** A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this vulnerability is the function AP_get_wireless_clientlist_setClientsName of the file mod_form.so. Performing manipulation of the argument clientsname_0 results in stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.