Vulnerabilidades

*** Pendiente de traducción *** A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions

*** Pendiente de traducción *** A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions

*** Pendiente de traducción *** A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions

*** Pendiente de traducción *** A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions

*** Pendiente de traducción *** A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions

*** Pendiente de traducción *** IBM QRadar SIEM 7.5 - 7.5.0 UP14 IF01 is affected by an information disclosure vulnerability involving exposure of directory information. IBM has addressed this vulnerability in the latest update.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: soc-compress: Reposition and add pcm_mutex<br /> <br /> If panic_on_warn is set and compress stream(DPCM) is started,<br /> then kernel panic occurred because card-&gt;pcm_mutex isn&amp;#39;t held appropriately.<br /> In the following functions, warning were issued at this line<br /> "snd_soc_dpcm_mutex_assert_held".<br /> <br /> static int dpcm_be_connect(struct snd_soc_pcm_runtime *fe,<br /> struct snd_soc_pcm_runtime *be, int stream)<br /> {<br /> ...<br /> snd_soc_dpcm_mutex_assert_held(fe);<br /> ...<br /> }<br /> <br /> void dpcm_be_disconnect(struct snd_soc_pcm_runtime *fe, int stream)<br /> {<br /> ...<br /> snd_soc_dpcm_mutex_assert_held(fe);<br /> ...<br /> }<br /> <br /> void snd_soc_runtime_action(struct snd_soc_pcm_runtime *rtd,<br /> int stream, int action)<br /> {<br /> ...<br /> snd_soc_dpcm_mutex_assert_held(rtd);<br /> ...<br /> }<br /> <br /> int dpcm_dapm_stream_event(struct snd_soc_pcm_runtime *fe, int dir,<br /> int event)<br /> {<br /> ...<br /> snd_soc_dpcm_mutex_assert_held(fe);<br /> ...<br /> }<br /> <br /> These functions are called by soc_compr_set_params_fe, soc_compr_open_fe<br /> and soc_compr_free_fe<br /> without pcm_mutex locking. And this is call stack.<br /> <br /> [ 414.527841][ T2179] pc : dpcm_process_paths+0x5a4/0x750<br /> [ 414.527848][ T2179] lr : dpcm_process_paths+0x37c/0x750<br /> [ 414.527945][ T2179] Call trace:<br /> [ 414.527949][ T2179] dpcm_process_paths+0x5a4/0x750<br /> [ 414.527955][ T2179] soc_compr_open_fe+0xb0/0x2cc<br /> [ 414.527972][ T2179] snd_compr_open+0x180/0x248<br /> [ 414.527981][ T2179] snd_open+0x15c/0x194<br /> [ 414.528003][ T2179] chrdev_open+0x1b0/0x220<br /> [ 414.528023][ T2179] do_dentry_open+0x30c/0x594<br /> [ 414.528045][ T2179] vfs_open+0x34/0x44<br /> [ 414.528053][ T2179] path_openat+0x914/0xb08<br /> [ 414.528062][ T2179] do_filp_open+0xc0/0x170<br /> [ 414.528068][ T2179] do_sys_openat2+0x94/0x18c<br /> [ 414.528076][ T2179] __arm64_sys_openat+0x78/0xa4<br /> [ 414.528084][ T2179] invoke_syscall+0x48/0x10c<br /> [ 414.528094][ T2179] el0_svc_common+0xbc/0x104<br /> [ 414.528099][ T2179] do_el0_svc+0x34/0xd8<br /> [ 414.528103][ T2179] el0_svc+0x34/0xc4<br /> [ 414.528125][ T2179] el0t_64_sync_handler+0x8c/0xfc<br /> [ 414.528133][ T2179] el0t_64_sync+0x1a0/0x1a4<br /> [ 414.528142][ T2179] Kernel panic - not syncing: panic_on_warn set ...<br /> <br /> So, I reposition and add pcm_mutex to resolve lockdep error.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netlink: do not hard code device address lenth in fdb dumps<br /> <br /> syzbot reports that some netdev devices do not have a six bytes<br /> address [1]<br /> <br /> Replace ETH_ALEN by dev-&gt;addr_len.<br /> <br /> [1] (Case of a device where dev-&gt;addr_len = 4)<br /> <br /> BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]<br /> BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169<br /> instrument_copy_to_user include/linux/instrumented.h:114 [inline]<br /> copyout+0xb8/0x100 lib/iov_iter.c:169<br /> _copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536<br /> copy_to_iter include/linux/uio.h:206 [inline]<br /> simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513<br /> __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419<br /> skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527<br /> skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]<br /> netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970<br /> sock_recvmsg_nosec net/socket.c:1019 [inline]<br /> sock_recvmsg net/socket.c:1040 [inline]<br /> ____sys_recvmsg+0x283/0x7f0 net/socket.c:2722<br /> ___sys_recvmsg+0x223/0x840 net/socket.c:2764<br /> do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858<br /> __sys_recvmmsg net/socket.c:2937 [inline]<br /> __do_sys_recvmmsg net/socket.c:2960 [inline]<br /> __se_sys_recvmmsg net/socket.c:2953 [inline]<br /> __x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> Uninit was stored to memory at:<br /> __nla_put lib/nlattr.c:1009 [inline]<br /> nla_put+0x1c6/0x230 lib/nlattr.c:1067<br /> nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071<br /> nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]<br /> ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456<br /> rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629<br /> netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268<br /> netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995<br /> sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019<br /> ____sys_recvmsg+0x664/0x7f0 net/socket.c:2720<br /> ___sys_recvmsg+0x223/0x840 net/socket.c:2764<br /> do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858<br /> __sys_recvmmsg net/socket.c:2937 [inline]<br /> __do_sys_recvmmsg net/socket.c:2960 [inline]<br /> __se_sys_recvmmsg net/socket.c:2953 [inline]<br /> __x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> Uninit was created at:<br /> slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716<br /> slab_alloc_node mm/slub.c:3451 [inline]<br /> __kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490<br /> kmalloc_trace+0x51/0x200 mm/slab_common.c:1057<br /> kmalloc include/linux/slab.h:559 [inline]<br /> __hw_addr_create net/core/dev_addr_lists.c:60 [inline]<br /> __hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118<br /> __dev_mc_add net/core/dev_addr_lists.c:867 [inline]<br /> dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885<br /> igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680<br /> ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754<br /> ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708<br /> addrconf_type_change net/ipv6/addrconf.c:3731 [inline]<br /> addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699<br /> notifier_call_chain kernel/notifier.c:93 [inline]<br /> raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461<br /> call_netdevice_notifiers_info net/core/dev.c:1935 [inline]<br /> call_netdevice_notifiers_extack net/core/dev.c:1973 [inline]<br /> call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987<br /> bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906<br /> do_set_master net/core/rtnetlink.c:2626 [inline]<br /> rtnl_newlink_create net/core/rtnetlink.c:3460 [inline]<br /> __rtnl_newlink net/core/rtnetlink.c:3660 [inline]<br /> rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673<br /> rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395<br /> netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546<br /> rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]<br /> netlink_unicast+0xf28/0x1230 net/netlink/af_<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable()<br /> <br /> When disabling overlay plane in mxsfb_plane_overlay_atomic_update(),<br /> overlay plane&amp;#39;s framebuffer pointer is NULL. So, dereferencing it would<br /> cause a kernel Oops(NULL pointer dereferencing). Fix the issue by<br /> disabling overlay plane in mxsfb_plane_overlay_atomic_disable() instead.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix warning when putting transaction with qgroups enabled after abort<br /> <br /> If we have a transaction abort with qgroups enabled we get a warning<br /> triggered when doing the final put on the transaction, like this:<br /> <br /> [552.6789] ------------[ cut here ]------------<br /> [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs]<br /> [552.6817] Modules linked in: btrfs blake2b_generic xor (...)<br /> [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1<br /> [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014<br /> [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs]<br /> [552.6821] Code: bd a0 01 00 (...)<br /> [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286<br /> [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000<br /> [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010<br /> [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20<br /> [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70<br /> [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028<br /> [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000<br /> [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0<br /> [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [552.6822] Call Trace:<br /> [552.6822] <br /> [552.6822] ? __warn+0x80/0x130<br /> [552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs]<br /> [552.6824] ? report_bug+0x1f4/0x200<br /> [552.6824] ? handle_bug+0x42/0x70<br /> [552.6824] ? exc_invalid_op+0x14/0x70<br /> [552.6824] ? asm_exc_invalid_op+0x16/0x20<br /> [552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs]<br /> [552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs]<br /> [552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40<br /> [552.6828] ? try_to_wake_up+0x94/0x5e0<br /> [552.6828] ? __pfx_process_timeout+0x10/0x10<br /> [552.6828] transaction_kthread+0x103/0x1d0 [btrfs]<br /> [552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs]<br /> [552.6832] kthread+0xee/0x120<br /> [552.6832] ? __pfx_kthread+0x10/0x10<br /> [552.6832] ret_from_fork+0x29/0x50<br /> [552.6832] <br /> [552.6832] ---[ end trace 0000000000000000 ]---<br /> <br /> This corresponds to this line of code:<br /> <br /> void btrfs_put_transaction(struct btrfs_transaction *transaction)<br /> {<br /> (...)<br /> WARN_ON(!RB_EMPTY_ROOT(<br /> &amp;transaction-&gt;delayed_refs.dirty_extent_root));<br /> (...)<br /> }<br /> <br /> The warning happens because btrfs_qgroup_destroy_extent_records(), called<br /> in the transaction abort path, we free all entries from the rbtree<br /> "dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we<br /> don&amp;#39;t actually empty the rbtree - it&amp;#39;s still pointing to nodes that were<br /> freed.<br /> <br /> So set the rbtree&amp;#39;s root node to NULL to avoid this warning (assign<br /> RB_ROOT).

*** Pendiente de traducción *** EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of Sensitive Information to an Unauthorized Actor” by local access. Successful exploitation of this vulnerability will lead to <br /> <br /> possible information disclosure or escalation of privilege<br /> <br /> and impact Confidentiality.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: mediatek: mt8186: Fix use-after-free in driver remove path<br /> <br /> When devm runs function in the "remove" path for a device it runs them<br /> in the reverse order. That means that if you have parts of your driver<br /> that aren&amp;#39;t using devm or are using "roll your own" devm w/<br /> devm_add_action_or_reset() you need to keep that in mind.<br /> <br /> The mt8186 audio driver didn&amp;#39;t quite get this right. Specifically, in<br /> mt8186_init_clock() it called mt8186_audsys_clk_register() and then<br /> went on to call a bunch of other devm function. The caller of<br /> mt8186_init_clock() used devm_add_action_or_reset() to call<br /> mt8186_deinit_clock() but, because of the intervening devm functions,<br /> the order was wrong.<br /> <br /> Specifically at probe time, the order was:<br /> 1. mt8186_audsys_clk_register()<br /> 2. afe_priv-&gt;clk = devm_kcalloc(...)<br /> 3. afe_priv-&gt;clk[i] = devm_clk_get(...)<br /> <br /> At remove time, the order (which should have been 3, 2, 1) was:<br /> 1. mt8186_audsys_clk_unregister()<br /> 3. Free all of afe_priv-&gt;clk[i]<br /> 2. Free afe_priv-&gt;clk<br /> <br /> The above seemed to be causing a use-after-free. Luckily, it&amp;#39;s easy to<br /> fix this by simply using devm more correctly. Let&amp;#39;s move the<br /> devm_add_action_or_reset() to the right place. In addition to fixing<br /> the use-after-free, code inspection shows that this fixes a leak<br /> (missing call to mt8186_audsys_clk_unregister()) that would have<br /> happened if any of the syscon_regmap_lookup_by_phandle() calls in<br /> mt8186_init_clock() had failed.