Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: qla2xxx: Fix improper freeing of purex item<br /> <br /> In qla2xxx_process_purls_iocb(), an item is allocated via<br /> qla27xx_copy_multiple_pkt(), which internally calls<br /> qla24xx_alloc_purex_item().<br /> <br /> The qla24xx_alloc_purex_item() function may return a pre-allocated item<br /> from a per-adapter pool for small allocations, instead of dynamically<br /> allocating memory with kzalloc().<br /> <br /> An error handling path in qla2xxx_process_purls_iocb() incorrectly uses<br /> kfree() to release the item. If the item was from the pre-allocated<br /> pool, calling kfree() on it is a bug that can lead to memory corruption.<br /> <br /> Fix this by using the correct deallocation function,<br /> qla24xx_free_purex_item(), which properly handles both dynamically<br /> allocated and pre-allocated items.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix invalid prog-&gt;stats access when update_effective_progs fails<br /> <br /> Syzkaller triggers an invalid memory access issue following fault<br /> injection in update_effective_progs. The issue can be described as<br /> follows:<br /> <br /> __cgroup_bpf_detach<br /> update_effective_progs<br /> compute_effective_progs<br /> bpf_prog_array_alloc items[index] = &amp;dummy_bpf_prog.prog<br /> <br /> ---softirq start---<br /> __do_softirq<br /> ...<br /> __cgroup_bpf_run_filter_skb<br /> __bpf_prog_run_save_cb<br /> bpf_prog_run<br /> stats = this_cpu_ptr(prog-&gt;stats)<br /> /* invalid memory access */<br /> flags = u64_stats_update_begin_irqsave(&amp;stats-&gt;syncp)<br /> ---softirq end---<br /> <br /> static_branch_dec(&amp;cgroup_bpf_enabled_key[atype])<br /> <br /> The reason is that fault injection caused update_effective_progs to fail<br /> and then changed the original prog into dummy_bpf_prog.prog in<br /> purge_effective_progs. Then a softirq came, and accessing the members of<br /> dummy_bpf_prog.prog in the softirq triggers invalid mem access.<br /> <br /> To fix it, skip updating stats when stats is NULL.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Free special fields when update [lru_,]percpu_hash maps<br /> <br /> As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing<br /> calls to &amp;#39;bpf_obj_free_fields()&amp;#39; in &amp;#39;pcpu_copy_value()&amp;#39; could cause the<br /> memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the<br /> map gets freed.<br /> <br /> Fix this by calling &amp;#39;bpf_obj_free_fields()&amp;#39; after<br /> &amp;#39;copy_map_value[,_long]()&amp;#39; in &amp;#39;pcpu_copy_value()&amp;#39;.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: tegra210-quad: Fix timeout handling<br /> <br /> When the CPU that the QSPI interrupt handler runs on (typically CPU 0)<br /> is excessively busy, it can lead to rare cases of the IRQ thread not<br /> running before the transfer timeout is reached.<br /> <br /> While handling the timeouts, any pending transfers are cleaned up and<br /> the message that they correspond to is marked as failed, which leaves<br /> the curr_xfer field pointing at stale memory.<br /> <br /> To avoid this, clear curr_xfer to NULL upon timeout and check for this<br /> condition when the IRQ thread is finally run.<br /> <br /> While at it, also make sure to clear interrupts on failure so that new<br /> interrupts can be run.<br /> <br /> A better, more involved, fix would move the interrupt clearing into a<br /> hard IRQ handler. Ideally we would also want to signal that the IRQ<br /> thread no longer needs to be run after the timeout is hit to avoid the<br /> extra check for a valid transfer.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> accel/ivpu: Fix race condition when unbinding BOs<br /> <br /> Fix &amp;#39;Memory manager not clean during takedown&amp;#39; warning that occurs<br /> when ivpu_gem_bo_free() removes the BO from the BOs list before it<br /> gets unmapped. Then file_priv_unbind() triggers a warning in<br /> drm_mm_takedown() during context teardown.<br /> <br /> Protect the unmapping sequence with bo_list_lock to ensure the BO is<br /> always fully unmapped when removed from the list. This ensures the BO<br /> is either fully unmapped at context teardown time or present on the<br /> list and unmapped by file_priv_unbind().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/panthor: Prevent potential UAF in group creation<br /> <br /> This commit prevents the possibility of a use after free issue in the<br /> GROUP_CREATE ioctl function, which arose as pointer to the group is<br /> accessed in that ioctl function after storing it in the Xarray.<br /> A malicious userspace can second guess the handle of a group and try<br /> to call GROUP_DESTROY ioctl from another thread around the same time<br /> as GROUP_CREATE ioctl.<br /> <br /> To prevent the use after free exploit, this commit uses a mark on an<br /> entry of group pool Xarray which is added just before returning from<br /> the GROUP_CREATE ioctl function. The mark is checked for all ioctls<br /> that specify the group handle and so userspace won&amp;#39;t be abe to delete<br /> a group that isn&amp;#39;t marked yet.<br /> <br /> v2: Add R-bs and fixes tags

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm64/pageattr: Propagate return value from __change_memory_common<br /> <br /> The rodata=on security measure requires that any code path which does<br /> vmalloc -&gt; set_memory_ro/set_memory_rox must protect the linear map alias<br /> too. Therefore, if such a call fails, we must abort set_memory_* and caller<br /> must take appropriate action; currently we are suppressing the error, and<br /> there is a real chance of such an error arising post commit a166563e7ec3<br /> ("arm64: mm: support large block mapping when rodata=full"). Therefore,<br /> propagate any error to the caller.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mt76: mt7996: fix null pointer deref in mt7996_conf_tx()<br /> <br /> If a link does not have an assigned channel yet, mt7996_vif_link returns<br /> NULL. We still need to store the updated queue settings in that case, and<br /> apply them later.<br /> Move the location of the queue params to within struct mt7996_vif_link.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PM / devfreq: hisi: Fix potential UAF in OPP handling<br /> <br /> Ensure all required data is acquired before calling dev_pm_opp_put(opp)<br /> to maintain correct resource acquisition and release order.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ima: Handle error code returned by ima_filter_rule_match()<br /> <br /> In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to<br /> the rule being NULL, the function incorrectly skips the &amp;#39;if (!rc)&amp;#39; check<br /> and sets &amp;#39;result = true&amp;#39;. The LSM rule is considered a match, causing<br /> extra files to be measured by IMA.<br /> <br /> This issue can be reproduced in the following scenario:<br /> After unloading the SELinux policy module via &amp;#39;semodule -d&amp;#39;, if an IMA<br /> measurement is triggered before ima_lsm_rules is updated,<br /> in ima_match_rules(), the first call to ima_filter_rule_match() returns<br /> -ESTALE. This causes the code to enter the &amp;#39;if (rc == -ESTALE &amp;&amp;<br /> !rule_reinitialized)&amp;#39; block, perform ima_lsm_copy_rule() and retry. In<br /> ima_lsm_copy_rule(), since the SELinux module has been removed, the rule<br /> becomes NULL, and the second call to ima_filter_rule_match() returns<br /> -ENOENT. This bypasses the &amp;#39;if (!rc)&amp;#39; check and results in a false match.<br /> <br /> Call trace:<br /> selinux_audit_rule_match+0x310/0x3b8<br /> security_audit_rule_match+0x60/0xa0<br /> ima_match_rules+0x2e4/0x4a0<br /> ima_match_policy+0x9c/0x1e8<br /> ima_get_action+0x48/0x60<br /> process_measurement+0xf8/0xa98<br /> ima_bprm_check+0x98/0xd8<br /> security_bprm_check+0x5c/0x78<br /> search_binary_handler+0x6c/0x318<br /> exec_binprm+0x58/0x1b8<br /> bprm_execve+0xb8/0x130<br /> do_execveat_common.isra.0+0x1a8/0x258<br /> __arm64_sys_execve+0x48/0x68<br /> invoke_syscall+0x50/0x128<br /> el0_svc_common.constprop.0+0xc8/0xf0<br /> do_el0_svc+0x24/0x38<br /> el0_svc+0x44/0x200<br /> el0t_64_sync_handler+0x100/0x130<br /> el0t_64_sync+0x3c8/0x3d0<br /> <br /> Fix this by changing &amp;#39;if (!rc)&amp;#39; to &amp;#39;if (rc

*** Pendiente de traducción *** Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPXPO PostX ultimate-post allows Retrieve Embedded Sensitive Data.This issue affects PostX: from n/a through

*** Pendiente de traducción *** Missing Authorization vulnerability in DeluxeThemes Userpro userpro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Userpro: from n/a through