Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hsr: hold rcu and dev lock for hsr_get_port_ndev<br /> <br /> hsr_get_port_ndev calls hsr_for_each_port, which need to hold rcu lock.<br /> On the other hand, before return the port device, we need to hold the<br /> device reference to avoid UaF in the caller function.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: idxd: Remove improper idxd_free<br /> <br /> The call to idxd_free() introduces a duplicate put_device() leading to a<br /> reference count underflow:<br /> refcount_t: underflow; use-after-free.<br /> WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110<br /> ...<br /> Call Trace:<br /> <br /> idxd_remove+0xe4/0x120 [idxd]<br /> pci_device_remove+0x3f/0xb0<br /> device_release_driver_internal+0x197/0x200<br /> driver_detach+0x48/0x90<br /> bus_remove_driver+0x74/0xf0<br /> pci_unregister_driver+0x2e/0xb0<br /> idxd_exit_module+0x34/0x7a0 [idxd]<br /> __do_sys_delete_module.constprop.0+0x183/0x280<br /> do_syscall_64+0x54/0xd70<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> The idxd_unregister_devices() which is invoked at the very beginning of<br /> idxd_remove(), already takes care of the necessary put_device() through the<br /> following call path:<br /> idxd_unregister_devices() -&gt; device_unregister() -&gt; put_device()<br /> <br /> In addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may<br /> trigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is<br /> called immediately after, it can result in a use-after-free.<br /> <br /> Remove the improper idxd_free() to avoid both the refcount underflow and<br /> potential memory corruption during module unload.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> macsec: sync features on RTM_NEWLINK<br /> <br /> Syzkaller managed to lock the lower device via ETHTOOL_SFEATURES:<br /> <br /> netdev_lock include/linux/netdevice.h:2761 [inline]<br /> netdev_lock_ops include/net/netdev_lock.h:42 [inline]<br /> netdev_sync_lower_features net/core/dev.c:10649 [inline]<br /> __netdev_update_features+0xcb1/0x1be0 net/core/dev.c:10819<br /> netdev_update_features+0x6d/0xe0 net/core/dev.c:10876<br /> macsec_notify+0x2f5/0x660 drivers/net/macsec.c:4533<br /> notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85<br /> call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]<br /> call_netdevice_notifiers net/core/dev.c:2281 [inline]<br /> netdev_features_change+0x85/0xc0 net/core/dev.c:1570<br /> __dev_ethtool net/ethtool/ioctl.c:3469 [inline]<br /> dev_ethtool+0x1536/0x19b0 net/ethtool/ioctl.c:3502<br /> dev_ioctl+0x392/0x1150 net/core/dev_ioctl.c:759<br /> <br /> It happens because lower features are out of sync with the upper:<br /> <br /> __dev_ethtool (real_dev)<br /> netdev_lock_ops(real_dev)<br /> ETHTOOL_SFEATURES<br /> __netdev_features_change<br /> netdev_sync_upper_features<br /> disable LRO on the lower<br /> if (old_features != dev-&gt;features)<br /> netdev_features_change<br /> fires NETDEV_FEAT_CHANGE<br /> macsec_notify<br /> NETDEV_FEAT_CHANGE<br /> netdev_update_features (for each macsec dev)<br /> netdev_sync_lower_features<br /> if (upper_features != lower_features)<br /> netdev_lock_ops(lower) # lower == real_dev<br /> stuck<br /> ...<br /> <br /> netdev_unlock_ops(real_dev)<br /> <br /> Per commit af5f54b0ef9e ("net: Lock lower level devices when updating<br /> features"), we elide the lock/unlock when the upper and lower features<br /> are synced. Makes sure the lower (real_dev) has proper features after<br /> the macsec link has been created. This makes sure we never hit the<br /> situation where we need to sync upper flags to the lower.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> igb: Fix NULL pointer dereference in ethtool loopback test<br /> <br /> The igb driver currently causes a NULL pointer dereference when executing<br /> the ethtool loopback test. This occurs because there is no associated<br /> q_vector for the test ring when it is set up, as interrupts are typically<br /> not added to the test rings.<br /> <br /> Since commit 5ef44b3cb43b removed the napi_id assignment in<br /> __xdp_rxq_info_reg(), there is no longer a need to pass a napi_id to it.<br /> Therefore, simply use 0 as the last parameter.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB<br /> <br /> can_put_echo_skb() takes ownership of the SKB and it may be freed<br /> during or after the call.<br /> <br /> However, xilinx_can xcan_write_frame() keeps using SKB after the call.<br /> <br /> Fix that by only calling can_put_echo_skb() after the code is done<br /> touching the SKB.<br /> <br /> The tx_lock is held for the entire xcan_write_frame() execution and<br /> also on the can_get_echo_skb() side so the order of operations does not<br /> matter.<br /> <br /> An earlier fix commit 3d3c817c3a40 ("can: xilinx_can: Fix usage of skb<br /> memory") did not move the can_put_echo_skb() call far enough.<br /> <br /> [mkl: add "commit" in front of sha1 in patch description]<br /> [mkl: fix indention]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: idxd: Fix double free in idxd_setup_wqs()<br /> <br /> The clean up in idxd_setup_wqs() has had a couple bugs because the error<br /> handling is a bit subtle. It&amp;#39;s simpler to just re-write it in a cleaner<br /> way. The issues here are:<br /> <br /> 1) If "idxd-&gt;max_wqs" is

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: ti: edma: Fix memory allocation size for queue_priority_map<br /> <br /> Fix a critical memory allocation bug in edma_setup_from_hw() where<br /> queue_priority_map was allocated with insufficient memory. The code<br /> declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),<br /> but allocated memory using sizeof(s8) instead of the correct size.<br /> <br /> This caused out-of-bounds memory writes when accessing:<br /> queue_priority_map[i][0] = i;<br /> queue_priority_map[i][1] = i;<br /> <br /> The bug manifested as kernel crashes with "Oops - undefined instruction"<br /> on ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the<br /> memory corruption triggered kernel hardening features on Clang.<br /> <br /> Change the allocation to use sizeof(*queue_priority_map) which<br /> automatically gets the correct size for the 2D array structure.

*** Pendiente de traducción *** A vulnerability was detected in code-projects Online Bidding System 1.0. Affected is an unknown function of the file /administrator/wew.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.

*** Pendiente de traducción *** Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

*** Pendiente de traducción *** A flaw has been found in Reservation Online Hotel Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /reservation/paypalpayout.php. Executing manipulation of the argument confirm can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> erofs: fix runtime warning on truncate_folio_batch_exceptionals()<br /> <br /> Commit 0e2f80afcfa6("fs/dax: ensure all pages are idle prior to<br /> filesystem unmount") introduced the WARN_ON_ONCE to capture whether<br /> the filesystem has removed all DAX entries or not and applied the<br /> fix to xfs and ext4.<br /> <br /> Apply the missed fix on erofs to fix the runtime warning:<br /> <br /> [ 5.266254] ------------[ cut here ]------------<br /> [ 5.266274] WARNING: CPU: 6 PID: 3109 at mm/truncate.c:89 truncate_folio_batch_exceptionals+0xff/0x260<br /> [ 5.266294] Modules linked in:<br /> [ 5.266999] CPU: 6 UID: 0 PID: 3109 Comm: umount Tainted: G S 6.16.0+ #6 PREEMPT(voluntary)<br /> [ 5.267012] Tainted: [S]=CPU_OUT_OF_SPEC<br /> [ 5.267017] Hardware name: Dell Inc. OptiPlex 5000/05WXFV, BIOS 1.5.1 08/24/2022<br /> [ 5.267024] RIP: 0010:truncate_folio_batch_exceptionals+0xff/0x260<br /> [ 5.267076] Code: 00 00 41 39 df 7f 11 eb 78 83 c3 01 49 83 c4 08 41 39 df 74 6c 48 63 f3 48 83 fe 1f 0f 83 3c 01 00 00 43 f6 44 26 08 01 74 df 0b 4a 8b 34 22 4c 89 ef 48 89 55 90 e8 ff 54 1f 00 48 8b 55 90<br /> [ 5.267083] RSP: 0018:ffffc900013f36c8 EFLAGS: 00010202<br /> [ 5.267095] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000<br /> [ 5.267101] RDX: ffffc900013f3790 RSI: 0000000000000000 RDI: ffff8882a1407898<br /> [ 5.267108] RBP: ffffc900013f3740 R08: 0000000000000000 R09: 0000000000000000<br /> [ 5.267113] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000<br /> [ 5.267119] R13: ffff8882a1407ab8 R14: ffffc900013f3888 R15: 0000000000000001<br /> [ 5.267125] FS: 00007aaa8b437800(0000) GS:ffff88850025b000(0000) knlGS:0000000000000000<br /> [ 5.267132] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 5.267138] CR2: 00007aaa8b3aac10 CR3: 000000024f764000 CR4: 0000000000f52ef0<br /> [ 5.267144] PKRU: 55555554<br /> [ 5.267150] Call Trace:<br /> [ 5.267154] <br /> [ 5.267181] truncate_inode_pages_range+0x118/0x5e0<br /> [ 5.267193] ? save_trace+0x54/0x390<br /> [ 5.267296] truncate_inode_pages_final+0x43/0x60<br /> [ 5.267309] evict+0x2a4/0x2c0<br /> [ 5.267339] dispose_list+0x39/0x80<br /> [ 5.267352] evict_inodes+0x150/0x1b0<br /> [ 5.267376] generic_shutdown_super+0x41/0x180<br /> [ 5.267390] kill_block_super+0x1b/0x50<br /> [ 5.267402] erofs_kill_sb+0x81/0x90 [erofs]<br /> [ 5.267436] deactivate_locked_super+0x32/0xb0<br /> [ 5.267450] deactivate_super+0x46/0x60<br /> [ 5.267460] cleanup_mnt+0xc3/0x170<br /> [ 5.267475] __cleanup_mnt+0x12/0x20<br /> [ 5.267485] task_work_run+0x5d/0xb0<br /> [ 5.267499] exit_to_user_mode_loop+0x144/0x170<br /> [ 5.267512] do_syscall_64+0x2b9/0x7c0<br /> [ 5.267523] ? __lock_acquire+0x665/0x2ce0<br /> [ 5.267535] ? __lock_acquire+0x665/0x2ce0<br /> [ 5.267560] ? lock_acquire+0xcd/0x300<br /> [ 5.267573] ? find_held_lock+0x31/0x90<br /> [ 5.267582] ? mntput_no_expire+0x97/0x4e0<br /> [ 5.267606] ? mntput_no_expire+0xa1/0x4e0<br /> [ 5.267625] ? mntput+0x24/0x50<br /> [ 5.267634] ? path_put+0x1e/0x30<br /> [ 5.267647] ? do_faccessat+0x120/0x2f0<br /> [ 5.267677] ? do_syscall_64+0x1a2/0x7c0<br /> [ 5.267686] ? from_kgid_munged+0x17/0x30<br /> [ 5.267703] ? from_kuid_munged+0x13/0x30<br /> [ 5.267711] ? __do_sys_getuid+0x3d/0x50<br /> [ 5.267724] ? do_syscall_64+0x1a2/0x7c0<br /> [ 5.267732] ? irqentry_exit+0x77/0xb0<br /> [ 5.267743] ? clear_bhb_loop+0x30/0x80<br /> [ 5.267752] ? clear_bhb_loop+0x30/0x80<br /> [ 5.267765] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [ 5.267772] RIP: 0033:0x7aaa8b32a9fb<br /> [ 5.267781] Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 e9 83 0d 00 f7 d8<br /> [ 5.267787] RSP: 002b:00007ffd7c4c9468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6<br /> [ 5.267796] RAX: 0000000000000000 RBX: 00005a61592a8b00 RCX: 00007aaa8b32a9fb<br /> [ 5.267802] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005a61592b2080<br /> [ 5.267806] RBP: 00007ffd7c4c9540 R08: 00007aaa8b403b20 R09: 0000000000000020<br /> [ 5.267812] R10: 0000000000000001 R11: 0000000000000246 R12: 00005a61592a8c00<br /> [ 5.267817] R13: 00000000<br /> ---truncated---

*** Pendiente de traducción *** A security vulnerability has been detected in code-projects Online Bidding System 1.0. This impacts an unknown function of the file /administrator/weweee.php. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.