Vulnerabilidades

*** Pendiente de traducción *** A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: Enhance sanity check while generating attr_list<br /> <br /> ni_create_attr_list uses WARN_ON to catch error cases while generating<br /> attribute list, which only prints out stack trace and may not be enough.<br /> This repalces them with more proper error handling flow.<br /> <br /> [ 59.666332] BUG: kernel NULL pointer dereference, address: 000000000000000e<br /> [ 59.673268] #PF: supervisor read access in kernel mode<br /> [ 59.678354] #PF: error_code(0x0000) - not-present page<br /> [ 59.682831] PGD 8000000005ff1067 P4D 8000000005ff1067 PUD 7dee067 PMD 0<br /> [ 59.688556] Oops: 0000 [#1] PREEMPT SMP KASAN PTI<br /> [ 59.692642] CPU: 0 PID: 198 Comm: poc Tainted: G B W 6.2.0-rc1+ #4<br /> [ 59.698868] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014<br /> [ 59.708795] RIP: 0010:ni_create_attr_list+0x505/0x860<br /> [ 59.713657] Code: 7e 10 e8 5e d0 d0 ff 45 0f b7 76 10 48 8d 7b 16 e8 00 d1 d0 ff 66 44 89 73 16 4d 8d 75 0e 4c 89 f7 e8 3f d0 d0 ff 4c 8d8<br /> [ 59.731559] RSP: 0018:ffff88800a56f1e0 EFLAGS: 00010282<br /> [ 59.735691] RAX: 0000000000000001 RBX: ffff88800b7b5088 RCX: ffffffffb83079fe<br /> [ 59.741792] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffffbb7f9fc0<br /> [ 59.748423] RBP: ffff88800a56f3a8 R08: ffff88800b7b50a0 R09: fffffbfff76ff3f9<br /> [ 59.754654] R10: ffffffffbb7f9fc7 R11: fffffbfff76ff3f8 R12: ffff88800b756180<br /> [ 59.761552] R13: 0000000000000000 R14: 000000000000000e R15: 0000000000000050<br /> [ 59.768323] FS: 00007feaa8c96440(0000) GS:ffff88806d400000(0000) knlGS:0000000000000000<br /> [ 59.776027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 59.781395] CR2: 00007f3a2e0b1000 CR3: 000000000a5bc000 CR4: 00000000000006f0<br /> [ 59.787607] Call Trace:<br /> [ 59.790271] <br /> [ 59.792488] ? __pfx_ni_create_attr_list+0x10/0x10<br /> [ 59.797235] ? kernel_text_address+0xd3/0xe0<br /> [ 59.800856] ? unwind_get_return_address+0x3e/0x60<br /> [ 59.805101] ? __kasan_check_write+0x18/0x20<br /> [ 59.809296] ? preempt_count_sub+0x1c/0xd0<br /> [ 59.813421] ni_ins_attr_ext+0x52c/0x5c0<br /> [ 59.817034] ? __pfx_ni_ins_attr_ext+0x10/0x10<br /> [ 59.821926] ? __vfs_setxattr+0x121/0x170<br /> [ 59.825718] ? __vfs_setxattr_noperm+0x97/0x300<br /> [ 59.829562] ? __vfs_setxattr_locked+0x145/0x170<br /> [ 59.833987] ? vfs_setxattr+0x137/0x2a0<br /> [ 59.836732] ? do_setxattr+0xce/0x150<br /> [ 59.839807] ? setxattr+0x126/0x140<br /> [ 59.842353] ? path_setxattr+0x164/0x180<br /> [ 59.845275] ? __x64_sys_setxattr+0x71/0x90<br /> [ 59.848838] ? do_syscall_64+0x3f/0x90<br /> [ 59.851898] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc<br /> [ 59.857046] ? stack_depot_save+0x17/0x20<br /> [ 59.860299] ni_insert_attr+0x1ba/0x420<br /> [ 59.863104] ? __pfx_ni_insert_attr+0x10/0x10<br /> [ 59.867069] ? preempt_count_sub+0x1c/0xd0<br /> [ 59.869897] ? _raw_spin_unlock_irqrestore+0x2b/0x50<br /> [ 59.874088] ? __create_object+0x3ae/0x5d0<br /> [ 59.877865] ni_insert_resident+0xc4/0x1c0<br /> [ 59.881430] ? __pfx_ni_insert_resident+0x10/0x10<br /> [ 59.886355] ? kasan_save_alloc_info+0x1f/0x30<br /> [ 59.891117] ? __kasan_kmalloc+0x8b/0xa0<br /> [ 59.894383] ntfs_set_ea+0x90d/0xbf0<br /> [ 59.897703] ? __pfx_ntfs_set_ea+0x10/0x10<br /> [ 59.901011] ? kernel_text_address+0xd3/0xe0<br /> [ 59.905308] ? __kernel_text_address+0x16/0x50<br /> [ 59.909811] ? unwind_get_return_address+0x3e/0x60<br /> [ 59.914898] ? __pfx_stack_trace_consume_entry+0x10/0x10<br /> [ 59.920250] ? arch_stack_walk+0xa2/0x100<br /> [ 59.924560] ? filter_irq_stacks+0x27/0x80<br /> [ 59.928722] ntfs_setxattr+0x405/0x440<br /> [ 59.932512] ? __pfx_ntfs_setxattr+0x10/0x10<br /> [ 59.936634] ? kvmalloc_node+0x2d/0x120<br /> [ 59.940378] ? kasan_save_stack+0x41/0x60<br /> [ 59.943870] ? kasan_save_stack+0x2a/0x60<br /> [ 59.947719] ? kasan_set_track+0x29/0x40<br /> [ 59.951417] ? kasan_save_alloc_info+0x1f/0x30<br /> [ 59.955733] ? __kasan_kmalloc+0x8b/0xa0<br /> [ 59.959598] ? __kmalloc_node+0x68/0x150<br /> [ 59.963163] ? kvmalloc_node+0x2d/0x120<br /> [ 59.966490] ? vmemdup_user+0x2b/0xa0<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> workqueue: fix data race with the pwq-&gt;stats[] increment<br /> <br /> KCSAN has discovered a data race in kernel/workqueue.c:2598:<br /> <br /> [ 1863.554079] ==================================================================<br /> [ 1863.554118] BUG: KCSAN: data-race in process_one_work / process_one_work<br /> <br /> [ 1863.554142] write to 0xffff963d99d79998 of 8 bytes by task 5394 on cpu 27:<br /> [ 1863.554154] process_one_work (kernel/workqueue.c:2598)<br /> [ 1863.554166] worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2752)<br /> [ 1863.554177] kthread (kernel/kthread.c:389)<br /> [ 1863.554186] ret_from_fork (arch/x86/kernel/process.c:145)<br /> [ 1863.554197] ret_from_fork_asm (arch/x86/entry/entry_64.S:312)<br /> <br /> [ 1863.554213] read to 0xffff963d99d79998 of 8 bytes by task 5450 on cpu 12:<br /> [ 1863.554224] process_one_work (kernel/workqueue.c:2598)<br /> [ 1863.554235] worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2752)<br /> [ 1863.554247] kthread (kernel/kthread.c:389)<br /> [ 1863.554255] ret_from_fork (arch/x86/kernel/process.c:145)<br /> [ 1863.554266] ret_from_fork_asm (arch/x86/entry/entry_64.S:312)<br /> <br /> [ 1863.554280] value changed: 0x0000000000001766 -&gt; 0x000000000000176a<br /> <br /> [ 1863.554295] Reported by Kernel Concurrency Sanitizer on:<br /> [ 1863.554303] CPU: 12 PID: 5450 Comm: kworker/u64:1 Tainted: G L 6.5.0-rc6+ #44<br /> [ 1863.554314] Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023<br /> [ 1863.554322] Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]<br /> [ 1863.554941] ==================================================================<br /> <br /> lockdep_invariant_state(true);<br /> → pwq-&gt;stats[PWQ_STAT_STARTED]++;<br /> trace_workqueue_execute_start(work);<br /> worker-&gt;current_func(work);<br /> <br /> Moving pwq-&gt;stats[PWQ_STAT_STARTED]++; before the line<br /> <br /> raw_spin_unlock_irq(&amp;pool-&gt;lock);<br /> <br /> resolves the data race without performance penalty.<br /> <br /> KCSAN detected at least one additional data race:<br /> <br /> [ 157.834751] ==================================================================<br /> [ 157.834770] BUG: KCSAN: data-race in process_one_work / process_one_work<br /> <br /> [ 157.834793] write to 0xffff9934453f77a0 of 8 bytes by task 468 on cpu 29:<br /> [ 157.834804] process_one_work (/home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2606)<br /> [ 157.834815] worker_thread (/home/marvin/linux/kernel/linux_torvalds/./include/linux/list.h:292 /home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2752)<br /> [ 157.834826] kthread (/home/marvin/linux/kernel/linux_torvalds/kernel/kthread.c:389)<br /> [ 157.834834] ret_from_fork (/home/marvin/linux/kernel/linux_torvalds/arch/x86/kernel/process.c:145)<br /> [ 157.834845] ret_from_fork_asm (/home/marvin/linux/kernel/linux_torvalds/arch/x86/entry/entry_64.S:312)<br /> <br /> [ 157.834859] read to 0xffff9934453f77a0 of 8 bytes by task 214 on cpu 7:<br /> [ 157.834868] process_one_work (/home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2606)<br /> [ 157.834879] worker_thread (/home/marvin/linux/kernel/linux_torvalds/./include/linux/list.h:292 /home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2752)<br /> [ 157.834890] kthread (/home/marvin/linux/kernel/linux_torvalds/kernel/kthread.c:389)<br /> [ 157.834897] ret_from_fork (/home/marvin/linux/kernel/linux_torvalds/arch/x86/kernel/process.c:145)<br /> [ 157.834907] ret_from_fork_asm (/home/marvin/linux/kernel/linux_torvalds/arch/x86/entry/entry_64.S:312)<br /> <br /> [ 157.834920] value changed: 0x000000000000052a -&gt; 0x0000000000000532<br /> <br /> [ 157.834933] Reported by Kernel Concurrency Sanitizer on:<br /> [ 157.834941] CPU: 7 PID: 214 Comm: kworker/u64:2 Tainted: G L 6.5.0-rc7-kcsan-00169-g81eaf55a60fc #4<br /> [ 157.834951] Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023<br /> [ 157.834958] Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]<br /> [ 157.835567] ==================================================================<br /> <br /> in code:<br /> <br /> trace_workqueue_execute_end(work, worker-&gt;current_func);<br /> → pwq-&gt;stats[PWQ_STAT_COM<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> caif: fix memory leak in cfctrl_linkup_request()<br /> <br /> When linktype is unknown or kzalloc failed in cfctrl_linkup_request(),<br /> pkt is not released. Add release process to error path.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pstore/ram: Check start of empty przs during init<br /> <br /> After commit 30696378f68a ("pstore/ram: Do not treat empty buffers as<br /> valid"), initialization would assume a prz was valid after seeing that<br /> the buffer_size is zero (regardless of the buffer start position). This<br /> unchecked start value means it could be outside the bounds of the buffer,<br /> leading to future access panics when written to:<br /> <br /> sysdump_panic_event+0x3b4/0x5b8<br /> atomic_notifier_call_chain+0x54/0x90<br /> panic+0x1c8/0x42c<br /> die+0x29c/0x2a8<br /> die_kernel_fault+0x68/0x78<br /> __do_kernel_fault+0x1c4/0x1e0<br /> do_bad_area+0x40/0x100<br /> do_translation_fault+0x68/0x80<br /> do_mem_abort+0x68/0xf8<br /> el1_da+0x1c/0xc0<br /> __raw_writeb+0x38/0x174<br /> __memcpy_toio+0x40/0xac<br /> persistent_ram_update+0x44/0x12c<br /> persistent_ram_write+0x1a8/0x1b8<br /> ramoops_pstore_write+0x198/0x1e8<br /> pstore_console_write+0x94/0xe0<br /> ...<br /> <br /> To avoid this, also check if the prz start is 0 during the initialization<br /> phase. If not, the next prz sanity check case will discover it (start &gt;<br /> size) and zap the buffer back to a sane state.<br /> <br /> [kees: update commit log with backtrace and clarifications]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> genirq/ipi: Fix NULL pointer deref in irq_data_get_affinity_mask()<br /> <br /> If ipi_send_{mask|single}() is called with an invalid interrupt number, all<br /> the local variables there will be NULL. ipi_send_verify() which is invoked<br /> from these functions does verify its &amp;#39;data&amp;#39; parameter, resulting in a<br /> kernel oops in irq_data_get_affinity_mask() as the passed NULL pointer gets<br /> dereferenced.<br /> <br /> Add a missing NULL pointer check in ipi_send_verify()...<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with the SVACE static<br /> analysis tool.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one<br /> <br /> Eric Dumazet says:<br /> nf_conntrack_dccp_packet() has an unique:<br /> <br /> dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &amp;_dh);<br /> <br /> And nothing more is &amp;#39;pulled&amp;#39; from the packet, depending on the content.<br /> dh-&gt;dccph_doff, and/or dh-&gt;dccph_x ...)<br /> So dccp_ack_seq() is happily reading stuff past the _dh buffer.<br /> <br /> BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0<br /> Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371<br /> [..]<br /> <br /> Fix this by increasing the stack buffer to also include room for<br /> the extra sequence numbers and all the known dccp packet type headers,<br /> then pull again after the initial validation of the basic header.<br /> <br /> While at it, mark packets invalid that lack 48bit sequence bit but<br /> where RFC says the type MUST use them.<br /> <br /> Compile tested only.<br /> <br /> v2: first skb_header_pointer() now needs to adjust the size to<br /> only pull the generic header. (Eric)<br /> <br /> Heads-up: I intend to remove dccp conntrack support later this year.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: chipidea: fix memory leak with using debugfs_lookup()<br /> <br /> When calling debugfs_lookup() the result must have dput() called on it,<br /> otherwise the memory will leak over time. To make things simpler, just<br /> call debugfs_lookup_and_remove() instead which handles all of the logic<br /> at once.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: mpi3mr: Fix issues in mpi3mr_get_all_tgt_info()<br /> <br /> The function mpi3mr_get_all_tgt_info() has four issues:<br /> <br /> 1) It calculates valid entry length in alltgt_info assuming the header part<br /> of the struct mpi3mr_device_map_info would equal to sizeof(u32). The<br /> correct size is sizeof(u64).<br /> <br /> 2) When it calculates the valid entry length kern_entrylen, it excludes one<br /> entry by subtracting 1 from num_devices.<br /> <br /> 3) It copies num_device by calling memcpy(). Substitution is enough.<br /> <br /> 4) It does not specify the calculated length to sg_copy_from_buffer().<br /> Instead, it specifies the payload length which is larger than the<br /> alltgt_info size. It causes "BUG: KASAN: slab-out-of-bounds".<br /> <br /> Fix the issues by using the correct header size, removing the subtraction<br /> from num_devices, replacing the memcpy() with substitution and specifying<br /> the correct length to sg_copy_from_buffer().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211_hwsim: drop short frames<br /> <br /> While technically some control frames like ACK are shorter and<br /> end after Address 1, such frames shouldn&amp;#39;t be forwarded through<br /> wmediumd or similar userspace, so require the full 3-address<br /> header to avoid accessing invalid memory if shorter frames are<br /> passed in.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: qla2xxx: Wait for io return on terminate rport<br /> <br /> System crash due to use after free.<br /> Current code allows terminate_rport_io to exit before making<br /> sure all IOs has returned. For FCP-2 device, IO&amp;#39;s can hang<br /> on in HW because driver has not tear down the session in FW at<br /> first sign of cable pull. When dev_loss_tmo timer pops,<br /> terminate_rport_io is called and upper layer is about to<br /> free various resources. Terminate_rport_io trigger qla to do<br /> the final cleanup, but the cleanup might not be fast enough where it<br /> leave qla still holding on to the same resource.<br /> <br /> Wait for IO&amp;#39;s to return to upper layer before resources are freed.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext2/dax: Fix ext2_setsize when len is page aligned<br /> <br /> PAGE_ALIGN(x) macro gives the next highest value which is multiple of<br /> pagesize. But if x is already page aligned then it simply returns x.<br /> So, if x passed is 0 in dax_zero_range() function, that means the<br /> length gets passed as 0 to -&gt;iomap_begin().<br /> <br /> In ext2 it then calls ext2_get_blocks -&gt; max_blocks as 0 and hits bug_on<br /> here in ext2_get_blocks().<br /> BUG_ON(maxblocks == 0);<br /> <br /> Instead we should be calling dax_truncate_page() here which takes<br /> care of it. i.e. it only calls dax_zero_range if the offset is not<br /> page/block aligned.<br /> <br /> This can be easily triggered with following on fsdax mounted pmem<br /> device.<br /> <br /> dd if=/dev/zero of=file count=1 bs=512<br /> truncate -s 0 file<br /> <br /> [79.525838] EXT2-fs (pmem0): DAX enabled. Warning: EXPERIMENTAL, use at your own risk<br /> [79.529376] ext2 filesystem being mounted at /mnt1/test supports timestamps until 2038 (0x7fffffff)<br /> [93.793207] ------------[ cut here ]------------<br /> [93.795102] kernel BUG at fs/ext2/inode.c:637!<br /> [93.796904] invalid opcode: 0000 [#1] PREEMPT SMP PTI<br /> [93.798659] CPU: 0 PID: 1192 Comm: truncate Not tainted 6.3.0-rc2-xfstests-00056-g131086faa369 #139<br /> [93.806459] RIP: 0010:ext2_get_blocks.constprop.0+0x524/0x610<br /> <br /> [93.835298] Call Trace:<br /> [93.836253] <br /> [93.837103] ? lock_acquire+0xf8/0x110<br /> [93.838479] ? d_lookup+0x69/0xd0<br /> [93.839779] ext2_iomap_begin+0xa7/0x1c0<br /> [93.841154] iomap_iter+0xc7/0x150<br /> [93.842425] dax_zero_range+0x6e/0xa0<br /> [93.843813] ext2_setsize+0x176/0x1b0<br /> [93.845164] ext2_setattr+0x151/0x200<br /> [93.846467] notify_change+0x341/0x4e0<br /> [93.847805] ? lock_acquire+0xf8/0x110<br /> [93.849143] ? do_truncate+0x74/0xe0<br /> [93.850452] ? do_truncate+0x84/0xe0<br /> [93.851739] do_truncate+0x84/0xe0<br /> [93.852974] do_sys_ftruncate+0x2b4/0x2f0<br /> [93.854404] do_syscall_64+0x3f/0x90<br /> [93.855789] entry_SYSCALL_64_after_hwframe+0x72/0xdc