Latest vulnerabilities [Tuesday, February 27, 2024]


Last update performed on 02/27/2024 at 11:57:08 PM

(4) CRITICAL VULNERABILITIES [9.0, 10.0]

Source : progress.com

Vulnerability ID : CVE-2024-1403

First published on : 27-02-2024 16:15:45
Last modified on : 27-02-2024 16:15:45

Description :
In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The vulnerability is a bypass to authentication based on a failure to properly handle username and password. Certain unexpected content passed into the credentials can lead to unauthorized access without proper authentication.

CVE ID : CVE-2024-1403
Source : security@progress.com
CVSS Score : 10.0

References :
https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer | source : security@progress.com
https://www.progress.com/openedge | source : security@progress.com

Vulnerability : CWE-305


Source : wordfence.com

Vulnerability ID : CVE-2024-1698

First published on : 27-02-2024 06:15:46
Last modified on : 27-02-2024 14:20:06

Description :
The NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE ID : CVE-2024-1698
Source : security@wordfence.com
CVSS Score : 9.8

References :
https://plugins.trac.wordpress.org/changeset/3040809/notificationx/trunk/includes/Core/Database.php | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3040809/notificationx/trunk/includes/Core/Rest/Analytics.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/e110ea99-e2fa-4558-bcf3-942a35af0b91?source=cve | source : security@wordfence.com


Source : github.com

Vulnerability ID : CVE-2024-27099

First published on : 27-02-2024 19:04:07
Last modified on : 27-02-2024 19:04:07

Description :
uAMQP is a C library for AMQP 1.0 communication to Azure Cloud Services. When processing an incorrect `AMQP_VALUE` failed state, it may cause a double free problem, which may lead to RCE. Update the submodule with commit 2ca42b6e4e098af2d17e487814a91d05f6ae4987.

CVE ID : CVE-2024-27099
Source : security-advisories@github.com
CVSS Score : 9.8

References :
https://github.com/Azure/azure-uamqp-c/commit/2ca42b6e4e098af2d17e487814a91d05f6ae4987 | source : security-advisories@github.com
https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-6rh4-fj44-v4jj | source : security-advisories@github.com

Vulnerability : CWE-415


Source : huntr.dev

Vulnerability ID : CVE-2024-0759

First published on : 27-02-2024 06:15:45
Last modified on : 27-02-2024 14:20:06

Description :
Should an instance of AnythingLLM be hosted on an internal network and the attacker be explicitly granted a permission level of manager or admin, they could link-scrape internally resolving IPs of other services that are on the same network as AnythingLLM. This would require the attacker also be able to guess these internal IPs as `/*` ranging is not possible, but could be brute forced. There is a duty of care that other services on the same network would not be fully open and accessible via a simple cURL with zero authentication as it is not possible to set headers or access via the link collector.

CVE ID : CVE-2024-0759
Source : security@huntr.dev
CVSS Score : 9.6

References :
https://github.com/mintplex-labs/anything-llm/commit/0db6c3b2aa1787a7054ffdaba975474f122c20eb | source : security@huntr.dev
https://huntr.com/bounties/9a978edd-ac94-41fc-8e3e-c35441bdd12b | source : security@huntr.dev

Vulnerability : CWE-918


(13) HIGH VULNERABILITIES [7.0, 8.9]

Source : huntr.dev

Vulnerability ID : CVE-2024-0763

First published on : 27-02-2024 22:15:14
Last modified on : 27-02-2024 22:15:14

Description :
Any user can delete an arbitrary folder (recursively) on a remote server due to bad input sanitization leading to path traversal. The attacker would need access to the server at some privilege level since this endpoint is protected and requires authorization.

CVE ID : CVE-2024-0763
Source : security@huntr.dev
CVSS Score : 8.1

References :
https://github.com/mintplex-labs/anything-llm/commit/8a7324d0e77a15186e1ad5e5119fca4fb224c39c | source : security@huntr.dev
https://huntr.com/bounties/25a2f487-5a9c-4c7f-a2d3-b0527db73ea5 | source : security@huntr.dev

Vulnerability : CWE-20


Vulnerability ID : CVE-2024-0551

First published on : 27-02-2024 14:15:27
Last modified on : 27-02-2024 14:19:41

Description :
Exports of the database and associated exported information of the system can be enabled via the default user role. The attacker would have to have been granted access to the system prior to the attack. It is worth noting that the deterministic nature of the export name is lower risk as the UI for exporting would start the download at the same time, which once downloaded - deletes the export from the system. The endpoint for exporting should simply be patched to a higher privilege level.

CVE ID : CVE-2024-0551
Source : security@huntr.dev
CVSS Score : 7.1

References :
https://github.com/mintplex-labs/anything-llm/commit/7aaa4b38e7112a6cd879c1238310c56b1844c6d8 | source : security@huntr.dev
https://huntr.com/bounties/f114c787-ab5f-4f83-afa5-c000435efb78 | source : security@huntr.dev

Vulnerability : CWE-284


Source : thalesgroup.com

Vulnerability ID : CVE-2023-5993

First published on : 27-02-2024 11:15:07
Last modified on : 27-02-2024 14:19:41

Description :
A flaw in the Windows Installer in Thales SafeNet Authentication Client prior to 10.8 R10 on Windows allows an attacker to escalate their privilege level via local access.

CVE ID : CVE-2023-5993
Source : psirt@thalesgroup.com
CVSS Score : 7.8

References :
https://supportportal.thalesgroup.com | source : psirt@thalesgroup.com

Vulnerability : CWE-269


Vulnerability ID : CVE-2023-7016

First published on : 27-02-2024 11:15:07
Last modified on : 27-02-2024 14:19:41

Description :
A flaw in Thales SafeNet Authentication Client prior to 10.8 R10 on Windows allows an attacker to execute code at a SYSTEM level via local access.

CVE ID : CVE-2023-7016
Source : psirt@thalesgroup.com
CVSS Score : 7.8

References :
https://supportportal.thalesgroup.com | source : psirt@thalesgroup.com

Vulnerability : CWE-269


Vulnerability ID : CVE-2024-0197

First published on : 27-02-2024 13:15:45
Last modified on : 27-02-2024 14:19:41

Description :
A flaw in the installer for Thales SafeNet Sentinel HASP LDK prior to 9.16 on Windows allows an attacker to escalate their privilege level via local access.

CVE ID : CVE-2024-0197
Source : psirt@thalesgroup.com
CVSS Score : 7.8

References :
https://supportportal.thalesgroup.com | source : psirt@thalesgroup.com

Vulnerability : CWE-269


Source : github.com

Vulnerability ID : CVE-2024-26142

First published on : 27-02-2024 16:15:46
Last modified on : 27-02-2024 16:15:46

Description :
Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

CVE ID : CVE-2024-26142
Source : security-advisories@github.com
CVSS Score : 7.5

References :
https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946 | source : security-advisories@github.com
https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272 | source : security-advisories@github.com
https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq | source : security-advisories@github.com
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml | source : security-advisories@github.com

Vulnerability : CWE-1333


Vulnerability ID : CVE-2024-26143

First published on : 27-02-2024 16:15:46
Last modified on : 27-02-2024 16:15:46

Description :
Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.

CVE ID : CVE-2024-26143
Source : security-advisories@github.com
CVSS Score : 7.2

References :
https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947 | source : security-advisories@github.com
https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc | source : security-advisories@github.com
https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e | source : security-advisories@github.com
https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4 | source : security-advisories@github.com
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml | source : security-advisories@github.com

Vulnerability : CWE-79


Source : teamviewer.com

Vulnerability ID : CVE-2024-0819

First published on : 27-02-2024 14:15:27
Last modified on : 27-02-2024 14:19:41

Description :
Improper initialization of default settings in TeamViewer Remote Client prior to version 15.51.5 for Windows, Linux and macOS allows a low privileged user to elevate privileges by changing the personal password setting and establishing a remote connection to a logged-in admin account.

CVE ID : CVE-2024-0819
Source : psirt@teamviewer.com
CVSS Score : 7.3

References :
https://www.teamviewer.com/en/trust-center/security-bulletins/tv-2024-1001/ | source : psirt@teamviewer.com

Vulnerability : CWE-269


Source : hpe.com

Vulnerability ID : CVE-2024-26294

First published on : 27-02-2024 22:15:14
Last modified on : 27-02-2024 22:15:14

Description :
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.

CVE ID : CVE-2024-26294
Source : security-alert@hpe.com
CVSS Score : 7.2

References :
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt | source : security-alert@hpe.com


Vulnerability ID : CVE-2024-26295

First published on : 27-02-2024 22:15:15
Last modified on : 27-02-2024 22:15:15

Description :
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.

CVE ID : CVE-2024-26295
Source : security-alert@hpe.com
CVSS Score : 7.2

References :
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt | source : security-alert@hpe.com


Vulnerability ID : CVE-2024-26296

First published on : 27-02-2024 22:15:15
Last modified on : 27-02-2024 22:15:15

Description :
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.

CVE ID : CVE-2024-26296
Source : security-alert@hpe.com
CVSS Score : 7.2

References :
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt | source : security-alert@hpe.com


Vulnerability ID : CVE-2024-26297

First published on : 27-02-2024 22:15:15
Last modified on : 27-02-2024 22:15:15

Description :
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.

CVE ID : CVE-2024-26297
Source : security-alert@hpe.com
CVSS Score : 7.2

References :
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt | source : security-alert@hpe.com


Vulnerability ID : CVE-2024-26298

First published on : 27-02-2024 22:15:15
Last modified on : 27-02-2024 22:15:15

Description :
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.

CVE ID : CVE-2024-26298
Source : security-alert@hpe.com
CVSS Score : 7.2

References :
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt | source : security-alert@hpe.com


(24) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : hpe.com

Vulnerability ID : CVE-2024-26299

First published on : 27-02-2024 22:15:15
Last modified on : 27-02-2024 22:15:15

Description :
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

CVE ID : CVE-2024-26299
Source : security-alert@hpe.com
CVSS Score : 6.6

References :
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt | source : security-alert@hpe.com


Source : wordfence.com

Vulnerability ID : CVE-2024-1323

First published on : 27-02-2024 05:15:08
Last modified on : 27-02-2024 14:20:06

Description :
The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Type Grid Widget Title in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE ID : CVE-2024-1323
Source : security@wordfence.com
CVSS Score : 6.4

References :
https://plugins.trac.wordpress.org/changeset/3040304/themeisle-companion/tags/2.10.32/vendor/codeinwp/elementor-extra-widgets/class-elementor-extra-widgets.php | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3038451%40themeisle-companion&new=3038451%40themeisle-companion&sfp_email=&sfph_mail= | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3040304%40themeisle-companion&new=3040304%40themeisle-companion&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/0241a9fc-ce42-4a97-9f33-f07cf53c0f52?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1687

First published on : 27-02-2024 06:15:45
Last modified on : 27-02-2024 14:20:06

Description :
The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to unauthorized execution of shortcodes due to a missing capability check on the get_text_editor_content() function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute arbitrary shortcodes.

CVE ID : CVE-2024-1687
Source : security@wordfence.com
CVSS Score : 5.4

References :
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3041096%40woo-thank-you-page-customizer&new=3041096%40woo-thank-you-page-customizer&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/310afe02-3a51-4633-b359-65ae58d0c032?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1686

First published on : 27-02-2024 06:15:45
Last modified on : 27-02-2024 14:20:06

Description :
The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 1.1.2 via the apply_layout function due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve arbitrary order data which may contain PII.

CVE ID : CVE-2024-1686
Source : security@wordfence.com
CVSS Score : 5.3

References :
https://plugins.trac.wordpress.org/changeset/3041096/woo-thank-you-page-customizer/trunk/frontend/frontend.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/2e7ebc0c-6936-4632-a602-7131c7d8bd6a?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1649

First published on : 27-02-2024 11:15:08
Last modified on : 27-02-2024 14:19:41

Description :
The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxDeleteCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete categories.

CVE ID : CVE-2024-1649
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/changeset/3034410/categorify | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/c63ddc62-a4f1-4da4-a65e-4573369d6c30?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1650

First published on : 27-02-2024 11:15:08
Last modified on : 27-02-2024 14:19:41

Description :
The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxRenameCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to rename categories.

CVE ID : CVE-2024-1650
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/changeset/3034410/categorify | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/f9a3dc87-5309-41fe-bfc3-60b5878b6c57?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1652

First published on : 27-02-2024 11:15:08
Last modified on : 27-02-2024 14:19:41

Description :
The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxClearCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to clear categories.

CVE ID : CVE-2024-1652
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/changeset/3034410/categorify | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/acccc6ae-553d-4ed5-8ba9-06a9061d725c?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1653

First published on : 27-02-2024 11:15:08
Last modified on : 27-02-2024 14:19:41

Description :
The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxUpdateFolderPosition function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the folder position of categories as well as update the metadata of other taxonomies.

CVE ID : CVE-2024-1653
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/changeset/3034410/categorify | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/45badd20-1ba8-44be-8a7c-2ce21261e208?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1906

First published on : 27-02-2024 11:15:08
Last modified on : 27-02-2024 14:19:41

Description :
The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxAddCategory function. This makes it possible for unauthenticated attackers to add categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID : CVE-2024-1906
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/changeset/3034410/categorify | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/78422a30-bdc6-4e7c-a018-c3dc4b4be6a0?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1907

First published on : 27-02-2024 11:15:09
Last modified on : 27-02-2024 14:19:41

Description :
The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxDeleteCategory function. This makes it possible for unauthenticated attackers to delete categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID : CVE-2024-1907
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/changeset/3034410/categorify | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/08c79118-9dad-44fd-b683-7950276d3808?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1909

First published on : 27-02-2024 11:15:09
Last modified on : 27-02-2024 14:19:41

Description :
The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxRenameCategory function. This makes it possible for unauthenticated attackers to rename categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID : CVE-2024-1909
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/changeset/3034410/categorify | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/58b29729-e9c3-4d57-affd-6142dfa8cc6f?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1910

First published on : 27-02-2024 11:15:09
Last modified on : 27-02-2024 14:19:41

Description :
The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxClearCategory function. This makes it possible for unauthenticated attackers to clear categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID : CVE-2024-1910
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/changeset/3034410/categorify | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/b1c2712d-0865-4759-98da-1e11a26f2466?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-1912

First published on : 27-02-2024 11:15:09
Last modified on : 27-02-2024 14:19:41

Description :
The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxUpdateFolderPosition function. This makes it possible for unauthenticated attackers to update the folder position of categories as well as update the metadata of other taxonomies via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID : CVE-2024-1912
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/changeset/3034410/categorify | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/6ca28c91-f75e-4691-91cf-459cc9da5ad8?source=cve | source : security@wordfence.com


Source : vuldb.com

Vulnerability ID : CVE-2024-1923

First published on : 27-02-2024 16:15:46
Last modified on : 27-02-2024 16:15:46

Description :
A vulnerability was found in SourceCodester Simple Student Attendance System 1.0 and classified as critical. Affected by this issue is the function delete_class of the file /ajax-api.php of the component List of Classes Page. The manipulation of the argument id with the input 1337'+or+1=1;--+ leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-254858 is the identifier assigned to this vulnerability.

CVE ID : CVE-2024-1923
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/smurf-reigz/security/blob/main/proof-of-concepts/SOURCECODESTER%20%5BSimple%20Student%20Attendance%20System%20using%20PHP%20and%20MySQL%5D%20SQLi%20on%20ajax-api.php%3Faction=delete_class.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.254858 | source : cna@vuldb.com
https://vuldb.com/?id.254858 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2024-1924

First published on : 27-02-2024 17:15:11
Last modified on : 27-02-2024 17:15:11

Description :
A vulnerability was found in CodeAstro Membership Management System 1.0. It has been classified as critical. This affects an unknown part of the file /get_membership_amount.php. The manipulation of the argument membershipTypeId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254859.

CVE ID : CVE-2024-1924
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/1testnew/CVE_Hunter/blob/main/SQLi-1.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.254859 | source : cna@vuldb.com
https://vuldb.com/?id.254859 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2024-1926

First published on : 27-02-2024 17:15:11
Last modified on : 27-02-2024 17:15:11

Description :
A vulnerability was found in SourceCodester Free and Open Source Inventory Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /app/ajax/search_sales_report.php. The manipulation of the argument customer leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254861 was assigned to this vulnerability.

CVE ID : CVE-2024-1926
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Free%20and%20Open%20Source%20inventory%20management%20system-SQLi.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.254861 | source : cna@vuldb.com
https://vuldb.com/?id.254861 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2024-1920

First published on : 27-02-2024 14:15:27
Last modified on : 27-02-2024 14:19:41

Description :
A vulnerability, which was classified as critical, has been found in osuuu LightPicture up to 1.2.2. This issue affects the function handle of the file /app/middleware/TokenVerify.php. The manipulation leads to use of hard-coded cryptographic key. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254855.

CVE ID : CVE-2024-1920
Source : cna@vuldb.com
CVSS Score : 5.6

References :
https://note.zhaoj.in/share/gKyCbSSdJ5fY | source : cna@vuldb.com
https://vuldb.com/?ctiid.254855 | source : cna@vuldb.com
https://vuldb.com/?id.254855 | source : cna@vuldb.com

Vulnerability : CWE-321


Vulnerability ID : CVE-2024-1925

First published on : 27-02-2024 17:15:11
Last modified on : 27-02-2024 17:15:11

Description :
A vulnerability was found in Ctcms 2.1.2. It has been declared as critical. This vulnerability affects unknown code of the file ctcms/apps/controllers/admin/Upsys.php. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254860.

CVE ID : CVE-2024-1925
Source : cna@vuldb.com
CVSS Score : 5.0

References :
https://docs.qq.com/doc/DQkVmRXBlbGNPZmlL | source : cna@vuldb.com
https://vuldb.com/?ctiid.254860 | source : cna@vuldb.com
https://vuldb.com/?id.254860 | source : cna@vuldb.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2024-1918

First published on : 27-02-2024 13:15:45
Last modified on : 27-02-2024 14:19:41

Description :
A vulnerability has been found in Beijing Baichuo Smart S42 Management Platform up to 20240219 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /useratte/userattestation.php. The manipulation of the argument hidwel leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254839. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-1918
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://github.com/Echosssy/CVE/blob/main/%E5%85%B3%E4%BA%8ESmart%20S42%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%E5%AD%98%E5%9C%A8%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E%E7%9A%84%E6%83%85%E5%86%B5%E9%80%9A%E6%8A%A5-userattestation.php.docx | source : cna@vuldb.com
https://vuldb.com/?ctiid.254839 | source : cna@vuldb.com
https://vuldb.com/?id.254839 | source : cna@vuldb.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2024-1921

First published on : 27-02-2024 15:15:07
Last modified on : 27-02-2024 15:15:07

Description :
A vulnerability, which was classified as critical, was found in osuuu LightPicture up to 1.2.2. Affected is an unknown function of the file /app/controller/Setup.php. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254856.

CVE ID : CVE-2024-1921
Source : cna@vuldb.com
CVSS Score : 4.7

References :
https://note.zhaoj.in/share/FeCRflSHPLbj | source : cna@vuldb.com
https://vuldb.com/?ctiid.254856 | source : cna@vuldb.com
https://vuldb.com/?id.254856 | source : cna@vuldb.com

Vulnerability : CWE-434


Source : acronis.com

Vulnerability ID : CVE-2023-48682

First published on : 27-02-2024 17:15:11
Last modified on : 27-02-2024 17:15:11

Description :
Stored cross-site scripting (XSS) vulnerability in unit name. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 37391.

CVE ID : CVE-2023-48682
Source : security@acronis.com
CVSS Score : 6.1

References :
https://security-advisory.acronis.com/advisories/SEC-5901 | source : security@acronis.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-48678

First published on : 27-02-2024 17:15:10
Last modified on : 27-02-2024 17:15:10

Description :
Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 37391.

CVE ID : CVE-2023-48678
Source : security@acronis.com
CVSS Score : 5.5

References :
https://security-advisory.acronis.com/advisories/SEC-2319 | source : security@acronis.com

Vulnerability : CWE-276


Source : yd.MitsubishiElectric.co.jp

Vulnerability ID : CVE-2023-7033

First published on : 27-02-2024 04:15:06
Last modified on : 27-02-2024 14:20:06

Description :
Insufficient Resource Pool vulnerability in Ethernet function of Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules allows a remote attacker to cause a temporary Denial of Service condition for a certain period of time in Ethernet communication of the products by performing TCP SYN Flood attack.

CVE ID : CVE-2023-7033
Source : Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
CVSS Score : 5.3

References :
https://jvn.jp/vu/JVNVU96145466/index.html | source : Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-023_en.pdf | source : Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp

Vulnerability : CWE-410


Source : github.com

Vulnerability ID : CVE-2024-26144

First published on : 27-02-2024 16:15:46
Last modified on : 27-02-2024 16:15:46

Description :
Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

CVE ID : CVE-2024-26144
Source : security-advisories@github.com
CVSS Score : 5.3

References :
https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945 | source : security-advisories@github.com
https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433 | source : security-advisories@github.com
https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3 | source : security-advisories@github.com
https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g | source : security-advisories@github.com
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml | source : security-advisories@github.com

Vulnerability : CWE-200


(5) LOW VULNERABILITIES [0.1, 3.9]

Source : vuldb.com

Vulnerability ID : CVE-2024-1919

First published on : 27-02-2024 14:15:27
Last modified on : 27-02-2024 14:19:41

Description :
A vulnerability classified as problematic was found in SourceCodester Online Job Portal 1.0. This vulnerability affects unknown code of the file /Employer/ManageWalkin.php of the component Manage Walkin Page. The manipulation of the argument Job Title leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-254854 is the identifier assigned to this vulnerability.

CVE ID : CVE-2024-1919
Source : cna@vuldb.com
CVSS Score : 3.5

References :
https://prnt.sc/1W0g0F8vv2mw | source : cna@vuldb.com
https://vuldb.com/?ctiid.254854 | source : cna@vuldb.com
https://vuldb.com/?id.254854 | source : cna@vuldb.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-1922

First published on : 27-02-2024 16:15:45
Last modified on : 27-02-2024 16:15:45

Description :
A vulnerability has been found in SourceCodester Online Job Portal 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /Employer/ManageJob.php of the component Manage Job Page. The manipulation of the argument Qualification/Description leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254857 was assigned to this vulnerability.

CVE ID : CVE-2024-1922
Source : cna@vuldb.com
CVSS Score : 3.5

References :
https://prnt.sc/WD3nof5FsEBv | source : cna@vuldb.com
https://prnt.sc/zw3SnPnfpKGu | source : cna@vuldb.com
https://vuldb.com/?ctiid.254857 | source : cna@vuldb.com
https://vuldb.com/?id.254857 | source : cna@vuldb.com

Vulnerability : CWE-79


Source : acronis.com

Vulnerability ID : CVE-2023-48680

First published on : 27-02-2024 17:15:10
Last modified on : 27-02-2024 17:15:10

Description :
Sensitive information disclosure due to excessive collection of system information. The following products are affected: Acronis Cyber Protect 16 (macOS, Windows) before build 37391.

CVE ID : CVE-2023-48680
Source : security@acronis.com
CVSS Score : 3.3

References :
https://security-advisory.acronis.com/advisories/SEC-5392 | source : security@acronis.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2023-48679

First published on : 27-02-2024 17:15:10
Last modified on : 27-02-2024 17:15:10

Description :
Stored cross-site scripting (XSS) vulnerability due to missing origin validation in postMessage. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 37391.

CVE ID : CVE-2023-48679
Source : security@acronis.com
CVSS Score : 3.1

References :
https://security-advisory.acronis.com/advisories/SEC-3469 | source : security@acronis.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-48681

First published on : 27-02-2024 17:15:10
Last modified on : 27-02-2024 17:15:10

Description :
Self cross-site scripting (XSS) vulnerability in storage nodes search field. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 37391.

CVE ID : CVE-2023-48681
Source : security@acronis.com
CVSS Score : 1.9

References :
https://security-advisory.acronis.com/advisories/SEC-5900 | source : security@acronis.com

Vulnerability : CWE-79


(118) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : mitre.org

Vulnerability ID : CVE-2024-24721

First published on : 27-02-2024 00:15:06
Last modified on : 27-02-2024 14:20:06

Description :
An issue was discovered on Innovaphone PBX before 14r1 devices. The password form, used to authenticate, allows a Brute Force Attack through which an attacker may be able to access the administration panel.

CVE ID : CVE-2024-24721
Source : cve@mitre.org
CVSS Score : /

References :
https://excellium-services.com/cert-xlm-advisory/CVE-2024-24721 | source : cve@mitre.org


Vulnerability ID : CVE-2024-22543

First published on : 27-02-2024 01:15:06
Last modified on : 27-02-2024 14:20:06

Description :
An issue was discovered in Linksys Router E1700 1.0.04 (build 3), allows authenticated attackers to escalate privileges via a crafted GET request to the /goform/* URI or via the ExportSettings function.

CVE ID : CVE-2024-22543
Source : cve@mitre.org
CVSS Score : /

References :
https://mat4mee.notion.site/Leaked-SessionID-can-lead-to-authentication-bypass-on-the-Linksys-Router-E1700-f56f9c4b15e7443fa237bd1b101a18d2 | source : cve@mitre.org


Vulnerability ID : CVE-2024-22544

First published on : 27-02-2024 01:15:07
Last modified on : 27-02-2024 14:20:06

Description :
An issue was discovered in Linksys Router E1700 version 1.0.04 (build 3), allows authenticated attackers to execute arbitrary code via the setDateTime function.

CVE ID : CVE-2024-22544
Source : cve@mitre.org
CVSS Score : /

References :
https://mat4mee.notion.site/Remote-Code-Execution-RCE-on-the-Linksys-Router-E1700-765c9bbf6a7f4171b670bc778bf9b005 | source : cve@mitre.org


Vulnerability ID : CVE-2024-24720

First published on : 27-02-2024 01:15:07
Last modified on : 27-02-2024 14:20:06

Description :
An issue was discovered on Innovaphone PBX before 14r1 devices. It provides different responses to incoming requests in a way that reveals information to an attacker.

CVE ID : CVE-2024-24720
Source : cve@mitre.org
CVSS Score : /

References :
https://excellium-services.com/cert-xlm-advisory/CVE-2024-24720 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25166

First published on : 27-02-2024 01:15:07
Last modified on : 27-02-2024 14:20:06

Description :
Cross Site Scripting vulnerability in 71CMS v.1.0.0 allows a remote attacker to execute arbitrary code via the uploadfile action parameter in the controller.php file.

CVE ID : CVE-2024-25166
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/xiaocheng-keji/71cms/issues/1 | source : cve@mitre.org


Vulnerability ID : CVE-2024-27356

First published on : 27-02-2024 01:15:07
Last modified on : 27-02-2024 14:20:06

Description :
An issue was discovered on certain GL-iNet devices. Attackers can download files such as logs via commands, potentially obtaining critical user information. This affects MT6000 4.5.5, XE3000 4.4.4, X3000 4.4.5, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, XE300 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-v2 4.3.10, X300B 3.217, S1300 3.216, SF1200 3.216, MV1000 3.216, N300 3.216, B2200 3.216, and X1200 3.203.

CVE ID : CVE-2024-27356
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.md | source : cve@mitre.org
https://gl-inet.com | source : cve@mitre.org


Vulnerability ID : CVE-2023-41506

First published on : 27-02-2024 02:15:06
Last modified on : 27-02-2024 14:20:06

Description :
An arbitrary file upload vulnerability in the Update/Edit Student's Profile Picture function of Student Enrollment In PHP v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.

CVE ID : CVE-2023-41506
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/ASR511-OO7/CVE-2023-41506/blob/main/CVE-23 | source : cve@mitre.org


Vulnerability ID : CVE-2024-22917

First published on : 27-02-2024 02:15:06
Last modified on : 27-02-2024 14:20:06

Description :
SQL injection vulnerability in Dynamic Lab Management System Project in PHP v.1.0 allows a remote attacker to execute arbitrary code via a crafted script.

CVE ID : CVE-2024-22917
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/ASR511-OO7/CVE-2024-22917/blob/main/CVE-22 | source : cve@mitre.org


Vulnerability ID : CVE-2024-24095

First published on : 27-02-2024 02:15:06
Last modified on : 27-02-2024 14:20:06

Description :
Code-projects Simple Stock System 1.0 is vulnerable to SQL Injection.

CVE ID : CVE-2024-24095
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/ASR511-OO7/CVE-2024-24095/blob/main/CVE-21 | source : cve@mitre.org


Vulnerability ID : CVE-2024-24096

First published on : 27-02-2024 02:15:06
Last modified on : 27-02-2024 14:20:06

Description :
Code-projects Computer Book Store 1.0 is vulnerable to SQL Injection via BookSBIN.

CVE ID : CVE-2024-24096
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/ASR511-OO7/CVE-2024-24096/blob/main/CVE-20 | source : cve@mitre.org


Vulnerability ID : CVE-2024-24099

First published on : 27-02-2024 02:15:06
Last modified on : 27-02-2024 14:20:06

Description :
Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection under Employment Status Information Update.

CVE ID : CVE-2024-24099
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/ASR511-OO7/CVE-2024-24099/blob/main/CVE-19 | source : cve@mitre.org


Vulnerability ID : CVE-2024-24100

First published on : 27-02-2024 02:15:06
Last modified on : 27-02-2024 14:20:06

Description :
Code-projects Computer Book Store 1.0 is vulnerable to SQL Injection via PublisherID.

CVE ID : CVE-2024-24100
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/ASR511-OO7/CVE-2024-24100/blob/main/CVE-18 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25711

First published on : 27-02-2024 02:15:06
Last modified on : 27-02-2024 14:20:06

Description :
diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.

CVE ID : CVE-2024-25711
Source : cve@mitre.org
CVSS Score : /

References :
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUNBANAWD6TZH2NRRV4YUIAXEHLUJQ47/ | source : cve@mitre.org
https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/dfed769904c27d66a14a5903823d9c8c5aae860e | source : cve@mitre.org
https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25723

First published on : 27-02-2024 15:15:07
Last modified on : 27-02-2024 16:15:46

Description :
ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body. These are also patched versions: 0.44.4, 0.43.1, and 0.42.2.

CVE ID : CVE-2024-25723
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/zenml-io/zenml | source : cve@mitre.org
https://github.com/zenml-io/zenml/compare/0.42.1...0.42.2 | source : cve@mitre.org
https://github.com/zenml-io/zenml/compare/0.43.0...0.43.1 | source : cve@mitre.org
https://github.com/zenml-io/zenml/compare/0.44.3...0.44.4 | source : cve@mitre.org
https://www.zenml.io/blog/critical-security-update-for-zenml-users | source : cve@mitre.org


Vulnerability ID : CVE-2024-27507

First published on : 27-02-2024 15:15:07
Last modified on : 27-02-2024 15:15:07

Description :
libLAS 1.8.1 contains a memory leak vulnerability in /libLAS/apps/ts2las.cpp.

CVE ID : CVE-2024-27507
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/LuMingYinDetect/libLAS_defects/blob/main/libLAS_detect_1.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-25398

First published on : 27-02-2024 16:15:46
Last modified on : 27-02-2024 16:15:46

Description :
In Srelay (the SOCKS proxy and Relay) v.0.4.8p3, a specially crafted network payload can trigger a denial of service condition and disrupt the service.

CVE ID : CVE-2024-25398
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/Nivedita-22/SRELAY-exploit-writeup/blob/main/Srelay.md | source : cve@mitre.org
https://sourceforge.net/projects/socks-relay/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-25399

First published on : 27-02-2024 16:15:46
Last modified on : 27-02-2024 16:15:46

Description :
Subrion CMS 4.2.1 is vulnerable to Cross Site Scripting (XSS) via adminer.php.

CVE ID : CVE-2024-25399
Source : cve@mitre.org
CVSS Score : /

References :
https://cwe.mitre.org/data/definitions/79 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25400

First published on : 27-02-2024 16:15:46
Last modified on : 27-02-2024 16:15:46

Description :
Subrion CMS 4.2.1 is vulnerable to SQL Injection via ia.core.mysqli.php.

CVE ID : CVE-2024-25400
Source : cve@mitre.org
CVSS Score : /

References :
https://cwe.mitre.org/data/definitions/89.html | source : cve@mitre.org
https://github.com/intelliants/subrion/issues/910 | source : cve@mitre.org
https://subrion.org/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-26464

First published on : 27-02-2024 16:15:47
Last modified on : 27-02-2024 16:15:47

Description :
net-snmp 5.9.4 contains a memory leak vulnerability in /net-snmp/apps/snmpvacm.c.

CVE ID : CVE-2024-26464
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/LuMingYinDetect/net-snmp_defects/blob/main/net-snmp_detect_1.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-27508

First published on : 27-02-2024 16:15:47
Last modified on : 27-02-2024 16:15:47

Description :
Atheme 7.2.12 contains a memory leak vulnerability in /atheme/src/crypto-benchmark/main.c.

CVE ID : CVE-2024-27508
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/LuMingYinDetect/Atheme_defects/blob/main/Atheme_detect_1.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-24323

First published on : 27-02-2024 17:15:12
Last modified on : 27-02-2024 17:15:12

Description :
SQL injection vulnerability in linlinjava litemall v.1.8.0 allows a remote attacker to obtain sensitive information via the nickname, consignee, orderSN, orderStatusArray parameters of the AdminOrdercontroller.java component.

CVE ID : CVE-2024-24323
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/lousix/exp/blob/main/CVE-2024-24323/CVE-2024-24323.md | source : cve@mitre.org


Vulnerability ID : CVE-2024-25840

First published on : 27-02-2024 17:15:12
Last modified on : 27-02-2024 17:15:12

Description :
In the module "Account Manager | Sales Representative & Dealers | CRM" (prestasalesmanager) up to 9.0 from Presta World for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack.

CVE ID : CVE-2024-25840
Source : cve@mitre.org
CVSS Score : /

References :
https://addons.prestashop.com/en/third-party-data-integrations-crm-erp/90816-account-manager-sales-representative-dealers-crm.html | source : cve@mitre.org
https://security.friendsofpresta.org/modules/2024/02/27/prestasalesmanager.html | source : cve@mitre.org


Vulnerability ID : CVE-2024-25841

First published on : 27-02-2024 17:15:12
Last modified on : 27-02-2024 17:15:12

Description :
In the module "So Flexibilite" (soflexibilite) from Common-Services for PrestaShop < 4.1.26, a guest (authenticated customer) can perform Cross Site Scripting (XSS) injection.

CVE ID : CVE-2024-25841
Source : cve@mitre.org
CVSS Score : /

References :
https://addons.prestashop.com/fr/transporteurs/2704-colissimo-domicile-et-points-de-retrait.html | source : cve@mitre.org
https://security.friendsofpresta.org/modules/2024/02/27/soflexibilite.html | source : cve@mitre.org


Vulnerability ID : CVE-2024-25843

First published on : 27-02-2024 17:15:12
Last modified on : 27-02-2024 17:15:12

Description :
In the module "Import/Update Bulk Product from any Csv/Excel File Pro" (ba_importer) up to version 1.1.28 from Buy Addons for PrestaShop, a guest can perform SQL injection in affected versions.

CVE ID : CVE-2024-25843
Source : cve@mitre.org
CVSS Score : /

References :
https://addons.prestashop.com/en/data-import-export/20579-import-update-bulk-product-from-any-csv-excel-file-pro.html | source : cve@mitre.org
https://security.friendsofpresta.org/modules/2024/02/27/ba_importer.html | source : cve@mitre.org


Vulnerability ID : CVE-2024-25846

First published on : 27-02-2024 17:15:12
Last modified on : 27-02-2024 17:15:12

Description :
In the module "Product Catalog (CSV, Excel) Import" (simpleimportproduct) <= 6.7.0 from MyPrestaModules for PrestaShop, a guest can upload files with extensions .php.

CVE ID : CVE-2024-25846
Source : cve@mitre.org
CVSS Score : /

References :
https://addons.prestashop.com/fr/import-export-de-donnees/19091-catalogue-de-produits-csv-excel-dimportation.html | source : cve@mitre.org
https://security.friendsofpresta.org/modules/2024/02/27/simpleimportproduct.html | source : cve@mitre.org


Vulnerability ID : CVE-2024-24027

First published on : 27-02-2024 21:15:47
Last modified on : 27-02-2024 21:15:47

Description :
SQL Injection vulnerability in Likeshop before 2.5.7 allows attackers to run arbitrary SQL commands via the function DistributionMemberLogic::getFansLists.

CVE ID : CVE-2024-24027
Source : cve@mitre.org
CVSS Score : /

References :
https://samyueru.substack.com/p/cve-2024-24027-sql-injection-trong-likeshop | source : cve@mitre.org


Vulnerability ID : CVE-2024-26542

First published on : 27-02-2024 22:15:15
Last modified on : 27-02-2024 22:15:15

Description :
Cross Site Scripting vulnerability in Bonitasoft, S.A v.7.14. and fixed in v.9.0.2, 8.0.3, 7.15.7, 7.14.8 allows attackers to execute arbitrary code via a crafted payload to the Groups Display name field.

CVE ID : CVE-2024-26542
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/c0d3x27/CVEs/blob/main/CVE-2024-26542/README.md | source : cve@mitre.org


Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Vulnerability ID : CVE-2021-46907

First published on : 27-02-2024 07:15:06
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: KVM: VMX: Don't use vcpu->run->internal.ndata as an array index __vmx_handle_exit() uses vcpu->run->internal.ndata as an index for an array access. Since vcpu->run is (can be) mapped to a user address space with a writer permission, the 'ndata' could be updated by the user process at anytime (the user process can set it to outside the bounds of the array). So, it is not safe that __vmx_handle_exit() uses the 'ndata' that way.

CVE ID : CVE-2021-46907
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/04c4f2ee3f68c9a4bf1653d15f1a9a435ae33f7a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7f64753835a78c7d2cc2932a5808ef3b7fd4c050 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ce541d7b59566a0d94c7c99bfb5d34b050e6af70 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46908

First published on : 27-02-2024 07:15:06
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: bpf: Use correct permission flag for mixed signed bounds arithmetic We forbid adding unknown scalars with mixed signed bounds due to the spectre v1 masking mitigation. Hence this also needs bypass_spec_v1 flag instead of allow_ptr_leaks.

CVE ID : CVE-2021-46908
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/4ccdc6c6cae38b91c871293fb0ed8c6845a61b51 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4f3ff11204eac0ee23acf64deecb3bad7b0db0c6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9601148392520e2e134936e76788fc2a6371e7be | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46909

First published on : 27-02-2024 07:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: ARM: footbridge: fix PCI interrupt mapping Since commit 30fdfb929e82 ("PCI: Add a call to pci_assign_irq() in pci_device_probe()"), the PCI code will call the IRQ mapping function whenever a PCI driver is probed. If these are marked as __init, this causes an oops if a PCI driver is loaded or bound after the kernel has initialised.

CVE ID : CVE-2021-46909
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1fc087fdb98d556b416c82ed6e3964a30885f47a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2643da6aa57920d9159a1a579fb04f89a2b0d29a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/30e3b4f256b4e366a61658c294f6a21b8626dda7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/532747fd5c7aaa17ee5cf79f3e947c31eb0e35cf | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/871b569a3e67f570df9f5ba195444dc7c621293b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c3efce8cc9807339633ee30e39882f4c8626ee1d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46910

First published on : 27-02-2024 07:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: ARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled The debugging code for kmap_local() doubles the number of per-CPU fixmap slots allocated for kmap_local(), in order to use half of them as guard regions. This causes the fixmap region to grow downwards beyond the start of its reserved window if the supported number of CPUs is large, and collide with the newly added virtual DT mapping right below it, which is obviously not good. One manifestation of this is EFI boot on a kernel built with NR_CPUS=32 and CONFIG_DEBUG_KMAP_LOCAL=y, which may pass the FDT in highmem, resulting in block entries below the fixmap region that the fixmap code misidentifies as fixmap table entries, and subsequently tries to dereference using a phys-to-virt translation that is only valid for lowmem. This results in a cryptic splat such as the one below. ftrace: allocating 45548 entries in 89 pages 8<--- cut here --- Unable to handle kernel paging request at virtual address fc6006f0 pgd = (ptrval) [fc6006f0] *pgd=80000040207003, *pmd=00000000 Internal error: Oops: a06 [#1] SMP ARM Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 5.11.0+ #382 Hardware name: Generic DT based system PC is at cpu_ca15_set_pte_ext+0x24/0x30 LR is at __set_fixmap+0xe4/0x118 pc : [<c041ac9c>] lr : [<c04189d8>] psr: 400000d3 sp : c1601ed8 ip : 00400000 fp : 00800000 r10: 0000071f r9 : 00421000 r8 : 00c00000 r7 : 00c00000 r6 : 0000071f r5 : ffade000 r4 : 4040171f r3 : 00c00000 r2 : 4040171f r1 : c041ac78 r0 : fc6006f0 Flags: nZcv IRQs off FIQs off Mode SVC_32 ISA ARM Segment none Control: 30c5387d Table: 40203000 DAC: 00000001 Process swapper (pid: 0, stack limit = 0x(ptrval)) So let's limit CONFIG_NR_CPUS to 16 when CONFIG_DEBUG_KMAP_LOCAL=y. Also, fix the BUILD_BUG_ON() check that was supposed to catch this, by checking whether the region grows below the start address rather than above the end address.

CVE ID : CVE-2021-46910
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/5965ac11b1d5fcb38464728931649cd9df79c7c9 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d624833f5984d484c5e3196f34b926f9e71dafee | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46911

First published on : 27-02-2024 07:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: ch_ktls: Fix kernel panic Taking page refcount is not ideal and causes kernel panic sometimes. It's better to take tx_ctx lock for the complete skb transmit, to avoid page cleanup if ACK received in middle.

CVE ID : CVE-2021-46911
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1a73e427b824133940c2dd95ebe26b6dce1cbf10 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8348665d4181c68b0ca1205b48e1753d78bc810f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8d5a9dbd2116a852f8f0f91f6fbc42a0afe1091f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46912

First published on : 27-02-2024 07:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: net: Make tcp_allowed_congestion_control readonly in non-init netns Currently, tcp_allowed_congestion_control is global and writable; writing to it in any net namespace will leak into all other net namespaces. tcp_available_congestion_control and tcp_allowed_congestion_control are the only sysctls in ipv4_net_table (the per-netns sysctl table) with a NULL data pointer; their handlers (proc_tcp_available_congestion_control and proc_allowed_congestion_control) have no other way of referencing a struct net. Thus, they operate globally. Because ipv4_net_table does not use designated initializers, there is no easy way to fix up this one "bad" table entry. However, the data pointer updating logic shouldn't be applied to NULL pointers anyway, so we instead force these entries to be read-only. These sysctls used to exist in ipv4_table (init-net only), but they were moved to the per-net ipv4_net_table, presumably without realizing that tcp_allowed_congestion_control was writable and thus introduced a leak. Because the intent of that commit was only to know (i.e. read) "which congestion algorithms are available or allowed", this read-only solution should be sufficient. The logic added in recent commit 31c4d2f160eb: ("net: Ensure net namespace isolation of sysctls") does not and cannot check for NULL data pointers, because other table entries (e.g. /proc/sys/net/netfilter/nf_log/) have .data=NULL but use other methods (.extra2) to access the struct net.

CVE ID : CVE-2021-46912
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1ccdf1bed140820240e383ba0accc474ffc7f006 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/35d7491e2f77ce480097cabcaf93ed409e916e12 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/97684f0970f6e112926de631fdd98d9693c7e5c1 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46913

First published on : 27-02-2024 07:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: clone set element expression template memcpy() breaks when using connlimit in set elements. Use nft_expr_clone() to initialize the connlimit expression list, otherwise connlimit garbage collector crashes when walking on the list head copy. [ 493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables] [ 493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount] [ 493.064694] Code: 2b 43 40 83 f8 01 77 0d 48 c7 c0 f5 ff ff ff 44 39 63 3c 75 df 83 6d 18 01 48 8b 43 08 48 89 de 48 8b 13 48 8b 3d ee 2f 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 03 48 83 [ 493.064699] RSP: 0018:ffffc90000417dc0 EFLAGS: 00010297 [ 493.064704] RAX: 0000000000000000 RBX: ffff888134f38410 RCX: 0000000000000000 [ 493.064708] RDX: 0000000000000000 RSI: ffff888134f38410 RDI: ffff888100060cc0 [ 493.064711] RBP: ffff88812ce594a8 R08: ffff888134f38438 R09: 00000000ebb9025c [ 493.064714] R10: ffffffff8219f838 R11: 0000000000000017 R12: 0000000000000001 [ 493.064718] R13: ffffffff82146740 R14: ffff888134f38410 R15: 0000000000000000 [ 493.064721] FS: 0000000000000000(0000) GS:ffff88840e440000(0000) knlGS:0000000000000000 [ 493.064725] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 493.064729] CR2: 0000000000000008 CR3: 00000001330aa002 CR4: 00000000001706e0 [ 493.064733] Call Trace: [ 493.064737] nf_conncount_gc_list+0x8f/0x150 [nf_conncount] [ 493.064746] nft_rhash_gc+0x106/0x390 [nf_tables]

CVE ID : CVE-2021-46913
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/47d8de3c226574a3ddb8b87d0c152028d1bafef4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4d8f9065830e526c83199186c5f56a6514f457d2 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e51ff3ffc316377cca21de8b80404eed0c37b3c3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46914

First published on : 27-02-2024 07:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: ixgbe: fix unbalanced device enable/disable in suspend/resume

pci_disable_device() called in __ixgbe_shutdown() decreases dev->enable_cnt by 1. pci_enable_device_mem() which increases dev->enable_cnt by 1, was removed from ixgbe_resume() in commit 6f82b2558735 ("ixgbe: use generic power management"). This caused unbalanced increase/decrease. So add pci_enable_device_mem() back.

Fix the following call trace.

ixgbe 0000:17:00.1: disabling already-disabled device
Call Trace:
__ixgbe_shutdown+0x10a/0x1e0 [ixgbe]
ixgbe_suspend+0x32/0x70 [ixgbe]
pci_pm_suspend+0x87/0x160
? pci_pm_freeze+0xd0/0xd0
dpm_run_callback+0x42/0x170
__device_suspend+0x114/0x460
async_suspend+0x1f/0xa0
async_run_entry_fn+0x3c/0xf0
process_one_work+0x1dd/0x410
worker_thread+0x34/0x3f0
? cancel_delayed_work+0x90/0x90
kthread+0x14c/0x170
? kthread_park+0x90/0x90
ret_from_fork+0x1f/0x30

CVE ID : CVE-2021-46914
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/be07581aacae7cd0a073afae8e8862032f794309 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/debb9df311582c83fe369baa35fa4b92e8a9c58a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f1b4be4a753caa4056496f679d70550d0c11a264 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46915

First published on : 27-02-2024 07:15:08
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: avoid possible divide error in nft_limit_init

div_u64() divides u64 by u32. nft_limit_init() wants to divide u64 by u64, use the appropriate math function (div64_u64)

divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:div_u64_rem include/linux/math64.h:28 [inline]
RIP: 0010:div_u64 include/linux/math64.h:127 [inline]
RIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85
Call Trace:
nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline]
nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713
nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160
nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321
nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]
nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598
netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
sock_sendmsg_nosec net/socket.c:654 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:674
____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
___sys_sendmsg+0xf3/0x170 net/socket.c:2404
__sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xae

CVE ID : CVE-2021-46915
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/01fb1626b620cb37a65ad08e0f626489e8f042ef | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/1bb3ee4259936cc3b2d80a4a480bbb4868575071 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9065ccb9ec92c5120e7e97958397ebdb454f23d6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b895bdf5d643b6feb7c60856326dd4feb6981560 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/dc1732baa9da5b68621586bf8636ebbc27dc62d2 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/fadd3c4afdf3d4c21f4d138502f8b76334987e26 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46916

First published on : 27-02-2024 07:15:08
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: ixgbe: Fix NULL pointer dereference in ethtool loopback test The ixgbe driver currently generates a NULL pointer dereference when performing the ethtool loopback test. This is due to the fact that there isn't a q_vector associated with the test ring when it is setup as interrupts are not normally added to the test rings. To address this I have added code that will check for a q_vector before returning a napi_id value. If a q_vector is not present it will return a value of 0.

CVE ID : CVE-2021-46916
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/31166efb1cee348eb6314e9c0095d84cbeb66b9d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/758d19098df4b0bbca9f40d6ae6c82c9c18b9bba | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46917

First published on : 27-02-2024 07:15:08
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix wq cleanup of WQCFG registers A pre-release silicon erratum workaround where wq reset does not clear WQCFG registers was leaked into upstream code. Use wq reset command instead of blasting the MMIO region. This also addresses an issue where we clobber registers in future devices.

CVE ID : CVE-2021-46917
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/e5eb9757fe4c2392e069246ae78badc573af1833 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ea9aadc06a9f10ad20a90edc0a484f1147d88a7a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f7dc8f5619165e1fa3383d0c2519f502d9e2a1a9 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46918

First published on : 27-02-2024 07:15:08
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: clear MSIX permission entry on shutdown Add disabling/clearing of MSIX permission entries on device shutdown to mirror the enabling of the MSIX entries on probe. Current code left the MSIX enabled and the pasid entries still programmed at device shutdown.

CVE ID : CVE-2021-46918
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/6df0e6c57dfc064af330071f372f11aa8c584997 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c84b8982d7aa9b4717dc36a1c6cbc93ee153b500 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46919

First published on : 27-02-2024 07:15:08
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix wq size store permission state WQ size can only be changed when the device is disabled. Current code allows change when device is enabled but wq is disabled. Change the check to detect device state.

CVE ID : CVE-2021-46919
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/05b7791c4c4aa8304368fdc55ae911f6b34e7281 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/0fff71c5a311e1264988179f7dcc217fda15fadd | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4ecf25595273203010bc8318c4aee60ad64037ae | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46920

First published on : 27-02-2024 07:15:08
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback Current code blindly writes over the SWERR and the OVERFLOW bits. Write back the bits actually read instead so the driver avoids clobbering the OVERFLOW bit that comes after the register is read.

CVE ID : CVE-2021-46920
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/02981a44a0e402089775416371bd2e0c935685f8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a5ad12d5d69c63af289a37f05187a0c6fe93553d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ea941ac294d75d0ace50797aebf0056f6f8f7a7f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46921

First published on : 27-02-2024 10:15:06
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: locking/qrwlock: Fix ordering in queued_write_lock_slowpath()

While this code is executed with the wait_lock held, a reader can acquire the lock without holding wait_lock. The writer side loops checking the value with the atomic_cond_read_acquire(), but only truly acquires the lock when the compare-and-exchange is completed successfully which isn't ordered. This exposes the window between the acquire and the cmpxchg to an A-B-A problem which allows reads following the lock acquisition to observe values speculatively before the write lock is truly acquired.

We've seen a problem in epoll where the reader does a xchg while holding the read lock, but the writer can see a value change out from under it.

Writer                               | Reader
--------------------------------------------------------------------------------
ep_scan_ready_list()                 |
|- write_lock_irq()                  |
   |- queued_write_lock_slowpath()   |
      |- atomic_cond_read_acquire()  |
                                     | read_lock_irqsave(&ep->lock, flags);
   --> (observes value before unlock)| chain_epi_lockless()
   |                                 |   epi->next = xchg(&ep->ovflist, epi);
   |                                 | read_unlock_irqrestore(&ep->lock, flags);
   |                                 |
   |   atomic_cmpxchg_relaxed()      |
   |-- READ_ONCE(ep->ovflist);       |

A core can order the read of the ovflist ahead of the atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire semantics addresses this issue at which point the atomic_cond_read can be switched to use relaxed semantics.

[peterz: use try_cmpxchg()]

CVE ID : CVE-2021-46921
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/5902f9453a313be8fe78cbd7e7ca9dba9319fc6e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/82808cc026811fbc3ecf0c0b267a12a339eead56 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/82fa9ced35d88581cffa4a1c856fc41fca96d80a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d558fcdb17139728347bccc60a16af3e639649d2 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46922

First published on : 27-02-2024 10:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix TPM reservation for seal/unseal The original patch 8c657a0590de ("KEYS: trusted: Reserve TPM for seal and unseal operations") was correct on the mailing list: https://lore.kernel.org/linux-integrity/20210128235621.127925-4-jarkko@kernel.org/ But somehow got rebased so that the tpm_try_get_ops() in tpm2_seal_trusted() got lost. This causes an imbalanced put of the TPM ops and causes oopses on TIS based hardware. This fix puts back the lost tpm_try_get_ops().

CVE ID : CVE-2021-46922
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/39c8d760d44cb3fa0d67e8cd505df81cf4d80999 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bf84ef2dd2ccdcd8f2658476d34b51455f970ce4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46923

First published on : 27-02-2024 10:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: fs/mount_setattr: always cleanup mount_kattr Make sure that finish_mount_kattr() is called after mount_kattr was successfully built in both the success and failure case to prevent leaking any references we took when we built it. We returned early if path lookup failed thereby risking to leak an additional reference we took when building mount_kattr when an idmapped mount was requested.

CVE ID : CVE-2021-46923
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/012e332286e2bb9f6ac77d195f17e74b2963d663 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/47b5d0a7532d39e42a938f81e3904268145c341d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46924

First published on : 27-02-2024 10:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: NFC: st21nfca: Fix memory leak in device probe and remove

'phy->pending_skb' is allocated at device probe, but is not freed in the error handling path and remove path; this causes a memory leak as follows:

unreferenced object 0xffff88800bc06800 (size 512):
  comm "8", pid 11775, jiffies 4295159829 (age 9.032s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000d66c09ce>] __kmalloc_node_track_caller+0x1ed/0x450
    [<00000000c93382b3>] kmalloc_reserve+0x37/0xd0
    [<000000005fea522c>] __alloc_skb+0x124/0x380
    [<0000000019f29f9a>] st21nfca_hci_i2c_probe+0x170/0x8f2

Fix it by freeing 'pending_skb' in error and remove.

CVE ID : CVE-2021-46924
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1b9dadba502234eea7244879b8d5d126bfaf9f0c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/1cd4063dbc91cf7965d73a6a3855e2028cd4613b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/238920381b8925d070d32d73cd9ce52ab29896fe | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/38c3e320e7ff46f2dc67bc5045333e63d9f8918d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a1e0080a35a16ce3808f7040fe0c3a8fdb052349 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e553265ea56482da5700f56319fda9ff53e7dcb4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46925

First published on : 27-02-2024 10:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix kernel panic caused by race of smc_sock

A crash occurs when smc_cdc_tx_handler() tries to access smc_sock but smc_release() has already freed it.

[ 4570.695099] BUG: unable to handle page fault for address: 000000002eae9e88
[ 4570.696048] #PF: supervisor write access in kernel mode
[ 4570.696728] #PF: error_code(0x0002) - not-present page
[ 4570.697401] PGD 0 P4D 0
[ 4570.697716] Oops: 0002 [#1] PREEMPT SMP NOPTI
[ 4570.698228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc4+ #111
[ 4570.699013] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/0
[ 4570.699933] RIP: 0010:_raw_spin_lock+0x1a/0x30
<...>
[ 4570.711446] Call Trace:
[ 4570.711746] <IRQ>
[ 4570.711992] smc_cdc_tx_handler+0x41/0xc0
[ 4570.712470] smc_wr_tx_tasklet_fn+0x213/0x560
[ 4570.712981] ? smc_cdc_tx_dismisser+0x10/0x10
[ 4570.713489] tasklet_action_common.isra.17+0x66/0x140
[ 4570.714083] __do_softirq+0x123/0x2f4
[ 4570.714521] irq_exit_rcu+0xc4/0xf0
[ 4570.714934] common_interrupt+0xba/0xe0

Though smc_cdc_tx_handler() checked the existence of smc connection, smc_release() may have already dismissed and released the smc socket before smc_cdc_tx_handler() further visits it.

smc_cdc_tx_handler()           |smc_release()
if (!conn)                     |
                               |
                               |smc_cdc_tx_dismiss_slots()
                               |      smc_cdc_tx_dismisser()
                               |
                               |sock_put(&smc->sk) <- last sock_put,
                               |                      smc_sock freed
bh_lock_sock(&smc->sk) (panic) |

To make sure we won't receive any CDC messages after we free the smc_sock, add a refcount on the smc_connection for inflight CDC message (posted to the QP but haven't received related CQE), and don't release the smc_connection until all the inflight CDC messages have been done, for both success or failed ones.

Using refcount on CDC messages brings another problem: when the link is going to be destroyed, smcr_link_clear() will reset the QP, which then remove all the pending CQEs related to the QP in the CQ. To make sure all the CQEs will always come back so the refcount on the smc_connection can always reach 0, smc_ib_modify_qp_reset() was replaced by smc_ib_modify_qp_error().

And remove the timeout in smc_wr_tx_wait_no_pending_sends() since we need to wait for all pending WQEs done, or we may encounter use-after-free when handling CQEs.

For IB device removal routine, we need to wait for all the QPs on that device been destroyed before we can destroy CQs on the device, or the refcount on smc_connection won't reach 0 and smc_sock cannot be released.

CVE ID : CVE-2021-46925
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/349d43127dac00c15231e8ffbcaabd70f7b0e544 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b85f751d71ae8e2a15e9bda98852ea9af35282eb | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e8a5988a85c719ce7205cb00dcf0716dcf611332 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46926

First published on : 27-02-2024 10:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.

CVE ID : CVE-2021-46926
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/385f287f9853da402d94278e59f594501c1d1dad | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/cce476954401e3421afafb25bbaa926050688b1d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46927

First published on : 27-02-2024 10:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert

After commit 5b78ed24e8ec ("mm/pagemap: add mmap_assert_locked() annotations to find_vma*()"), the call to get_user_pages() will trigger the mmap assert.

static inline void mmap_assert_locked(struct mm_struct *mm)
{
        lockdep_assert_held(&mm->mmap_lock);
        VM_BUG_ON_MM(!rwsem_is_locked(&mm->mmap_lock), mm);
}

[ 62.521410] kernel BUG at include/linux/mmap_lock.h:156!
...........................................................
[ 62.538938] RIP: 0010:find_vma+0x32/0x80
...........................................................
[ 62.605889] Call Trace:
[ 62.608502] <TASK>
[ 62.610956] ? lock_timer_base+0x61/0x80
[ 62.614106] find_extend_vma+0x19/0x80
[ 62.617195] __get_user_pages+0x9b/0x6a0
[ 62.620356] __gup_longterm_locked+0x42d/0x450
[ 62.623721] ? finish_wait+0x41/0x80
[ 62.626748] ? __kmalloc+0x178/0x2f0
[ 62.629768] ne_set_user_memory_region_ioctl.isra.0+0x225/0x6a0 [nitro_enclaves]
[ 62.635776] ne_enclave_ioctl+0x1cf/0x6d7 [nitro_enclaves]
[ 62.639541] __x64_sys_ioctl+0x82/0xb0
[ 62.642620] do_syscall_64+0x3b/0x90
[ 62.645642] entry_SYSCALL_64_after_hwframe+0x44/0xae

Use get_user_pages_unlocked() when setting the enclave memory regions. That's a similar pattern as mmap_read_lock() used together with get_user_pages().

CVE ID : CVE-2021-46927
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/3a0152b219523227c2a62a0a122cf99608287176 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/90d2beed5e753805c5eab656b8d48257638fe543 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46928

First published on : 27-02-2024 10:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: parisc: Clear stale IIR value on instruction access rights trap When a trap 7 (Instruction access rights) occurs, this means the CPU couldn't execute an instruction due to missing execute permissions on the memory region. In this case it seems the CPU didn't even fetch the instruction from memory and thus did not store it in the cr19 (IIR) register before calling the trap handler. So, the trap handler will find some random old stale value in cr19. This patch simply overwrites the stale IIR value with a constant magic "bad food" value (0xbaadf00d), in the hope people don't start to try to understand the various random IIR values in trap 7 dumps.

CVE ID : CVE-2021-46928
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/484730e5862f6b872dca13840bed40fd7c60fa26 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d01e9ce1af6116f812491d3d3873d204f10ae0b8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e96373f0a5f484bc1e193f9951dcb3adf24bf3f7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46929

First published on : 27-02-2024 10:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: sctp: use call_rcu to free endpoint

This patch is to delay the endpoint free by calling call_rcu() to fix another use-after-free issue in sctp_sock_dump():

BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20
Call Trace:
__lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218
lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
spin_lock_bh include/linux/spinlock.h:334 [inline]
__lock_sock+0x203/0x350 net/core/sock.c:2253
lock_sock_nested+0xfe/0x120 net/core/sock.c:2774
lock_sock include/net/sock.h:1492 [inline]
sctp_sock_dump+0x122/0xb20 net/sctp/diag.c:324
sctp_for_each_transport+0x2b5/0x370 net/sctp/socket.c:5091
sctp_diag_dump+0x3ac/0x660 net/sctp/diag.c:527
__inet_diag_dump+0xa8/0x140 net/ipv4/inet_diag.c:1049
inet_diag_dump+0x9b/0x110 net/ipv4/inet_diag.c:1065
netlink_dump+0x606/0x1080 net/netlink/af_netlink.c:2244
__netlink_dump_start+0x59a/0x7c0 net/netlink/af_netlink.c:2352
netlink_dump_start include/linux/netlink.h:216 [inline]
inet_diag_handler_cmd+0x2ce/0x3f0 net/ipv4/inet_diag.c:1170
__sock_diag_cmd net/core/sock_diag.c:232 [inline]
sock_diag_rcv_msg+0x31d/0x410 net/core/sock_diag.c:263
netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2477
sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:274

This issue occurs when asoc is peeled off and the old sk is freed after getting it by asoc->base.sk and before calling lock_sock(sk).

To prevent the sk free, as a holder of the sk, ep should be alive when calling lock_sock(). This patch uses call_rcu() and moves sock_put and ep free into sctp_endpoint_destroy_rcu(), so that it's safe to try to hold the ep under rcu_read_lock in sctp_transport_traverse_process().

If sctp_endpoint_hold() returns true, it means this ep is still alive and we have held it and can continue to dump it; If it returns false, it means this ep is dead and can be freed after rcu_read_unlock, and we should skip it.

In sctp_sock_dump(), after locking the sk, if this ep is different from tsp->asoc->ep, it means during this dumping, this asoc was peeled off before calling lock_sock(), and the sk should be skipped; If this ep is the same with tsp->asoc->ep, it means no peeloff happens on this asoc, and due to lock_sock, no peeloff will happen either until release_sock.

Note that delaying endpoint free won't delay the port release, as the port release happens in sctp_endpoint_destroy() before calling call_rcu(). Also, freeing endpoint by call_rcu() makes it safe to access the sk by asoc->base.sk in sctp_assocs_seq_show() and sctp_rcv().

Thanks Jones to bring this issue up.

v1->v2:
- improve the changelog.
- add kfree(ep) into sctp_endpoint_destroy_rcu(), as Jakub noticed.

CVE ID : CVE-2021-46929
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/5ec7d18d1813a5bead0b495045606c93873aecbb | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/75799e71df1da11394740b43ae5686646179561d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/769d14abd35e0e153b5149c3e1e989a9d719e3ff | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/831de271452b87657fcf8d715ee20519b79caef5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8873140f95d4977bf37e4cf0d5c5e3f6e34cdd3e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/af6e6e58f7ebf86b4e7201694b1e4f3a62cbc3ec | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46930

First published on : 27-02-2024 10:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: usb: mtu3: fix list_head check warning

This is caused by uninitialization of list_head.

BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4
Call trace:
dump_backtrace+0x0/0x298
show_stack+0x24/0x34
dump_stack+0x130/0x1a8
print_address_description+0x88/0x56c
__kasan_report+0x1b8/0x2a0
kasan_report+0x14/0x20
__asan_load8+0x9c/0xa0
__list_del_entry_valid+0x34/0xe4
mtu3_req_complete+0x4c/0x300 [mtu3]
mtu3_gadget_stop+0x168/0x448 [mtu3]
usb_gadget_unregister_driver+0x204/0x3a0
unregister_gadget_item+0x44/0xa4

CVE ID : CVE-2021-46930
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/249ddfbe00570d6dc76208e88017937d4d374c79 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3b6efe0b7ba03cc2acf0694b46d6ff33c5b4c295 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/585e2b244dda7ea733274e4b8fa27853d625d3bf | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8c313e3bfd9adae8d5c4ba1cc696dcbc86fbf9bf | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46931

First published on : 27-02-2024 10:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Wrap the tx reporter dump callback to extract the sq

Function mlx5e_tx_reporter_dump_sq() casts its void * argument to struct mlx5e_txqsq *, but in TX-timeout-recovery flow the argument is actually of type struct mlx5e_tx_timeout_ctx *.

mlx5_core 0000:08:00.1 enp8s0f1: TX timeout detected
mlx5_core 0000:08:00.1 enp8s0f1: TX timeout on queue: 1, SQ: 0x11ec, CQ: 0x146d, SQ Cons: 0x0 SQ Prod: 0x1, usecs since last trans: 21565000
BUG: stack guard page was hit at 0000000093f1a2de (stack is 00000000b66ea0dc..000000004d932dae)
kernel stack overflow (page fault): 0000 [#1] SMP NOPTI
CPU: 5 PID: 95 Comm: kworker/u20:1 Tainted: G W OE 5.13.0_mlnx #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: mlx5e mlx5e_tx_timeout_work [mlx5_core]
RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180 [mlx5_core]
Call Trace:
mlx5e_tx_reporter_dump+0x43/0x1c0 [mlx5_core]
devlink_health_do_dump.part.91+0x71/0xd0
devlink_health_report+0x157/0x1b0
mlx5e_reporter_tx_timeout+0xb9/0xf0 [mlx5_core]
? mlx5e_tx_reporter_err_cqe_recover+0x1d0/0x1d0 [mlx5_core]
? mlx5e_health_queue_dump+0xd0/0xd0 [mlx5_core]
? update_load_avg+0x19b/0x550
? set_next_entity+0x72/0x80
? pick_next_task_fair+0x227/0x340
? finish_task_switch+0xa2/0x280
mlx5e_tx_timeout_work+0x83/0xb0 [mlx5_core]
process_one_work+0x1de/0x3a0
worker_thread+0x2d/0x3c0
? process_one_work+0x3a0/0x3a0
kthread+0x115/0x130
? kthread_park+0x90/0x90
ret_from_fork+0x1f/0x30
--[ end trace 51ccabea504edaff ]---
RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180
PKRU: 55555554
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
end Kernel panic - not syncing: Fatal exception

To fix this bug add a wrapper for mlx5e_tx_reporter_dump_sq() which extracts the sq from struct mlx5e_tx_timeout_ctx and set it as the TX-timeout-recovery flow dump callback.

CVE ID : CVE-2021-46931
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/07f13d58a8ecc3baf9a488588fb38c5cb0db484f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/73665165b64a8f3c5b3534009a69be55bb744f05 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/918fc3855a6507a200e9cf22c20be852c0982687 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46932

First published on : 27-02-2024 10:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: Input: appletouch - initialize work before device registration Syzbot has reported warning in __flush_work(). This warning is caused by work->func == NULL, which means missing work initialization. This may happen, since input_dev->close() calls cancel_work_sync(&dev->work), but dev->work initialization happens _after_ input_register_device() call. So this patch moves dev->work initialization before registering input device.

CVE ID : CVE-2021-46932
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/292d2ac61fb0d9276a0f7b7ce4f50426f2a1c99f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/975774ea7528b489930b76a77ffc4d5379b95ff2 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9f329d0d6c91142cf0ad08d23c72dd195db2633c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9f3ccdc3f6ef10084ceb3a47df0961bec6196fd0 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a02e1404e27855089d2b0a0acc4652c2ce65fe46 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d1962f263a176f493400b8f91bfbf2bfedce951e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d2cb2bf39a6d17ef4bdc0e59c1a35cf5751ad8f4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e79ff8c68acb1eddf709d3ac84716868f2a91012 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46933

First published on : 27-02-2024 10:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. ffs_data_clear is indirectly called from both ffs_fs_kill_sb and ffs_ep0_release, so it ends up being called twice when userland closes ep0 and then unmounts f_fs. If userland provided an eventfd along with function's USB descriptors, it ends up calling eventfd_ctx_put as many times, causing a refcount underflow. NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls. Also, set epfiles to NULL right after de-allocating it, for readability. For completeness, ffs_data_clear actually ends up being called thrice, the last call being before the whole ffs structure gets freed, so when this specific sequence happens there is a second underflow happening (but not being reported):
/sys/kernel/debug/tracing# modprobe usb_f_fs
/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter
/sys/kernel/debug/tracing# echo function > current_tracer
/sys/kernel/debug/tracing# echo 1 > tracing_on
(setup gadget, run and kill function userland process, teardown gadget)
/sys/kernel/debug/tracing# echo 0 > tracing_on
/sys/kernel/debug/tracing# cat trace
smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed
smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed
smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put
Warning output corresponding to above trace:
[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c
[ 1946.293094] refcount_t: underflow; use-after-free.
[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)
[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1
[ 1946.417950] Hardware name: BCM2835
[ 1946.425442] Backtrace:
[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)
[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c
[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)
[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)
[ 1946.482067] r5:c04a948c r4:c0a71dc8
[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)
[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04
[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)
[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0
[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)
[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])
[ 1946.582664] r5:c3b84c00 r4:c2695b00
[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])
[ 1946.609608] r5:bf54d014 r4:c2695b00
[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])
[ 1946.636217] r7:c0dfcb ---truncated---

CVE ID : CVE-2021-46933
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46934

First published on : 27-02-2024 10:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: i2c: validate user data in compat ioctl Wrong user data may cause a warning in i2c_transfer(), ex: zero msgs. Userspace should not be able to trigger warnings, so this patch adds validation checks for user data in the compat ioctl to prevent the reported warnings.

CVE ID : CVE-2021-46934
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/407c8708fb1bf2d4afc5337ef50635cf540c364b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8d31cbab4c295d7010ebb729e9d02d0e9cece18f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9e4a3f47eff476097e0c7faac04d1831fc70237d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bb436283e25aaf1533ce061605d23a9564447bdf | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f68599581067e8a5a8901ba9eb270b4519690e26 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46935

First published on : 27-02-2024 10:15:07
Last modified on : 27-02-2024 14:20:06

Description :
In the Linux kernel, the following vulnerability has been resolved: binder: fix async_free_space accounting for empty parcels In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space") fixed a kernel structure visibility issue. As part of that patch, sizeof(void *) was used as the buffer size for 0-length data payloads so the driver could detect abusive clients sending 0-length asynchronous transactions to a server by enforcing limits on async_free_size. Unfortunately, on the "free" side, the accounting of async_free_space did not add the sizeof(void *) back. The result was that up to 8-bytes of async_free_space were leaked on every async transaction of 8-bytes or less. These small transactions are uncommon, so this accounting issue has gone undetected for several years. The fix is to use "buffer_size" (the allocated buffer size) instead of "size" (the logical buffer size) when updating the async_free_space during the free operation. These are the same except for this corner case of asynchronous transactions with payloads < 8 bytes.

CVE ID : CVE-2021-46935
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/103b16a8c51f96d5fe063022869ea906c256e5da | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/17691bada6b2f1d5f1c0f6d28cd9d0727023b0ff | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/1cb8444f3114f0bb2f6e3bcadcf09aa4a28425d4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2d2df539d05205fd83c404d5f2dff48d36f9b495 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7c7064402609aeb6fb11be1b4ec10673ff17b593 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/cfd0d84ba28c18b531648c9d4a35ecca89ad9901 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46936

First published on : 27-02-2024 10:15:08
Last modified on : 27-02-2024 14:19:41

Description :
In the Linux kernel, the following vulnerability has been resolved: net: fix use-after-free in tw_timer_handler A real world panic issue was found as follows in Linux 5.4.
BUG: unable to handle page fault for address: ffffde49a863de28
PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0
RIP: 0010:tw_timer_handler+0x20/0x40
Call Trace:
<IRQ>
call_timer_fn+0x2b/0x120
run_timer_softirq+0x1ef/0x450
__do_softirq+0x10d/0x2b8
irq_exit+0xc7/0xd0
smp_apic_timer_interrupt+0x68/0x120
apic_timer_interrupt+0xf/0x20
This issue was also reported since 2017 in the thread [1]; unfortunately, the issue could still be reproduced after fixing DCCP. The ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net namespace is destroyed since tcp_sk_ops is registered before ipv4_mib_ops, which means tcp_sk_ops is in front of ipv4_mib_ops in the pernet_list. There will be a use-after-free on net->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net if there are some inflight time-wait timers. This bug is not introduced by commit f2bf415cfed7 ("mib: add net to NET_ADD_STATS_BH") since the net_statistics is a global variable instead of dynamic allocation and freeing. Actually, commit 61a7e26028b9 ("mib: put net statistics on struct net") introduces the bug since it put net statistics on struct net and frees it when the net namespace is destroyed. Moving init_ipv4_mibs() to the front of tcp_init() fixes this bug, and replace pr_crit() with panic() since continuing is meaningless when init_ipv4_mibs() fails. [1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1

CVE ID : CVE-2021-46936
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/08eacbd141e2495d2fcdde84358a06c4f95cbb13 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/15579e1301f856ad9385d720c9267c11032a5022 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2386e81a1d277f540e1285565c9d41d531bb69d4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5c2fe20ad37ff56070ae0acb34152333976929b4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a8e1944b44f94f5c5f530e434c5eaee787254566 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e73164e89d1be561228a4534e1091369ee4ba41a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/fe5838c22b986c1190f1dce9aa09bf6a491c1a69 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46937

First published on : 27-02-2024 10:15:08
Last modified on : 27-02-2024 14:19:41

Description :
In the Linux kernel, the following vulnerability has been resolved: mm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()' DAMON debugfs interface increases the reference counts of 'struct pid's for targets from the 'target_ids' file write callback ('dbgfs_target_ids_write()'), but decreases the counts only in DAMON monitoring termination callback ('dbgfs_before_terminate()'). Therefore, when 'target_ids' file is repeatedly written without DAMON monitoring start/termination, the reference count is not decreased and therefore memory for the 'struct pid' cannot be freed. This commit fixes this issue by decreasing the reference counts when 'target_ids' is written.

CVE ID : CVE-2021-46937
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/ebb3f994dd92f8fb4d70c7541091216c1e10cb71 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ffe4a1ba1a82c416a6b3a09d46594f6a885ae141 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2020-36776

First published on : 27-02-2024 19:04:05
Last modified on : 27-02-2024 19:04:05

Description :
In the Linux kernel, the following vulnerability has been resolved: thermal/drivers/cpufreq_cooling: Fix slab OOB issue A slab OOB issue is scanned by KASAN in cpu_power_to_freq(). If power is limited below the power of OPP0 in the EM table, it will cause a slab out-of-bounds issue with a negative array index. Return the lowest frequency if the limited power cannot find a suitable OPP in the EM table to fix this issue.
Backtrace:
[<ffffffd02d2a37f0>] die+0x104/0x5ac
[<ffffffd02d2a5630>] bug_handler+0x64/0xd0
[<ffffffd02d288ce4>] brk_handler+0x160/0x258
[<ffffffd02d281e5c>] do_debug_exception+0x248/0x3f0
[<ffffffd02d284488>] el1_dbg+0x14/0xbc
[<ffffffd02d75d1d4>] __kasan_report+0x1dc/0x1e0
[<ffffffd02d75c2e0>] kasan_report+0x10/0x20
[<ffffffd02d75def8>] __asan_report_load8_noabort+0x18/0x28
[<ffffffd02e6fce5c>] cpufreq_power2state+0x180/0x43c
[<ffffffd02e6ead80>] power_actor_set_power+0x114/0x1d4
[<ffffffd02e6fac24>] allocate_power+0xaec/0xde0
[<ffffffd02e6f9f80>] power_allocator_throttle+0x3ec/0x5a4
[<ffffffd02e6ea888>] handle_thermal_trip+0x160/0x294
[<ffffffd02e6edd08>] thermal_zone_device_check+0xe4/0x154
[<ffffffd02d351cb4>] process_one_work+0x5e4/0xe28
[<ffffffd02d352f44>] worker_thread+0xa4c/0xfac
[<ffffffd02d360124>] kthread+0x33c/0x358
[<ffffffd02d289940>] ret_from_fork+0xc/0x18

CVE ID : CVE-2020-36776
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/34ab17cc6c2c1ac93d7e5d53bb972df9a968f085 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6bf443acf6ca4f666d0e4225614ba9993a3aa1a9 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/876a5f33e5d961d879c5436987c09b3d9ef70379 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c24a20912eef00587416628149c438e885eb1304 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2020-36777

First published on : 27-02-2024 19:04:05
Last modified on : 27-02-2024 19:04:05

Description :
In the Linux kernel, the following vulnerability has been resolved: media: dvbdev: Fix memory leak in dvb_media_device_free() dvb_media_device_free() is leaking memory. Free `dvbdev->adapter->conn` before setting it to NULL, as documented in include/media/media-device.h: "The media_entity instance itself must be freed explicitly by the driver if required."

CVE ID : CVE-2020-36777
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/06854b943e0571ccbd7ad0a529babed1a98ff275 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/32168ca1f123316848fffb85d059860adf3c409f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/43263fd43083e412311fa764cd04a727b0c6a749 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9185b3b1c143b8da409c19ac5a785aa18d67a81b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9ad15e214fcd73694ea51967d86055f47b802066 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bf9a40ae8d722f281a2721779595d6df1c33a0bf | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/cd89f79be5d553c78202f686e8e4caa5fbe94e98 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/cede24d13be6c2a62be6d7ceea63c2719b0cfa82 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46938

First published on : 27-02-2024 19:04:05
Last modified on : 27-02-2024 19:04:05

Description :
In the Linux kernel, the following vulnerability has been resolved: dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails When loading a device-mapper table for a request-based mapped device, and the allocation/initialization of the blk_mq_tag_set for the device fails, a following device remove will cause a double free. E.g. (dmesg):
device-mapper: core: Cannot initialize queue for request-based dm-mq mapped device
device-mapper: ioctl: unable to set up device queue for new table.
Unable to handle kernel pointer dereference in virtual kernel address space
Failing address: 0305e098835de000 TEID: 0305e098835de803
Fault in home space mode while using kernel ASCE.
AS:000000025efe0007 R3:0000000000000024
Oops: 0038 ilc:3 [#1] SMP
Modules linked in: ... lots of modules ...
Supported: Yes, External
CPU: 0 PID: 7348 Comm: multipathd Kdump: loaded Tainted: G W X 5.3.18-53-default #1 SLE15-SP3
Hardware name: IBM 8561 T01 7I2 (LPAR)
Krnl PSW : 0704e00180000000 000000025e368eca (kfree+0x42/0x330)
R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
Krnl GPRS: 000000000000004a 000000025efe5230 c1773200d779968d 0000000000000000
000000025e520270 000000025e8d1b40 0000000000000003 00000007aae10000
000000025e5202a2 0000000000000001 c1773200d779968d 0305e098835de640
00000007a8170000 000003ff80138650 000000025e5202a2 000003e00396faa8
Krnl Code: 000000025e368eb8: c4180041e100 lgrl %r1,25eba50b8
000000025e368ebe: ecba06b93a55 risbg %r11,%r10,6,185,58
#000000025e368ec4: e3b010000008 ag %r11,0(%r1)
>000000025e368eca: e310b0080004 lg %r1,8(%r11)
000000025e368ed0: a7110001 tmll %r1,1
000000025e368ed4: a7740129 brc 7,25e369126
000000025e368ed8: e320b0080004 lg %r2,8(%r11)
000000025e368ede: b904001b lgr %r1,%r11
Call Trace:
[<000000025e368eca>] kfree+0x42/0x330
[<000000025e5202a2>] blk_mq_free_tag_set+0x72/0xb8
[<000003ff801316a8>] dm_mq_cleanup_mapped_device+0x38/0x50 [dm_mod]
[<000003ff80120082>] free_dev+0x52/0xd0 [dm_mod]
[<000003ff801233f0>] __dm_destroy+0x150/0x1d0 [dm_mod]
[<000003ff8012bb9a>] dev_remove+0x162/0x1c0 [dm_mod]
[<000003ff8012a988>] ctl_ioctl+0x198/0x478 [dm_mod]
[<000003ff8012ac8a>] dm_ctl_ioctl+0x22/0x38 [dm_mod]
[<000000025e3b11ee>] ksys_ioctl+0xbe/0xe0
[<000000025e3b127a>] __s390x_sys_ioctl+0x2a/0x40
[<000000025e8c15ac>] system_call+0xd8/0x2c8
Last Breaking-Event-Address:
[<000000025e52029c>] blk_mq_free_tag_set+0x6c/0xb8
Kernel panic - not syncing: Fatal exception: panic_on_oops
When allocation/initialization of the blk_mq_tag_set fails in dm_mq_init_request_queue(), it is uninitialized/freed, but the pointer is not reset to NULL; so when dev_remove() later gets into dm_mq_cleanup_mapped_device() it sees the pointer and tries to uninitialize and free it again. Fix this by setting the pointer to NULL in dm_mq_init_request_queue() error-handling. Also set it to NULL in dm_mq_cleanup_mapped_device().

CVE ID : CVE-2021-46938
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1cb02dc76f4c0a2749a02b26469512d6984252e9 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6086f957416a6e87236c06079fcaba7a3998aeca | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/772b9f59657665af3b68d24d12b9d172d31f0dfb | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8ae0185255eaf05bd66f4215c81e99bf01140fd9 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8e947c8f4a5620df77e43c9c75310dc510250166 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a992a283c0b77d0a7c2c348add0e6a21fb1dab67 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b42c0a33dfdd451d9be62dd5de58c39f2750b6e3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d757bf4c69cda3c3ab7f775dfabbf5a80e2f6f9d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46939

First published on : 27-02-2024 19:04:05
Last modified on : 27-02-2024 19:04:05

Description :
In the Linux kernel, the following vulnerability has been resolved: tracing: Restructure trace_clock_global() to never block It was reported that a fix to the ring buffer recursion detection would cause a hung machine when performing suspend / resume testing. The following backtrace was extracted from debugging that case:
Call Trace:
trace_clock_global+0x91/0xa0
__rb_reserve_next+0x237/0x460
ring_buffer_lock_reserve+0x12a/0x3f0
trace_buffer_lock_reserve+0x10/0x50
__trace_graph_return+0x1f/0x80
trace_graph_return+0xb7/0xf0
? trace_clock_global+0x91/0xa0
ftrace_return_to_handler+0x8b/0xf0
? pv_hash+0xa0/0xa0
return_to_handler+0x15/0x30
? ftrace_graph_caller+0xa0/0xa0
? trace_clock_global+0x91/0xa0
? __rb_reserve_next+0x237/0x460
? ring_buffer_lock_reserve+0x12a/0x3f0
? trace_event_buffer_lock_reserve+0x3c/0x120
? trace_event_buffer_reserve+0x6b/0xc0
? trace_event_raw_event_device_pm_callback_start+0x125/0x2d0
? dpm_run_callback+0x3b/0xc0
? pm_ops_is_empty+0x50/0x50
? platform_get_irq_byname_optional+0x90/0x90
? trace_device_pm_callback_start+0x82/0xd0
? dpm_run_callback+0x49/0xc0
With the following RIP:
RIP: 0010:native_queued_spin_lock_slowpath+0x69/0x200
Since the fix to the recursion detection would allow a single recursion to happen while tracing, this led to trace_clock_global() taking a spin lock and then trying to take it again:
ring_buffer_lock_reserve() {
  trace_clock_global() {
    arch_spin_lock() {
      queued_spin_lock_slowpath() {
        /* lock taken */
        (something else gets traced by function graph tracer)
        ring_buffer_lock_reserve() {
          trace_clock_global() {
            arch_spin_lock() {
              queued_spin_lock_slowpath() {
                /* DEAD LOCK! */
Tracing should *never* block, as it can lead to strange lockups like the above. Restructure the trace_clock_global() code so that, instead of simply taking a lock to update the recorded "prev_time", it simply uses it, as for two events happening on two different CPUs that call this at the same time, it really doesn't matter which one goes first. Use a trylock to grab the lock for updating the prev_time, and if it fails, simply try again the next time. If it failed to be taken, that means something else is already updating it. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212761

CVE ID : CVE-2021-46939
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1fca00920327be96f3318224f502e4d5460f9545 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2a1bd74b8186d7938bf004f5603f25b84785f63e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6e2418576228eeb12e7ba82edb8f9500623942ff | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/859b47a43f5a0e5b9a92b621dc6ceaad39fb5c8b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/91ca6f6a91f679c8645d7f3307e03ce86ad518c4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a33614d52e97fc8077eb0b292189ca7d964cc534 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/aafe104aa9096827a429bc1358f8260ee565b7cc | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c64da3294a7d59a4bf6874c664c13be892f15f44 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d43d56dbf452ccecc1ec735cd4b6840118005d7c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46940

First published on : 27-02-2024 19:04:05
Last modified on : 27-02-2024 19:04:05

Description :
In the Linux kernel, the following vulnerability has been resolved: tools/power turbostat: Fix offset overflow issue in index converting The idx_to_offset() function returns type int (32-bit signed), but MSR_PKG_ENERGY_STAT is u32 and would be interpreted as a negative number. The end result is that it hits the if (offset < 0) check in update_msr_sum() which prevents the timer callback from updating the stat in the background when long durations are used. The similar issue exists in offset_to_idx() and update_msr_sum(). Fix this issue by converting the 'int' to 'off_t' accordingly.

CVE ID : CVE-2021-46940
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/13a779de4175df602366d129e41782ad7168cef0 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/337b1546cde87fb8588ddaedf0201b769baa572a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/dbdf22fc825fdb1d97f23230064e0f9819471628 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ea6803ff2cd1a2d7d880256bf562172b708a76ff | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46941

First published on : 27-02-2024 19:04:05
Last modified on : 27-02-2024 19:04:05

Description :
In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: Do core softreset when switch mode According to the programming guide, to switch mode for a DRD controller, the driver needs to do the following.
To switch from device to host:
1. Reset controller with GCTL.CoreSoftReset
2. Set GCTL.PrtCapDir(host mode)
3. Reset the host with USBCMD.HCRESET
4. Then follow up with the initializing host registers sequence
To switch from host to device:
1. Reset controller with GCTL.CoreSoftReset
2. Set GCTL.PrtCapDir(device mode)
3. Reset the device with DCTL.CSftRst
4. Then follow up with the initializing registers sequence
Currently we're missing step 1) to do GCTL.CoreSoftReset and step 3) of switching from host to device. John Stultz reported a lockup issue seen with the HiKey960 platform without these steps[1]. A similar issue is observed with Ferry's testing platform[2]. So, apply the required steps along with some fixes to Yu Chen's and John Stultz's version. The main fixes to their versions are the missing wait for clocks synchronization before clearing GCTL.CoreSoftReset and only applying DCTL.CSftRst when switching from host to device. [1] https://lore.kernel.org/linux-usb/20210108015115.27920-1-john.stultz@linaro.org/ [2] https://lore.kernel.org/linux-usb/0ba7a6ba-e6a7-9cd4-0695-64fc927e01f1@gmail.com/

CVE ID : CVE-2021-46941
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1c10fd60c8595ea7ff7e29d3cf1fa88069941da3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/800f58217626c8b147aa40660e572ed8a0d56e3b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f88359e1588b85cf0e8209ab7d6620085f3441d9 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/fce7bbcd07d59ac30dba8ce225316b3b4c1c7b50 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46942

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: io_uring: fix shared sqpoll cancellation hangs
[ 736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.
[ 736.982897] Call Trace:
[ 736.982901] schedule+0x68/0xe0
[ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110
[ 736.982908] io_sqpoll_cancel_cb+0x24/0x30
[ 736.982911] io_run_task_work_head+0x28/0x50
[ 736.982913] io_sq_thread+0x4e3/0x720
We call io_uring_cancel_sqpoll() one by one for each ctx either in sq_thread() itself or via task works, and it's intended to cancel all requests of a specified context. However the function uses per-task counters to track the number of inflight requests, so it counts more requests than available via the current io_uring ctx and goes to sleep for them to appear (e.g. from IRQ), which will never happen. Cancel a bit more than before, i.e. all ctxs that share sqpoll and continue to use shared counters. Don't forget that we should not remove ctx from the list before running that task_work sqpoll-cancel, otherwise the function wouldn't be able to find the context and will hang.

CVE ID : CVE-2021-46942
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/734551df6f9bedfbefcd113ede665945e9de0b99 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/cb5e0b3d0f993a6268c1a2c7ede2f9aa0c17ef68 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46943

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: media: staging/intel-ipu3: Fix set_fmt error handling If there is an error during a set_fmt, do not overwrite the previous sizes with the invalid config. Without this patch, v4l2-compliance ends up allocating 4GiB of RAM and causing the following OOPs
[ 38.662975] ipu3-imgu 0000:00:05.0: swiotlb buffer is full (sz: 4096 bytes)
[ 38.662980] DMA: Out of SW-IOMMU space for 4096 bytes at device 0000:00:05.0
[ 38.663010] general protection fault: 0000 [#1] PREEMPT SMP

CVE ID : CVE-2021-46943
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/34892ea938387d83ffcfb7775ec55f0f80767916 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6fb617e37a39db0a3eca4489431359d0bdf3b9bc | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a03fb1e8a110658215a4cefc3e2ad53279e496a6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ad91849996f9dd79741a961fd03585a683b08356 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c6b81b897f6f9445d57f8d47c4e060ec21556137 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46944

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: media: staging/intel-ipu3: Fix memory leak in imu_fmt We are losing the reference to an allocated memory if try. Change the order of the check to avoid that.

CVE ID : CVE-2021-46944
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/14d0e99c3ef6b0648535a31bf2eaabb4eff97b9e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3630901933afba1d16c462b04d569b7576339223 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/517f6f570566a863c2422b843c8b7d099474f6a9 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/74ba0adb5e983503b18a96121d965cad34ac7ce3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ff792ae52005c85a2d829c153e08d99a356e007d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46945

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: ext4: always panic when errors=panic is specified Before commit 014c9caa29d3 ("ext4: make ext4_abort() use __ext4_error()"), the following series of commands would trigger a panic:
1. mount /dev/sda -o ro,errors=panic test
2. mount /dev/sda -o remount,abort test
After commit 014c9caa29d3, remounting a file system using the test mount option "abort" will no longer trigger a panic. This commit will restore the behaviour immediately before commit 014c9caa29d3. (However, note that the Linux kernel's behavior has not been consistent; some previous kernel versions, including 5.4 and 4.19, similarly did not panic after using the mount option "abort".) This also makes a change to long-standing behaviour; namely, the following series of commands will now cause a panic, when previously it did not:
1. mount /dev/sda -o ro,errors=panic test
2. echo test > /sys/fs/ext4/sda/trigger_fs_error
However, this makes ext4's behaviour much more consistent, so this is a good thing.

CVE ID : CVE-2021-46945
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1e9ea8f4637026b8e965128953f2da061ccae9c4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/64e1eebe2131183174f4fbb6b1491355f96c6cde | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ac2f7ca51b0929461ea49918f27c11b680f28995 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46946

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: ext4: fix check to prevent false positive report of incorrect used inodes Commit <50122847007> ("ext4: fix check to prevent initializing reserved inodes") checks block group zero and prevents initializing reserved inodes. But in some special cases, the reserved inodes may not all belong to group zero; they may exist in the second group if we format the filesystem as below. mkfs.ext4 -b 4096 -g 8192 -N 1024 -I 4096 /dev/sda So, it will end up triggering a false positive report of a corrupted file system. This patch fixes it by avoiding the check of reserved inodes if no free inode blocks will be zeroed.

CVE ID : CVE-2021-46946
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/098b257563b959f4ca6c1d82fde0ee727792cb19 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/539ba4ebc467260225898e67ea53cbb73308f894 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7687f5aba0f50c7ff8040e506bae184e59c8e7b8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9c61387630a54e35b96a90608aafd369ffb86f39 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a149d2a5cabbf6507a7832a1c4fd2593c55fd450 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d2e121be8d318524a61e13ca15b5bfab2d0b63c7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e18d76a12b34791bc0318a0e0c0fa5863cd8dabf | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e70db6e43286a17c3dfc840fcee662de183b6a81 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f42789ee5f96743cdb5f69445cab3609458733f7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46947

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: sfc: adjust efx->xdp_tx_queue_count with the real number of initialized queues efx->xdp_tx_queue_count is initially initialized to num_possible_cpus() and is later used to allocate and traverse efx->xdp_tx_queues lookup array. However, we may end up not initializing all the array slots with real queues during probing. This results, for example, in a NULL pointer dereference, when running "# ethtool -S <iface>", similar to below [2570283.664955][T4126959] BUG: kernel NULL pointer dereference, address: 00000000000000f8 [2570283.681283][T4126959] #PF: supervisor read access in kernel mode [2570283.695678][T4126959] #PF: error_code(0x0000) - not-present page [2570283.710013][T4126959] PGD 0 P4D 0 [2570283.721649][T4126959] Oops: 0000 [#1] SMP PTI [2570283.734108][T4126959] CPU: 23 PID: 4126959 Comm: ethtool Tainted: G O 5.10.20-cloudflare-2021.3.1 #1 [2570283.752641][T4126959] Hardware name: <redacted> [2570283.781408][T4126959] RIP: 0010:efx_ethtool_get_stats+0x2ca/0x330 [sfc] [2570283.796073][T4126959] Code: 00 85 c0 74 39 48 8b 95 a8 0f 00 00 48 85 d2 74 2d 31 c0 eb 07 48 8b 95 a8 0f 00 00 48 63 c8 49 83 c4 08 83 c0 01 48 8b 14 ca <48> 8b 92 f8 00 00 00 49 89 54 24 f8 39 85 a0 0f 00 00 77 d7 48 8b [2570283.831259][T4126959] RSP: 0018:ffffb79a77657ce8 EFLAGS: 00010202 [2570283.845121][T4126959] RAX: 0000000000000019 RBX: ffffb799cd0c9280 RCX: 0000000000000018 [2570283.860872][T4126959] RDX: 0000000000000000 RSI: ffff96dd970ce000 RDI: 0000000000000005 [2570283.876525][T4126959] RBP: ffff96dd86f0a000 R08: ffff96dd970ce480 R09: 000000000000005f [2570283.892014][T4126959] R10: ffffb799cd0c9fff R11: ffffb799cd0c9000 R12: ffffb799cd0c94f8 [2570283.907406][T4126959] R13: ffffffffc11b1090 R14: ffff96dd970ce000 R15: ffffffffc11cd66c [2570283.922705][T4126959] FS: 00007fa7723f8740(0000) GS:ffff96f51fac0000(0000) knlGS:0000000000000000 [2570283.938848][T4126959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2570283.952524][T4126959] CR2: 00000000000000f8 CR3: 0000001a73e6e006 CR4: 00000000007706e0 [2570283.967529][T4126959] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [2570283.982400][T4126959] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [2570283.997308][T4126959] PKRU: 55555554 [2570284.007649][T4126959] Call Trace: [2570284.017598][T4126959] dev_ethtool+0x1832/0x2830 Fix this by adjusting efx->xdp_tx_queue_count after probing to reflect the true value of initialized slots in efx->xdp_tx_queues.

CVE ID : CVE-2021-46947
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/99ba0ea616aabdc8e26259fd722503e012199a76 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ebeac958b690123a0b40aa61f688f2f170035fad | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46948

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: sfc: farch: fix TX queue lookup in TX event handling We're starting from a TXQ label, not a TXQ type, so efx_channel_get_tx_queue() is inappropriate (and could return NULL, leading to panics).

CVE ID : CVE-2021-46948
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/35c7a83ad1bb1d48ae249346e61b1132bcbf9052 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/83b09a1807415608b387c7bc748d329fefc5617e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/bf2b941d0a6f2d3b9f5fa3c4c21bdd54f71ce253 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e531db1ea6f98c9612cb2de093a107c7eadfb96c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46949

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: sfc: farch: fix TX queue lookup in TX flush done handling We're starting from a TXQ instance number ('qid'), not a TXQ type, so efx_get_tx_queue() is inappropriate (and could return NULL, leading to panics).

CVE ID : CVE-2021-46949
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/5b1faa92289b53cad654123ed2bc8e10f6ddd4ac | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/98d91180748986bfb6dfb3e72765f3225719a647 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a1570985ec04116cc665b760faf666a104154170 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/fb791572d6747ef385f628450f8d57cd132e6e5a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46950

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: md/raid1: properly indicate failure when ending a failed write request This patch addresses a data corruption bug in raid1 arrays using bitmaps. Without this fix, the bitmap bits for the failed I/O end up being cleared. Since we are in the failure leg of raid1_end_write_request, the request either needs to be retried (R1BIO_WriteError) or failed (R1BIO_Degraded).

CVE ID : CVE-2021-46950
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/12216d0919b64ee2ea5dc7a50e455670f44383d5 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2417b9869b81882ab90fd5ed1081a1cb2d4db1dd | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/538244fba59fde17186322776247cd9c05be86dd | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/59452e551784b7a57a45d971727e9db63b192515 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/661061a45e32d8b2cc0e306da9f169ad44011382 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6920cef604fa57f9409e3960413e9cc11f5c5a40 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a6e17cab00fc5bf85472434c52ac751426257c6f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46951

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: tpm: efi: Use local variable for calculating final log size When tpm_read_log_efi is called multiple times, which happens when one loads and unloads a TPM2 driver multiple times, then the global variable efi_tpm_final_log_size will at some point become a negative number due to the subtraction of final_events_preboot_size occurring each time. Use a local variable to avoid this integer underflow. The following issue is now resolved: Mar 8 15:35:12 hibinst kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Mar 8 15:35:12 hibinst kernel: Workqueue: tpm-vtpm vtpm_proxy_work [tpm_vtpm_proxy] Mar 8 15:35:12 hibinst kernel: RIP: 0010:__memcpy+0x12/0x20 Mar 8 15:35:12 hibinst kernel: Code: 00 b8 01 00 00 00 85 d2 74 0a c7 05 44 7b ef 00 0f 00 00 00 c3 cc cc cc 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4 Mar 8 15:35:12 hibinst kernel: RSP: 0018:ffff9ac4c0fcfde0 EFLAGS: 00010206 Mar 8 15:35:12 hibinst kernel: RAX: ffff88f878cefed5 RBX: ffff88f878ce9000 RCX: 1ffffffffffffe0f Mar 8 15:35:12 hibinst kernel: RDX: 0000000000000003 RSI: ffff9ac4c003bff9 RDI: ffff88f878cf0e4d Mar 8 15:35:12 hibinst kernel: RBP: ffff9ac4c003b000 R08: 0000000000001000 R09: 000000007e9d6073 Mar 8 15:35:12 hibinst kernel: R10: ffff9ac4c003b000 R11: ffff88f879ad3500 R12: 0000000000000ed5 Mar 8 15:35:12 hibinst kernel: R13: ffff88f878ce9760 R14: 0000000000000002 R15: ffff88f77de7f018 Mar 8 15:35:12 hibinst kernel: FS: 0000000000000000(0000) GS:ffff88f87bd00000(0000) knlGS:0000000000000000 Mar 8 15:35:12 hibinst kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 Mar 8 15:35:12 hibinst kernel: CR2: ffff9ac4c003c000 CR3: 00000001785a6004 CR4: 0000000000060ee0 Mar 8 15:35:12 hibinst kernel: Call Trace: Mar 8 15:35:12 hibinst kernel: tpm_read_log_efi+0x152/0x1a7 Mar 8 15:35:12 hibinst kernel: tpm_bios_log_setup+0xc8/0x1c0 Mar 8 15:35:12 hibinst kernel: tpm_chip_register+0x8f/0x260 Mar 8 15:35:12 hibinst kernel: vtpm_proxy_work+0x16/0x60 [tpm_vtpm_proxy] Mar 8 15:35:12 hibinst kernel: process_one_work+0x1b4/0x370 Mar 8 15:35:12 hibinst kernel: worker_thread+0x53/0x3e0 Mar 8 15:35:12 hibinst kernel: ? process_one_work+0x370/0x370

CVE ID : CVE-2021-46951
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/2f12258b5224cfaa808c54fd29345f3c1cbfca76 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3818b753277f5ca0c170bf5b98e0a5a225542fcb | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/48cff270b037022e37835d93361646205ca25101 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/60a01ecc9f68067e4314a0b55148e39e5d58a51b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ac07c557ca12ec9276c0375517bac7ae5be4e50c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46952

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: NFS: fs_context: validate UDP retrans to prevent shift out-of-bounds Fix shift out-of-bounds in xprt_calc_majortimeo(). This is caused by a garbage timeout (retrans) mount option being passed to nfs mount, in this case from syzkaller. If the protocol is XPRT_TRANSPORT_UDP, then 'retrans' is a shift value for a 64-bit long integer, so 'retrans' cannot be >= 64. If it is >= 64, fail the mount and return an error.

CVE ID : CVE-2021-46952
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/2f3380121d49e829fb73ba86240c181bc32ad897 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3d0163821c035040a46d816a42c0780f0f0a30a8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/96fa26b74cdcf9f5c98996bf36bec9fb5b19ffe2 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c09f11ef35955785f92369e25819bf0629df2e59 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46953

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: ACPI: GTDT: Don't corrupt interrupt mappings on watchdog probe failure When failing the driver probe because of invalid firmware properties, the GTDT driver unmaps the interrupt that it mapped earlier. However, it never checks whether the mapping of the interrupt actually succeeded. Even more, should the firmware report an illegal interrupt number that overlaps with the GIC SGI range, this can result in an IPI being unmapped, and subsequent fireworks (as reported by Dann Frazier). Rework the driver to have a slightly saner behaviour and actually check whether the interrupt has been mapped before unmapping things.

CVE ID : CVE-2021-46953
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1ecd5b129252249b9bc03d7645a7bda512747277 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/42e69521ee1fa5abf21f478d147d06bbfe6bf6a8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/504632a3577a049dd9bb7aabae5b4476f9c586b4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/596e079c362ac17ed02aa1b99fdc444d62072a01 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7b2162db1498c71962a4bb2f776fa4e76d4d305b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c3385a9122f8db15b453e07bfc88117fce7f3724 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e0f2d86481eaa83df33b0793f75212919db7a19d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46954

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets when 'act_mirred' tries to fragment IPv4 packets that had been previously re-assembled using 'act_ct', splats like the following can be observed on kernels built with KASAN: BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60 Read of size 1 at addr ffff888147009574 by task ping/947 CPU: 0 PID: 947 Comm: ping Not tainted 5.12.0-rc6+ #418 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 Call Trace: <IRQ> dump_stack+0x92/0xc1 print_address_description.constprop.7+0x1a/0x150 kasan_report.cold.13+0x7f/0x111 ip_do_fragment+0x1b03/0x1f60 sch_fragment+0x4bf/0xe40 tcf_mirred_act+0xc3d/0x11a0 [act_mirred] tcf_action_exec+0x104/0x3e0 fl_classify+0x49a/0x5e0 [cls_flower] tcf_classify_ingress+0x18a/0x820 __netif_receive_skb_core+0xae7/0x3340 __netif_receive_skb_one_core+0xb6/0x1b0 process_backlog+0x1ef/0x6c0 __napi_poll+0xaa/0x500 net_rx_action+0x702/0xac0 __do_softirq+0x1e4/0x97f do_softirq+0x71/0x90 </IRQ> __local_bh_enable_ip+0xdb/0xf0 ip_finish_output2+0x760/0x2120 ip_do_fragment+0x15a5/0x1f60 __ip_finish_output+0x4c2/0xea0 ip_output+0x1ca/0x4d0 ip_send_skb+0x37/0xa0 raw_sendmsg+0x1c4b/0x2d00 sock_sendmsg+0xdb/0x110 __sys_sendto+0x1d7/0x2b0 __x64_sys_sendto+0xdd/0x1b0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f82e13853eb Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89 RSP: 002b:00007ffe01fad888 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00005571aac13700 RCX: 00007f82e13853eb RDX: 0000000000002330 RSI: 00005571aac13700 RDI: 0000000000000003 RBP: 0000000000002330 R08: 00005571aac10500 R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe01faefb0 R13: 00007ffe01fad890 R14: 00007ffe01fad980 R15: 00005571aac0f0a0 The buggy address belongs to the page: page:000000001dff2e03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x147009 flags: 0x17ffffc0001000(reserved) raw: 0017ffffc0001000 ffffea00051c0248 ffffea00051c0248 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888147009400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888147009480: f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 >ffff888147009500: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 ^ ffff888147009580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888147009600: 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 for IPv4 packets, sch_fragment() uses a temporary struct dst_entry. Then, in the following call graph: ip_do_fragment() ip_skb_dst_mtu() ip_dst_mtu_maybe_forward() ip_mtu_locked() the pointer to struct dst_entry is used as pointer to struct rtable: this turns the access to struct members like rt_mtu_locked into an OOB read in the stack. Fix this changing the temporary variable used for IPv4 packets in sch_fragment(), similarly to what is done for IPv6 few lines below.

CVE ID : CVE-2021-46954
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/018bb8da5b5888e19585f9b802f036afe643fcef | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/31fe34a0118e0acc958c802e830ad5d37ef6b1d3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8e6dfb7beeb6489ac1365b8a71052e737f5da76e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46955

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix stack OOB read while fragmenting IPv4 packets running openvswitch on kernels built with KASAN, it's possible to see the following splat while testing fragmentation of IPv4 packets: BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60 Read of size 1 at addr ffff888112fc713c by task handler2/1367 CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 Call Trace: dump_stack+0x92/0xc1 print_address_description.constprop.7+0x1a/0x150 kasan_report.cold.13+0x7f/0x111 ip_do_fragment+0x1b03/0x1f60 ovs_fragment+0x5bf/0x840 [openvswitch] do_execute_actions+0x1bd5/0x2400 [openvswitch] ovs_execute_actions+0xc8/0x3d0 [openvswitch] ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch] genl_family_rcv_msg_doit.isra.15+0x227/0x2d0 genl_rcv_msg+0x287/0x490 netlink_rcv_skb+0x120/0x380 genl_rcv+0x24/0x40 netlink_unicast+0x439/0x630 netlink_sendmsg+0x719/0xbf0 sock_sendmsg+0xe2/0x110 ____sys_sendmsg+0x5ba/0x890 ___sys_sendmsg+0xe9/0x160 __sys_sendmsg+0xd3/0x170 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f957079db07 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48 RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07 RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019 RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0 The buggy address belongs to the page: page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7 flags: 0x17ffffc0000000() raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame: ovs_fragment+0x0/0x840 [openvswitch] this frame has 2 objects: [32, 144) 'ovs_dst' [192, 424) 'ovs_rt' Memory state around the buggy address: ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 ^ ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 for IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then, in the following call graph: ip_do_fragment() ip_skb_dst_mtu() ip_dst_mtu_maybe_forward() ip_mtu_locked() the pointer to struct dst_entry is used as pointer to struct rtable: this turns the access to struct members like rt_mtu_locked into an OOB read in the stack. Fix this changing the temporary variable used for IPv4 packets in ovs_fragment(), similarly to what is done for IPv6 few lines below.

CVE ID : CVE-2021-46955
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/23e17ec1a5eb53fe39cc34fa5592686d5acd0dac | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/490ad0a2390442d0a7b8c00972a83dbb09cab142 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5a52fa8ad45b5a593ed416adf326538638454ff1 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7c0ea5930c1c211931819d83cfb157bff1539a4c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a1478374b0bda89b4277a8afd39208271faad4be | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b1d7280f9ba1bfdbc3af5bdb82e51f014854f26f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b3502b04e84ac5349be95fc033c17bd701d2787a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d841d3cf5297fde4ce6a41ff35451d0e82917f3e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/df9e900de24637be41879e2c50afb713ec4e8b2e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46956

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: virtiofs: fix memory leak in virtio_fs_probe() When accidentally passing twice the same tag to qemu, kmemleak ended up reporting a memory leak in virtiofs. Also, looking at the log I saw the following error (that's when I realised the duplicated tag): virtiofs: probe of virtio5 failed with error -17 Here's the kmemleak log for reference: unreferenced object 0xffff888103d47800 (size 1024): comm "systemd-udevd", pid 118, jiffies 4294893780 (age 18.340s) hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff 80 90 02 a0 ff ff ff ff ................ backtrace: [<000000000ebb87c1>] virtio_fs_probe+0x171/0x7ae [virtiofs] [<00000000f8aca419>] virtio_dev_probe+0x15f/0x210 [<000000004d6baf3c>] really_probe+0xea/0x430 [<00000000a6ceeac8>] device_driver_attach+0xa8/0xb0 [<00000000196f47a7>] __driver_attach+0x98/0x140 [<000000000b20601d>] bus_for_each_dev+0x7b/0xc0 [<00000000399c7b7f>] bus_add_driver+0x11b/0x1f0 [<0000000032b09ba7>] driver_register+0x8f/0xe0 [<00000000cdd55998>] 0xffffffffa002c013 [<000000000ea196a2>] do_one_initcall+0x64/0x2e0 [<0000000008f727ce>] do_init_module+0x5c/0x260 [<000000003cdedab6>] __do_sys_finit_module+0xb5/0x120 [<00000000ad2f48c6>] do_syscall_64+0x33/0x40 [<00000000809526b5>] entry_SYSCALL_64_after_hwframe+0x44/0xae

CVE ID : CVE-2021-46956
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/310efc95c72c13faf855c692d19cd4d054d827c8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5116e79fc6e6725b8acdad8b7e928a83ab7b47e6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9b9d60c0eb8ada99cce2a9ab5c15dffc523b01ae | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c79c5e0178922a9e092ec8fed026750f39dcaef4 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d19555ff225d0896a33246a49279e6d578095f15 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46957

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: riscv/kprobe: fix kernel panic when invoking sys_read traced by kprobe The execution of sys_read ends up hitting a BUG_ON() in __find_get_block after installing a kprobe at sys_read, with a BUG message like the following: [ 65.708663] ------------[ cut here ]------------ [ 65.709987] kernel BUG at fs/buffer.c:1251! [ 65.711283] Kernel BUG [#1] [ 65.712032] Modules linked in: [ 65.712925] CPU: 0 PID: 51 Comm: sh Not tainted 5.12.0-rc4 #1 [ 65.714407] Hardware name: riscv-virtio,qemu (DT) [ 65.715696] epc : __find_get_block+0x218/0x2c8 [ 65.716835] ra : __getblk_gfp+0x1c/0x4a [ 65.717831] epc : ffffffe00019f11e ra : ffffffe00019f56a sp : ffffffe002437930 [ 65.719553] gp : ffffffe000f06030 tp : ffffffe0015abc00 t0 : ffffffe00191e038 [ 65.721290] t1 : ffffffe00191e038 t2 : 000000000000000a s0 : ffffffe002437960 [ 65.723051] s1 : ffffffe00160ad00 a0 : ffffffe00160ad00 a1 : 000000000000012a [ 65.724772] a2 : 0000000000000400 a3 : 0000000000000008 a4 : 0000000000000040 [ 65.726545] a5 : 0000000000000000 a6 : ffffffe00191e000 a7 : 0000000000000000 [ 65.728308] s2 : 000000000000012a s3 : 0000000000000400 s4 : 0000000000000008 [ 65.730049] s5 : 000000000000006c s6 : ffffffe00240f800 s7 : ffffffe000f080a8 [ 65.731802] s8 : 0000000000000001 s9 : 000000000000012a s10: 0000000000000008 [ 65.733516] s11: 0000000000000008 t3 : 00000000000003ff t4 : 000000000000000f [ 65.734434] t5 : 00000000000003ff t6 : 0000000000040000 [ 65.734613] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003 [ 65.734901] Call Trace: [ 65.735076] [<ffffffe00019f11e>] __find_get_block+0x218/0x2c8 [ 65.735417] [<ffffffe00020017a>] __ext4_get_inode_loc+0xb2/0x2f6 [ 65.735618] [<ffffffe000201b6c>] ext4_get_inode_loc+0x3a/0x8a [ 65.735802] [<ffffffe000203380>] ext4_reserve_inode_write+0x2e/0x8c [ 65.735999] [<ffffffe00020357a>] __ext4_mark_inode_dirty+0x4c/0x18e [ 65.736208] [<ffffffe000206bb0>] ext4_dirty_inode+0x46/0x66 [ 65.736387] [<ffffffe000192914>] __mark_inode_dirty+0x12c/0x3da [ 65.736576] [<ffffffe000180dd2>] touch_atime+0x146/0x150 [ 65.736748] [<ffffffe00010d762>] filemap_read+0x234/0x246 [ 65.736920] [<ffffffe00010d834>] generic_file_read_iter+0xc0/0x114 [ 65.737114] [<ffffffe0001f5d7a>] ext4_file_read_iter+0x42/0xea [ 65.737310] [<ffffffe000163f2c>] new_sync_read+0xe2/0x15a [ 65.737483] [<ffffffe000165814>] vfs_read+0xca/0xf2 [ 65.737641] [<ffffffe000165bae>] ksys_read+0x5e/0xc8 [ 65.737816] [<ffffffe000165c26>] sys_read+0xe/0x16 [ 65.737973] [<ffffffe000003972>] ret_from_syscall+0x0/0x2 [ 65.738858] ---[ end trace fe93f985456c935d ]--- A simple reproducer looks like: echo 'p:myprobe sys_read fd=%a0 buf=%a1 count=%a2' > /sys/kernel/debug/tracing/kprobe_events echo 1 > /sys/kernel/debug/tracing/events/kprobes/myprobe/enable cat /sys/kernel/debug/tracing/trace Here's what happens to hit that BUG_ON(): 1) After installing a kprobe at the entry of sys_read, the first instruction is replaced by an 'ebreak' instruction on the riscv64 platform. 2) Once the kernel reaches the 'ebreak' instruction at the entry of sys_read, it traps into the riscv breakpoint handler, where it does some setup for the coming single-step of the original instruction, including backing up the 'sstatus' in pt_regs, followed by disabling interrupts during single stepping via clearing the 'SIE' bit of 'sstatus' in pt_regs. 3) Then the kernel restores to the instruction slot containing two instructions, one being the original instruction at the entry of sys_read, the other being 'ebreak'. Here it triggers an 'Instruction page fault' exception (value at 'scause' is '0xc'), if the PF is not filled into the PageTable for that slot yet. 4) Again the kernel traps into the page fault exception handler, where it chooses a different policy according to the state of the running kprobe. Because after 2) the state is KPROBE_HIT_SS, the kernel resets the current kp ---truncated---

CVE ID : CVE-2021-46957
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/b1ebaa0e1318494a7637099a26add50509e37964 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/fd0f06590d35c99f98d12c7984897ec4201a6263 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46958

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between transaction aborts and fsyncs leading to use-after-free There is a race between a task aborting a transaction during a commit, a task doing an fsync and the transaction kthread, which leads to an use-after-free of the log root tree. When this happens, it results in a stack trace like the following: BTRFS info (device dm-0): forced readonly BTRFS warning (device dm-0): Skipping commit of aborted transaction. BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5) BTRFS warning (device dm-0): Skipping commit of aborted transaction. BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10 BTRFS error (device dm-0): error writing primary super block to device 1 BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10 BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10 BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10 BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers) BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:__mutex_lock+0x139/0xa40 Code: c0 74 19 (...) RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202 RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 0000000000000002 RDX: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff9f18830d7bc0 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040 R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358 FS: 00007fa9140c2b80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa913d52000 CR3: 000000013d2b4003 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? __btrfs_handle_fs_error+0xde/0x146 [btrfs] ? btrfs_sync_log+0x7c1/0xf20 [btrfs] ? btrfs_sync_log+0x7c1/0xf20 [btrfs] btrfs_sync_log+0x7c1/0xf20 [btrfs] btrfs_sync_file+0x40c/0x580 [btrfs] do_fsync+0x38/0x70 __x64_sys_fsync+0x10/0x20 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fa9142a55c3 Code: 8b 15 09 (...) RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c3 RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005 RBP: 0000000000000005 R08: 0000000000000001 R09: 00007fff26278d5c R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000340 R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0 Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...) ---[ end trace ee2f1b19327d791d ]--- The steps that lead to this crash are the following: 1) We are at transaction N; 2) We have two tasks with a transaction handle attached to transaction N. Task A and Task B. Task B is doing an fsync; 3) Task B is at btrfs_sync_log(), and has saved fs_info->log_root_tree into a local variable named 'log_root_tree' at the top of btrfs_sync_log(). Task B is about to call write_all_supers(), but before that... 4) Task A calls btrfs_commit_transaction(), and after it sets the transaction state to TRANS_STATE_COMMIT_START, an error happens before it w ---truncated---

CVE ID : CVE-2021-46958
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/061dde8245356d8864d29e25207aa4daa0be4d3c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/633f7f216663587f17601eaa1cf2ac3d5654874c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a4794be7b00b7eda4b45fffd283ab7d76df7e5d6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e2da98788369bfba1138bada72765c47989a4338 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46960

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: cifs: Return correct error code from smb2_get_enc_key

Avoid a warning if the error percolates back up:

[440700.376476] CIFS VFS: \\otters.example.com crypt_message: Could not get encryption key
[440700.386947] ------------[ cut here ]------------
[440700.386948] err = 1
[440700.386977] WARNING: CPU: 11 PID: 2733 at /build/linux-hwe-5.4-p6lk6L/linux-hwe-5.4-5.4.0/lib/errseq.c:74 errseq_set+0x5c/0x70
...
[440700.397304] CPU: 11 PID: 2733 Comm: tar Tainted: G OE 5.4.0-70-generic #78~18.04.1-Ubuntu
...
[440700.397334] Call Trace:
[440700.397346] __filemap_set_wb_err+0x1a/0x70
[440700.397419] cifs_writepages+0x9c7/0xb30 [cifs]
[440700.397426] do_writepages+0x4b/0xe0
[440700.397444] __filemap_fdatawrite_range+0xcb/0x100
[440700.397455] filemap_write_and_wait+0x42/0xa0
[440700.397486] cifs_setattr+0x68b/0xf30 [cifs]
[440700.397493] notify_change+0x358/0x4a0
[440700.397500] utimes_common+0xe9/0x1c0
[440700.397510] do_utimes+0xc5/0x150
[440700.397520] __x64_sys_utimensat+0x88/0xd0

CVE ID : CVE-2021-46960
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/83728cbf366e334301091d5b808add468ab46b27 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/93f3339b22ba17e66f0808737467b70ba087eaec | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/aaa0faa5c28a91c362352d6b35dc3ed10df56fb0 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b399c1a3ea0b9d10047ff266d65533df7f15532f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e486f8397f3f14a7cadc166138141fdb14379a54 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e94851629c49c65b4fbb29a5725ddfd7988f8f20 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f59a9242942fef0de7b926e438ba4eae65d4b4dd | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46961

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3: Do not enable irqs when handling spurious interrupts

We triggered the following error while running our 4.19 kernel with the pseudo-NMI patches backported to it:

[ 14.816231] ------------[ cut here ]------------
[ 14.816231] kernel BUG at irq.c:99!
[ 14.816232] Internal error: Oops - BUG: 0 [#1] SMP
[ 14.816232] Process swapper/0 (pid: 0, stack limit = 0x(____ptrval____))
[ 14.816233] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 4.19.95.aarch64 #14
[ 14.816233] Hardware name: evb (DT)
[ 14.816234] pstate: 80400085 (Nzcv daIf +PAN -UAO)
[ 14.816234] pc : asm_nmi_enter+0x94/0x98
[ 14.816235] lr : asm_nmi_enter+0x18/0x98
[ 14.816235] sp : ffff000008003c50
[ 14.816235] pmr_save: 00000070
[ 14.816237] x29: ffff000008003c50 x28: ffff0000095f56c0
[ 14.816238] x27: 0000000000000000 x26: ffff000008004000
[ 14.816239] x25: 00000000015e0000 x24: ffff8008fb916000
[ 14.816240] x23: 0000000020400005 x22: ffff0000080817cc
[ 14.816241] x21: ffff000008003da0 x20: 0000000000000060
[ 14.816242] x19: 00000000000003ff x18: ffffffffffffffff
[ 14.816243] x17: 0000000000000008 x16: 003d090000000000
[ 14.816244] x15: ffff0000095ea6c8 x14: ffff8008fff5ab40
[ 14.816244] x13: ffff8008fff58b9d x12: 0000000000000000
[ 14.816245] x11: ffff000008c8a200 x10: 000000008e31fca5
[ 14.816246] x9 : ffff000008c8a208 x8 : 000000000000000f
[ 14.816247] x7 : 0000000000000004 x6 : ffff8008fff58b9e
[ 14.816248] x5 : 0000000000000000 x4 : 0000000080000000
[ 14.816249] x3 : 0000000000000000 x2 : 0000000080000000
[ 14.816250] x1 : 0000000000120000 x0 : ffff0000095f56c0
[ 14.816251] Call trace:
[ 14.816251] asm_nmi_enter+0x94/0x98
[ 14.816251] el1_irq+0x8c/0x180 (IRQ C)
[ 14.816252] gic_handle_irq+0xbc/0x2e4
[ 14.816252] el1_irq+0xcc/0x180 (IRQ B)
[ 14.816253] arch_timer_handler_virt+0x38/0x58
[ 14.816253] handle_percpu_devid_irq+0x90/0x240
[ 14.816253] generic_handle_irq+0x34/0x50
[ 14.816254] __handle_domain_irq+0x68/0xc0
[ 14.816254] gic_handle_irq+0xf8/0x2e4
[ 14.816255] el1_irq+0xcc/0x180 (IRQ A)
[ 14.816255] arch_cpu_idle+0x34/0x1c8
[ 14.816255] default_idle_call+0x24/0x44
[ 14.816256] do_idle+0x1d0/0x2c8
[ 14.816256] cpu_startup_entry+0x28/0x30
[ 14.816256] rest_init+0xb8/0xc8
[ 14.816257] start_kernel+0x4c8/0x4f4
[ 14.816257] Code: 940587f1 d5384100 b9401001 36a7fd01 (d4210000)
[ 14.816258] Modules linked in: start_dp(O) smeth(O)
[ 15.103092] ---[ end trace 701753956cb14aa8 ]---
[ 15.103093] Kernel panic - not syncing: Fatal exception in interrupt
[ 15.103099] SMP: stopping secondary CPUs
[ 15.103100] Kernel Offset: disabled
[ 15.103100] CPU features: 0x36,a2400218
[ 15.103100] Memory Limit: none

which is caused by a 'BUG_ON(in_nmi())' in nmi_enter().

From the call trace, we can find three interrupts (noted A, B, C above): interrupt (A) is preempted by (B), which is further interrupted by (C). Subsequent investigations show that (B) results in nmi_enter() being called, but that it actually is a spurious interrupt. Furthermore, interrupts are reenabled in the context of (B), and (C) fires with NMI priority. We end up with a nested NMI situation, something we definitely do not want to (and cannot) handle.

The bug here is that spurious interrupts should never result in any state change, and we should just return to the interrupted context. Moving the handling of spurious interrupts as early as possible in the GICv3 handler fixes this issue.

[maz: rewrote commit message, corrected Fixes: tag]

CVE ID : CVE-2021-46961
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/3f72d3709f53af72835af7dc8b15ba61611a0e36 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7be4db5c2b59fa77071c93ca4329876fb9777202 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a97709f563a078e259bf0861cd259aa60332890a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e7ea8e46e3b777be26aa855fe07778c415f24926 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ea817ac1014c04f47885532b55f5d0898deadfba | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46962

First published on : 27-02-2024 19:04:06
Last modified on : 27-02-2024 19:04:06

Description :
In the Linux kernel, the following vulnerability has been resolved: mmc: uniphier-sd: Fix a resource leak in the remove function A 'tmio_mmc_host_free()' call is missing in the remove function, in order to balance a 'tmio_mmc_host_alloc()' call in the probe. This is done in the error handling path of the probe, but not in the remove function. Add the missing call.

CVE ID : CVE-2021-46962
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0d8941b9b2d3e7b3481fdf43b1a6189d162175b7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/25ac6ce65f1ab458982d15ec1caf441acd37106a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d6e7fda496978f2763413b5523557b38dc2bf6c2 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e29c84857e2d51aa017ce04284b962742fb97d9e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ebe0f12cf4c044f812c6d17011531582f9ac8bb3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46963

First published on : 27-02-2024 19:04:07
Last modified on : 27-02-2024 19:04:07

Description :
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand()

RIP: 0010:kmem_cache_free+0xfa/0x1b0
Call Trace:
 qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx]
 scsi_queue_rq+0x5e2/0xa40
 __blk_mq_try_issue_directly+0x128/0x1d0
 blk_mq_request_issue_directly+0x4e/0xb0

Fix incorrect call to free srb in qla2xxx_mqueuecommand(), as srb is now allocated by upper layers. This fixes smatch warning of srb unintended free.

CVE ID : CVE-2021-46963
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/6641df81ab799f28a5d564f860233dd26cca0d93 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/702cdaa2c6283c135ef16d52e0e4e3c1005aa538 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/77509a238547863040a42d57c72403f7d4c89a8f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/80ef24175df2cba3860d0369d1c662b49ee2de56 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a73208e3244127ef9f2cdf24e4adb947aaa32053 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c5ab9b67d8b061de74e2ca51bf787ee599bd7f89 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46964

First published on : 27-02-2024 19:04:07
Last modified on : 27-02-2024 19:04:07

Description :
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Reserve extra IRQ vectors

Commit a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of CPUs") lowers the number of allocated MSI-X vectors to the number of CPUs. That breaks vector allocation assumptions in qla83xx_iospace_config(), qla24xx_enable_msix() and qla2x00_iospace_config(). Either of the functions computes maximum number of qpairs as:

ha->max_qpairs = ha->msix_count - 1 (MB interrupt) - 1 (default response queue) - 1 (ATIO, in dual or pure target mode)

max_qpairs is set to zero in case of two CPUs and initiator mode. The number is then used to allocate ha->queue_pair_map inside qla2x00_alloc_queues(). No allocation happens and ha->queue_pair_map is left NULL but the driver thinks there are queue pairs available.

qla2xxx_queuecommand() tries to find a qpair in the map and crashes:

if (ha->mqenable) {
	uint32_t tag;
	uint16_t hwq;
	struct qla_qpair *qpair = NULL;

	tag = blk_mq_unique_tag(cmd->request);
	hwq = blk_mq_unique_tag_to_hwq(tag);
	qpair = ha->queue_pair_map[hwq]; # <- HERE

	if (qpair)
		return qla2xxx_mqueuecommand(host, cmd, qpair);
}

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G W 5.10.0-rc1+ #25
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc]
RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx]
Call Trace:
 scsi_queue_rq+0x58c/0xa60
 blk_mq_dispatch_rq_list+0x2b7/0x6f0
 ? __sbitmap_get_word+0x2a/0x80
 __blk_mq_sched_dispatch_requests+0xb8/0x170
 blk_mq_sched_dispatch_requests+0x2b/0x50
 __blk_mq_run_hw_queue+0x49/0xb0
 __blk_mq_delay_run_hw_queue+0xfb/0x150
 blk_mq_sched_insert_request+0xbe/0x110
 blk_execute_rq+0x45/0x70
 __scsi_execute+0x10e/0x250
 scsi_probe_and_add_lun+0x228/0xda0
 __scsi_scan_target+0xf4/0x620
 ? __pm_runtime_resume+0x4f/0x70
 scsi_scan_target+0x100/0x110
 fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc]
 process_one_work+0x1ea/0x3b0
 worker_thread+0x28/0x3b0
 ? process_one_work+0x3b0/0x3b0
 kthread+0x112/0x130
 ? kthread_park+0x80/0x80
 ret_from_fork+0x22/0x30

The driver should allocate enough vectors to provide every CPU its own HW queue and still handle reserved (MB, RSP, ATIO) interrupts. The change fixes the crash on dual core VM and prevents unbalanced QP allocation where nr_hw_queues is two less than the number of CPUs.

CVE ID : CVE-2021-46964
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0f86d66b38501e3ac66cf2d9f9f8ad6838bad0e6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4ecd42dec858b6632c5f024fe13e9ad6c30f2734 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f02d4086a8f36a0e1aaebf559b54cf24a177a486 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46965

First published on : 27-02-2024 19:04:07
Last modified on : 27-02-2024 19:04:07

Description :
In the Linux kernel, the following vulnerability has been resolved: mtd: physmap: physmap-bt1-rom: Fix unintentional stack access Cast &data to (char *) in order to avoid unintentionally accessing the stack. Notice that data is of type u32, so any increment to &data will be in the order of 4-byte chunks, and this piece of code is actually intended to be a byte offset. Addresses-Coverity-ID: 1497765 ("Out-of-bounds access")

CVE ID : CVE-2021-46965
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/34ec706bf0b7c4ca249a729c1bcb91f706c7a7be | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4d786870e3262ec098a3b4ed10b895176bc66ecb | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4e4ebb827bf09311469ffd9d0c14ed40ed9747aa | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/683313993dbe1651c7aa00bb42a041d70e914925 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46966

First published on : 27-02-2024 19:04:07
Last modified on : 27-02-2024 19:04:07

Description :
In the Linux kernel, the following vulnerability has been resolved: ACPI: custom_method: fix potential use-after-free issue In cm_write(), buf is always freed when reaching the end of the function. If the requested count is less than table.length, the allocated buffer will be freed but subsequent calls to cm_write() will still try to access it. Remove the unconditional kfree(buf) at the end of the function and set the buf to NULL in the -EINVAL error path to match the rest of function.

CVE ID : CVE-2021-46966
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/1d53ca5d131074c925ce38361fb0376d3bf7e394 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/62dc2440ebb552aa0d7f635e1697e077d9d21203 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/72814a94c38a33239793f7622cec6ace1e540c4b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8b04d57f30caf76649d0567551589af9a66ca9be | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/90575d1d9311b753cf1718f4ce9061ddda7dfd23 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a5b26a2e362f572d87e9fd35435680e557052a17 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b7a5baaae212a686ceb812c32fceed79c03c0234 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e483bb9a991bdae29a0caa4b3a6d002c968f94aa | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f16737caf41fc06cfe6e49048becb09657074d4b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46967

First published on : 27-02-2024 19:04:07
Last modified on : 27-02-2024 19:04:07

Description :
In the Linux kernel, the following vulnerability has been resolved: vhost-vdpa: fix vm_flags for virtqueue doorbell mapping The virtqueue doorbell is usually implemented via registers but we don't provide the necessary vma->flags like VM_PFNMAP. This may cause several issues, e.g. when userspace tries to map the doorbell via vhost IOTLB, the kernel may panic because the page is not backed by a page structure. This patch fixes this by setting the necessary vm_flags. With this patch, trying to map the doorbell via IOTLB will fail with bad address.

CVE ID : CVE-2021-46967
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/3a3e0fad16d40a2aa68ddf7eea4acdf48b22dd44 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3b8b6399666a29daa30b0bb3f5c9e3fc81c5a6a6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/93dbbf20e3ffad14f04227a0b7105f6e6f0387ce | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/940230a5c31e2714722aee04c521a21f484b4df7 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46968

First published on : 27-02-2024 19:04:07
Last modified on : 27-02-2024 19:04:07

Description :
In the Linux kernel, the following vulnerability has been resolved: s390/zcrypt: fix zcard and zqueue hot-unplug memleak Tests with kvm and a kmemdebug kernel showed that on hot unplug the zcard and zqueue structs for the unplugged card or queue are not properly freed because of a mismatch with get/put for the embedded kref counter. This fix now adjusts the handling of the kref counters. With init the kref counter starts with 1. This initial value needs to drop to zero with the unregister of the card or queue to trigger the release and free the object.

CVE ID : CVE-2021-46968
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/026499a9c2e002e621ad568d1378324ae97e5524 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/055a063a18bcd19b93709e3eac8078d6b2f04599 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/70fac8088cfad9f3b379c9082832b4d7532c16c2 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/971dc8706cee47393d393905d294ea47e39503d3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46969

First published on : 27-02-2024 19:04:07
Last modified on : 27-02-2024 19:04:07

Description :
In the Linux kernel, the following vulnerability has been resolved: bus: mhi: core: Fix invalid error returning in mhi_queue mhi_queue returns an error when the doorbell is not accessible in the current state. This can happen when the device is in a non-M0 state, like M3, and needs to be woken up prior to ringing the DB. This case is managed earlier by triggering an asynchronous M3 exit via controller resume/suspend callbacks, which in turn will cause the M0 transition and DB update. So, since it's not an error but just a delay of the doorbell update, there is no reason to return an error. This also fixes a use-after-free error in the skb case: a caller queuing an skb will try to free the skb if the queueing fails, but in that case queueing has been done.

CVE ID : CVE-2021-46969
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0ecc1c70dcd32c0f081b173a1a5d89952686f271 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a99b661c3187365f81026d89b1133a76cd2652b3 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46970

First published on : 27-02-2024 19:04:07
Last modified on : 27-02-2024 19:04:07

Description :
In the Linux kernel, the following vulnerability has been resolved: bus: mhi: pci_generic: Remove WQ_MEM_RECLAIM flag from state workqueue

A recent change created a dedicated workqueue for the state-change work with WQ_HIGHPRI (no strong reason for that) and WQ_MEM_RECLAIM flags, but the state-change work (mhi_pm_st_worker) does not guarantee forward progress under memory pressure, and will even wait on various memory allocations when e.g. creating devices, loading firmware, etc... The work is then not part of a memory reclaim path...

Moreover, this causes a warning in check_flush_dependency() since we end up in code that flushes a non-reclaim workqueue:

[ 40.969601] workqueue: WQ_MEM_RECLAIM mhi_hiprio_wq:mhi_pm_st_worker [mhi] is flushing !WQ_MEM_RECLAIM events_highpri:flush_backlog
[ 40.969612] WARNING: CPU: 4 PID: 158 at kernel/workqueue.c:2607 check_flush_dependency+0x11c/0x140
[ 40.969733] Call Trace:
[ 40.969740] __flush_work+0x97/0x1d0
[ 40.969745] ? wake_up_process+0x15/0x20
[ 40.969749] ? insert_work+0x70/0x80
[ 40.969750] ? __queue_work+0x14a/0x3e0
[ 40.969753] flush_work+0x10/0x20
[ 40.969756] rollback_registered_many+0x1c9/0x510
[ 40.969759] unregister_netdevice_queue+0x94/0x120
[ 40.969761] unregister_netdev+0x1d/0x30
[ 40.969765] mhi_net_remove+0x1a/0x40 [mhi_net]
[ 40.969770] mhi_driver_remove+0x124/0x250 [mhi]
[ 40.969776] device_release_driver_internal+0xf0/0x1d0
[ 40.969778] device_release_driver+0x12/0x20
[ 40.969782] bus_remove_device+0xe1/0x150
[ 40.969786] device_del+0x17b/0x3e0
[ 40.969791] mhi_destroy_device+0x9a/0x100 [mhi]
[ 40.969796] ? mhi_unmap_single_use_bb+0x50/0x50 [mhi]
[ 40.969799] device_for_each_child+0x5e/0xa0
[ 40.969804] mhi_pm_st_worker+0x921/0xf50 [mhi]

CVE ID : CVE-2021-46970
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0fccbf0a3b690b162f53b13ed8bc442ea33437dc | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/abd1510c08a13c88d24b622a83c82e87ff1d3135 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ed541cff35cbdb695f0c98ef506dd7218883fc07 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46971

First published on : 27-02-2024 19:04:07
Last modified on : 27-02-2024 19:04:07

Description :
In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix unconditional security_locked_down() call Currently, the lockdown state is queried unconditionally, even though its result is used only if the PERF_SAMPLE_REGS_INTR bit is set in attr.sample_type. While that doesn't matter in case of the Lockdown LSM, it causes trouble with the SELinux's lockdown hook implementation. SELinux implements the locked_down hook with a check whether the current task's type has the corresponding "lockdown" class permission ("integrity" or "confidentiality") allowed in the policy. This means that calling the hook when the access control decision would be ignored generates a bogus permission check and audit record. Fix this by checking sample_type first and only calling the hook when its result would be honored.

CVE ID : CVE-2021-46971
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/08ef1af4de5fe7de9c6d69f1e22e51b66e385d9b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4348d3b5027bc3ff6336368b6c60605d4ef8e1ce | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b246759284d6a2bc5b6f1009caeeb3abce2ec9ff | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/c7b0208ee370b89d20486fae71cd9abb759819c1 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f5809ca4c311b71bfaba6d13f4e39eab0557895e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46972

First published on : 27-02-2024 19:04:07
Last modified on : 27-02-2024 19:04:07

Description :
In the Linux kernel, the following vulnerability has been resolved: ovl: fix leaked dentry

Since commit 6815f479ca90 ("ovl: use only uppermetacopy state in ovl_lookup()"), overlayfs doesn't put temporary dentry when there is a metacopy error, which leads to dentry leaks when shutting down the related superblock:

overlayfs: refusing to follow metacopy origin for (/file0)
...
BUG: Dentry (____ptrval____){i=3f33,n=file3} still in use (1) [unmount of overlay overlay]
...
WARNING: CPU: 1 PID: 432 at umount_check.cold+0x107/0x14d
CPU: 1 PID: 432 Comm: unmount-overlay Not tainted 5.12.0-rc5 #1
...
RIP: 0010:umount_check.cold+0x107/0x14d
...
Call Trace:
 d_walk+0x28c/0x950
 ? dentry_lru_isolate+0x2b0/0x2b0
 ? __kasan_slab_free+0x12/0x20
 do_one_tree+0x33/0x60
 shrink_dcache_for_umount+0x78/0x1d0
 generic_shutdown_super+0x70/0x440
 kill_anon_super+0x3e/0x70
 deactivate_locked_super+0xc4/0x160
 deactivate_super+0xfa/0x140
 cleanup_mnt+0x22e/0x370
 __cleanup_mnt+0x1a/0x30
 task_work_run+0x139/0x210
 do_exit+0xb0c/0x2820
 ? __kasan_check_read+0x1d/0x30
 ? find_held_lock+0x35/0x160
 ? lock_release+0x1b6/0x660
 ? mm_update_next_owner+0xa20/0xa20
 ? reacquire_held_locks+0x3f0/0x3f0
 ? __sanitizer_cov_trace_const_cmp4+0x22/0x30
 do_group_exit+0x135/0x380
 __do_sys_exit_group.isra.0+0x20/0x20
 __x64_sys_exit_group+0x3c/0x50
 do_syscall_64+0x45/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xae
...
VFS: Busy inodes after unmount of overlay. Self-destruct in 5 seconds. Have a nice day...

This fix has been tested with a syzkaller reproducer.

CVE ID : CVE-2021-46972
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/71d58457a8afc650da5d3292a7f7029317654d95 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/cf3e3330bc5719fa9d658e3e2f596bde89344a94 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d587cfaef72b1b6f4b2774827123bce91f497cc8 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/eaab1d45cdb4bb0c846bd23c3d666d5b90af7b41 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46973

First published on : 27-02-2024 19:04:07
Last modified on : 27-02-2024 19:04:07

Description :
In the Linux kernel, the following vulnerability has been resolved: net: qrtr: Avoid potential use after free in MHI send It is possible that the MHI ul_callback will be invoked immediately following the queueing of the skb for transmission, leading to the callback decrementing the refcount of the associated sk and freeing the skb. As such the dereference of skb and the increment of the sk refcount must happen before the skb is queued, to avoid the skb being used after free and potentially the sk dropping its last refcount.

CVE ID : CVE-2021-46973
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/03c649dee8b1eb5600212a249542a70f47a5ab40 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/47a017f33943278570c072bc71681809b2567b3a | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/48ec949ac979b4b42d740f67b6177797af834f80 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ea474054c2cc6e1284604b21361f475c7cc8c0a0 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46974

First published on : 27-02-2024 19:04:07
Last modified on : 27-02-2024 19:04:07

Description :
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix masking negation logic upon negative dst register The negation logic for the case where the off_reg is sitting in the dst register is not correct, given that we cannot just invert the add to a sub or vice versa. As a fix, perform the final bitwise and-op unconditionally into AX from the off_reg, then move the pointer from the src to dst and finally use AX as the source for the original pointer arithmetic operation such that the inversion yields a correct result. The single non-AX mov in between is possible given constant blinding is retaining it as it's not an immediate based operation.

CVE ID : CVE-2021-46974
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/0e2dfdc74a7f4036127356d42ea59388f153f42c | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2cfa537674cd1051a3b8111536d77d0558f33d5d | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4d542ddb88fb2f39bf7f14caa2902f3e8d06f6ba | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/53e0db429b37a32b8fc706d0d90eb4583ad13848 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/6eba92a4d4be8feb4dc33976abac544fa99d6ecc | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7cf64d8679ca1cb20cf57d6a88bfee79a0922a66 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b9b34ddbe2076ade359cd5ce7537d5ed019e9807 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Vulnerability ID : CVE-2021-46975

First published on : 27-02-2024 19:04:07
Last modified on : 27-02-2024 19:04:07

Description :
In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: Make global sysctls readonly in non-init netns

These sysctls point to global variables:
- NF_SYSCTL_CT_MAX (&nf_conntrack_max)
- NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max)
- NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user)

Because their data pointers are not updated to point to per-netns structures, they must be marked read-only in a non-init_net ns. Otherwise, changes in any net namespace are reflected in (leaked into) all other net namespaces. This problem has existed since the introduction of net namespaces.

The current logic marks them read-only only if the net namespace is owned by an unprivileged user (other than init_user_ns). Commit d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces") "exposes all sysctls even if the namespace is unpriviliged." Since we need to mark them readonly in any case, we can forego the unprivileged user check altogether.

CVE ID : CVE-2021-46975
Source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Score : /

References :
https://git.kernel.org/stable/c/2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/671c54ea8c7ff47bd88444f3fffb65bf9799ce43 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/68122479c128a929f8f7bdd951cfdc8dd0e75b8f | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/9b288479f7a901a14ce703938596438559d7df55 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/baea536cf51f8180ab993e374cb134b5edad25e2 | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d3598eb3915cc0c0d8cab42f4a6258ff44c4033e | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/da50f56e826e1db141693297afb99370ebc160dd | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/fbf85a34ce17c4cf0a37ee253f4c582bbfb8231b | source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67


Source : apache.org

Vulnerability ID : CVE-2023-50379

First published on : 27-02-2024 09:15:36
Last modified on : 27-02-2024 14:20:06

Description :
Malicious code injection in Apache Ambari prior to 2.7.8. Users are recommended to upgrade to version 2.7.8, which fixes this issue. Impact: A Cluster Operator can manipulate the request by adding a malicious code injection and gain root over the cluster main host.

CVE ID : CVE-2023-50379
Source : security@apache.org
CVSS Score : /

References :
http://www.openwall.com/lists/oss-security/2024/02/27/1 | source : security@apache.org
https://lists.apache.org/thread/jglww6h6ngxpo1r6r5fx7ff7z29lnvv8 | source : security@apache.org

Vulnerability : CWE-94


Vulnerability ID : CVE-2023-51518

First published on : 27-02-2024 09:15:36
Last modified on : 27-02-2024 14:20:06

Description :
Apache James prior to versions 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadget, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default the JMX endpoint is only bound locally.

We recommend users to:
- Upgrade to a non-vulnerable Apache James version
- Run Apache James isolated from other processes (docker - dedicated virtual machine)
- If possible turn off JMX

CVE ID : CVE-2023-51518
Source : security@apache.org
CVSS Score : /

References :
https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or | source : security@apache.org

Vulnerability : CWE-502


Vulnerability ID : CVE-2023-51747

First published on : 27-02-2024 14:15:27
Last modified on : 27-02-2024 15:15:07

Description :
Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver, which can be exploited by an attacker to forge an SMTP envelope, allowing for instance to bypass SPF checks. The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction. We recommend James users to upgrade to non-vulnerable versions.

CVE ID : CVE-2023-51747
Source : security@apache.org
CVSS Score : /

References :
http://www.openwall.com/lists/oss-security/2024/02/27/4 | source : security@apache.org
https://lists.apache.org/thread/rxkwbkh9vgbl9rzx1fkllyk3krhgydko | source : security@apache.org
https://postfix.org/smtp-smuggling.html | source : security@apache.org
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ | source : security@apache.org

Vulnerability : CWE-20


Vulnerability ID : CVE-2024-27905

First published on : 27-02-2024 15:15:07
Last modified on : 27-02-2024 15:15:07

Description :
** UNSUPPORTED WHEN ASSIGNED ** Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Aurora. An endpoint exposing internals to unauthenticated users can be used as a "padding oracle" allowing an anonymous attacker to construct a valid authentication cookie. Potentially this could be combined with vulnerabilities in other components to achieve remote code execution. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVE ID : CVE-2024-27905
Source : security@apache.org
CVSS Score : /

References :
http://www.openwall.com/lists/oss-security/2024/02/27/3 | source : security@apache.org
https://lists.apache.org/thread/564kbv3wqdzkscmdn2bg4vlk48qymryp | source : security@apache.org

Vulnerability : CWE-200


Vulnerability ID : CVE-2023-50380

First published on : 27-02-2024 17:15:11
Last modified on : 27-02-2024 19:15:09

Description :
XML External Entity injection in Apache Ambari versions <= 2.7.7. Users are recommended to upgrade to version 2.7.8, which fixes this issue. More details: Oozie Workflow Scheduler had a vulnerability that allowed for root-level file reading and privilege escalation from low-privilege users. The vulnerability was caused by a lack of proper user input validation. This vulnerability is known as an XML External Entity (XXE) injection attack. Attackers can exploit XXE vulnerabilities to read arbitrary files on the server, including sensitive system files. In theory, it might be possible to use this to escalate privileges.

CVE ID : CVE-2023-50380
Source : security@apache.org
CVSS Score : /

References :
http://www.openwall.com/lists/oss-security/2024/02/27/6 | source : security@apache.org
https://lists.apache.org/thread/qrt7mq7v7zyrh1qsh1gkg1m7clysvy32 | source : security@apache.org

Vulnerability : CWE-611


Vulnerability ID : CVE-2024-21742

First published on : 27-02-2024 17:15:12
Last modified on : 27-02-2024 17:15:12

Description :
Improper input validation allows for header injection in the MIME4J library when using MIME4J DOM for composing a message. This can be exploited by an attacker to add unintended headers to MIME messages.

CVE ID : CVE-2024-21742
Source : security@apache.org
CVSS Score : /

References :
https://lists.apache.org/thread/nrqzg93219wdj056pqfszsd33dc54kfy | source : security@apache.org

Vulnerability : CWE-20


Source : wpscan.com

Vulnerability ID : CVE-2023-6584

First published on : 27-02-2024 09:15:37
Last modified on : 27-02-2024 14:20:06

Description :
The WP JobSearch WordPress plugin before 2.3.4 does not prevent attackers from logging in as any user with only the knowledge of that user's email address.

CVE ID : CVE-2023-6584
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/e528e3cd-a45c-4bf7-a37a-101f5c257acd/ | source : contact@wpscan.com


Vulnerability ID : CVE-2023-6585

First published on : 27-02-2024 09:15:37
Last modified on : 27-02-2024 14:20:06

Description :
The WP JobSearch WordPress plugin before 2.3.4 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.

CVE ID : CVE-2023-6585
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/757412f4-e4f8-4007-8e3b-639a72b33180/ | source : contact@wpscan.com


Vulnerability ID : CVE-2023-7115

First published on : 27-02-2024 09:15:37
Last modified on : 27-02-2024 14:20:06

Description :
The Page Builder: Pagelayer WordPress plugin before 1.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE ID : CVE-2023-7115
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/6ddd1a9e-3f96-4020-9b2b-f818a4d5ba58/ | source : contact@wpscan.com


Vulnerability ID : CVE-2023-7165

First published on : 27-02-2024 09:15:37
Last modified on : 27-02-2024 14:20:06

Description :
The JetBackup WordPress plugin before 2.0.9.9 doesn't use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files.

CVE ID : CVE-2023-7165
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/ad1ef4c5-60c1-4729-81dd-f626aa0ce3fe/ | source : contact@wpscan.com


Vulnerability ID : CVE-2023-7167

First published on : 27-02-2024 09:15:37
Last modified on : 27-02-2024 14:20:06

Description :
The Persian Fonts WordPress plugin through 1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE ID : CVE-2023-7167
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/6a2eb871-6b6e-4dbb-99f0-dd74d6c61e83/ | source : contact@wpscan.com


Vulnerability ID : CVE-2023-7198

First published on : 27-02-2024 09:15:37
Last modified on : 27-02-2024 14:20:06

Description :
The WP Dashboard Notes WordPress plugin before 1.0.11 is vulnerable to Insecure Direct Object References (IDOR) in post_id= parameter. Authenticated users are able to delete private notes associated with different user accounts. This poses a significant security risk as it violates the principle of least privilege and compromises the integrity and privacy of user data.

CVE ID : CVE-2023-7198
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/75fbee63-d622-441f-8675-082907b0b1e6/ | source : contact@wpscan.com


Vulnerability ID : CVE-2023-7202

First published on : 27-02-2024 09:15:37
Last modified on : 27-02-2024 14:20:06

Description :
The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated user, such as a subscriber, to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF.

CVE ID : CVE-2023-7202
Source : contact@wpscan.com
CVSS Score : /

References :
https://research.cleantalk.org/cve-2023-7202-fatal-error-notify-error-email-sending-csrf/ | source : contact@wpscan.com
https://wpscan.com/vulnerability/d923ba5b-1c20-40ee-ac69-cd0bb65b375a/ | source : contact@wpscan.com


Vulnerability ID : CVE-2023-7203

First published on : 27-02-2024 09:15:37
Last modified on : 27-02-2024 14:20:06

Description :
The Smart Forms WordPress plugin before 2.6.87 does not have authorisation in various AJAX actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions such as deleting entries. The plugin also lacks CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as deleting entries.

CVE ID : CVE-2023-7203
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/b514b631-c3e3-4793-ab5d-35ed0c38b011/ | source : contact@wpscan.com


Vulnerability ID : CVE-2024-0855

First published on : 27-02-2024 09:15:37
Last modified on : 27-02-2024 14:20:06

Description :
The Spiffy Calendar WordPress plugin before 4.9.9 doesn't check the event_author parameter, and allows any user to alter it when creating an event, leading to deceiving users/admins that a page was created by a Contributor+.

CVE ID : CVE-2024-0855
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/5d5da91e-3f34-46b0-8db2-354a88bdf934/ | source : contact@wpscan.com


Vulnerability ID : CVE-2024-1106

First published on : 27-02-2024 09:15:37
Last modified on : 27-02-2024 14:20:06

Description :
The Shariff Wrapper WordPress plugin before 4.6.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE ID : CVE-2024-1106
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/0672f8af-33e2-459c-ac8a-7351247a8a26/ | source : contact@wpscan.com


Source : wordfence.com

Vulnerability ID : CVE-2023-5947

First published on : 27-02-2024 15:15:07
Last modified on : 27-02-2024 15:15:07

Description :
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-7247. Reason: This candidate is a duplicate of CVE-2023-7247. Notes: All CVE users should reference CVE-2023-7247 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

CVE ID : CVE-2023-5947
Source : security@wordfence.com
CVSS Score : /

References :


Vulnerability ID : CVE-2024-1423

First published on : 27-02-2024 15:15:07
Last modified on : 27-02-2024 15:15:07

Description :
Rejected reason: Accidental Request

CVE ID : CVE-2024-1423
Source : security@wordfence.com
CVSS Score : /

References :


Vulnerability ID : CVE-2024-1864

First published on : 27-02-2024 22:15:14
Last modified on : 27-02-2024 22:15:14

Description :
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-2813. Reason: This candidate is a duplicate of CVE-2023-2813. Notes: All CVE users should reference CVE-2023-2813 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

CVE ID : CVE-2024-1864
Source : security@wordfence.com
CVSS Score : /

References :


Vulnerability ID : CVE-2024-1865

First published on : 27-02-2024 22:15:14
Last modified on : 27-02-2024 22:15:14

Description :
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-2813. Reason: This candidate is a duplicate of CVE-2023-2813. Notes: All CVE users should reference CVE-2023-2813 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

CVE ID : CVE-2024-1865
Source : security@wordfence.com
CVSS Score : /

References :


Vulnerability ID : CVE-2024-1866

First published on : 27-02-2024 22:15:14
Last modified on : 27-02-2024 22:15:14

Description :
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-2813. Reason: This candidate is a duplicate of CVE-2023-2813. Notes: All CVE users should reference CVE-2023-2813 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

CVE ID : CVE-2024-1866
Source : security@wordfence.com
CVSS Score : /

References :


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports