Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-46277

Publication date:
08/06/2026
In the Linux kernel, the following vulnerability has been resolved:

mm/zone_device: do not touch device folio after calling ->folio_free()

The contents of a device folio can immediately change after calling ->folio_free(), as the folio may be reallocated by a driver with a different order. Instead of touching the folio again to extract the pgmap, use the local stack variable when calling percpu_ref_put_many().
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2026

CVE-2026-46278

Publication date:
08/06/2026
In the Linux kernel, the following vulnerability has been resolved:

drm/imagination: Fix segfault when updating ftrace mask

Fix invalid data access by passing right data for debugfs entry.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2026

CVE-2026-46279

Publication date:
08/06/2026
In the Linux kernel, the following vulnerability has been resolved:

mm/alloc_tag: clear codetag for pages allocated before page_ext initialization

Due to initialization ordering, page_ext is allocated and initialized relatively late during boot. Some pages have already been allocated and freed before page_ext becomes available, leaving their codetag uninitialized.

A clear example is in init_section_page_ext(): alloc_page_ext() calls kmemleak_alloc(). If the slab cache has no free objects, it falls back to the buddy allocator to allocate memory. However, at this point page_ext is not yet fully initialized, so these newly allocated pages have no codetag set. These pages may later be reclaimed by KASAN, which causes the warning to trigger when they are freed because their codetag ref is still empty.

Use a global array to track pages allocated before page_ext is fully initialized. The array size is fixed at 8192 entries, and will emit a warning if this limit is exceeded. When page_ext initialization completes, set their codetag to empty to avoid warnings when they are freed later.

This warning is only observed with CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y and mem_profiling_compressed disabled.

---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2026

CVE-2026-46280

Publication date:
08/06/2026
In the Linux kernel, the following vulnerability has been resolved:

lib: test_hmm: evict device pages on file close to avoid use-after-free

Patch series "Minor hmm_test fixes and cleanups".

Two bugfixes and a cleanup for the HMM kernel selftests. These were mostly reported by Zenghui Yu with special thanks to Lorenzo for analysing and pointing out the problems.

This patch (of 3):

When dmirror_fops_release() is called it frees the dmirror struct but doesn't migrate device private pages back to system memory first. This leaves those pages with a dangling zone_device_data pointer to the freed dmirror.

If a subsequent fault occurs on those pages (e.g. during coredump) the dmirror_devmem_fault() callback dereferences the stale pointer causing a kernel panic. This was reported [1] when running mm/ksft_hmm.sh on arm64, where a test failure triggered SIGABRT and the resulting coredump walked the VMAs faulting in the stale device private pages.

Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in dmirror_fops_release() to migrate all device private pages back to system memory before freeing the dmirror struct. The function is moved earlier in the file to avoid a forward declaration.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2026

CVE-2026-46281

Publication date:
08/06/2026
In the Linux kernel, the following vulnerability has been resolved:

vmalloc: fix buffer overflow in vrealloc_node_align()

Commit 4c5d3365882d ("mm/vmalloc: allow to set node and align in vrealloc") added the ability to force a new allocation if the current pointer is on the wrong NUMA node, or if an alignment constraint is not met, even if the user is shrinking the allocation.

On this path (need_realloc), the code allocates a new object of 'size' bytes and then memcpy()s 'old_size' bytes into it. If the request is to shrink the object (size
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2026

CVE-2026-46282

Publication date:
08/06/2026
In the Linux kernel, the following vulnerability has been resolved:

iio: frequency: admv1013: fix NULL pointer dereference on str

When device_property_read_string() fails, str is left uninitialized but the code falls through to strcmp(str, ...), dereferencing a garbage pointer. Replace manual read/strcmp with device_property_match_property_string() and consolidate the SE mode enums into a single sequential enum, mapping to hardware register values via a switch consistent with other bitfields in the driver.

Several cleanup patches have been applied to this driver recently so this will need a manual backport.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2026

CVE-2026-45581

Publication date:
08/06/2026
fabric-chaincode-java is a Java based implementation of Hyperledger Fabric chaincode shim APIs. From version 2.3.1 to before version 2.5.10, when chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server. This issue has been patched in version 2.5.10.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2026

CVE-2026-43966

Publication date:
08/06/2026
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values.

cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and ", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20–0x7E, excluding " and \), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \r\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting.

This issue affects cowlib from 2.9.0.
Severity CVSS v4.0: MEDIUM
Last modification:
08/06/2026

CVE-2026-39908

Publication date:
08/06/2026
OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application attempts to load proxies from the UNC path, triggering an SMB authentication attempt that discloses the NTLMv2 hash, which can then be relayed or cracked offline.
Severity CVSS v4.0: HIGH
Last modification:
08/06/2026

CVE-2026-39910

Publication date:
08/06/2026
STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.
Severity CVSS v4.0: CRITICAL
Last modification:
08/06/2026

CVE-2026-41448

Publication date:
08/06/2026
AdGuard Home, when started with the --glinet flag, contains an authentication bypass vulnerability that allows unauthenticated attackers to gain full admin access by supplying a path traversal sequence in the Admin-Token cookie, exploiting unsanitized string concatenation in the token file path construction within the authglinet middleware. Attackers can craft a request with a traversal payload in the Admin-Token header to redirect file reads to arbitrary paths.
Severity CVSS v4.0: CRITICAL
Last modification:
08/06/2026

CVE-2026-25555

Publication date:
08/06/2026
OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.
Severity CVSS v4.0: CRITICAL
Last modification:
08/06/2026