2024-03-01
New_entries
CVE-2020-36778
description
In the Linux kernel, the following vulnerability has been resolved: i2c: xiic: fix reference leak when pm_runtime_get_sync fails. The PM reference count is not expected to be incremented on return in xiic_xfer and xiic_i2c_remove. However, pm_runtime_get_sync will increment the PM reference count even when it fails. Forgetting the put operation results in a reference leak here. Replace it with pm_runtime_resume_and_get to keep the usage counter balanced.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/a42ac16e6573f19c78f556ea292f5b534fcc4514
- https://git.kernel.org/stable/c/a85c5c7a3aa8041777ff691400b4046e56149fd3
- https://git.kernel.org/stable/c/c977426db644ba476938125597947979e8aba725
- https://git.kernel.org/stable/c/e2ba996577eaea423694dc69ae43d56f1410a22b
CVE-2020-36779
description
In the Linux kernel, the following vulnerability has been resolved: i2c: stm32f7: fix reference leak when pm_runtime_get_sync fails. The PM reference count is not expected to be incremented on return in these stm32f7_i2c_xx functions. However, pm_runtime_get_sync will increment the PM reference count even when it fails. Forgetting the put operation results in a reference leak here. Replace it with pm_runtime_resume_and_get to keep the usage counter balanced.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/2c662660ce2bd3b09dae21a9a9ac9395e1e6c00b
- https://git.kernel.org/stable/c/c323b270a52a26aa8038a4d1fd9a850904a41166
- https://git.kernel.org/stable/c/c7ea772c9fcf711ed566814b92eecaffc0e2bfd0
- https://git.kernel.org/stable/c/d791b90f5c5e5aa8ccf9e33386c16bd2b7e333a4
CVE-2020-36780
description
In the Linux kernel, the following vulnerability has been resolved: i2c: sprd: fix reference leak when pm_runtime_get_sync fails. The PM reference count is not expected to be incremented on return in sprd_i2c_master_xfer() and sprd_i2c_remove(). However, pm_runtime_get_sync will increment the PM reference count even when it fails. Forgetting the put operation results in a reference leak here. Replace it with pm_runtime_resume_and_get to keep the usage counter balanced.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/3a4f326463117cee3adcb72999ca34a9aaafda93
- https://git.kernel.org/stable/c/7e1764312440c5df9dfe6b436035a03673b0c1b9
- https://git.kernel.org/stable/c/9223505e938ba3db5907e058f4209770cff2f2a7
- https://git.kernel.org/stable/c/d3406ab52097328a3bc4cbe124bfd8f6d51fb86f
- https://git.kernel.org/stable/c/e547640cee7981fd751d2c9cde3a61bdb678b755
CVE-2020-36781
description
In the Linux kernel, the following vulnerability has been resolved: i2c: imx: fix reference leak when pm_runtime_get_sync fails. In i2c_imx_xfer() and i2c_imx_remove(), the PM reference count is not expected to be incremented on return. However, pm_runtime_get_sync will increment the PM reference count even when it fails. Forgetting the put operation results in a reference leak here. Replace it with pm_runtime_resume_and_get to keep the usage counter balanced.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/1ecc0ebc2ebbad4a22a670a07d27a21fa0b59c77
- https://git.kernel.org/stable/c/3a0cdd336d92c429b51a79bf4f64b17eafa0325d
- https://git.kernel.org/stable/c/47ff617217ca6a13194fcb35c6c3a0c57c080693
- https://git.kernel.org/stable/c/ff406f6cd09c273337ab4854292e4aca48f8affd
CVE-2020-36782
description
In the Linux kernel, the following vulnerability has been resolved: i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails. The PM reference count is not expected to be incremented on return in lpi2c_imx_master_enable. However, pm_runtime_get_sync will increment the PM reference count even when it fails. Forgetting the put operation results in a reference leak here. Replace it with pm_runtime_resume_and_get to keep the usage counter balanced.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/278e5bbdb9a94fa063c0f9bcde2479d0b8042462
- https://git.kernel.org/stable/c/815859cb1d2302e74f11bf6894bceace9ca9eb4a
- https://git.kernel.org/stable/c/b100650d80cd2292f6c152f5f2943b5944b3e8ce
- https://git.kernel.org/stable/c/bb300acc867e937edc2a6898e92b21f88e4e4e66
- https://git.kernel.org/stable/c/cc49d206414240483bb93ffa3d80243e6a776916
CVE-2020-36783
description
In the Linux kernel, the following vulnerability has been resolved: i2c: img-scb: fix reference leak when pm_runtime_get_sync fails. The PM reference count is not expected to be incremented on return in the functions img_i2c_xfer and img_i2c_init. However, pm_runtime_get_sync will increment the PM reference count even when it fails. Forgetting the put operation results in a reference leak here. Replace it with pm_runtime_resume_and_get to keep the usage counter balanced.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/223125e37af8a641ea4a09747a6a52172fc4b903
- https://git.kernel.org/stable/c/4734c4b1d9573c9d20bbc46cf37dde095ee011b8
- https://git.kernel.org/stable/c/7ee35cde1e810ad6ca589980b9ec2b7b62946a5b
- https://git.kernel.org/stable/c/96c4a03658d661666c360959aa80cdabfe2972ed
- https://git.kernel.org/stable/c/e80ae8bde41266d3b8bf012460b6593851766006
CVE-2020-36784
description
In the Linux kernel, the following vulnerability has been resolved: i2c: cadence: fix reference leak when pm_runtime_get_sync fails. The PM reference count is not expected to be incremented on return in the functions cdns_i2c_master_xfer and cdns_reg_slave. However, pm_runtime_get_sync will increment the PM usage counter even when it fails. Forgetting the put operation results in a reference leak here. Replace it with pm_runtime_resume_and_get to keep the usage counter balanced.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/23ceb8462dc6f4b4decdb5536a7e5fc477cdf0b6
- https://git.kernel.org/stable/c/30410519328c94367e561fd878e5f0d3a0303585
- https://git.kernel.org/stable/c/a45fc41beed8e0fe31864619c34aa00797fb60c1
- https://git.kernel.org/stable/c/d57ff04e0ed6f3be1682ae861ead33f879225e07
CVE-2020-36785
description
In the Linux kernel, the following vulnerability has been resolved: media: atomisp: Fix use after free in atomisp_alloc_css_stat_bufs(). The "s3a_buf" is freed along with all the other items on the "asd->s3a_stats" list. This leads to a double free and a use after free.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/801c1d505894008c888bc71d08d5cff5d87f8aba
- https://git.kernel.org/stable/c/8267ccd7b9df7ab682043507dd682fe0621cf045
- https://git.kernel.org/stable/c/ba11bbf303fafb33989e95473e409f6ab412b18d
- https://git.kernel.org/stable/c/d218c7a0284f6b92a7b82d2e19706e18663b4193
CVE-2020-36786
description
In the Linux kernel, the following vulnerability has been resolved: media: [next] staging: media: atomisp: fix memory leak of object flash. In the case where the call to lm3554_platform_data_func returns an error, there is a memory leak of the object flash on the error return path. Fix this by adding an error return path that frees flash, and rename labels fail2 to fail3 and fail1 to fail2.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/27d2eab69f7da8e94e4751ac5c6d22d809275484
- https://git.kernel.org/stable/c/4f0f37d03cde8f4341df8454f9b40a67fda94a33
- https://git.kernel.org/stable/c/6045b01dd0e3cd3759eafe7f290ed04c957500b1
- https://git.kernel.org/stable/c/cc4cc2fb5aaf9adb83c02211eb13b16cfcb7ba64
CVE-2020-36787
description
In the Linux kernel, the following vulnerability has been resolved: media: aspeed: fix clock handling logic. The Video Engine uses eclk and vclk as its clock sources and its reset control is coupled with eclk, so the current clock enabling sequence works like below: enable eclk, de-assert Video Engine reset, 10ms delay, enable vclk. This introduces an improper reset of the Video Engine hardware, and eventually the hardware generates unexpected DMA memory transfers that can corrupt memory regions in random and sporadic patterns. This issue is observed very rarely on some specific AST2500 SoCs, but it causes a critical kernel panic with a variety of signatures, so it is extremely hard to debug. Moreover, the issue is observed even when the video engine is not actively used, because udevd turns on the video engine hardware for a short time to make a query at every boot. To fix this issue, this commit changes the clock handling logic so that the reset de-assertion is triggered after enabling both eclk and vclk. Also, it adds a clk_unprepare call for the case when probe fails. clk: ast2600: fix reset settings for eclk and vclk. The Video Engine reset setting should be coupled with eclk to match the setting for previous Aspeed SoCs defined in clk-aspeed.c, since all Aspeed SoCs share a single video engine driver. Also, reset bit 6 is defined as Video Engine reset in the datasheet, so it should be de-asserted when eclk is enabled. This commit fixes the setting.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/1dc1d30ac101bb8335d9852de2107af60c2580e7
- https://git.kernel.org/stable/c/2964c37563e86cfdc439f217eb3c5a69adfdba6a
- https://git.kernel.org/stable/c/3536169f8531c2c5b153921dc7d1ac9fd570cda7
- https://git.kernel.org/stable/c/75321dc8aebe3f30eff226028fe6da340fe0bf02
- https://git.kernel.org/stable/c/a59d01384c80a8a4392665802df57c3df20055f5
CVE-2021-46976
description
In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix crash in auto_retire. The retire logic uses the 2 lower bits of the pointer to the retire function to store flags. However, the auto_retire function is not guaranteed to be aligned to a multiple of 4, which causes crashes as we jump to the wrong address (reported as an invalid-opcode oops at auto_retire+0x1/0x20, reached from __active_retire on the events_unbound workqueue).
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/402be8a101190969fc7ff122d07e262df86e132b
- https://git.kernel.org/stable/c/608441de3976c526b02af4d7063093c8adf351e3
- https://git.kernel.org/stable/c/805c990a9c54b9451d3daff640b850909c31ab9d
- https://git.kernel.org/stable/c/f7520970d5353cb1fa4d9089a1b23669c5da97fe
CVE-2021-46977
description
In the Linux kernel, the following vulnerability has been resolved: KVM: VMX: Disable preemption when probing user return MSRs. Disable preemption when probing a user return MSR via RDMSR/WRMSR. If the MSR holds a different value per logical CPU, the WRMSR could corrupt the host's value if KVM is preempted between the RDMSR and WRMSR and then rescheduled on a different CPU. Opportunistically land the helper in common x86; SVM will use the helper in a future commit.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/31f29749ee970c251b3a7e5b914108425940d089
- https://git.kernel.org/stable/c/5104d7ffcf24749939bea7fdb5378d186473f890
- https://git.kernel.org/stable/c/5adcdeb57007ccf8ab7ac20bf787ffb6fafb1a94
- https://git.kernel.org/stable/c/e3ea1895df719c4ef87862501bb10d95f4177bed
CVE-2021-46978
description
In the Linux kernel, the following vulnerability has been resolved: KVM: nVMX: Always make an attempt to map eVMCS after migration. When enlightened VMCS is in use and nested state is migrated with vmx_get_nested_state()/vmx_set_nested_state(), KVM can't map the evmcs page right away: the evmcs gpa is not in struct kvm_vmx_nested_state_hdr and we can't read it from the VP assist page, because userspace may decide to restore HV_X64_MSR_VP_ASSIST_PAGE after restoring nested state (and QEMU, for example, does exactly that). To make sure eVMCS is mapped, vmx_set_nested_state() raises a KVM_REQ_GET_NESTED_STATE_PAGES request. Commit f2c7ef3ba955 ("KVM: nSVM: cancel KVM_REQ_GET_NESTED_STATE_PAGES on nested vmexit") added KVM_REQ_GET_NESTED_STATE_PAGES clearing to nested_vmx_vmexit() to make sure the MSR permission bitmap is not switched when an immediate exit from L2 to L1 happens right after migration (caused by a pending event, for example). Unfortunately, in the exact same situation we still need to have eVMCS mapped so that nested_sync_vmcs12_to_shadow() reflects changes in VMCS12 to eVMCS. As a band-aid, restore nested_get_evmcs_page() when clearing KVM_REQ_GET_NESTED_STATE_PAGES in nested_vmx_vmexit(). The fix is far from ideal, as we can't easily propagate possible failures, and even if we could, it is most likely already too late to do so. The whole KVM_REQ_GET_NESTED_STATE_PAGES idea for mapping eVMCS after migration seems to be fragile, as we diverge too much from the native path when vmptr loading happens on vmx_set_nested_state().
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/200a45649ab7361bc80c70aebf7165b64f9a6c9f
- https://git.kernel.org/stable/c/bd0e8455b85b651a4c77de9616e307129b15aaa7
- https://git.kernel.org/stable/c/c8bf64e3fb77cc19bad146fbe26651985b117194
- https://git.kernel.org/stable/c/f5c7e8425f18fdb9bdb7d13340651d7876890329
CVE-2021-46979
description
In the Linux kernel, the following vulnerability has been resolved: iio: core: fix ioctl handlers removal. Currently ioctl handlers are removed twice: first during iio_device_unregister(), then later on inside iio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask(). The double free leads to a kernel panic. Fix this by not touching the ioctl handlers list directly, but rather letting the code responsible for registration call the matching cleanup routine itself.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/11e1cae5da4096552f7c091476cbadbc0d1817da
- https://git.kernel.org/stable/c/901f84de0e16bde10a72d7eb2f2eb73fcde8fa1a
- https://git.kernel.org/stable/c/ab6c935ba3a04317632f3b8b68675bdbaf395303
CVE-2021-46980
description
In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Retrieve all the PDOs instead of just the first 4. Commit 4dbc6a4ef06d ("usb: typec: ucsi: save power data objects in PD mode") introduced retrieval of the PDOs when connected to a PD-capable source. But only the first 4 PDOs are received, since that is the maximum number that can be fetched at a time given the MESSAGE_IN length limitation (16 bytes). However, as per the PD spec, a connected source may advertise up to a maximum of 7 PDOs. If such a source is connected, it is possible the PPM could have negotiated a power contract with one of the PDOs at an index greater than 4, which would be reflected in the request data object (RDO) object position field. This results in an out-of-bounds access when rdo_index() is used to index into the src_pdos array in ucsi_psy_get_voltage_now(). With the UBSAN -fsanitize=array-bounds checker enabled, this exact issue is revealed as a kernel BRK exception in ucsi_psy_get_prop() (called from power_supply_show_property / power_supply_uevent) when connecting to a PD source adapter that advertises 5 PDOs and the PPM enters a contract having selected the 5th one. We can resolve this by instead retrieving and storing up to the maximum of 7 PDOs in the con->src_pdos array. This involves two calls to the GET_PDOS command.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/1f4642b72be79757f050924a9b9673b6a02034bc
- https://git.kernel.org/stable/c/5e9c6f58b01e6fdfbc740390c01f542a35c97e57
- https://git.kernel.org/stable/c/a453bfd7ef15fd9d524004d3ca7b05353a302911
- https://git.kernel.org/stable/c/e5366bea0277425e1868ba20eeb27c879d5a6e2d
CVE-2021-46981
description
In the Linux kernel, the following vulnerability has been resolved: nbd: Fix NULL pointer in flush_workqueue. Open /dev/nbdX first: config_refs will be 1 and the pointers in nbd_device are still NULL. Then disconnect /dev/nbdX, and a NULL recv_workq is referenced (a kernel NULL pointer dereference in mutex_lock, called from flush_workqueue in nbd_disconnect_and_put via nbd_genl_disconnect). The protection by config_refs in nbd_genl_disconnect is useless. To fix it, just add if (nbd->recv_workq) to nbd_disconnect_and_put().
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/1c4962df938891af9ab4775f5224ef8601764107
- https://git.kernel.org/stable/c/54b78ba7e96e5fe1edb8054e375d31a6c0dc60dc
- https://git.kernel.org/stable/c/79ebe9110fa458d58f1fceb078e2068d7ad37390
- https://git.kernel.org/stable/c/b31d237796fd618379ec8e0f4de3370b5e4aeee7
- https://git.kernel.org/stable/c/cde4b55cfb24522dcbba80bbdb0c082303e76c43
CVE-2021-46982
description
In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix race condition of overwrite vs truncate pos_fsstress testcase complains a panic as below: ————[ cut here ]———— kernel BUG at fs/f2fs/compress.c:1082! invalid opcode: 0000 [#1] SMP PTI CPU: 4 PID: 2753477 Comm: kworker/u16:2 Tainted: G OE 5.12.0-rc1-custom #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Workqueue: writeback wb_workfn (flush-252:16) RIP: 0010:prepare_compress_overwrite+0x4c0/0x760 [f2fs] Call Trace: f2fs_prepare_compress_overwrite+0x5f/0x80 [f2fs] f2fs_write_cache_pages+0x468/0x8a0 [f2fs] f2fs_write_data_pages+0x2a4/0x2f0 [f2fs] do_writepages+0x38/0xc0 __writeback_single_inode+0x44/0x2a0 writeback_sb_inodes+0x223/0x4d0 __writeback_inodes_wb+0x56/0xf0 wb_writeback+0x1dd/0x290 wb_workfn+0x309/0x500 process_one_work+0x220/0x3c0 worker_thread+0x53/0x420 kthread+0x12f/0x150 ret_from_fork+0x22/0x30 The root cause is truncate() may race with overwrite as below, so that one reference count left in page cannot guarantee the page attaching in mapping tree all the time, after truncation, later find_lock_page() may return NULL pointer. - prepare_compress_overwrite - f2fs_pagecache_get_page - unlock_page - f2fs_setattr - truncate_setsize - truncate_inode_page - delete_from_page_cache - find_lock_page Fix this by avoiding referencing updated page.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/5639b73fd3bc6fc8ca72e3a9ac15aacaabd7ebff
- https://git.kernel.org/stable/c/64acb100fe3beb5d20184d0ae3307235bd3555c4
- https://git.kernel.org/stable/c/936158b15e2648253afb824d252c910c496d34b5
- https://git.kernel.org/stable/c/a949dc5f2c5cfe0c910b664650f45371254c0744
CVE-2021-46983
description
In the Linux kernel, the following vulnerability has been resolved: nvmet-rdma: Fix NULL deref when SEND is completed with error When running some traffic and taking down the link on peer, a retry counter exceeded error is received. This leads to nvmet_rdma_error_comp which tried accessing the cq_context to obtain the queue. The cq_context is no longer valid after the fix to use shared CQ mechanism and should be obtained similar to how it is obtained in other functions from the wc->qp. [ 905.786331] nvmet_rdma: SEND for CQE 0x00000000e3337f90 failed with status transport retry counter exceeded (12). [ 905.832048] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048 [ 905.839919] PGD 0 P4D 0 [ 905.842464] Oops: 0000 [#1] SMP NOPTI [ 905.846144] CPU: 13 PID: 1557 Comm: kworker/13:1H Kdump: loaded Tainted: G OE ——— - - 4.18.0-304.el8.x86_64 #1 [ 905.872135] RIP: 0010:nvmet_rdma_error_comp+0x5/0x1b [nvmet_rdma] [ 905.878259] Code: 19 4f c0 e8 89 b3 a5 f6 e9 5b e0 ff ff 0f b7 75 14 4c 89 ea 48 c7 c7 08 1a 4f c0 e8 71 b3 a5 f6 e9 4b e0 ff ff 0f 1f 44 00 00 <48> 8b 47 48 48 85 c0 74 08 48 89 c7 e9 98 bf 49 00 e9 c3 e3 ff ff [ 905.897135] RSP: 0018:ffffab601c45fe28 EFLAGS: 00010246 [ 905.902387] RAX: 0000000000000065 RBX: ffff9e729ea2f800 RCX: 0000000000000000 [ 905.909558] RDX: 0000000000000000 RSI: ffff9e72df9567c8 RDI: 0000000000000000 [ 905.916731] RBP: ffff9e729ea2b400 R08: 000000000000074d R09: 0000000000000074 [ 905.923903] R10: 0000000000000000 R11: ffffab601c45fcc0 R12: 0000000000000010 [ 905.931074] R13: 0000000000000000 R14: 0000000000000010 R15: ffff9e729ea2f400 [ 905.938247] FS: 0000000000000000(0000) GS:ffff9e72df940000(0000) knlGS:0000000000000000 [ 905.938249] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 905.950067] nvmet_rdma: SEND for CQE 0x00000000c7356cca failed with status transport retry counter exceeded (12). [ 905.961855] CR2: 0000000000000048 CR3: 000000678d010004 CR4: 00000000007706e0 [ 905.961855] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 905.961856] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 905.961857] PKRU: 55555554 [ 906.010315] Call Trace: [ 906.012778] __ib_process_cq+0x89/0x170 [ib_core] [ 906.017509] ib_cq_poll_work+0x26/0x80 [ib_core] [ 906.022152] process_one_work+0x1a7/0x360 [ 906.026182] ? create_worker+0x1a0/0x1a0 [ 906.030123] worker_thread+0x30/0x390 [ 906.033802] ? create_worker+0x1a0/0x1a0 [ 906.037744] kthread+0x116/0x130 [ 906.040988] ? kthread_flush_work_fn+0x10/0x10 [ 906.045456] ret_from_fork+0x1f/0x40
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/17fb6dfa5162b89ecfa07df891a53afec321abe8
- https://git.kernel.org/stable/c/5bdb34466ad8370546dfa0497594fb1d6f2fed90
- https://git.kernel.org/stable/c/64f3410c7bfc389b1a58611d0799f4a36ce4b6b5
- https://git.kernel.org/stable/c/8cc365f9559b86802afc0208389f5c8d46b4ad61
CVE-2021-46984
description
In the Linux kernel, the following vulnerability has been resolved: kyber: fix out of bounds access when preempted __blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and passes the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx for the current CPU again and uses that to get the corresponding Kyber context in the passed hctx. However, the thread may be preempted between the two calls to blk_mq_get_ctx(), and the ctx returned the second time may no longer correspond to the passed hctx. This “works” accidentally most of the time, but it can cause us to read garbage if the second ctx came from an hctx with more ctxs than the first one (i.e., if ctx->index_hw[hctx->type] > hctx->nr_ctx). This manifested as this UBSAN array index out of bounds error reported by Jakub: UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9 index 13106 is out of range for type long unsigned int [128] Call Trace: dump_stack+0xa4/0xe5 ubsan_epilogue+0x5/0x40 __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34 queued_spin_lock_slowpath+0x476/0x480 do_raw_spin_lock+0x1c2/0x1d0 kyber_bio_merge+0x112/0x180 blk_mq_submit_bio+0x1f5/0x1100 submit_bio_noacct+0x7b0/0x870 submit_bio+0xc2/0x3a0 btrfs_map_bio+0x4f0/0x9d0 btrfs_submit_data_bio+0x24e/0x310 submit_one_bio+0x7f/0xb0 submit_extent_page+0xc4/0x440 __extent_writepage_io+0x2b8/0x5e0 __extent_writepage+0x28d/0x6e0 extent_write_cache_pages+0x4d7/0x7a0 extent_writepages+0xa2/0x110 do_writepages+0x8f/0x180 __writeback_single_inode+0x99/0x7f0 writeback_sb_inodes+0x34e/0x790 __writeback_inodes_wb+0x9e/0x120 wb_writeback+0x4d2/0x660 wb_workfn+0x64d/0xa10 process_one_work+0x53a/0xa80 worker_thread+0x69/0x5b0 kthread+0x20b/0x240 ret_from_fork+0x1f/0x30 Only Kyber uses the hctx, so fix it by passing the request_queue to ->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can map the queues itself to avoid the mismatch.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/0b6b4b90b74c27bea968c214d820ba4254b903a5
- https://git.kernel.org/stable/c/2ef3c76540c49167a0bc3d5f80d00fd1fc4586df
- https://git.kernel.org/stable/c/54dbe2d2c1fcabf650c7a8b747601da355cd7f9f
- https://git.kernel.org/stable/c/a287cd84e047045f5a4d4da793414e848de627c6
- https://git.kernel.org/stable/c/efed9a3337e341bd0989161b97453b52567bc59d
CVE-2021-46985
description
In the Linux kernel, the following vulnerability has been resolved: ACPI: scan: Fix a memory leak in an error handling path If acpi_device_set_name() fails, we must free acpi_device_bus_id->bus_id or there is a (potential) memory leak.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 10.64% |
references
- https://git.kernel.org/stable/c/0c8bd174f0fc131bc9dfab35cd8784f59045da87
- https://git.kernel.org/stable/c/5ab9857dde7c3ea3faef6b128d718cf8ba98721b
- https://git.kernel.org/stable/c/6901a4f795e0e8d65ae779cb37fc22e0bf294712
- https://git.kernel.org/stable/c/69cc821e89ce572884548ac54c4f80eec7a837a5
- https://git.kernel.org/stable/c/a7e17a8d421ae23c920240625b4413c7b94d94a4
- https://git.kernel.org/stable/c/c5c8f6ffc942cf42f990f22e35bcf4cbe9d8c2fb
- https://git.kernel.org/stable/c/dafd4c0b5e835db020cff11c74b4af9493a58e72
- https://git.kernel.org/stable/c/e2381174daeae0ca35eddffef02dcc8de8c1ef8a
CVE-2021-46986
description
In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: gadget: Free gadget structure only after freeing endpoints As part of commit e81a7018d93a (“usb: dwc3: allocate gadget structure dynamically”) the dwc3_gadget_release() was added which will free the dwc->gadget structure upon the devices removal when usb_del_gadget_udc() is called in dwc3_gadget_exit(). However, simply freeing the gadget results a dangling pointer situation: the endpoints created in dwc3_gadget_init_endpoints() have their dep->endpoint.ep_list members chained off the list_head anchored at dwc->gadget->ep_list. Thus when dwc->gadget is freed, the first dwc3_ep in the list now has a dangling prev pointer and likewise for the next pointer of the dwc3_ep at the tail of the list. The dwc3_gadget_free_endpoints() that follows will result in a use-after-free when it calls list_del(). This was caught by enabling KASAN and performing a driver unbind. The recent commit 568262bf5492 (“usb: dwc3: core: Add shutdown callback for dwc3”) also exposes this as a panic during shutdown. There are a few possibilities to fix this. One could be to perform a list_del() of the gadget->ep_list itself which removes it from the rest of the dwc3_ep chain. Another approach is what this patch does, by splitting up the usb_del_gadget_udc() call into its separate “del” and “put” components. This allows dwc3_gadget_free_endpoints() to be called before the gadget is finally freed with usb_put_gadget().
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/1ea775021282d90e1d08d696b7ab54aa75d688e5
- https://git.kernel.org/stable/c/b4b8e9601d7ee8806d2687f081a42485d27674a1
- https://git.kernel.org/stable/c/bb9c74a5bd1462499fe5ccb1e3c5ac40dcfa9139
- https://git.kernel.org/stable/c/bc0cdd72493236fb72b390ad38ce581e353c143c
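The ordering problem behind CVE-2021-46986, as an added user-space model rather than the dwc3 driver's own code: endpoints are chained through list_head members onto a list whose head lives inside the gadget structure, so freeing the gadget before the endpoints are unlinked leaves the first endpoint's prev and the last endpoint's next pointing into freed memory, and the list_del() that follows writes through them. The model retires the gadget by recording its address instead of releasing it, so each dangling access is counted rather than executed; the list implementation, the NUM_EPS count and the function names are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal intrusive doubly linked list in the style of <linux/list.h>. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n;  head->prev = n;
}

struct usb_gadget { struct list_head ep_list; };             /* anchor for all endpoints */
struct dwc3_ep    { int num; struct list_head ep_list; };    /* dep->endpoint.ep_list */

#define NUM_EPS 4
struct dwc3 {
    struct usb_gadget *gadget;
    struct dwc3_ep *eps[NUM_EPS];
};

static const struct list_head *freed_anchor; /* gadget->ep_list after the gadget was "freed" */
static int dangling_accesses;

/* list_del() that first checks whether a neighbour lives inside the freed
 * gadget. A real kernel simply writes there: a use-after-free that KASAN
 * reports on driver unbind. */
static void list_del_checked(struct list_head *n)
{
    if (n->prev == freed_anchor || n->next == freed_anchor)
        dangling_accesses++;
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

static void *xcalloc(size_t sz)
{
    void *p = calloc(1, sz);
    if (!p) { perror("calloc"); exit(1); }
    return p;
}

/* dwc3_gadget_init_endpoints(): every endpoint is linked onto gadget->ep_list. */
static void gadget_init(struct dwc3 *dwc)
{
    dwc->gadget = xcalloc(sizeof *dwc->gadget);
    INIT_LIST_HEAD(&dwc->gadget->ep_list);
    for (int i = 0; i < NUM_EPS; i++) {
        dwc->eps[i] = xcalloc(sizeof *dwc->eps[i]);
        dwc->eps[i]->num = i;
        list_add_tail(&dwc->eps[i]->ep_list, &dwc->gadget->ep_list);
    }
}

/* Stand-in for the last usb_put_gadget(): the gadget is retired, not reused. */
static void usb_put_gadget(struct dwc3 *dwc)
{
    freed_anchor = &dwc->gadget->ep_list;
}

/* dwc3_gadget_free_endpoints(): unlink and free each endpoint. */
static void gadget_free_endpoints(struct dwc3 *dwc)
{
    for (int i = 0; i < NUM_EPS; i++) {
        list_del_checked(&dwc->eps[i]->ep_list);
        free(dwc->eps[i]);
        dwc->eps[i] = NULL;
    }
}

/* Tear down in the requested order and report how many list_del() calls
 * touched the freed gadget: 0 for the fixed ordering, NUM_EPS for the broken
 * one (after each deletion the next endpoint's prev is the dead head again). */
int gadget_exit(bool free_gadget_first)
{
    struct dwc3 dwc;
    gadget_init(&dwc);
    dangling_accesses = 0;
    freed_anchor = NULL;
    if (free_gadget_first) {   /* usb_del_gadget_udc() dropped the last reference */
        usb_put_gadget(&dwc);
        gadget_free_endpoints(&dwc);
    } else {                   /* patch: del, free the endpoints, only then put */
        gadget_free_endpoints(&dwc);
        usb_put_gadget(&dwc);
    }
    free(dwc.gadget);          /* release the model's memory for real */
    return dangling_accesses;
}

int main(void)
{
    printf("free gadget first: %d dangling list writes\n", gadget_exit(true));
    printf("free endpoints first: %d dangling list writes\n", gadget_exit(false));
    return 0;
}
```

The commit message's other option, a list_del() of gadget->ep_list itself before the gadget goes away, would leave the endpoints chained among themselves with no pointer into the gadget, and gadget_free_endpoints() would then also count zero; the split into "del" and "put" was chosen because it keeps the existing teardown order intact.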
CVE-2021-46987
description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock when cloning inline extents and using qgroups There are a few exceptional cases where cloning an inline extent needs to copy the inline extent data into a page of the destination inode. When this happens, we end up starting a transaction while having a dirty page for the destination inode and while having the range locked in the destination's inode iotree too. Because when reserving metadata space for a transaction we may need to flush existing delalloc in case there is not enough free space, we have a mechanism in place to prevent a deadlock, which was introduced in commit 3d45f221ce627d (“btrfs: fix deadlock when cloning inline extent and low on free metadata space”). However when using qgroups, a transaction also reserves metadata qgroup space, which can also result in flushing delalloc in case there is not enough available space at the moment. When this happens we deadlock, since flushing delalloc requires locking the file range in the inode's iotree and the range was already locked at the very beginning of the clone operation, before attempting to start the transaction. When this issue happens, stack traces like the following are reported: [72747.556262] task:kworker/u81:9 state:D stack: 0 pid: 225 ppid: 2 flags:0x00004000 [72747.556268] Workqueue: writeback wb_workfn (flush-btrfs-1142) [72747.556271] Call Trace: [72747.556273] __schedule+0x296/0x760 [72747.556277] schedule+0x3c/0xa0 [72747.556279] io_schedule+0x12/0x40 [72747.556284] __lock_page+0x13c/0x280 [72747.556287] ? generic_file_readonly_mmap+0x70/0x70 [72747.556325] extent_write_cache_pages+0x22a/0x440 [btrfs] [72747.556331] ? __set_page_dirty_nobuffers+0xe7/0x160 [72747.556358] ? set_extent_buffer_dirty+0x5e/0x80 [btrfs] [72747.556362] ? update_group_capacity+0x25/0x210 [72747.556366] ? cpumask_next_and+0x1a/0x20 [72747.556391] extent_writepages+0x44/0xa0 [btrfs] [72747.556394] do_writepages+0x41/0xd0 [72747.556398] __writeback_single_inode+0x39/0x2a0 [72747.556403] writeback_sb_inodes+0x1ea/0x440 [72747.556407] __writeback_inodes_wb+0x5f/0xc0 [72747.556410] wb_writeback+0x235/0x2b0 [72747.556414] ? get_nr_inodes+0x35/0x50 [72747.556417] wb_workfn+0x354/0x490 [72747.556420] ? newidle_balance+0x2c5/0x3e0 [72747.556424] process_one_work+0x1aa/0x340 [72747.556426] worker_thread+0x30/0x390 [72747.556429] ? create_worker+0x1a0/0x1a0 [72747.556432] kthread+0x116/0x130 [72747.556435] ? kthread_park+0x80/0x80 [72747.556438] ret_from_fork+0x1f/0x30 [72747.566958] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs] [72747.566961] Call Trace: [72747.566964] __schedule+0x296/0x760 [72747.566968] ? finish_wait+0x80/0x80 [72747.566970] schedule+0x3c/0xa0 [72747.566995] wait_extent_bit.constprop.68+0x13b/0x1c0 [btrfs] [72747.566999] ? finish_wait+0x80/0x80 [72747.567024] lock_extent_bits+0x37/0x90 [btrfs] [72747.567047] btrfs_invalidatepage+0x299/0x2c0 [btrfs] [72747.567051] ? find_get_pages_range_tag+0x2cd/0x380 [72747.567076] __extent_writepage+0x203/0x320 [btrfs] [72747.567102] extent_write_cache_pages+0x2bb/0x440 [btrfs] [72747.567106] ? update_load_avg+0x7e/0x5f0 [72747.567109] ? enqueue_entity+0xf4/0x6f0 [72747.567134] extent_writepages+0x44/0xa0 [btrfs] [72747.567137] ? enqueue_task_fair+0x93/0x6f0 [72747.567140] do_writepages+0x41/0xd0 [72747.567144] __filemap_fdatawrite_range+0xc7/0x100 [72747.567167] btrfs_run_delalloc_work+0x17/0x40 [btrfs] [72747.567195] btrfs_work_helper+0xc2/0x300 [btrfs] [72747.567200] process_one_work+0x1aa/0x340 [72747.567202] worker_thread+0x30/0x390 [72747.567205] ? create_worker+0x1a0/0x1a0 [72747.567208] kthread+0x116/0x130 [72747.567211] ? kthread_park+0x80/0x80 [72747.567214] ret_from_fork+0x1f/0x30 [72747.569686] task:fsstress state:D stack: —truncated—
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/96157707c0420e3d3edfe046f1cc797fee117ade
- https://git.kernel.org/stable/c/d5347827d0b4b2250cbce6eccaa1c81dc78d8651
- https://git.kernel.org/stable/c/f9baa501b4fd6962257853d46ddffbc21f27e344
CVE-2021-46988
description
In the Linux kernel, the following vulnerability has been resolved: userfaultfd: release page in error path to avoid BUG_ON Consider the following sequence of events: 1. Userspace issues a UFFD ioctl, which ends up calling into shmem_mfill_atomic_pte(). We successfully account the blocks, we shmem_alloc_page(), but then the copy_from_user() fails. We return -ENOENT. We don't release the page we allocated. 2. Our caller detects this error code, tries the copy_from_user() after dropping the mmap_lock, and retries, calling back into shmem_mfill_atomic_pte(). 3. Meanwhile, let's say another process filled up the tmpfs being used. 4. So shmem_mfill_atomic_pte() fails to account blocks this time, and immediately returns - without releasing the page. This triggers a BUG_ON in our caller, which asserts that the page should always be consumed, unless -ENOENT is returned. To fix this, detect if we have such a “dangling” page when accounting fails, and if so, release it before returning.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 8.15% |
references
- https://git.kernel.org/stable/c/07c9b834c97d0fa3402fb7f3f3b32df370a6ff1f
- https://git.kernel.org/stable/c/140cfd9980124aecb6c03ef2e69c72d0548744de
- https://git.kernel.org/stable/c/2d59a0ed8b26b8f3638d8afc31f839e27759f1f6
- https://git.kernel.org/stable/c/319116227e52d49eee671f0aa278bac89b3c1b69
- https://git.kernel.org/stable/c/7ed9d238c7dbb1fdb63ad96a6184985151b0171c
- https://git.kernel.org/stable/c/ad53127973034c63b5348715a1043d0e80ceb330
- https://git.kernel.org/stable/c/b3f1731c6d7fbc1ebe3ed8eff6d6bec56d76ff43
CVE-2021-46989
description
In the Linux kernel, the following vulnerability has been resolved: hfsplus: prevent corruption in shrinking truncate I believe there are some issues introduced by commit 31651c607151 (“hfsplus: avoid deadlock on file truncation”) HFS+ has extent records which always contain 8 extents. In case the first extent record in catalog file gets full, new ones are allocated from extents overflow file. In case shrinking truncate happens to middle of an extent record which is located in extents overflow file, the logic in hfsplus_file_truncate() was changed so that call to hfs_brec_remove() is not guarded any more. Right action would be just freeing the extents that exceed the new size inside extent record by calling hfsplus_free_extents(), and then check if the whole extent record should be removed. However since the guard (blk_cnt > start) is now after the call to hfs_brec_remove(), this has unfortunate effect that the last matching extent record is removed unconditionally. To reproduce this issue, create a file which has at least 10 extents, and then perform shrinking truncate into middle of the last extent record, so that the number of remaining extents is not under or divisible by 8. This causes the last extent record (8 extents) to be removed totally instead of truncating into middle of it. Thus this causes corruption, and lost data. Fix for this is simply checking if the new truncated end is below the start of this extent record, making it safe to remove the full extent record. However call to hfs_brec_remove() can't be moved to its previous place since we're dropping ->tree_lock and it can cause a race condition and the cached info being invalidated possibly corrupting the node data. Another issue is related to this one. When entering into the block (blk_cnt > start) we are not holding the ->tree_lock. We break out from the loop not holding the lock, but hfs_find_exit() does unlock it. Not sure if it's possible for someone else to take the lock under our feet, but it can cause hard to debug errors and premature unlocking. Even if there's no real risk of it, the locking should still always be kept in balance. Thus taking the lock now just before the check.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 8.15% |
references
- https://git.kernel.org/stable/c/52dde855663e5db824af51db39b5757d2ef3e28a
- https://git.kernel.org/stable/c/97314e45aa1223a42d60256a62c5d9af54baf446
- https://git.kernel.org/stable/c/adbd8a2a8cc05d9e501f93e5c95c59307874cc99
- https://git.kernel.org/stable/c/c3187cf32216313fb316084efac4dab3a8459b1d
- https://git.kernel.org/stable/c/c451a6bafb5f422197d31536f82116aed132b72c
- https://git.kernel.org/stable/c/c477f62db1a0c0ecaa60a29713006ceeeb04b685
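The reproduction recipe in the CVE-2021-46989 entry, worked through as an added user-space model rather than the hfsplus driver's code: records hold 8 extents, record 0 stands for the catalog record, later records for the extents overflow file, and a shrinking truncate walks records from the end of the file. The only thing that differs between the two variants is whether the overflow record is removed unconditionally (as the broken commit did) or only when the new end is at or before the record's start (as the fix does). The one-block-per-extent layout, the record limit and all function names are this example's assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXTS_PER_RECORD 8
#define MAX_RECORDS     4

struct hfs_extent { uint32_t start_block, block_count; };

struct ext_record {
    bool present;                  /* false once the B-tree record was removed */
    uint32_t file_start;           /* first file block this record covers */
    struct hfs_extent ext[EXTS_PER_RECORD];
};

struct model_file {
    struct ext_record rec[MAX_RECORDS];
    int nrec;
    uint32_t alloc_blocks;         /* blocks the inode believes it owns */
};

/* Constructed layout: `nexts` one-block extents, filling records in order. */
void build_file(struct model_file *f, int nexts)
{
    memset(f, 0, sizeof *f);
    for (int i = 0; i < nexts && i / EXTS_PER_RECORD < MAX_RECORDS; i++) {
        struct ext_record *r = &f->rec[i / EXTS_PER_RECORD];
        if (!r->present) { r->present = true; r->file_start = (uint32_t)i; f->nrec++; }
        r->ext[i % EXTS_PER_RECORD].start_block = 1000u + (uint32_t)i;
        r->ext[i % EXTS_PER_RECORD].block_count = 1;
        f->alloc_blocks++;
    }
}

/* Stand-in for hfsplus_free_extents(): give back `count` blocks from the tail
 * of one record, emptying or shortening extents from the last one backwards. */
static void free_record_tail(struct ext_record *r, uint32_t count)
{
    for (int i = EXTS_PER_RECORD - 1; i >= 0 && count; i--) {
        uint32_t c = r->ext[i].block_count;
        if (c == 0) continue;
        if (c <= count) { r->ext[i].block_count = 0; r->ext[i].start_block = 0; count -= c; }
        else            { r->ext[i].block_count = c - count; count = 0; }
    }
}

/* Shrink the file to `blk_cnt` blocks. guarded == false removes the overflow
 * record before looking at where the new end falls; guarded == true removes
 * it only when the new end is at or before the record's start. */
void shrink_truncate(struct model_file *f, uint32_t blk_cnt, bool guarded)
{
    uint32_t alloc_cnt = f->alloc_blocks;
    if (blk_cnt >= alloc_cnt) return;                 /* not a shrinking truncate */

    while (alloc_cnt > blk_cnt) {
        struct ext_record *r = NULL;                  /* record holding the last block */
        for (int i = f->nrec - 1; i >= 0; i--)
            if (f->rec[i].present && f->rec[i].file_start < alloc_cnt) { r = &f->rec[i]; break; }
        if (!r) break;
        uint32_t start = r->file_start;

        /* The catalog record (rec[0]) is only ever emptied, never removed. */
        if (r != &f->rec[0] && (!guarded || blk_cnt <= start))
            r->present = false;                       /* hfs_brec_remove() */

        free_record_tail(r, alloc_cnt - blk_cnt);     /* frees file blocks [blk_cnt, alloc_cnt) */
        if (blk_cnt > start) break;                   /* new end lies inside this record */
        alloc_cnt = start;
    }
    f->alloc_blocks = blk_cnt;
}

/* Blocks still reachable through a present record; whatever the inode counts
 * in alloc_blocks beyond this is data that can no longer be found. */
uint32_t mapped_blocks(const struct model_file *f)
{
    uint32_t n = 0;
    for (int i = 0; i < f->nrec; i++) {
        if (!f->rec[i].present) continue;
        for (int j = 0; j < EXTS_PER_RECORD; j++) n += f->rec[i].ext[j].block_count;
    }
    return n;
}

/* Blocks lost when a file of `nexts` extents is cut down to `blk_cnt` blocks. */
uint32_t lost_blocks(int nexts, uint32_t blk_cnt, bool guarded)
{
    struct model_file f;
    build_file(&f, nexts);
    shrink_truncate(&f, blk_cnt, guarded);
    return f.alloc_blocks - mapped_blocks(&f);
}

int main(void)
{
    printf("10 extents -> 9 blocks: unguarded loses %u, guarded loses %u\n",
           lost_blocks(10, 9, false), lost_blocks(10, 9, true));
    printf("20 extents -> 13 blocks: unguarded loses %u, guarded loses %u\n",
           lost_blocks(20, 13, false), lost_blocks(20, 13, true));
    return 0;
}
```

Truncating exactly to a record boundary (10 extents down to 8 blocks) loses nothing in either variant, which is why the bug only shows when the remaining extent count is not a multiple of 8, as the commit message says.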
CVE-2021-46990
description
In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix crashes when toggling entry flush barrier The entry flush mitigation can be enabled/disabled at runtime via a debugfs file (entry_flush), which causes the kernel to patch itself to enable/disable the relevant mitigations. However depending on which mitigation we're using, it may not be safe to do that patching while other CPUs are active. For example the following crash: sleeper[15639]: segfault (11) at c000000000004c20 nip c000000000004c20 lr c000000000004c20 Shows that we returned to userspace with a corrupted LR that points into the kernel, due to executing the partially patched call to the fallback entry flush (ie. we missed the LR restore). Fix it by doing the patching under stop machine. The CPUs that aren't doing the patching will be spinning in the core of the stop machine logic. That is currently sufficient for our purposes, because none of the patching we do is to that code or anywhere in the vicinity.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 10.64% |
references
- https://git.kernel.org/stable/c/0b4eb172cc12dc102cd0ad013e53ee4463db9508
- https://git.kernel.org/stable/c/0c25a7bb697f2e6ee65b6d63782f675bf129511a
- https://git.kernel.org/stable/c/2db22ba4e0e103f00e0512e0ecce36ac78c644f8
- https://git.kernel.org/stable/c/5bc00fdda1e934c557351a9c751a205293e68cbf
- https://git.kernel.org/stable/c/8382b15864e5014261b4f36c2aa89723612ee058
- https://git.kernel.org/stable/c/aec86b052df6541cc97c5fca44e5934cbea4963b
- https://git.kernel.org/stable/c/d2e3590ca39ccfd8a5a46d8c7f095cb6c7b9ae92
- https://git.kernel.org/stable/c/dd0d6117052faace5440db20fc37175efe921c7d
- https://git.kernel.org/stable/c/ee4b7aab93c2631c3bb0753023c5dda592bb666b
CVE-2021-46991
description
In the Linux kernel, the following vulnerability has been resolved: i40e: Fix use-after-free in i40e_client_subtask() Currently the call to i40e_client_del_instance frees the object pf->cinst, however pf->cinst->lan_info is being accessed after the free. Fix this by adding the missing return. Addresses-Coverity: (“Read from pointer after free”)
cvss | epss | percentile |
---|---|---|
None | 0.04% | 8.15% |
references
- https://git.kernel.org/stable/c/1fd5d262e7442192ac7611ff1597a36c5b044323
- https://git.kernel.org/stable/c/38318f23a7ef86a8b1862e5e8078c4de121960c3
- https://git.kernel.org/stable/c/4ebc10aa7cd17fd9857dedac69600465c9dd16d1
- https://git.kernel.org/stable/c/829a713450b8fb127cbabfc1244c1d8179ec5107
- https://git.kernel.org/stable/c/c1322eaeb8af0d8985b5cc5fa759140fa0e57b84
- https://git.kernel.org/stable/c/d718c15a2bf9ae082d5ae4d177fb19ef23cb4132
CVE-2021-46992
description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: avoid overflows in nft_hash_buckets() Number of buckets being stored in 32bit variables, we have to ensure that no overflows occur in nft_hash_buckets() syzbot injected a size == 0x40000000 and reported: UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 shift exponent 64 is too large for 64-bit type long unsigned int CPU: 1 PID: 29539 Comm: syz-executor.4 Not tainted 5.12.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327 __roundup_pow_of_two include/linux/log2.h:57 [inline] nft_hash_buckets net/netfilter/nft_set_hash.c:411 [inline] nft_hash_estimate.cold+0x19/0x1e net/netfilter/nft_set_hash.c:652 nft_select_set_ops net/netfilter/nf_tables_api.c:3586 [inline] nf_tables_newset+0xe62/0x3110 net/netfilter/nf_tables_api.c:4322 nfnetlink_rcv_batch+0xa09/0x24b0 net/netfilter/nfnetlink.c:488 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:612 [inline] nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:630 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
cvss | epss | percentile |
---|---|---|
None | 0.04% | 8.15% |
references
- https://git.kernel.org/stable/c/1e8ab479cfbe5751efccedb95afb9b112a5ba475
- https://git.kernel.org/stable/c/2824cafc6a93792d9ad85939c499161214d84c4b
- https://git.kernel.org/stable/c/72b49dd116ca00a46a11d5a4d8d7987f05ed9cd7
- https://git.kernel.org/stable/c/a388d10961ff8578b1a6691945d406c0f33aa71b
- https://git.kernel.org/stable/c/a54754ec9891830ba548e2010c889e3c8146e449
- https://git.kernel.org/stable/c/c77e2ef18167ad334e27610ced9a7f6af5ec1787
- https://git.kernel.org/stable/c/efcd730ddd6f25578bd31bfe703e593e2421d708
CVE-2021-46993
description
In the Linux kernel, the following vulnerability has been resolved: sched: Fix out-of-bound access in uclamp Util-clamp places tasks in different buckets based on their clamp values for performance reasons. However, the size of buckets is currently computed using a rounding division, which can lead to an off-by-one error in some configurations. For instance, with 20 buckets, the bucket size will be 1024/20=51. A task with a clamp of 1024 will be mapped to bucket id 1024/51=20. Sadly, correct indexes are in range [0,19], hence leading to an out of bound memory access. Clamp the bucket id to fix the issue.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/3da3f804b82a0a382d523a21acf4cf3bb35f936d
- https://git.kernel.org/stable/c/42ee47c7e3569d9a0e2cb5053c496d97d380472f
- https://git.kernel.org/stable/c/687f523c134b7f0bd040ee1230f6d17990d54172
- https://git.kernel.org/stable/c/6d2f8909a5fabb73fe2a63918117943986c39b6c
- https://git.kernel.org/stable/c/f7347c85490b92dd144fa1fba9e1eca501656ab3
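A model of the bucket mapping described for CVE-2021-46993 above, added here and not taken from the kernel: the bucket width is the rounded division 1024 / nr_buckets, and without a cap a clamp value of 1024 can land on index nr_buckets, one past the array. `config_overflows()` goes beyond the single 20-bucket case in the text and sweeps every legal clamp value for a given bucket count, so the run reports which counts in 5..20 the uncapped formula breaks. `div_round_closest` stands in for the kernel's DIV_ROUND_CLOSEST; the function names are this example's.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define SCHED_CAPACITY_SCALE 1024u   /* utilisation clamps range over [0, 1024] */

/* Model of DIV_ROUND_CLOSEST() for unsigned operands. */
static unsigned int div_round_closest(unsigned int x, unsigned int d)
{
    return (x + d / 2) / d;
}

/* Pre-fix mapping: plain division, so the index can equal nr_buckets. */
static unsigned int bucket_id_unclamped(unsigned int clamp_value,
                                        unsigned int nr_buckets)
{
    unsigned int delta = div_round_closest(SCHED_CAPACITY_SCALE, nr_buckets);
    return clamp_value / delta;
}

/* Fixed mapping: same division, capped to the last valid index. */
static unsigned int bucket_id_clamped(unsigned int clamp_value,
                                      unsigned int nr_buckets)
{
    unsigned int id = bucket_id_unclamped(clamp_value, nr_buckets);
    return id < nr_buckets - 1 ? id : nr_buckets - 1;
}

/* Does any legal clamp value escape a nr_buckets-sized array? */
static bool config_overflows(unsigned int nr_buckets)
{
    for (unsigned int v = 0; v <= SCHED_CAPACITY_SCALE; v++)
        if (bucket_id_unclamped(v, nr_buckets) >= nr_buckets)
            return true;
    return false;
}

int main(void)
{
    for (unsigned int n = 5; n <= 20; n++)
        if (config_overflows(n))
            printf("%u buckets: clamp 1024 -> id %u (valid max %u)\n", n,
                   bucket_id_unclamped(1024, n), n - 1);
    return 0;
}
```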
CVE-2021-46994
description
In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix resume from sleep before interface was brought up Since 8ce8c0abcba3 the driver queues work via priv->restart_work when resuming after suspend, even when the interface was not previously enabled. This causes a null dereference error as the workqueue is only allocated and initialized in mcp251x_open(). To fix this we move the workqueue init to mcp251x_can_probe() as there is no reason to do it later and repeat it whenever mcp251x_open() is called. [mkl: fix error handling in mcp251x_stop()]
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/03c427147b2d3e503af258711af4fc792b89b0af
- https://git.kernel.org/stable/c/6f8f1c27b577de15f69fefce3c502bb6300d825c
- https://git.kernel.org/stable/c/e1e10a390fd9479209c4d834d916ca5e6d5d396b
- https://git.kernel.org/stable/c/eecb4df8ec9f896b19ee05bfa632ac6c1dcd8f21
CVE-2021-46995
description
In the Linux kernel, the following vulnerability has been resolved: can: mcp251xfd: mcp251xfd_probe(): fix an error pointer dereference in probe When we converted this code to use dev_err_probe() we accidentally removed a return. It means that if devm_clk_get() fails it will lead to an Oops when we call clk_get_rate() on the next line.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
- https://git.kernel.org/stable/c/15f8f96ec7fc35024d4e03296e4d838fcea33d83
- https://git.kernel.org/stable/c/4cc7faa406975b460aa674606291dea197c1210c
CVE-2021-46996
description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: Fix a memleak from userdata error path in new objects Release object name if userdata allocation fails.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/2c784a500f5edd337258b0fdb2f31bc9abde1a23
- https://git.kernel.org/stable/c/59fa98bfa1f4013d658d990cac88c87b46ff410c
- https://git.kernel.org/stable/c/85dfd816fabfc16e71786eda0a33a7046688b5b0
- https://git.kernel.org/stable/c/dd3bebf515f336214a91994348a2b86b9a1d3d7f
CVE-2021-46997
description
In the Linux kernel, the following vulnerability has been resolved: arm64: entry: always set GIC_PRIO_PSR_I_SET during entry Zenghui reports that booting a kernel with "irqchip.gicv3_pseudo_nmi=1" on the command line hits a warning during kernel entry, due to the way we manipulate the PMR. Early in the entry sequence, we call lockdep_hardirqs_off() to inform lockdep that interrupts have been masked (as the HW sets DAIF when entering an exception). Architecturally PMR_EL1 is not affected by exception entry, and we don't set GIC_PRIO_PSR_I_SET in the PMR early in the exception entry sequence, so early in exception entry the PMR can indicate that interrupts are unmasked even though they are masked by DAIF. If DEBUG_LOCKDEP is selected, lockdep_hardirqs_off() will check that interrupts are masked, before we set GIC_PRIO_PSR_I_SET in any of the exception entry paths, and hence lockdep_hardirqs_off() will WARN() that something is amiss. We can avoid this by consistently setting GIC_PRIO_PSR_I_SET during exception entry so that kernel code sees a consistent environment. We must also update local_daif_inherit() to undo this, as it currently only touches DAIF. For other paths, local_daif_restore() will update both DAIF and the PMR. With this done, we can remove the existing special cases which set this later in the entry code. We always use (GIC_PRIO_IRQON | GIC_PRIO_PSR_I_SET) for consistency with local_daif_save(), as this will warn if it ever encounters (GIC_PRIO_IRQOFF | GIC_PRIO_PSR_I_SET), and never sets this itself. This matches the gic_prio_kentry_setup that we have to retain for ret_to_user. The original splat from Zenghui's report was: | DEBUG_LOCKS_WARN_ON(!irqs_disabled()) | WARNING: CPU: 3 PID: 125 at kernel/locking/lockdep.c:4258 lockdep_hardirqs_off+0xd4/0xe8 | Modules linked in: | CPU: 3 PID: 125 Comm: modprobe Tainted: G W 5.12.0-rc8+ #463 | Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 | pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO BTYPE=--) | pc : lockdep_hardirqs_off+0xd4/0xe8 | lr : lockdep_hardirqs_off+0xd4/0xe8 | sp : ffff80002a39bad0 | pmr_save: 000000e0 | x29: ffff80002a39bad0 x28: ffff0000de214bc0 | x27: ffff0000de1c0400 x26: 000000000049b328 | x25: 0000000000406f30 x24: ffff0000de1c00a0 | x23: 0000000020400005 x22: ffff8000105f747c | x21: 0000000096000044 x20: 0000000000498ef9 | x19: ffff80002a39bc88 x18: ffffffffffffffff | x17: 0000000000000000 x16: ffff800011c61eb0 | x15: ffff800011700a88 x14: 0720072007200720 | x13: 0720072007200720 x12: 0720072007200720 | x11: 0720072007200720 x10: 0720072007200720 | x9 : ffff80002a39bad0 x8 : ffff80002a39bad0 | x7 : ffff8000119f0800 x6 : c0000000ffff7fff | x5 : ffff8000119f07a8 x4 : 0000000000000001 | x3 : 9bcdab23f2432800 x2 : ffff800011730538 | x1 : 9bcdab23f2432800 x0 : 0000000000000000 | Call trace: | lockdep_hardirqs_off+0xd4/0xe8 | enter_from_kernel_mode.isra.5+0x7c/0xa8 | el1_abort+0x24/0x100 | el1_sync_handler+0x80/0xd0 | el1_sync+0x6c/0x100 | __arch_clear_user+0xc/0x90 | load_elf_binary+0x9fc/0x1450 | bprm_execve+0x404/0x880 | kernel_execve+0x180/0x188 | call_usermodehelper_exec_async+0xdc/0x158 | ret_from_fork+0x10/0x18
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/4d6a38da8e79e94cbd1344aa90876f0f805db705
- https://git.kernel.org/stable/c/51524fa8b5f7b879ba569227738375d283b79382
- https://git.kernel.org/stable/c/d8d52005f57bbb4a4ec02f647e2555d327135c68
- https://git.kernel.org/stable/c/e67a83f078005461b59b4c776e6b5addd11725fa
CVE-2021-46998
description
In the Linux kernel, the following vulnerability has been resolved: ethernet:enic: Fix a use after free bug in enic_hard_start_xmit In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside enic_queue_wq_skb, if some error happens, the skb will be freed by dev_kfree_skb(skb). But the freed skb is still used in skb_tx_timestamp(skb). My patch makes enic_queue_wq_skb() return error and goto spin_unlock() in case of error. The solution is provided by Govind. See https://lkml.org/lkml/2021/4/30/961.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 8.15% |
references
- https://git.kernel.org/stable/c/25a87b1f566b5eb2af2857a928f0e2310d900976
- https://git.kernel.org/stable/c/643001b47adc844ae33510c4bb93c236667008a3
- https://git.kernel.org/stable/c/6892396ebf04ea2c021d80e10f4075e014cd7cc3
- https://git.kernel.org/stable/c/7afdd6aba95c8a526038e7abe283eeac3e4320f1
- https://git.kernel.org/stable/c/d90529392aaf498dafa95d212295d64b2cea4e24
- https://git.kernel.org/stable/c/f7f6f07774091a6ddd98500b85386c3c6afb30d3
CVE-2021-46999
description
In the Linux kernel, the following vulnerability has been resolved: sctp: do asoc update earlier in sctp_sf_do_dupcook_a There's a panic that occurs in a few of envs, the call trace is as below: [] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp] [] sctp_assoc_control_transport+0x1b9/0x210 [sctp] [] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp] [] sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp] [] sctp_do_sm+0xc3/0x2a0 [sctp] [] sctp_generate_timeout_event+0x81/0xf0 [sctp] This is caused by a transport use-after-free issue. When processing a duplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK and SHUTDOWN chunks are allocated with the transport from the new asoc. However, later in the sideeffect machine, the old asoc is used to send them out and the old asoc's shutdown_last_sent_to is set to the transport that the SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually belongs to the new asoc. After the new_asoc is freed and the old asoc T2 timeout, the old asoc's shutdown_last_sent_to that is already freed would be accessed in sctp_sf_t2_timer_expire(). Thanks Alexander and Jere for helping dig into this issue. To fix it, this patch is to do the asoc update first, then allocate the COOKIE-ACK and SHUTDOWN chunks with the updated old asoc. This would make more sense, as a chunk from an asoc shouldn't be sent out with another asoc. We had fixed quite a few issues caused by this.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 8.15% |
references
- https://git.kernel.org/stable/c/0bfd913c2121b3d553bfd52810fe6061d542d625
- https://git.kernel.org/stable/c/35b4f24415c854cd718ccdf38dbea6297f010aae
- https://git.kernel.org/stable/c/61b877bad9bb0d82b7d8841be50872557090a704
- https://git.kernel.org/stable/c/b1b31948c0af44628e43353828453461bb74098f
- https://git.kernel.org/stable/c/d624f2991b977821375fbd56c91b0c91d456a697
- https://git.kernel.org/stable/c/f01988ecf3654f805282dce2d3bb9afe68d2691e
CVE-2021-47000
description
In the Linux kernel, the following vulnerability has been resolved: ceph: fix inode leak on getattr error in __fh_to_dentry
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/0a219432127d396120fc88cabd82785e0ff72a2f
- https://git.kernel.org/stable/c/1775c7ddacfcea29051c67409087578f8f4d751b
- https://git.kernel.org/stable/c/22fa4c8288f1ec40f6d62d7a32c57ac176f9f0bc
- https://git.kernel.org/stable/c/2ad8af2b70e986284050213230428b823b950a38
- https://git.kernel.org/stable/c/bf45c9fe99aa8003d2703f1bd353f956dea47e40
CVE-2021-47001
description
In the Linux kernel, the following vulnerability has been resolved: xprtrdma: Fix cwnd update ordering After a reconnect, the reply handler is opening the cwnd (and thus enabling more RPC Calls to be sent) /before/ rpcrdma_post_recvs() can post enough Receive WRs to receive their replies. This causes an RNR and the new connection is lost immediately. The race is most clearly exposed when KASAN and disconnect injection are enabled. This slows down rpcrdma_rep_create() enough to allow the send side to post a bunch of RPC Calls before the Receive completion handler can invoke ib_post_recv().
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/19b5fa9489b5706bc878c3a522a7f771079e2fa0
- https://git.kernel.org/stable/c/35d8b10a25884050bb3b0149b62c3818ec59f77c
- https://git.kernel.org/stable/c/8834ecb5df22b7ff3c9b0deba7726579bb613f95
- https://git.kernel.org/stable/c/eddae8be7944096419c2ae29477a45f767d0fcd4
CVE-2021-47002
description
In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix null pointer dereference in svc_rqst_free() When alloc_pages_node() returns null in svc_rqst_alloc(), the null rq_scratch_page pointer will be dereferenced when calling put_page() in svc_rqst_free(). Fix it by adding a null check. Addresses-Coverity: (“Dereference after null check”)
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/1e10f58f1c9a6b667b045513c7a4e6111c24fe7c
- https://git.kernel.org/stable/c/b9f83ffaa0c096b4c832a43964fe6bff3acffe10
- https://git.kernel.org/stable/c/c664aaec9aee544538a78ba4893a44bc73a6d742
CVE-2021-47003
description
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix potential null dereference on pointer status There are calls to idxd_cmd_exec that pass a null status pointer however a recent commit has added an assignment to *status that can end up with a null pointer dereference. The function expects a null status pointer sometimes as there is a later assignment to *status where status is first null checked. Fix the issue by null checking status before making the assignment. Addresses-Coverity: (“Explicit null dereferenced”)
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/2280b4cc29d8cdd2be3d1b2d1ea4f958e2131c97
- https://git.kernel.org/stable/c/28ac8e03c43dfc6a703aa420d18222540b801120
- https://git.kernel.org/stable/c/5756f757c72501ef1a16f5f63f940623044180e9
- https://git.kernel.org/stable/c/7bc402f843e7817a4a808e7b9ab0bcd7ffd55bfa
CVE-2021-47004
description
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid touching checkpointed data in get_victim() In CP disabling mode, there are two issues when using LFS or SSR | AT_SSR mode to select victim: 1. LFS is set to find source section during GC, the victim should have no checkpointed data, since after GC, section could not be set free for reuse. Previously, we only check valid chpt blocks in current segment rather than section, fix it. 2. SSR | AT_SSR are set to find target segment for writes which can be fully filled by checkpointed and newly written blocks, we should never select such segment, otherwise it can cause panic or data corruption during allocation, potential case is described as below: a) target segment has n (n < 512) ckpt valid blocks b) GC migrates n valid blocks to other segment (segment is still in dirty list) c) GC migrates 512 - n blocks to target segment (segment has n cp_vblocks and 512 - n vblocks) d) If GC selects target segment via {AT,}SSR allocator, however there is no free space in target segment.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/105155a8146ddb54c119d8318964eef3859d109d
- https://git.kernel.org/stable/c/1e116f87825f01a6380286472196882746b16f63
- https://git.kernel.org/stable/c/211372b2571520e394b56b431a0705586013b3ff
- https://git.kernel.org/stable/c/61461fc921b756ae16e64243f72af2bfc2e620db
CVE-2021-47005
description
In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix NULL pointer dereference for ->get_features() get_features ops of pci_epc_ops may return NULL, causing NULL pointer dereference in pci_epf_test_alloc_space function. Let us add a check for pci_epc_feature pointer in pci_epf_test_bind before we access it to avoid any such NULL pointer dereference and return -ENOTSUPP in case pci_epc_feature is not found. When the patch is not applied and EPC features is not implemented in the platform driver, we see the following dump due to kernel NULL pointer dereference. Call trace: pci_epf_test_bind+0xf4/0x388 pci_epf_bind+0x3c/0x80 pci_epc_epf_link+0xa8/0xcc configfs_symlink+0x1a4/0x48c vfs_symlink+0x104/0x184 do_symlinkat+0x80/0xd4 __arm64_sys_symlinkat+0x1c/0x24 el0_svc_common.constprop.3+0xb8/0x170 el0_svc_handler+0x70/0x88 el0_svc+0x8/0x640 Code: d2800581 b9403ab9 f9404ebb 8b394f60 (f9400400) ---[ end trace a438e3c5a24f9df0 ]---
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/0169d4f0bee44fdfef908c13ed21fcb326c38695
- https://git.kernel.org/stable/c/6613bc2301ba291a1c5a90e1dc24cf3edf223c03
- https://git.kernel.org/stable/c/679ebad058b8168f10e63876d63b0877fd2fe784
- https://git.kernel.org/stable/c/bbed83d7060e07a5d309104d25a00f0a24441428
CVE-2021-47006
description
In the Linux kernel, the following vulnerability has been resolved: ARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook The commit 1879445dfa7b ("perf/core: Set event's default ::overflow_handler()") set a default event->overflow_handler in perf_event_alloc(), and replace the check event->overflow_handler with is_default_overflow_handler(), but one is missing. Currently, the bp->overflow_handler can not be NULL. As a result, enable_single_step() is always not invoked. Comments from Zhen Lei: https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/
cvss | epss | percentile |
---|---|---|
None | 0.04% | 10.64% |
references
- https://git.kernel.org/stable/c/3ed8832aeaa9a37b0fc386bb72ff604352567c80
- https://git.kernel.org/stable/c/555a70f7fff03bd669123487905c47ae27dbdaac
- https://git.kernel.org/stable/c/630146203108bf6b8934eec0dfdb3e46dcb917de
- https://git.kernel.org/stable/c/7eeacc6728c5478e3c01bc82a1f08958eaa12366
- https://git.kernel.org/stable/c/a506bd5756290821a4314f502b4bafc2afcf5260
- https://git.kernel.org/stable/c/a9938d6d78a238d6ab8de57a4d3dcf77adceb9bb
- https://git.kernel.org/stable/c/dabe299425b1a53a69461fed7ac8922ea6733a25
- https://git.kernel.org/stable/c/ed1f67465327cec4457bb988775245b199da86e6
CVE-2021-47007
description
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix panic during f2fs_resize_fs() f2fs_resize_fs() hangs in below callstack with testcase: - mkfs 16GB image & mount image - dd 8GB fileA - dd 8GB fileB - sync - rm fileA - sync - resize filesystem to 8GB kernel BUG at segment.c:2484! Call Trace: allocate_segment_by_default+0x92/0xf0 [f2fs] f2fs_allocate_data_block+0x44b/0x7e0 [f2fs] do_write_page+0x5a/0x110 [f2fs] f2fs_outplace_write_data+0x55/0x100 [f2fs] f2fs_do_write_data_page+0x392/0x850 [f2fs] move_data_page+0x233/0x320 [f2fs] do_garbage_collect+0x14d9/0x1660 [f2fs] free_segment_range+0x1f7/0x310 [f2fs] f2fs_resize_fs+0x118/0x330 [f2fs] __f2fs_ioctl+0x487/0x3680 [f2fs] __x64_sys_ioctl+0x8e/0xd0 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The root cause is we forgot to check that whether we have enough space in resized filesystem to store all valid blocks in before-resizing filesystem, then allocator will run out-of-space during block migration in free_segment_range().
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/1c20a4896409f5ca1c770e1880c33d0a28a8b10f
- https://git.kernel.org/stable/c/3ab0598e6d860ef49d029943ba80f627c15c15d6
- https://git.kernel.org/stable/c/822054e5026c43b1dd60cf387dd999e95ee2ecc2
- https://git.kernel.org/stable/c/860afd680d9cc1dabd61cda3cd246f60aa1eb705
CVE-2021-47008
description
In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Make sure GHCB is mapped before updating Access to the GHCB is mainly in the VMGEXIT path and it is known that the GHCB will be mapped. But there are two paths where it is possible the GHCB might not be mapped. The sev_vcpu_deliver_sipi_vector() routine will update the GHCB to inform the caller of the AP Reset Hold NAE event that a SIPI has been delivered. However, if a SIPI is performed without a corresponding AP Reset Hold, then the GHCB might not be mapped (depending on the previous VMEXIT), which will result in a NULL pointer dereference. The svm_complete_emulated_msr() routine will update the GHCB to inform the caller of a RDMSR/WRMSR operation about any errors. While it is likely that the GHCB will be mapped in this situation, add a safe guard in this path to be certain a NULL pointer dereference is not encountered.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/a3ba26ecfb569f4aa3f867e80c02aa65f20aadad
- https://git.kernel.org/stable/c/fb9e14f4f8217a0980f8da2c8ff70dee058cbe47
- https://git.kernel.org/stable/c/fd722a57fe0b80133dacae4e1c852ee4212f9b2e
CVE-2021-47009
description
In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix memory leak on object td Two error return paths are neglecting to free allocated object td, causing a memory leak. Fix this by returning via the error return path that securely kfrees td. Fixes clang scan-build warning: security/keys/trusted-keys/trusted_tpm1.c:496:10: warning: Potential memory leak [unix.Malloc]
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/1c4031014106aff48e1e686e40101c31eab5d44c
- https://git.kernel.org/stable/c/31c9a4b24d86cbb36ff0d7a085725a3b4f0138c8
- https://git.kernel.org/stable/c/3e24fbd37e72e8a67b74991970fecc82d14f57af
- https://git.kernel.org/stable/c/83a775d5f9bfda95b1c295f95a3a041a40c7f321
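CVE-2021-46996 and CVE-2021-47009 above are the same shape of bug: a function acquires two resources in sequence, and the error path for the second one returns without releasing the first (the inode reference in CVE-2021-47000 is the same pattern with a refcount instead of an allocation). The following added example is not kernel code; it reproduces the leak and the labelled-unwind fix in userspace, with allocation failure injected so that the error path actually executes. `xalloc`/`xfree`, `struct obj` and the two counters are constructed for the illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

static int live_allocs;       /* outstanding allocations; 0 means no leak */
static int fail_after;        /* fail the Nth allocation; 0 = never fail */

/* Counting allocator with fault injection so error paths can be exercised. */
static void *xalloc(size_t n)
{
    if (fail_after && --fail_after == 0)
        return NULL;
    void *p = malloc(n);
    if (p)
        live_allocs++;
    return p;
}

static void xfree(void *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

struct obj {
    char *name;               /* first resource (object name) */
    void *udata;              /* second resource (userdata) */
};

/* Buggy shape: when udata allocation fails, name is never released. */
static int obj_init_leaky(struct obj *o, const char *name, size_t ulen)
{
    o->name = xalloc(strlen(name) + 1);
    if (!o->name)
        return -1;
    strcpy(o->name, name);

    o->udata = ulen ? xalloc(ulen) : NULL;
    if (ulen && !o->udata)
        return -1;            /* BUG: o->name leaks here */
    return 0;
}

/* Fixed shape: unwind in reverse acquisition order via a labelled exit. */
static int obj_init_fixed(struct obj *o, const char *name, size_t ulen)
{
    o->name = xalloc(strlen(name) + 1);
    if (!o->name)
        return -1;
    strcpy(o->name, name);

    o->udata = ulen ? xalloc(ulen) : NULL;
    if (ulen && !o->udata)
        goto err_free_name;
    return 0;

err_free_name:
    xfree(o->name);
    o->name = NULL;
    return -1;
}

static void obj_release(struct obj *o)
{
    xfree(o->udata);
    xfree(o->name);
    o->udata = o->name = NULL;
}

/* Run an init routine with the 2nd allocation failing; return leaked count. */
static int leak_count(int (*init)(struct obj *, const char *, size_t))
{
    struct obj o = { 0 };
    live_allocs = 0;
    fail_after = 2;           /* name succeeds, udata fails */
    if (init(&o, "set-x", 16) == 0)
        obj_release(&o);      /* not reached with the injected failure */
    fail_after = 0;
    return live_allocs;
}

int main(void)
{
    printf("leaky init leaves %d allocation(s)\n", leak_count(obj_init_leaky));
    printf("fixed init leaves %d allocation(s)\n", leak_count(obj_init_fixed));
    return 0;
}
```

Injecting the failure is the point: the leaking branch is never taken under normal memory pressure, which is why bugs of this class survive until a static analyser (the clang scan-build warning cited for CVE-2021-47009) or a fault-injection run flags them.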
CVE-2021-47010
description
In the Linux kernel, the following vulnerability has been resolved: net: Only allow init netns to set default tcp cong to a restricted algo tcp_set_default_congestion_control() is netns-safe in that it writes to &net->ipv4.tcp_congestion_control, but it also sets ca->flags |= TCP_CONG_NON_RESTRICTED which is not namespaced. This has the unintended side-effect of changing the global net.ipv4.tcp_allowed_congestion_control sysctl, despite the fact that it is read-only: 97684f0970f6 (“net: Make tcp_allowed_congestion_control readonly in non-init netns”) Resolve this netns “leak” by only allowing the init netns to set the default algorithm to one that is restricted. This restriction could be removed if tcp_allowed_congestion_control were namespace-ified in the future. This bug was uncovered with https://github.com/JonathonReinhart/linux-netns-sysctl-verify
cvss | epss | percentile |
---|---|---|
None | 0.04% | 8.15% |
references
- https://git.kernel.org/stable/c/6c1ea8bee75df8fe2184a50fcd0f70bf82986f42
- https://git.kernel.org/stable/c/8d432592f30fcc34ef5a10aac4887b4897884493
- https://git.kernel.org/stable/c/9884f745108f7d25b189bbcd6754e284fb29ab68
- https://git.kernel.org/stable/c/992de06308d9a9584d59b96d294ac676f924e437
- https://git.kernel.org/stable/c/e7d7bedd507bb732e600403b7a96f9fe48d0ca31
- https://git.kernel.org/stable/c/efe1532a6e1a8e3c343d04fff510f0ed80328f9c
CVE-2021-47011
description
In the Linux kernel, the following vulnerability has been resolved: mm: memcontrol: slab: fix obtaining a reference to a freeing memcg

Patch series “Use obj_cgroup APIs to charge kmem pages”, v5.

Since Roman's series “The new cgroup slab memory controller” was applied, all slab objects are charged with the new APIs of obj_cgroup. The new APIs introduce a struct obj_cgroup to charge slab objects. It prevents long-living objects from pinning the original memory cgroup in the memory. But there are still some corner objects (e.g. allocations larger than an order-1 page on SLUB) which are not charged with the new APIs. Those objects (including the pages which are allocated from the buddy allocator directly) are charged as kmem pages which still hold a reference to the memory cgroup.

E.g. we know that the kernel stack is charged as kmem pages because the size of the kernel stack can be greater than 2 pages (e.g. 16KB on x86_64 or arm64). If we create a thread (suppose the thread stack is charged to memory cgroup A) and then move it from memory cgroup A to memory cgroup B, the kernel stack of the thread still holds a reference to memory cgroup A, so the thread can pin memory cgroup A in the memory even if we remove cgroup A. Using the following script we can see this scenario: the system has added 500 dying cgroups (this is not a real-world issue, just a script to show that the large kmallocs are charged as kmem pages which can pin the memory cgroup in the memory).

```bash
#!/bin/bash

cat /proc/cgroups | grep memory

cd /sys/fs/cgroup/memory
echo 1 > memory.move_charge_at_immigrate

for i in range{1..500}
do
        mkdir kmem_test
        echo $$ > kmem_test/cgroup.procs
        sleep 3600 &
        echo $$ > cgroup.procs
        echo `cat kmem_test/cgroup.procs` > cgroup.procs
        rmdir kmem_test
done

cat /proc/cgroups | grep memory
```

This patchset aims to make those kmem pages drop the reference to the memory cgroup by using the APIs of obj_cgroup. Finally, we can see that the number of dying cgroups will not increase if we run the above test script.

This patch (of 7):

The rcu_read_lock/unlock can only guarantee that the memcg will not be freed, but it cannot guarantee the success of css_get (which is in refill_stock when the cached memcg changed) on the memcg.

```
rcu_read_lock()
memcg = obj_cgroup_memcg(old)
__memcg_kmem_uncharge(memcg)
    refill_stock(memcg)
        if (stock->cached != memcg)
            // css_get can change the ref counter from 0 back to 1.
            css_get(&memcg->css)
rcu_read_unlock()
```

This fix is very like the commit eefbfa7fd678 (“mm: memcg/slab: fix use after free in obj_cgroup_charge”).

Fix this by holding a reference to the memcg which is passed to __memcg_kmem_uncharge() before calling __memcg_kmem_uncharge().
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/31df8bc4d3feca9f9c6b2cd06fd64a111ae1a0e6
- https://git.kernel.org/stable/c/89b1ed358e01e1b0417f5d3b0082359a23355552
- https://git.kernel.org/stable/c/9f38f03ae8d5f57371b71aa6b4275765b65454fd
- https://git.kernel.org/stable/c/c3ae6a3f3ca4f02f6ccddf213c027302586580d0
CVE-2021-47012
description
In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix a use after free in siw_alloc_mr Our code analyzer reported a UAF. In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still points to a freed object. Afterwards, execution continues up to the err_out branch of siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr). My patch moves “mr->mem = mem” behind the if (xa_alloc_cyclic(..)<0) {} section, to avoid the UAF.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/3093ee182f01689b89e9f8797b321603e5de4f63
- https://git.kernel.org/stable/c/30b9e92d0b5e5d5dc1101ab856c17009537cbca4
- https://git.kernel.org/stable/c/3e22b88e02c194f6c80867abfef5cc09383461f4
- https://git.kernel.org/stable/c/608a4b90ece039940e9425ee2b39c8beff27e00c
- https://git.kernel.org/stable/c/ad9ce7188432650469a6c7625bf479f5ed0b6155
CVE-2021-47013
description
In the Linux kernel, the following vulnerability has been resolved: net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..). If some error happens in emac_tx_fill_tpd(), the skb will be freed via dev_kfree_skb(skb) in the error branch of emac_tx_fill_tpd(). But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len). As I observed that emac_tx_fill_tpd() hasn't modified the value of skb->len, my patch assigns skb->len to len before the possible free and uses len instead of skb->len later.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 10.64% |
references
- https://git.kernel.org/stable/c/16d8c44be52e3650917736d45f5904384a9da834
- https://git.kernel.org/stable/c/55fcdd1258faaecca74b91b88cc0921f9edd775d
- https://git.kernel.org/stable/c/6d72e7c767acbbdd44ebc7d89c6690b405b32b57
- https://git.kernel.org/stable/c/8c06f34785068b87e2b560534c77c163d6c6dca7
- https://git.kernel.org/stable/c/9dc373f74097edd0e35f3393d6248eda8d1ba99d
- https://git.kernel.org/stable/c/c7f75d11fe72913d2619f97b2334b083cd7bb955
- https://git.kernel.org/stable/c/dc1b438a35773d030be0ee80d9c635c3e558a322
- https://git.kernel.org/stable/c/e407495ba6788a67d1bd41714158c079e340879b
CVE-2021-47014
description
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ct: fix wild memory access when clearing fragments While testing re-assembly/re-fragmentation using act_ct, it's possible to observe a crash like the following one: KASAN: maybe wild-memory-access in range [0x0001000000000448-0x000100000000044f] CPU: 50 PID: 0 Comm: swapper/50 Tainted: G S 5.12.0-rc7+ #424 Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017 RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0 Code: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48 RSP: 0018:ffff888c31449db8 EFLAGS: 00010203 RAX: 0000200000000089 RBX: 000100000000040e RCX: ffffffff989eb960 RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e RBP: 0000000000000900 R08: 0000000000000000 R09: ffffed1186289350 R10: 0000000000000003 R11: ffffed1186289350 R12: dffffc0000000000 R13: 000100000000040e R14: 0000000000000000 R15: ffff888155e02160 FS: 0000000000000000(0000) GS:ffff888c31440000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: inet_frag_destroy+0xa9/0x150 call_timer_fn+0x2d/0x180 run_timer_softirq+0x4fe/0xe70 __do_softirq+0x197/0x5a0 irq_exit_rcu+0x1de/0x200 sysvec_apic_timer_interrupt+0x6b/0x80 When act_ct temporarily stores an IP fragment, restoring the skb qdisc cb results in putting random data in FRAG_CB(), and this causes those “wild” memory accesses later, when the rbtree is purged. Never overwrite the skb cb in case tcf_ct_handle_fragments() returns -EINPROGRESS.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
- https://git.kernel.org/stable/c/0648941f4c8bbf8b4b6c0b270889ae7aa769b921
- https://git.kernel.org/stable/c/f77bd544a6bbe69aa50d9ed09f13494cf36ff806
CVE-2021-47015
description
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RX consumer index logic in the error path. In bnxt_rx_pkt(), the RX buffers are expected to complete in order. If the RX consumer index indicates an out of order buffer completion, it means we are hitting a hardware bug and the driver will abort all remaining RX packets and reset the RX ring. The RX consumer index that we pass to bnxt_discard_rx() is not correct. We should be passing the current index (tmp_raw_cons) instead of the old index (raw_cons). This bug can cause us to be at the wrong index when trying to abort the next RX packet. It can crash like this: #0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007 #1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232 #2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e #3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978 #4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0 #5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e #6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24 #7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e #8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12 #9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5 [exception RIP: bnxt_rx_pkt+237] RIP: ffffffffc0259cdd RSP: ffff9bbcdf5c3d98 RFLAGS: 00010213 RAX: 000000005dd8097f RBX: ffff9ba4cb11b7e0 RCX: ffffa923cf6e9000 RDX: 0000000000000fff RSI: 0000000000000627 RDI: 0000000000001000 RBP: ffff9bbcdf5c3e60 R8: 0000000000420003 R9: 000000000000020d R10: ffffa923cf6ec138 R11: ffff9bbcdf5c3e83 R12: ffff9ba4d6f928c0 R13: ffff9ba4cac28080 R14: ffff9ba4cb11b7f0 R15: ffff9ba4d5a30000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/3fbc5bc651d688fbea2a59cdc91520a2f5334d0a
- https://git.kernel.org/stable/c/4fcaad2b7dac3f16704f8118c7e481024ddbd3ed
- https://git.kernel.org/stable/c/b1523e4ba293b2a32d9fabaf70c1dcaa6e3e2847
- https://git.kernel.org/stable/c/bbd6f0a948139970f4a615dff189d9a503681a39
- https://git.kernel.org/stable/c/e187ef83c04a5d23e68d39cfdff1a1931e29890c
CVE-2021-47017
description
In the Linux kernel, the following vulnerability has been resolved: ath10k: Fix a use after free in ath10k_htc_send_bundle In ath10k_htc_send_bundle, the bundle_skb could be freed by dev_kfree_skb_any(bundle_skb). But the bundle_skb is used later via bundle_skb->len. As skb_len = bundle_skb->len, my patch replaces bundle_skb->len with skb_len after the bundle_skb was freed.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/3b1ac40c6012140828caa79e592a438a18ebf71b
- https://git.kernel.org/stable/c/5e413c0831ff4700d1739db3fa3ae9f859744676
- https://git.kernel.org/stable/c/8392df5d7e0b6a7d21440da1fc259f9938f4dec3
- https://git.kernel.org/stable/c/8bb054fb336f4250002fff4e0b075221c05c3c65
CVE-2021-47018
description
In the Linux kernel, the following vulnerability has been resolved: powerpc/64: Fix the definition of the fixmap area For the time being, the fixmap area is defined at the top of the address space or just below KASAN. This definition is not valid for PPC64. For PPC64, use the top of the I/O space. Because of circular dependencies, it is not possible to include asm/fixmap.h in asm/book3s/64/pgtable.h, so define a fixed size AREA at the top of the I/O space for fixmap and ensure during build that the size is big enough.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/4b9fb2c9039a206d37f215936a4d5bee7b1bf9cd
- https://git.kernel.org/stable/c/9ccba66d4d2aff9a3909aa77d57ea8b7cc166f3c
- https://git.kernel.org/stable/c/a84df7c80bdac598d6ac9268ae578da6928883e8
- https://git.kernel.org/stable/c/abb07dc5e8b61ab7b1dde20dd73aa01a3aeb183f
CVE-2021-47019
description
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: fix possible invalid register access Disable the interrupt and synchronize for the pending irq handlers to ensure the irq tasklet is not being scheduled after the suspend, to avoid the possible invalid register access acts when the host pcie controller is suspended. [17932.910534] mt7921e 0000:01:00.0: pci_pm_suspend+0x0/0x22c returned 0 after 21375 usecs [17932.910590] pcieport 0000:00:00.0: calling pci_pm_suspend+0x0/0x22c @ 18565, parent: pci0000:00 [17932.910602] pcieport 0000:00:00.0: pci_pm_suspend+0x0/0x22c returned 0 after 8 usecs [17932.910671] mtk-pcie 11230000.pcie: calling platform_pm_suspend+0x0/0x60 @ 22783, parent: soc [17932.910674] mtk-pcie 11230000.pcie: platform_pm_suspend+0x0/0x60 returned 0 after 0 usecs … 17933.615352] x1 : 00000000000d4200 x0 : ffffff8269ca2300 [17933.620666] Call trace: [17933.623127] mt76_mmio_rr+0x28/0xf0 [mt76] [17933.627234] mt7921_rr+0x38/0x44 [mt7921e] [17933.631339] mt7921_irq_tasklet+0x54/0x1d8 [mt7921e] [17933.636309] tasklet_action_common+0x12c/0x16c [17933.640754] tasklet_action+0x24/0x2c [17933.644418] __do_softirq+0x16c/0x344 [17933.648082] irq_exit+0xa8/0xac [17933.651224] scheduler_ipi+0xd4/0x148 [17933.654890] handle_IPI+0x164/0x2d4 [17933.658379] gic_handle_irq+0x140/0x178 [17933.662216] el1_irq+0xb8/0x180 [17933.665361] cpuidle_enter_state+0xf8/0x204 [17933.669544] cpuidle_enter+0x38/0x4c [17933.673122] do_idle+0x1a4/0x2a8 [17933.676352] cpu_startup_entry+0x24/0x28 [17933.680276] rest_init+0xd4/0xe0 [17933.683508] arch_call_rest_init+0x10/0x18 [17933.687606] start_kernel+0x340/0x3b4 [17933.691279] Code: aa0003f5 d503201f f953eaa8 8b344108 (b9400113) [17933.697373] —[ end trace a24b8e26ffbda3c5 ]— [17933.767846] Kernel panic - not syncing: Fatal exception in interrupt
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
- https://git.kernel.org/stable/c/b13cbc536990ff609afa878b6211cd6f6265ba60
- https://git.kernel.org/stable/c/fe3fccde8870764ba3e60610774bd7bc9f8faeff
CVE-2021-47021
description
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7915: fix memleak when mt7915_unregister_device() mt7915_tx_token_put() should get called before mt76_free_pending_txwi().
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/81483309ce861a9fa7835322787f68a443fea364
- https://git.kernel.org/stable/c/d754c80ae82a662e692a82faad71b8c218cb7f52
- https://git.kernel.org/stable/c/e9d32af478cfc3744a45245c0b126738af4b3ac4
CVE-2021-47022
description
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7615: fix memleak when mt7615_unregister_device() mt7615_tx_token_put() should get called before mt76_free_pending_txwi().
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/107bcbb219ac84d885ac63b25246f8d33212bc47
- https://git.kernel.org/stable/c/4fa28c807da54c1d720b3cc12e48eb9bea1e2c8f
- https://git.kernel.org/stable/c/6c5b2b0c6e5a6ce2d8f9f85b8b72bfad60eaa506
- https://git.kernel.org/stable/c/8ab31da7b89f71c4c2defcca989fab7b42f87d71
CVE-2021-47023
description
In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix port event handling on init For some reason there might be a crash during port creation if port events are handled at the same time, because the fw may send an initial port event with down state. The crash points to cancel_delayed_work(), which is called when the port goes down. Currently I did not find out the real cause of the issue, so I fixed it by cancelling the port stats work only if the previous port state was up & running. The following is the crash which can be triggered: [ 28.311104] Unable to handle kernel paging request at virtual address 000071775f776600 [ 28.319097] Mem abort info: [ 28.321914] ESR = 0x96000004 [ 28.324996] EC = 0x25: DABT (current EL), IL = 32 bits [ 28.330350] SET = 0, FnV = 0 [ 28.333430] EA = 0, S1PTW = 0 [ 28.336597] Data abort info: [ 28.339499] ISV = 0, ISS = 0x00000004 [ 28.343362] CM = 0, WnR = 0 [ 28.346354] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000100bf7000 [ 28.352842] [000071775f776600] pgd=0000000000000000, p4d=0000000000000000 [ 28.359695] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 28.365310] Modules linked in: prestera_pci(+) prestera uio_pdrv_genirq [ 28.372005] CPU: 0 PID: 1291 Comm: kworker/0:1H Not tainted 5.11.0-rc4 #1 [ 28.378846] Hardware name: DNI AmazonGo1 A7040 board (DT) [ 28.384283] Workqueue: prestera_fw_wq prestera_fw_evt_work_fn [prestera_pci] [ 28.391413] pstate: 60000085 (nZCv daIf -PAN -UAO -TCO BTYPE=–) [ 28.397468] pc : get_work_pool+0x48/0x60 [ 28.401442] lr : try_to_grab_pending+0x6c/0x1b0 [ 28.406018] sp : ffff80001391bc60 [ 28.409358] x29: ffff80001391bc60 x28: 0000000000000000 [ 28.414725] x27: ffff000104fc8b40 x26: ffff80001127de88 [ 28.420089] x25: 0000000000000000 x24: ffff000106119760 [ 28.425452] x23: ffff00010775dd60 x22: ffff00010567e000 [ 28.430814] x21: 0000000000000000 x20: ffff80001391bcb0 [ 28.436175] x19: ffff00010775deb8 x18: 00000000000000c0 [ 28.441537] x17: 0000000000000000 x16: 
000000008d9b0e88 [ 28.446898] x15: 0000000000000001 x14: 00000000000002ba [ 28.452261] x13: 80a3002c00000002 x12: 00000000000005f4 [ 28.457622] x11: 0000000000000030 x10: 000000000000000c [ 28.462985] x9 : 000000000000000c x8 : 0000000000000030 [ 28.468346] x7 : ffff800014400000 x6 : ffff000106119758 [ 28.473708] x5 : 0000000000000003 x4 : ffff00010775dc60 [ 28.479068] x3 : 0000000000000000 x2 : 0000000000000060 [ 28.484429] x1 : 000071775f776600 x0 : ffff00010775deb8 [ 28.489791] Call trace: [ 28.492259] get_work_pool+0x48/0x60 [ 28.495874] cancel_delayed_work+0x38/0xb0 [ 28.500011] prestera_port_handle_event+0x90/0xa0 [prestera] [ 28.505743] prestera_evt_recv+0x98/0xe0 [prestera] [ 28.510683] prestera_fw_evt_work_fn+0x180/0x228 [prestera_pci] [ 28.516660] process_one_work+0x1e8/0x360 [ 28.520710] worker_thread+0x44/0x480 [ 28.524412] kthread+0x154/0x160 [ 28.527670] ret_from_fork+0x10/0x38 [ 28.531290] Code: a8c17bfd d50323bf d65f03c0 9278dc21 (f9400020) [ 28.537429] —[ end trace 5eced933df3a080b ]—
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/0ce6052802be2cb61a57b753e41301339c88c839
- https://git.kernel.org/stable/c/333980481b99edb24ebd5d1a53af70a15d9146de
- https://git.kernel.org/stable/c/9d1ba11fabdd8f25abb24272ef1621417981320b
- https://git.kernel.org/stable/c/b5bba6ede42693f50ce1c9944315cefed7491061
CVE-2021-47024
description
In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: free queued packets when closing socket As reported by syzbot [1], there is a memory leak while closing the socket. We partially solved this issue with commit ac03046ece2b (“vsock/virtio: free packets during the socket release”), but we forgot to drain the RX queue when the socket is definitely closed by the scheduled work. To avoid future issues, let's use the new virtio_transport_remove_sock() to drain the RX queue before removing the socket from the af_vsock lists calling vsock_remove_sock(). [1] https://syzkaller.appspot.com/bug?extid=24452624fc4c571eedd9
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/27691665145e74a45034a9dccf1150cf1894763a
- https://git.kernel.org/stable/c/37c38674ef2f8d7e8629e5d433c37d6c1273d16b
- https://git.kernel.org/stable/c/8432b8114957235f42e070a16118a7f750de9d39
- https://git.kernel.org/stable/c/b605673b523fe33abeafb2136759bcbc9c1e6ebf
CVE-2021-47025
description
In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: Always enable the clk on resume In mtk_iommu_runtime_resume always enable the clk, even if m4u_dom is null. Otherwise the suspend cb might disable the clk which is already disabled causing the warning: [ 1.586104] infra_m4u already disabled [ 1.586133] WARNING: CPU: 0 PID: 121 at drivers/clk/clk.c:952 clk_core_disable+0xb0/0xb8 [ 1.594391] mtk-iommu 10205000.iommu: bound 18001000.larb (ops mtk_smi_larb_component_ops) [ 1.598108] Modules linked in: [ 1.598114] CPU: 0 PID: 121 Comm: kworker/0:2 Not tainted 5.12.0-rc5 #69 [ 1.609246] mtk-iommu 10205000.iommu: bound 14027000.larb (ops mtk_smi_larb_component_ops) [ 1.617487] Hardware name: Google Elm (DT) [ 1.617491] Workqueue: pm pm_runtime_work [ 1.620545] mtk-iommu 10205000.iommu: bound 19001000.larb (ops mtk_smi_larb_component_ops) [ 1.627229] pstate: 60000085 (nZCv daIf -PAN -UAO -TCO BTYPE=–) [ 1.659297] pc : clk_core_disable+0xb0/0xb8 [ 1.663475] lr : clk_core_disable+0xb0/0xb8 [ 1.667652] sp : ffff800011b9bbe0 [ 1.670959] x29: ffff800011b9bbe0 x28: 0000000000000000 [ 1.676267] x27: ffff800011448000 x26: ffff8000100cfd98 [ 1.681574] x25: ffff800011b9bd48 x24: 0000000000000000 [ 1.686882] x23: 0000000000000000 x22: ffff8000106fad90 [ 1.692189] x21: 000000000000000a x20: ffff0000c0048500 [ 1.697496] x19: ffff0000c0048500 x18: ffffffffffffffff [ 1.702804] x17: 0000000000000000 x16: 0000000000000000 [ 1.708112] x15: ffff800011460300 x14: fffffffffffe0000 [ 1.713420] x13: ffff8000114602d8 x12: 0720072007200720 [ 1.718727] x11: 0720072007200720 x10: 0720072007200720 [ 1.724035] x9 : ffff800011b9bbe0 x8 : ffff800011b9bbe0 [ 1.729342] x7 : 0000000000000009 x6 : ffff8000114b8328 [ 1.734649] x5 : 0000000000000000 x4 : 0000000000000000 [ 1.739956] x3 : 00000000ffffffff x2 : ffff800011460298 [ 1.745263] x1 : 1af1d7de276f4500 x0 : 0000000000000000 [ 1.750572] Call trace: [ 1.753010] clk_core_disable+0xb0/0xb8 [ 1.756840] 
clk_core_disable_lock+0x24/0x40 [ 1.761105] clk_disable+0x20/0x30 [ 1.764501] mtk_iommu_runtime_suspend+0x88/0xa8 [ 1.769114] pm_generic_runtime_suspend+0x2c/0x48 [ 1.773815] __rpm_callback+0xe0/0x178 [ 1.777559] rpm_callback+0x24/0x88 [ 1.781041] rpm_suspend+0xdc/0x470 [ 1.784523] rpm_idle+0x12c/0x170 [ 1.787831] pm_runtime_work+0xa8/0xc0 [ 1.791573] process_one_work+0x1e8/0x360 [ 1.795580] worker_thread+0x44/0x478 [ 1.799237] kthread+0x150/0x158 [ 1.802460] ret_from_fork+0x10/0x30 [ 1.806034] —[ end trace 82402920ef64573b ]— [ 1.810728] ————[ cut here ]———— In addition, we now don't need to enable the clock from the function mtk_iommu_hw_init since it is already enabled by the resume.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
- https://git.kernel.org/stable/c/5cad9e2caa9613fdcd246bd4ebf0ffbec1cba2ca
- https://git.kernel.org/stable/c/b34ea31fe013569d42b7e8681ef3f717f77c5b72
CVE-2021-47026
description
In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs-clt: destroy sysfs after removing session from active list A session can be removed dynamically by sysfs interface “remove_path” that eventually calls rtrs_clt_remove_path_from_sysfs function. The current rtrs_clt_remove_path_from_sysfs first removes the sysfs interfaces and frees sess->stats object. Second it removes the session from the active list. Therefore some functions could access non-connected session and access the freed sess->stats object even-if they check the session status before accessing the session. For instance rtrs_clt_request and get_next_path_min_inflight check the session status and try to send IO to the session. The session status could be changed when they are trying to send IO but they could not catch the change and update the statistics information in sess->stats object, and generate use-after-free problem. (see: “RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its stats”) This patch changes the rtrs_clt_remove_path_from_sysfs to remove the session from the active session list and then destroy the sysfs interfaces. Each function still should check the session status because closing or error recovery paths can change the status.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/676171f9405dcaa45a33d18241c32f387dbaae39
- https://git.kernel.org/stable/c/7f4a8592ff29f19c5a2ca549d0973821319afaad
- https://git.kernel.org/stable/c/b64415c6b3476cf9fa4d0aea3807065b8403a937
- https://git.kernel.org/stable/c/d3cca8067d43dfee4a3535c645b55f618708dccb
CVE-2021-47027
description
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: fix kernel crash when the firmware fails to download Fix kernel crash when the firmware is missing or fails to download. [ 9.444758] kernel BUG at drivers/pci/msi.c:375! [ 9.449363] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [ 9.501033] pstate: a0400009 (NzCv daif +PAN -UAO) [ 9.505814] pc : free_msi_irqs+0x180/0x184 [ 9.509897] lr : free_msi_irqs+0x40/0x184 [ 9.513893] sp : ffffffc015193870 [ 9.517194] x29: ffffffc015193870 x28: 00000000f0e94fa2 [ 9.522492] x27: 0000000000000acd x26: 000000000000009a [ 9.527790] x25: ffffffc0152cee58 x24: ffffffdbb383e0d8 [ 9.533087] x23: ffffffdbb38628d0 x22: 0000000000040200 [ 9.538384] x21: ffffff8cf7de7318 x20: ffffff8cd65a2480 [ 9.543681] x19: ffffff8cf7de7000 x18: 0000000000000000 [ 9.548979] x17: ffffff8cf9ca03b4 x16: ffffffdc13ad9a34 [ 9.554277] x15: 0000000000000000 x14: 0000000000080800 [ 9.559575] x13: ffffff8cd65a2980 x12: 0000000000000000 [ 9.564873] x11: ffffff8cfa45d820 x10: ffffff8cfa45d6d0 [ 9.570171] x9 : 0000000000000040 x8 : ffffff8ccef1b780 [ 9.575469] x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000000 [ 9.580766] x5 : ffffffdc13824900 x4 : ffffff8ccefe0000 [ 9.586063] x3 : 0000000000000000 x2 : 0000000000000000 [ 9.591362] x1 : 0000000000000125 x0 : ffffff8ccefe0000 [ 9.596660] Call trace: [ 9.599095] free_msi_irqs+0x180/0x184 [ 9.602831] pci_disable_msi+0x100/0x130 [ 9.606740] pci_free_irq_vectors+0x24/0x30 [ 9.610915] mt7921_pci_probe+0xbc/0x250 [mt7921e] [ 9.615693] pci_device_probe+0xd4/0x14c [ 9.619604] really_probe+0x134/0x2ec [ 9.623252] driver_probe_device+0x64/0xfc [ 9.627335] device_driver_attach+0x4c/0x6c [ 9.631506] __driver_attach+0xac/0xc0 [ 9.635243] bus_for_each_dev+0x8c/0xd4 [ 9.639066] driver_attach+0x2c/0x38 [ 9.642628] bus_add_driver+0xfc/0x1d0 [ 9.646365] driver_register+0x64/0xf8 [ 9.650101] __pci_register_driver+0x6c/0x7c [ 9.654360] init_module+0x28/0xfdc [mt7921e] [ 9.658704] do_one_initcall+0x13c/0x2d0 [ 
9.662615] do_init_module+0x58/0x1e8 [ 9.666351] load_module+0xd80/0xeb4 [ 9.669912] __arm64_sys_finit_module+0xa8/0xe0 [ 9.674430] el0_svc_common+0xa4/0x16c [ 9.678168] el0_svc_compat_handler+0x2c/0x40 [ 9.682511] el0_svc_compat+0x8/0x10 [ 9.686076] Code: a94257f6 f9400bf7 a8c47bfd d65f03c0 (d4210000) [ 9.692155] ---[ end trace 7621f966afbf0a29 ]--- [ 9.697385] Kernel panic - not syncing: Fatal exception [ 9.702599] SMP: stopping secondary CPUs [ 9.706549] Kernel Offset: 0x1c03600000 from 0xffffffc010000000 [ 9.712456] PHYS_OFFSET: 0xfffffff440000000 [ 9.716625] CPU features: 0x080026,2a80aa18 [ 9.720795] Memory Limit: none
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
- https://git.kernel.org/stable/c/a46b536cd60c0dbd4bf767c62a8774dec52bf099
- https://git.kernel.org/stable/c/e230f0c44f011f3270680a506b19b7e84c5e8923
CVE-2021-47028
description
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7915: fix txrate reporting Properly check rate_info to fix unexpected reporting. [ 1215.161863] Call trace: [ 1215.164307] cfg80211_calculate_bitrate+0x124/0x200 [cfg80211] [ 1215.170139] ieee80211s_update_metric+0x80/0xc0 [mac80211] [ 1215.175624] ieee80211_tx_status_ext+0x508/0x838 [mac80211] [ 1215.181190] mt7915_mcu_get_rx_rate+0x28c/0x8d0 [mt7915e] [ 1215.186580] mt7915_mac_tx_free+0x324/0x7c0 [mt7915e] [ 1215.191623] mt7915_queue_rx_skb+0xa8/0xd0 [mt7915e] [ 1215.196582] mt76_dma_cleanup+0x7b0/0x11d0 [mt76] [ 1215.201276] __napi_poll+0x38/0xf8 [ 1215.204668] napi_workfn+0x40/0x80 [ 1215.208062] process_one_work+0x1fc/0x390 [ 1215.212062] worker_thread+0x48/0x4d0 [ 1215.215715] kthread+0x120/0x128 [ 1215.218935] ret_from_fork+0x10/0x1c
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/4bd926e5ca88eac4d95eacb806b229f8729bc62e
- https://git.kernel.org/stable/c/dfc8a71448c7d4fec38fb22bdc8a76d79c14b6da
- https://git.kernel.org/stable/c/f43b941fd61003659a3f0e039595e5e525917aa8
CVE-2021-47029
description
In the Linux kernel, the following vulnerability has been resolved: mt76: connac: fix kernel warning adding monitor interface Fix the following kernel warning adding a monitor interface in mt76_connac_mcu_uni_add_dev routine. [ 507.984882] ------------[ cut here ]------------ [ 507.989515] WARNING: CPU: 1 PID: 3017 at mt76_connac_mcu_uni_add_dev+0x178/0x190 [mt76_connac_lib] [ 508.059379] CPU: 1 PID: 3017 Comm: ifconfig Not tainted 5.4.98 #0 [ 508.065461] Hardware name: MT7622_MT7531 RFB (DT) [ 508.070156] pstate: 80000005 (Nzcv daif -PAN -UAO) [ 508.074939] pc : mt76_connac_mcu_uni_add_dev+0x178/0x190 [mt76_connac_lib] [ 508.081806] lr : mt7921_eeprom_init+0x1288/0x1cb8 [mt7921e] [ 508.087367] sp : ffffffc013a33930 [ 508.090671] x29: ffffffc013a33930 x28: ffffff801e628ac0 [ 508.095973] x27: ffffff801c7f1200 x26: ffffff801c7eb008 [ 508.101275] x25: ffffff801c7eaef0 x24: ffffff801d025610 [ 508.106577] x23: ffffff801d022990 x22: ffffff801d024de8 [ 508.111879] x21: ffffff801d0226a0 x20: ffffff801c7eaee8 [ 508.117181] x19: ffffff801d0226a0 x18: 000000005d00b000 [ 508.122482] x17: 00000000ffffffff x16: 0000000000000000 [ 508.127785] x15: 0000000000000080 x14: ffffff801d704000 [ 508.133087] x13: 0000000000000040 x12: 0000000000000002 [ 508.138389] x11: 000000000000000c x10: 0000000000000000 [ 508.143691] x9 : 0000000000000020 x8 : 0000000000000001 [ 508.148992] x7 : 0000000000000000 x6 : 0000000000000000 [ 508.154294] x5 : ffffff801c7eaee8 x4 : 0000000000000006 [ 508.159596] x3 : 0000000000000001 x2 : 0000000000000000 [ 508.164898] x1 : ffffff801c7eac08 x0 : ffffff801d0226a0 [ 508.170200] Call trace: [ 508.172640] mt76_connac_mcu_uni_add_dev+0x178/0x190 [mt76_connac_lib] [ 508.179159] mt7921_eeprom_init+0x1288/0x1cb8 [mt7921e] [ 508.184394] drv_add_interface+0x34/0x88 [mac80211] [ 508.189271] ieee80211_add_virtual_monitor+0xe0/0xb48 [mac80211] [ 508.195277] ieee80211_do_open+0x86c/0x918 [mac80211] [ 508.200328] ieee80211_do_open+0x900/0x918 [mac80211] [ 508.205372] __dev_open+0xcc/0x150 [ 508.208763] __dev_change_flags+0x134/0x198 [ 508.212937] dev_change_flags+0x20/0x60 [ 508.216764] devinet_ioctl+0x3e8/0x748 [ 508.220503] inet_ioctl+0x1e4/0x350 [ 508.223983] sock_do_ioctl+0x48/0x2a0 [ 508.227635] sock_ioctl+0x310/0x4f8 [ 508.231116] do_vfs_ioctl+0xa4/0xac0 [ 508.234681] ksys_ioctl+0x44/0x90 [ 508.237985] __arm64_sys_ioctl+0x1c/0x48 [ 508.241901] el0_svc_common.constprop.1+0x7c/0x100 [ 508.246681] el0_svc_handler+0x18/0x20 [ 508.250421] el0_svc+0x8/0x1c8 [ 508.253465] ---[ end trace c7b90fee13d72c39 ]--- [ 508.261278] ------------[ cut here ]------------
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
- https://git.kernel.org/stable/c/2554b9cb4b5e097c6071ec3ed5bc7c665c477ca7
- https://git.kernel.org/stable/c/c996f0346e40e3b1ac2ebaf0681df898fb157f60
CVE-2021-47030
description
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7615: fix memory leak in mt7615_coredump_work Similar to the issue fixed in mt7921_coredump_work, fix a possible memory leak in mt7615_coredump_work routine.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
- https://git.kernel.org/stable/c/49cc85059a2cb656f96ff3693f891e8fe8f669a9
- https://git.kernel.org/stable/c/54b989653c5531bc4416ced33f146b9cb633d978
CVE-2021-47031
description
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: fix memory leak in mt7921_coredump_work Fix possible memory leak in mt7921_coredump_work.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
- https://git.kernel.org/stable/c/4811226374453607175ea057777faa7e7f752204
- https://git.kernel.org/stable/c/782b3e86ea970e899f8e723db9f64708a15ca30e
CVE-2021-47032
description
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7915: fix tx skb dma unmap The first pointer in the txp needs to be unmapped as well, otherwise it will leak DMA mapping entries
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/4a9dcd6efb2a268fc5707dcfb3b0c412975c4462
- https://git.kernel.org/stable/c/4e7914ce23306b28d377ec395e00e5fde0e6f96e
- https://git.kernel.org/stable/c/7dcf3c04f0aca746517a77433b33d40868ca4749
- https://git.kernel.org/stable/c/e2cdc9cb33c5963efe1a7c022753386f9463d1b7
CVE-2021-47033
description
In the Linux kernel, the following vulnerability has been resolved: mt76: mt7615: fix tx skb dma unmap The first pointer in the txp needs to be unmapped as well, otherwise it will leak DMA mapping entries
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/75bc5f779a7664d1fc19cb915039439c6e58bb94
- https://git.kernel.org/stable/c/821ae236ccea989a1fcc6abfc4d5b74ad4ba39d2
- https://git.kernel.org/stable/c/a025277a80add18c33d01042525a74fe5b875f25
- https://git.kernel.org/stable/c/ebee7885bb12a8fe2c2f9bac87dbd87a05b645f9
CVE-2021-47034
description
In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix pte update for kernel memory on radix When adding a PTE a ptesync is needed to order the update of the PTE with subsequent accesses otherwise a spurious fault may be raised. radix__set_pte_at() does not do this for performance gains. For non-kernel memory this is not an issue as any faults of this kind are corrected by the page fault handler. For kernel memory these faults are not handled. The current solution is that there is a ptesync in flush_cache_vmap() which should be called when mapping from the vmalloc region. However, map_kernel_page() does not call flush_cache_vmap(). This is troublesome in particular for code patching with Strict RWX on radix. In do_patch_instruction() the page frame that contains the instruction to be patched is mapped and then immediately patched. With no ordering or synchronization between setting up the PTE and writing to the page it is possible for faults. As the code patching is done using __put_user_asm_goto() the resulting fault is obscured - but using a normal store instead it can be seen: BUG: Unable to handle kernel data access on write at 0xc008000008f24a3c Faulting instruction address: 0xc00000000008bd74 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: nop_module(PO+) [last unloaded: nop_module] CPU: 4 PID: 757 Comm: sh Tainted: P O 5.10.0-rc5-01361-ge3c1b78c8440-dirty #43 NIP: c00000000008bd74 LR: c00000000008bd50 CTR: c000000000025810 REGS: c000000016f634a0 TRAP: 0300 Tainted: P O (5.10.0-rc5-01361-ge3c1b78c8440-dirty) MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 44002884 XER: 00000000 CFAR: c00000000007c68c DAR: c008000008f24a3c DSISR: 42000000 IRQMASK: 1 This results in the kind of issue reported here: https://lore.kernel.org/linuxppc-dev/15AC5B0E-A221-4B8C-9039-FA96B8EF7C88@lca.pw/ Chris Riedl suggested a reliable way to reproduce the issue: $ mount -t debugfs none /sys/kernel/debug $ (while true; do echo function > /sys/kernel/debug/tracing/current_tracer ; echo nop > /sys/kernel/debug/tracing/current_tracer ; done) & Turning ftrace on and off does a large amount of code patching which in usually less than 5min will crash giving a trace like: ftrace-powerpc: (ptrval): replaced (4b473b11) != old (60000000) ------------[ ftrace bug ]------------ ftrace failed to modify [] napi_busy_loop+0xc/0x390 actual: 11:3b:47:4b Setting ftrace call site to call ftrace function ftrace record flags: 80000001 (1) expected tramp: c00000000006c96c ------------[ cut here ]------------ WARNING: CPU: 4 PID: 809 at kernel/trace/ftrace.c:2065 ftrace_bug+0x28c/0x2e8 Modules linked in: nop_module(PO-) [last unloaded: nop_module] CPU: 4 PID: 809 Comm: sh Tainted: P O 5.10.0-rc5-01360-gf878ccaf250a #1 NIP: c00000000024f334 LR: c00000000024f330 CTR: c0000000001a5af0 REGS: c000000004c8b760 TRAP: 0700 Tainted: P O (5.10.0-rc5-01360-gf878ccaf250a) MSR: 900000000282b033 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 28008848 XER: 20040000 CFAR: c0000000001a9c98 IRQMASK: 0 GPR00: c00000000024f330 c000000004c8b9f0 c000000002770600 0000000000000022 GPR04: 00000000ffff7fff c000000004c8b6d0 0000000000000027 c0000007fe9bcdd8 GPR08: 0000000000000023 ffffffffffffffd8 0000000000000027 c000000002613118 GPR12: 0000000000008000 c0000007fffdca00 0000000000000000 0000000000000000 GPR16: 0000000023ec37c5 0000000000000000 0000000000000000 0000000000000008 GPR20: c000000004c8bc90 c0000000027a2d20 c000000004c8bcd0 c000000002612fe8 GPR24: 0000000000000038 0000000000000030 0000000000000028 0000000000000020 GPR28: c000000000ff1b68 c000000000bf8e5c c00000000312f700 c000000000fbb9b0 NIP ftrace_bug+0x28c/0x2e8 LR ftrace_bug+0x288/0x2e8 Call T ---truncated---
cvss | epss | percentile |
---|---|---|
None | 0.04% | 8.15% |
references
- https://git.kernel.org/stable/c/01ac203e2119d8922126886ddea309fb676f955f
- https://git.kernel.org/stable/c/73f9dccb29e4f82574bec2765c0090cdb0404301
- https://git.kernel.org/stable/c/84c0762633f2a7ac8399e6b97d3b9bb8e6e1d50f
- https://git.kernel.org/stable/c/b3d5d0983388d6c4fb35f7d722556d5595f167a7
- https://git.kernel.org/stable/c/b8b2f37cf632434456182e9002d63cbc4cccc50c
- https://git.kernel.org/stable/c/e40c52ee67b155ad59f59e73ea136d02685f0e0d
CVE-2021-47035
description
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Remove WO permissions on second-level paging entries When the first level page table is used for IOVA translation, it only supports Read-Only and Read-Write permissions. The Write-Only permission is not supported as the PRESENT bit (implying Read permission) should always be set. When using second level, we still give separate permissions that allow WriteOnly which seems inconsistent and awkward. We want to have consistent behavior. After moving to 1st level, we don't want things to work sometimes, and break if we use 2nd level for the same mappings. Hence remove this configuration.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/25faff78138933244c678c7fc78f7c0340fa04a0
- https://git.kernel.org/stable/c/66c24699f266ff310381a9552d3576eea8ad6e20
- https://git.kernel.org/stable/c/89bd620798704a8805fc9db0d71d7f812cf5b3d2
- https://git.kernel.org/stable/c/c848416cc05afc1589edba04fe00b85c2f797ee3
- https://git.kernel.org/stable/c/eea53c5816889ee8b64544fa2e9311a81184ff9c
CVE-2021-47036
description
In the Linux kernel, the following vulnerability has been resolved: udp: skip L4 aggregation for UDP tunnel packets If NETIF_F_GRO_FRAGLIST or NETIF_F_GRO_UDP_FWD are enabled, and there are UDP tunnels available in the system, udp_gro_receive() could end-up doing L4 aggregation (either SKB_GSO_UDP_L4 or SKB_GSO_FRAGLIST) at the outer UDP tunnel level for packets effectively carrying an UDP tunnel header. That could cause inner protocol corruption. If e.g. the relevant packets carry a vxlan header, different vxlan ids will be ignored/ aggregated to the same GSO packet. Inner headers will be ignored, too, so that e.g. TCP over vxlan push packets will be held in the GRO engine till the next flush, etc. Just skip the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code path if the current packet could land in a UDP tunnel, and let udp_gro_receive() do GRO via udp_sk(sk)->gro_receive. The check implemented in this patch is broader than what is strictly needed, as the existing UDP tunnel could be e.g. configured on top of a different device: we could end-up skipping GRO at-all for some packets. Anyhow, that is a very thin corner case and covering it will add quite a bit of complexity. v1 -> v2: - hopefully clarify the commit message
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
- https://git.kernel.org/stable/c/18f25dc399901426dff61e676ba603ff52c666f7
- https://git.kernel.org/stable/c/450687386cd16d081b58cd7a342acff370a96078
CVE-2021-47037
description
In the Linux kernel, the following vulnerability has been resolved: ASoC: q6afe-clocks: fix reprobing of the driver Q6afe-clocks driver can get reprobed. For example if the APR services are restarted after the firmware crash. However currently Q6afe-clocks driver will oops because hw.init will get cleared during first _probe call. Rewrite the driver to fill the clock data at runtime rather than using big static array of clocks.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/62413972f5266568848a36fd15160397b211fa74
- https://git.kernel.org/stable/c/6893df3753beafa5f7351228a9dd8157a57d7492
- https://git.kernel.org/stable/c/96fadf7e8ff49fdb74754801228942b67c3eeebd
CVE-2021-47038
description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: avoid deadlock between hci_dev->lock and socket lock Commit eab2404ba798 ("Bluetooth: Add BT_PHY socket option") added a dependency between socket lock and hci_dev->lock that could lead to deadlock. It turns out that hci_conn_get_phy() is not in any way relying on hdev being immutable during the runtime of this function, neither does it even look at any of the members of hdev, and as such there is no need to hold that lock. This fixes the lockdep splat below: ====================================================== WARNING: possible circular locking dependency detected 5.12.0-rc1-00026-g73d464503354 #10 Not tainted ------------------------------------------------------ bluetoothd/1118 is trying to acquire lock: ffff8f078383c078 (&hdev->lock){+.+.}-{3:3}, at: hci_conn_get_phy+0x1c/0x150 [bluetooth] but task is already holding lock: ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}: lock_sock_nested+0x72/0xa0 l2cap_sock_ready_cb+0x18/0x70 [bluetooth] l2cap_config_rsp+0x27a/0x520 [bluetooth] l2cap_sig_channel+0x658/0x1330 [bluetooth] l2cap_recv_frame+0x1ba/0x310 [bluetooth] hci_rx_work+0x1cc/0x640 [bluetooth] process_one_work+0x244/0x5f0 worker_thread+0x3c/0x380 kthread+0x13e/0x160 ret_from_fork+0x22/0x30 -> #2 (&chan->lock#2/1){+.+.}-{3:3}: __mutex_lock+0xa3/0xa10 l2cap_chan_connect+0x33a/0x940 [bluetooth] l2cap_sock_connect+0x141/0x2a0 [bluetooth] __sys_connect+0x9b/0xc0 __x64_sys_connect+0x16/0x20 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae -> #1 (&conn->chan_lock){+.+.}-{3:3}: __mutex_lock+0xa3/0xa10 l2cap_chan_connect+0x322/0x940 [bluetooth] l2cap_sock_connect+0x141/0x2a0 [bluetooth] __sys_connect+0x9b/0xc0 __x64_sys_connect+0x16/0x20 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae -> #0 (&hdev->lock){+.+.}-{3:3}: __lock_acquire+0x147a/0x1a50 lock_acquire+0x277/0x3d0 __mutex_lock+0xa3/0xa10 hci_conn_get_phy+0x1c/0x150 [bluetooth] l2cap_sock_getsockopt+0x5a9/0x610 [bluetooth] __sys_getsockopt+0xcc/0x200 __x64_sys_getsockopt+0x20/0x30 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae other info that might help us debug this: Chain exists of: &hdev->lock --> &chan->lock#2/1 --> sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP); lock(&chan->lock#2/1); lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP); lock(&hdev->lock); *** DEADLOCK *** 1 lock held by bluetoothd/1118: #0: ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610 [bluetooth] stack backtrace: CPU: 3 PID: 1118 Comm: bluetoothd Not tainted 5.12.0-rc1-00026-g73d464503354 #10 Hardware name: LENOVO 20K5S22R00/20K5S22R00, BIOS R0IET38W (1.16 ) 05/31/2017 Call Trace: dump_stack+0x7f/0xa1 check_noncircular+0x105/0x120 ? __lock_acquire+0x147a/0x1a50 __lock_acquire+0x147a/0x1a50 lock_acquire+0x277/0x3d0 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] ? __lock_acquire+0x2e1/0x1a50 ? lock_is_held_type+0xb4/0x120 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] __mutex_lock+0xa3/0xa10 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] ? lock_acquire+0x277/0x3d0 ? mark_held_locks+0x49/0x70 ? mark_held_locks+0x49/0x70 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] hci_conn_get_phy+0x ---truncated---
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/17486960d79b900c45e0bb8fbcac0262848582ba
- https://git.kernel.org/stable/c/332e69eb3bd90370f2d9f2c2ca7974ff523dea17
- https://git.kernel.org/stable/c/7cc0ba67883c6c8d3bddb283f56c167fc837a555
- https://git.kernel.org/stable/c/fee71f480bc1dec5f6ae3b0b185ff12a62bceabc
CVE-2021-47039
description
In the Linux kernel, the following vulnerability has been resolved: ataflop: potential out of bounds in do_format() The function uses “type” as an array index: q = unit[drive].disk[type]->queue; Unfortunately the bounds check on “type” isn't done until later in the function. Fix this by moving the bounds check to the start.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/07f86aa8f4fe077be1b018cc177eb8c6573e5671
- https://git.kernel.org/stable/c/1ffec389a6431782a8a28805830b6fae9bf00af1
- https://git.kernel.org/stable/c/2a3a8bbca28b899806844c00d49ed1b7ccb50957
CVE-2021-47040
description
In the Linux kernel, the following vulnerability has been resolved: io_uring: fix overflows checks in provide buffers Colin earlier reported possible overflow and sign-extension problems in io_provide_buffers_prep(). As Linus pointed out, the previous attempt did nothing useful; see d81269fecb8ce (“io_uring: fix provide_buffers sign extension”). Do that with the help of the check__overflow helpers. And fix the struct io_provide_buf::len type, as it doesn't make much sense to keep it signed.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/38134ada0ceea3e848fe993263c0ff6207fd46e7
- https://git.kernel.org/stable/c/51bf90901952aaac564bbdb36b2b503050c53dd9
- https://git.kernel.org/stable/c/84b8c266c4bfe9ed5128e13253c388deb74b1b03
- https://git.kernel.org/stable/c/cbbc13b115b8f18e0a714d89f87fbdc499acfe2d
CVE-2021-47041
description
In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix incorrect locking in state_change sk callback We are not changing anything in the TCP connection state, so we should not take a write_lock but rather a read lock. This caused a deadlock when running nvmet-tcp and nvme-tcp on the same system, where the state_change callbacks on the host and on the controller side have a causal relationship, and made lockdep report on this with blktests:

```
================================
WARNING: inconsistent lock state
5.12.0-rc3 #1 Tainted: G I
--------------------------------
inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-R} usage.
nvme/1324 [HC0[0]:SC0[0]:HE1:SE1] takes:
ffff888363151000 (clock-AF_INET){++-?}-{2:2}, at: nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
{IN-SOFTIRQ-W} state was registered at:
  __lock_acquire+0x79b/0x18d0
  lock_acquire+0x1ca/0x480
  _raw_write_lock_bh+0x39/0x80
  nvmet_tcp_state_change+0x21/0x170 [nvmet_tcp]
  tcp_fin+0x2a8/0x780
  tcp_data_queue+0xf94/0x1f20
  tcp_rcv_established+0x6ba/0x1f00
  tcp_v4_do_rcv+0x502/0x760
  tcp_v4_rcv+0x257e/0x3430
  ip_protocol_deliver_rcu+0x69/0x6a0
  ip_local_deliver_finish+0x1e2/0x2f0
  ip_local_deliver+0x1a2/0x420
  ip_rcv+0x4fb/0x6b0
  __netif_receive_skb_one_core+0x162/0x1b0
  process_backlog+0x1ff/0x770
  __napi_poll.constprop.0+0xa9/0x5c0
  net_rx_action+0x7b3/0xb30
  __do_softirq+0x1f0/0x940
  do_softirq+0xa1/0xd0
  __local_bh_enable_ip+0xd8/0x100
  ip_finish_output2+0x6b7/0x18a0
  __ip_queue_xmit+0x706/0x1aa0
  __tcp_transmit_skb+0x2068/0x2e20
  tcp_write_xmit+0xc9e/0x2bb0
  __tcp_push_pending_frames+0x92/0x310
  inet_shutdown+0x158/0x300
  __nvme_tcp_stop_queue+0x36/0x270 [nvme_tcp]
  nvme_tcp_stop_queue+0x87/0xb0 [nvme_tcp]
  nvme_tcp_teardown_admin_queue+0x69/0xe0 [nvme_tcp]
  nvme_do_delete_ctrl+0x100/0x10c [nvme_core]
  nvme_sysfs_delete.cold+0x8/0xd [nvme_core]
  kernfs_fop_write_iter+0x2c7/0x460
  new_sync_write+0x36c/0x610
  vfs_write+0x5c0/0x870
  ksys_write+0xf9/0x1d0
  do_syscall_64+0x33/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xae
irq event stamp: 10687
hardirqs last  enabled at (10687): [] _raw_spin_unlock_irqrestore+0x2d/0x40
hardirqs last disabled at (10686): [] _raw_spin_lock_irqsave+0x68/0x90
softirqs last  enabled at (10684): [] __do_softirq+0x608/0x940
softirqs last disabled at (10649): [] do_softirq+0xa1/0xd0

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(clock-AF_INET);
  <Interrupt>
    lock(clock-AF_INET);

 *** DEADLOCK ***

5 locks held by nvme/1324:
 #0: ffff8884a01fe470 (sb_writers#4){.+.+}-{0:0}, at: ksys_write+0xf9/0x1d0
 #1: ffff8886e435c090 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x216/0x460
 #2: ffff888104d90c38 (kn->active#255){++++}-{0:0}, at: kernfs_remove_self+0x22d/0x330
 #3: ffff8884634538d0 (&queue->queue_lock){+.+.}-{3:3}, at: nvme_tcp_stop_queue+0x52/0xb0 [nvme_tcp]
 #4: ffff888363150d30 (sk_lock-AF_INET){+.+.}-{0:0}, at: inet_shutdown+0x59/0x300

stack backtrace:
CPU: 26 PID: 1324 Comm: nvme Tainted: G I 5.12.0-rc3 #1
Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.10.0 11/12/2020
Call Trace:
 dump_stack+0x93/0xc2
 mark_lock_irq.cold+0x2c/0xb3
 ? verify_lock_unused+0x390/0x390
 ? stack_trace_consume_entry+0x160/0x160
 ? lock_downgrade+0x100/0x100
 ? save_trace+0x88/0x5e0
 ? _raw_spin_unlock_irqrestore+0x2d/0x40
 mark_lock+0x530/0x1470
 ? mark_lock_irq+0x1d10/0x1d10
 ? enqueue_timer+0x660/0x660
 mark_usage+0x215/0x2a0
 __lock_acquire+0x79b/0x18d0
 ? tcp_schedule_loss_probe.part.0+0x38c/0x520
 lock_acquire+0x1ca/0x480
 ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
 ? rcu_read_unlock+0x40/0x40
 ? tcp_mtu_probe+0x1ae0/0x1ae0
 ? kmalloc_reserve+0xa0/0xa0
 ? sysfs_file_ops+0x170/0x170
 _raw_read_lock+0x3d/0xa0
 ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
 nvme_tcp_state_change+0x21/0x150 [nvme_tcp]
 ? sysfs_file_ops —truncated—
```
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/06beaa1a9f6e501213195e47c30416032fd2bbd5
- https://git.kernel.org/stable/c/60ade0d56b06537a28884745059b3801c78e03bc
- https://git.kernel.org/stable/c/906c538340dde6d891df89fe7dac8eaa724e40da
- https://git.kernel.org/stable/c/999d606a820c36ae9b9e9611360c8b3d8d4bb777
- https://git.kernel.org/stable/c/b5332a9f3f3d884a1b646ce155e664cc558c1722
CVE-2021-47042
description
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Free local data after use Fixes the following memory leak in dc_link_construct():

```
unreferenced object 0xffffa03e81471400 (size 1024):
  comm "amd_module_load", pid 2486, jiffies 4294946026 (age 10.544s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000000bdf5c4a>] kmem_cache_alloc_trace+0x30a/0x4a0
    [<00000000e7c59f0e>] link_create+0xce/0xac0 [amdgpu]
    [<000000002fb6c072>] dc_create+0x370/0x720 [amdgpu]
    [<000000000094d1f3>] amdgpu_dm_init+0x18e/0x17a0 [amdgpu]
    [<00000000bec048fd>] dm_hw_init+0x12/0x20 [amdgpu]
    [<00000000a2bb7cf6>] amdgpu_device_init+0x1463/0x1e60 [amdgpu]
    [<0000000032d3bb13>] amdgpu_driver_load_kms+0x5b/0x330 [amdgpu]
    [<00000000a27834f9>] amdgpu_pci_probe+0x192/0x280 [amdgpu]
    [<00000000fec7d291>] local_pci_probe+0x47/0xa0
    [<0000000055dbbfa7>] pci_device_probe+0xe3/0x180
    [<00000000815da970>] really_probe+0x1c4/0x4e0
    [<00000000b4b6974b>] driver_probe_device+0x62/0x150
    [<000000000f9ecc61>] device_driver_attach+0x58/0x60
    [<000000000f65c843>] __driver_attach+0xd6/0x150
    [<000000002f5e3683>] bus_for_each_dev+0x6a/0xc0
    [<00000000a1cfc897>] driver_attach+0x1e/0x20
```
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
- https://git.kernel.org/stable/c/296443139f893b554dddd56a99ba8471ab5802d4
- https://git.kernel.org/stable/c/616cf23b6cf40ad6f03ffbddfa1b6c4eb68d8ae1
CVE-2021-47043
description
In the Linux kernel, the following vulnerability has been resolved: media: venus: core: Fix some resource leaks in the error path of venus_probe() If an error occurs after a successful of_icc_get() call, it must be undone. Use devm_of_icc_get() instead of of_icc_get() to avoid the leak. Update the remove function accordingly and axe the now unneeded icc_put() calls.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/00b68a7478343afdf83f30c43e64db5296057030
- https://git.kernel.org/stable/c/5a465c5391a856a0c1e9554964d660676c35d1b2
- https://git.kernel.org/stable/c/711acdf0228dc71601247f28b56f13e850e395c8
- https://git.kernel.org/stable/c/940d01eceb3a7866fbfca136a55a5625fc75a565
CVE-2021-47044
description
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix shift-out-of-bounds in load_balance() Syzbot reported a handful of occurrences where an sd->nr_balance_failed can grow to much higher values than one would expect. A successful load_balance() resets it to 0; a failed one increments it. Once it gets to sd->cache_nice_tries + 3, this should trigger an active balance, which will either set it to sd->cache_nice_tries+1 or reset it to 0. However, in case the to-be-active-balanced task is not allowed to run on env->dst_cpu, then the increment is done without any further modification. This could then be repeated ad nauseam, and would explain the absurdly high values reported by syzbot (86, 149). VincentG noted there is value in letting sd->cache_nice_tries grow, so the shift itself should be fixed. That means preventing:

"""
If the value of the right operand is negative or is greater than or equal to the width of the promoted left operand, the behavior is undefined.
"""

Thus we need to cap the shift exponent to BITS_PER_TYPE(typeof(lefthand)) - 1. I had a look around for other similar cases via coccinelle:

```
@expr@
position pos;
expression E1;
expression E2;
@@
(
E1 >> E2@pos
|
E1 >> E2@pos
)

@cst depends on expr@
position pos;
expression expr.E1;
constant cst;
@@
(
E1 >> cst@pos
|
E1 << cst@pos
)

@script:python depends on !cst@
pos << expr.pos;
exp << expr.E2;
@@
# Dirty hack to ignore constexpr
if exp.upper() != exp:
    coccilib.report.print_report(pos[0], "Possible UB shift here")
```

The only other match in kernel/sched is rq_clock_thermal() which employs sched_thermal_decay_shift, and that exponent is already capped to 10, so that one is fine.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/2f3eab368e313dba35fc2f51ede778bf7b030b54
- https://git.kernel.org/stable/c/39a2a6eb5c9b66ea7c8055026303b3aa681b49a5
- https://git.kernel.org/stable/c/805cea93e66ca7deaaf6ad3b67224ce47c104c2f
- https://git.kernel.org/stable/c/80862cbf76c2646f709a57c4517aefe0b094c774
CVE-2021-47045
description
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb() It is possible to call lpfc_issue_els_plogi() passing a did for which no matching ndlp is found. A call is then made to lpfc_prep_els_iocb() with a null pointer to a lpfc_nodelist structure resulting in a null pointer dereference. Fix by returning an error status if no valid ndlp is found. Fix up comments regarding ndlp reference counting.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/8dd1c125f7f838abad009b64bff5f0a11afe3cb6
- https://git.kernel.org/stable/c/9bdcfbed2a9fe24d2c7eaa1bad7c705e18de8cc7
- https://git.kernel.org/stable/c/a09677de458d500b00701f6036baa423d9995408
CVE-2021-47046
description
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix off by one in hdmi_14_process_transaction() The hdcp_i2c_offsets[] array did not have an entry for HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE so it led to an off by one read overflow. I added an entry and copied the 0x0 value for the offset from similar code in drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c. I also declared several of these arrays as having HDCP_MESSAGE_ID_MAX entries. This doesn't change the code, but it's just a belt-and-suspenders approach to try to future-proof the code.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/080bd41d6478a64edf96704fddcda52b1fd5fed7
- https://git.kernel.org/stable/c/403c4528e5887af3deb9838cb77a557631d1e138
- https://git.kernel.org/stable/c/6a58310d5d1e5b02d0fc9b393ba540c9367bced5
- https://git.kernel.org/stable/c/8e6fafd5a22e7a2eb216f5510db7aab54cc545c1
CVE-2021-47047
description
In the Linux kernel, the following vulnerability has been resolved: spi: spi-zynqmp-gqspi: return -ENOMEM if dma_map_single fails The spi controller supports a 44-bit address space on AXI in DMA mode, so set the dma_addr_t width to 44 bits to avoid using a swiotlb mapping. In addition, if dma_map_single fails, it should return immediately instead of continuing with a DMA operation based on an invalid address. This fixes the following crash which occurs when reading a big block from flash:

```
[  123.633577] zynqmp-qspi ff0f0000.spi: swiotlb buffer is full (sz: 4194304 bytes), total 32768 (slots), used 0 (slots)
[  123.644230] zynqmp-qspi ff0f0000.spi: ERR:rxdma:memory not mapped
[  123.784625] Unable to handle kernel paging request at virtual address 00000000003fffc0
[  123.792536] Mem abort info:
[  123.795313]   ESR = 0x96000145
[  123.798351]   EC = 0x25: DABT (current EL), IL = 32 bits
[  123.803655]   SET = 0, FnV = 0
[  123.806693]   EA = 0, S1PTW = 0
[  123.809818] Data abort info:
[  123.812683]   ISV = 0, ISS = 0x00000145
[  123.816503]   CM = 1, WnR = 1
[  123.819455] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000805047000
[  123.825887] [00000000003fffc0] pgd=0000000803b45003, p4d=0000000803b45003, pud=0000000000000000
[  123.834586] Internal error: Oops: 96000145 [#1] PREEMPT SMP
```
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/126bdb606fd2802454e6048caef1be3e25dd121e
- https://git.kernel.org/stable/c/5980a3b9c933408bc22b0e349b78c3ebd7cbf880
- https://git.kernel.org/stable/c/bad5a23cf2b477fa78b85fd392736dae09a1e818
- https://git.kernel.org/stable/c/c26c026eb496261dbc0adbf606cc81989cd2038c
CVE-2021-47048
description
In the Linux kernel, the following vulnerability has been resolved: spi: spi-zynqmp-gqspi: fix use-after-free in zynqmp_qspi_exec_op When handling op->addr, it is using the buffer “tmpbuf” which has already been freed. This will trigger a use-after-free KASAN warning. Let's use temporary variables to store op->addr.val and op->cmd.opcode to fix this issue.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/1231279389b5e638bc3b66b9741c94077aed4b5a
- https://git.kernel.org/stable/c/23269ac9f123eca3aea7682d3345c02e71ed696c
- https://git.kernel.org/stable/c/a2c5bedb2d55dd27c642c7b9fb6886d7ad7bdb58
- https://git.kernel.org/stable/c/d67e0d6bd92ebbb0294e7062bbf5cdc773764e62
CVE-2021-47049
description
In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Use after free in __vmbus_open() The “open_info” variable is added to the &vmbus_connection.chn_msg_list, but the error handling frees “open_info” without removing it from the list. This will result in a use after free. First remove it from the list, and then free it.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/2728f289b3270b0e273292b46c534421a33bbfd5
- https://git.kernel.org/stable/c/3e9bf43f7f7a46f21ec071cb47be92d0874c48da
- https://git.kernel.org/stable/c/d5c7b42c9f56ca46b286daa537d181bd7f69214f
- https://git.kernel.org/stable/c/f37dd5d1b5d38a79a4f7b8dd7bbb705505f05560
CVE-2021-47050
description
In the Linux kernel, the following vulnerability has been resolved: memory: renesas-rpc-if: fix possible NULL pointer dereference of resource The platform_get_resource_byname() can return NULL which would be immediately dereferenced by resource_size(). Instead dereference it after validating the resource. Addresses-Coverity: Dereference null return value
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/59e27d7c94aa02da039b000d33c304c179395801
- https://git.kernel.org/stable/c/71bcc1b4a1743534d8abdcb57ff912e6bc390438
- https://git.kernel.org/stable/c/a74cb41af7dbe019e4096171f8bc641c7ce910ad
- https://git.kernel.org/stable/c/e16acc3a37f09e18835dc5d8014942c2ef6ca957
CVE-2021-47051
description
In the Linux kernel, the following vulnerability has been resolved: spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware() pm_runtime_get_sync will increment the PM usage counter even if it fails. Forgetting the put operation will result in a reference leak here. Fix it by replacing it with pm_runtime_resume_and_get to keep the usage counter balanced.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/4a01ad002d2e03c399af536562693752af7c81b1
- https://git.kernel.org/stable/c/6a2b5cee0d31ab6cc51030c441135b0e31217282
- https://git.kernel.org/stable/c/a03675497970a93fcf25d81d9d92a59c2d7377a7
- https://git.kernel.org/stable/c/b8207bfc539cd07d15e753ff2d179c5b61c673b1
- https://git.kernel.org/stable/c/ce02e58ddf8658a4c3bed2296f32a5873b3f7cce
CVE-2021-47052
description
In the Linux kernel, the following vulnerability has been resolved: crypto: sa2ul - Fix memory leak of rxd There are two error return paths that are not freeing rxd and causing memory leaks. Fix these. Addresses-Coverity: (“Resource leak”)
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/0e596b3734649041ed77edc86a23c0442bbe062b
- https://git.kernel.org/stable/c/854b7737199848a91f6adfa0a03cf6f0c46c86e8
- https://git.kernel.org/stable/c/b7bd0657c2036add71981d88a7fae50188150b6e
- https://git.kernel.org/stable/c/dfd6443bf49ac17adf882ca46c40c506a0284bd6
CVE-2021-47053
description
In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ss - Fix memory leak of pad It appears there are several failure return paths that don't seem to be freeing pad. Fix these. Addresses-Coverity: (“Resource leak”)
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/2c67a9333da9d0a3b87310e0d116b7c9070c7b00
- https://git.kernel.org/stable/c/50274b01ac1689b1a3f6bc4b5b3dbf361a55dd3a
- https://git.kernel.org/stable/c/c633e025bd04f54d7b33331cfcdb71354b08ce59
- https://git.kernel.org/stable/c/d3d702084d125689edb2b9395c707e09b471352e
CVE-2023-25922
description
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. IBM X-Force ID: 247621.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247621
- https://www.ibm.com/support/pages/node/6964516
CVE-2023-25925
description
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 247632.
cvss | epss | percentile |
---|---|---|
8.5 HIGH | 0.04% | 7.56% |
references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247632
- https://www.ibm.com/support/pages/node/6964516
CVE-2023-43769
description
An issue was discovered in Couchbase Server through 7.1.4 before 7.1.5 and before 7.2.1. There are Unauthenticated RMI Service Ports Exposed in Analytics.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://docs.couchbase.com/server/current/release-notes/relnotes.html
- https://forums.couchbase.com/tags/security
- https://www.couchbase.com/alerts/
- https://www.couchbase.com/downloads
CVE-2023-45859
description
In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
- https://github.com/hazelcast/hazelcast/pull/25509
- https://github.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66
CVE-2023-45873
description
An issue was discovered in Couchbase Server through 7.2.2. A data reader may cause a denial of service (application exit) because of the OOM killer.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://docs.couchbase.com/server/current/release-notes/relnotes.html
- https://forums.couchbase.com/tags/security
- https://www.couchbase.com/alerts/
CVE-2023-45874
description
An issue was discovered in Couchbase Server through 7.2.2. A data reader may cause a denial of service (outage of reader threads).
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://docs.couchbase.com/server/current/release-notes/relnotes.html
- https://forums.couchbase.com/tags/security
- https://www.couchbase.com/alerts/
CVE-2023-49338
description
Couchbase Server 7.1.x and 7.2.x before 7.2.4 does not require authentication for the /admin/stats and /admin/vitals endpoints on TCP port 8093 of localhost.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://docs.couchbase.com/server/current/release-notes/relnotes.html
- https://forums.couchbase.com/tags/security
- https://www.couchbase.com/alerts/
CVE-2023-49930
description
An issue was discovered in Couchbase Server before 7.2.4. cURL calls to /diag/eval are not sufficiently restricted.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://docs.couchbase.com/server/current/release-notes/relnotes.html
- https://forums.couchbase.com/tags/security
- https://www.couchbase.com/alerts/
CVE-2023-49931
description
An issue was discovered in Couchbase Server before 7.2.4. SQL++ cURL calls to /diag/eval are not sufficiently restricted.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://docs.couchbase.com/server/current/release-notes/relnotes.html
- https://forums.couchbase.com/tags/security
- https://www.couchbase.com/alerts/
CVE-2023-49932
description
An issue was discovered in Couchbase Server before 7.2.4. An attacker can bypass SQL++ N1QL cURL host restrictions.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://docs.couchbase.com/server/current/release-notes/relnotes.html
- https://forums.couchbase.com/tags/security
- https://www.couchbase.com/alerts/
CVE-2023-50303
description
IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 273333.
cvss | epss | percentile |
---|---|---|
6.1 MEDIUM | 0.04% | 6.92% |
references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/273333
- https://www.ibm.com/support/pages/node/7116120
CVE-2023-50436
description
An issue was discovered in Couchbase Server before 7.2.4. ns_server admin credentials are leaked in encoded form in the diag.log file. The earliest affected version is 7.1.5.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://docs.couchbase.com/server/current/release-notes/relnotes.html
- https://forums.couchbase.com/tags/security
- https://www.couchbase.com/alerts/
CVE-2023-50437
description
An issue was discovered in Couchbase Server 7.2.x before 7.2.4. The otpCookie is exposed to Full Admin users via pools/default/serverGroups and engageCluster2.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://docs.couchbase.com/server/current/release-notes/relnotes.html
- https://forums.couchbase.com/tags/security
- https://www.couchbase.com/alerts/
CVE-2023-50734
description
A buffer overflow vulnerability has been identified in the PostScript interpreter of various Lexmark devices. The vulnerability can be leveraged by an attacker to execute arbitrary code.
cvss | epss | percentile |
---|---|---|
9.0 CRITICAL | 0.07% | 26.63% |
references
CVE-2023-50735
description
A heap corruption vulnerability has been identified in the PostScript interpreter of various Lexmark devices. The vulnerability can be leveraged by an attacker to execute arbitrary code.
cvss | epss | percentile |
---|---|---|
9.0 CRITICAL | 0.07% | 26.63% |
references
CVE-2023-50736
description
A memory corruption vulnerability has been identified in the PostScript interpreter of various Lexmark devices. The vulnerability can be leveraged by an attacker to execute arbitrary code.
cvss | epss | percentile |
---|---|---|
9.0 CRITICAL | 0.07% | 26.63% |
references
CVE-2023-50737
description
The SE menu contains information used by Lexmark to diagnose device errors. A vulnerability in one of the SE menu routines can be leveraged by an attacker to execute arbitrary code.
cvss | epss | percentile |
---|---|---|
9.1 CRITICAL | 0.07% | 26.63% |
references
CVE-2023-51533
description
Cross-Site Request Forgery (CSRF) vulnerability in Ecwid Ecommerce's Ecwid Ecommerce Shopping Cart. This issue affects Ecwid Ecommerce Shopping Cart: from n/a through 6.12.4.
cvss | epss | percentile |
---|---|---|
5.4 MEDIUM | 0.04% | 6.92% |
references
CVE-2023-51681
description
Cross-Site Request Forgery (CSRF) vulnerability in Duplicator's Duplicator – WordPress Migration & Backup Plugin. This issue affects Duplicator – WordPress Migration & Backup Plugin: from n/a through 1.5.7.
cvss | epss | percentile |
---|---|---|
6.5 MEDIUM | 0.04% | 6.92% |
references
- https://patchstack.com/database/vulnerability/duplicator/wordpress-duplicator-plugin-1-5-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
CVE-2023-51683
description
Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson's Easy PayPal & Stripe Buy Now Button. This issue affects Easy PayPal & Stripe Buy Now Button: from n/a through 1.8.1.
cvss | epss | percentile |
---|---|---|
5.4 MEDIUM | 0.04% | 6.92% |
references
CVE-2023-51692
description
Missing Authorization vulnerability in CusRev's Customer Reviews for WooCommerce. This issue affects Customer Reviews for WooCommerce: from n/a through 5.38.1.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
CVE-2023-52047
description
Dedecms v5.7.112 was discovered to contain a Cross-Site Request Forgery (CSRF) in the file manager.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2023-52048
description
RuoYi v4.7.8 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /system/notice/.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2023-52223
description
Cross-Site Request Forgery (CSRF) vulnerability in MailerLite's MailerLite – WooCommerce integration. This issue affects MailerLite – WooCommerce integration: from n/a through 2.0.8.
cvss | epss | percentile |
---|---|---|
5.4 MEDIUM | 0.04% | 6.92% |
references
CVE-2023-52226
description
Cross-Site Request Forgery (CSRF) vulnerability in Advanced Flamingo. This issue affects Advanced Flamingo: from n/a through 1.0.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
CVE-2023-5617
description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.1.0.0 and 9.3.0.6, including 9.5.x and 8.3.x, display the version of Tomcat when a server error is encountered.
cvss | epss | percentile |
---|---|---|
5.3 MEDIUM | 0.04% | 6.92% |
references
CVE-2023-6917
description
A vulnerability has been identified in the Performance Co-Pilot (PCP) package, stemming from the mixed privilege levels utilized by systemd services associated with PCP. While certain services operate within the confines of limited PCP user/group privileges, others are granted full root privileges. This disparity in privilege levels poses a risk when privileged root processes interact with directories or directory trees owned by unprivileged PCP users. Specifically, this vulnerability may lead to the compromise of PCP user isolation and facilitate local PCP-to-root exploits, particularly through symlink attacks. These vulnerabilities underscore the importance of maintaining robust privilege separation mechanisms within PCP to mitigate the potential for unauthorized privilege escalation.
cvss | epss | percentile |
---|---|---|
6.0 MEDIUM | 0.04% | 6.92% |
references
- https://access.redhat.com/security/cve/CVE-2023-6917
- https://bugzilla.redhat.com/show_bug.cgi?id=2254983
CVE-2023-6922
description
The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.6 via the acx_csma_subscribe_ajax function. This can allow authenticated attackers to extract sensitive data such as names and email addresses of subscribed visitors.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/browser/coming-soon-maintenance-mode-from-acurax/trunk/function.php?rev=2539156#L612
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2a75f4eb-698b-4c92-9829-de6c55e21ecb?source=cve
CVE-2024-0431
description
The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the ajax_set_default_card function. This makes it possible for unauthenticated attackers to set the default card token for a user via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/browser/gestpay-for-woocommerce/trunk/inc/class-gestpay-cards.php#L117
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7d3a6650-5be0-4162-93eb-369538a2ebc5?source=cve
CVE-2024-0432
description
The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the ajax_delete_card function. This makes it possible for unauthenticated attackers to delete the default card token for a user via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
- https://wordpress.org/plugins/wppdf/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7561a71a-c3f0-45f1-8230-2c17cbeff916?source=cve
CVE-2024-0433
description
The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the ajax_unset_default_card function. This makes it possible for unauthenticated attackers to remove the default status of a card token for a user via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
- https://wordpress.org/plugins/wppdf/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/44b62b99-99eb-424b-a04a-9bbacf5fbbaa?source=cve
CVE-2024-0550
description
A user who is already privileged ("manager" or "admin") can set their profile picture via the frontend API using a relative filepath, then use the PFP GET API to download any valid file. The attacker must have been granted privileged permissions on the system before executing this attack.
cvss | epss | percentile |
---|---|---|
9.6 CRITICAL | 0.04% | 6.92% |
references
- https://github.com/mintplex-labs/anything-llm/commit/e1dcd5ded010b03abd6aa32d1bf0668a48e38e17
- https://huntr.com/bounties/c6afeb5e-f211-4b3d-aa4b-6bad734217a6
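The weakness behind CVE-2024-0550 is a file name taken from user input, stored, and later used to read a file. The PHP below is an added example of the containment check such a download endpoint needs; it is not code from anything-llm (whose code base is JavaScript; PHP is used to keep one language across this page's examples). The pictures directory, the "secret" file, the symlink and the `../` input are constructed for the demonstration. The requested name is limited to a single path component, resolved with realpath() (which collapses `..` and follows symlinks) and then required to sit inside the base directory.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-supplied profile-picture name to a regular file inside
 * $baseDir, or return null. realpath() collapses "..", "." and symlinks
 * before the prefix comparison, so neither a relative path nor a planted
 * symlink can reach a file outside the directory.
 */
function safe_profile_picture_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                                   // misconfigured base: deny
    }
    if ($requested === '' || $requested !== basename($requested)) {
        return null;                                   // only a bare file name is acceptable
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare with the separator appended so "/srv/pfp2/x" is not accepted for base "/srv/pfp".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/** The vulnerable shape: concatenate and serve, no containment check. */
function unsafe_profile_picture_path(string $baseDir, string $requested): string
{
    return $baseDir . DIRECTORY_SEPARATOR . $requested;
}

// Constructed sandbox: a pictures directory holding one legitimate image, a
// sibling "secret" file, and a symlink inside the directory pointing at it.
$root = sys_get_temp_dir() . '/pfp-demo-' . bin2hex(random_bytes(4));
mkdir("$root/pfp", 0700, true);
file_put_contents("$root/pfp/alice.png", 'PNG-bytes');
file_put_contents("$root/secret.txt", 'not a picture');
@symlink("$root/secret.txt", "$root/pfp/link.png");

foreach (['alice.png', '../secret.txt', 'link.png'] as $name) {
    $unsafe = unsafe_profile_picture_path("$root/pfp", $name);
    printf("%-15s unsafe: %-8s safe: %s\n", $name,
        is_file($unsafe) ? 'serves' : 'no file',
        safe_profile_picture_path("$root/pfp", $name) ?? 'rejected');
}

// Remove the sandbox.
@unlink("$root/pfp/link.png"); unlink("$root/pfp/alice.png");
unlink("$root/secret.txt"); rmdir("$root/pfp"); rmdir($root);
```

The basename() test alone would already stop `../secret.txt`; the realpath() prefix check is what stops the symlink case, which a privileged user who can write into the pictures directory could otherwise plant. Keeping both is cheap.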
CVE-2024-0560
description
A vulnerability was found in 3Scale when used with Keycloak 15 (or RHSSO 7.5.0) and later. When auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the introspection endpoint from the token_introspection_endpoint field, but that field was removed in RH-SSO 7.5. As a result, the policy doesn't inspect tokens at all and treats every token as valid.
cvss | epss | percentile |
---|---|---|
6.3 MEDIUM | 0.04% | 12.34% |
references
- https://access.redhat.com/security/cve/CVE-2024-0560
- https://bugzilla.redhat.com/show_bug.cgi?id=2258456
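CVE-2024-0560 is a fail-open bug: when the introspection endpoint cannot be discovered, the policy skips the check instead of refusing. The PHP below is an added example, not APIcast's code (which is Lua), of the same decision written fail-closed beside the fail-open shape. The two discovery documents and the stub introspection server are constructed. That newer servers publish the endpoint under the RFC 8414 key `introspection_endpoint` while older ones used `token_introspection_endpoint` is an assumption made here, not something the page states.

```php
<?php
declare(strict_types=1);

/**
 * Pick the introspection endpoint from an OIDC discovery document.
 * Returns null when neither the RFC 8414 key nor the legacy key is present.
 */
function introspection_endpoint(array $discovery): ?string
{
    foreach (['introspection_endpoint', 'token_introspection_endpoint'] as $key) {
        if (!empty($discovery[$key]) && is_string($discovery[$key])) {
            return $discovery[$key];
        }
    }
    return null;
}

/**
 * Fail-closed policy: a token is accepted only if an introspection endpoint
 * was found AND the server reports it active. $post is an injected transport
 * (callable(string $url, array $fields): ?array) so the example runs offline;
 * in production it is an HTTP POST with client credentials (RFC 7662).
 */
function token_allowed(array $discovery, string $token, callable $post): bool
{
    $endpoint = introspection_endpoint($discovery);
    if ($endpoint === null) {
        return false;   // cannot verify, so deny
    }
    $resp = $post($endpoint, ['token' => $token]);
    return is_array($resp) && ($resp['active'] ?? false) === true;
}

/** The vulnerable shape: no endpoint found, so no check runs and the token passes. */
function token_allowed_fail_open(array $discovery, string $token, callable $post): bool
{
    $endpoint = $discovery['token_introspection_endpoint'] ?? null;
    if ($endpoint === null) {
        return true;    // bug: absence of the field is treated as "nothing to check"
    }
    $resp = $post($endpoint, ['token' => $token]);
    return is_array($resp) && ($resp['active'] ?? false) === true;
}

// Constructed discovery documents and a stub introspection server that
// recognises exactly one token.
$legacyDoc = ['issuer' => 'https://sso.example/realms/demo',
              'token_introspection_endpoint' => 'https://sso.example/realms/demo/protocol/openid-connect/token/introspect'];
$newDoc    = ['issuer' => 'https://sso.example/realms/demo',
              'introspection_endpoint' => 'https://sso.example/realms/demo/protocol/openid-connect/token/introspect'];
$stubPost  = fn(string $url, array $f): array => ['active' => $f['token'] === 'good-token'];

foreach (['good-token', 'forged-token'] as $tok) {
    printf("%-12s legacy doc: open=%d closed=%d   new doc: open=%d closed=%d\n", $tok,
        (int) token_allowed_fail_open($legacyDoc, $tok, $stubPost), (int) token_allowed($legacyDoc, $tok, $stubPost),
        (int) token_allowed_fail_open($newDoc, $tok, $stubPost),    (int) token_allowed($newDoc, $tok, $stubPost));
}
```

With the legacy document both variants agree; with the new document the fail-open variant accepts the forged token because it never finds anything to call, while the fail-closed one rejects it. The design point generalises: any authorisation step whose prerequisite can be missing needs an explicit deny branch for that case.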
- https://github.com/3scale/APIcast/pull/1438
CVE-2024-0680
description
The WP Private Content Plus plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 3.6. This is due to the plugin not properly restricting access to posts via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected posts.
cvss | epss | percentile |
---|---|---|
5.3 MEDIUM | 0.04% | 6.92% |
references
- https://wordpress.org/plugins/wp-private-content-plus/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/43d8904f-3bc9-4c67-b44b-8d78762b6b30?source=cve
CVE-2024-0682
description
The Page Restrict plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 2.5.5. This is due to the plugin not properly restricting access to posts via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected posts.
cvss | epss | percentile |
---|---|---|
5.3 MEDIUM | 0.04% | 6.92% |
references
- https://wordpress.org/plugins/pagerestrict/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/63f98fd6-eee8-4281-98ea-a267d0442c85?source=cve
CVE-2024-0766
description
The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the templates_ajax_request function in all versions up to, and including, 1.4.4. This makes it possible for subscribers and higher to create templates.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/trunk/includes/admin/include/template-library.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/996c7433-dd82-4216-86b9-005f43c06c3a?source=cve
CVE-2024-0767
description
The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the ajax_plugin_activation function. This makes it possible for unauthenticated attackers to activate arbitrary installed plugins via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/trunk/includes/admin/include/template-library.php#L332
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cca71257-05dc-43d5-8de6-faf0a2feab2e?source=cve
CVE-2024-0768
description
The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the ajax_theme_activation function. This makes it possible for unauthenticated attackers to activate arbitrary installed themes via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/trunk/includes/admin/include/template-library.php#L367
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6504ae5c-a36d-495e-aa93-40a3753857c6?source=cve
CVE-2024-0786
description
The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ee_syncProductCategory function using the parameters conditionData, valueData, productArray, exclude and include in all versions up to, and including, 6.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/browser/enhanced-e-commerce-for-woocommerce-store/trunk/includes/data/class-tvc-ajax-file.php#L1979
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c30801d1-9335-4bba-b344-f0ff57cecf84?source=cve
CVE-2024-0975
description
The WordPress Access Control plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.13 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "Make Website Members Only" feature (when unset) and view restricted page and post content.
cvss | epss | percentile |
---|---|---|
5.3 MEDIUM | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/browser/wordpress-access-control/trunk/wordpress-access-control.php#L289
- https://www.wordfence.com/threat-intel/vulnerabilities/id/31f13524-2bd7-4157-b378-455ac4f822a1?source=cve
CVE-2024-1136
description
The Coming Soon Page & Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to an improperly implemented URL check in the wpsm_coming_soon_redirect function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to bypass maintenance mode or coming-soon mode and view the site's content.
cvss | epss | percentile |
---|---|---|
5.3 MEDIUM | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/browser/responsive-coming-soon/trunk/redirect.php#L11
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e3c52d6e-b3f4-4ba8-aee4-b9f11704e1de?source=cve
CVE-2024-1368
description
The Page Duplicator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the duplicate_dat_page() function in all versions up to, and including, 0.1.1. This makes it possible for unauthenticated attackers to duplicate arbitrary posts and pages.
cvss | epss | percentile |
---|---|---|
5.3 MEDIUM | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/browser/wp-page-duplicator/trunk/page-duplicator.php#L136
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bcc10e91-4810-4a0d-919c-de3e87137f76?source=cve
CVE-2024-1388
description
The Yuki theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_customizer_options() function in all versions up to, and including, 1.3.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to reset the theme's settings.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
- https://themes.trac.wordpress.org/changeset/217428/yuki/1.3.14/inc/extensions/class-reset-extension.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d964e0ef-f14e-463b-bf4e-3f25788df03c?source=cve
CVE-2024-1476
description
The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6 via the REST API. This makes it possible for unauthenticated attackers to obtain the contents of posts and pages when maintenance mode is active thus bypassing the protection provided by the plugin.
cvss | epss | percentile |
---|---|---|
5.3 MEDIUM | 0.04% | 6.92% |
references
- https://wordpress.org/plugins/coming-soon-maintenance-mode-from-acurax/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f28c47e6-a37d-4328-afb2-6a9e6b3fe20a?source=cve
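CVE-2024-0680, CVE-2024-0682, CVE-2024-0975 and CVE-2024-1476 share one cause: the plugin gates page rendering but not the REST API, so `/wp-json/wp/v2/posts` still returns the content. The PHP below is an added example, not code from any of those plugins, of closing that gap inside a WordPress plugin. The option `demo_maintenance_mode` and the post meta `_demo_restricted` are assumed names for the example; everything else is WordPress core API.

```php
<?php
/*
 * Plugin Name: Demo Maintenance REST Gate
 * Runs inside WordPress. The option "demo_maintenance_mode" (bool) stands in
 * for a maintenance / members-only switch; "_demo_restricted" post meta marks
 * an individually restricted page or post. Both names are assumed.
 */

/** The front-end gate such plugins already have: anonymous visitors get a holding page. */
add_action('template_redirect', function () {
    if (get_option('demo_maintenance_mode') && !is_user_logged_in()) {
        status_header(503);
        nocache_headers();
        wp_die('Site under maintenance.', 'Maintenance', ['response' => 503]);
    }
});

/**
 * The part the vulnerable plugins lacked: the same gate on the REST API.
 * rest_authentication_errors runs for every REST request; returning a
 * WP_Error aborts it with that status. Priority 110 places this after core's
 * cookie-nonce check (priority 100), and an earlier error is passed through
 * untouched so core's own decisions are not overridden.
 */
add_filter('rest_authentication_errors', function ($result) {
    if (!empty($result)) {
        return $result;
    }
    if (get_option('demo_maintenance_mode') && !is_user_logged_in()) {
        return new WP_Error(
            'demo_maintenance_rest_locked',
            'The REST API is unavailable to anonymous requests while maintenance mode is active.',
            ['status' => 401]
        );
    }
    return $result;
}, 110);

/**
 * Finer-grained alternative for "this page is restricted" plugins: keep the
 * API reachable but blank restricted items for visitors who may not see them.
 * Applied to both post and page responses.
 */
foreach (['post', 'page'] as $type) {
    add_filter("rest_prepare_{$type}", function (WP_REST_Response $response, WP_Post $post) {
        if (get_post_meta($post->ID, '_demo_restricted', true) && !is_user_logged_in()) {
            $data = $response->get_data();
            foreach (['content', 'excerpt'] as $field) {
                if (isset($data[$field])) {
                    $data[$field] = ['rendered' => '', 'protected' => true];
                }
            }
            $response->set_data($data);
        }
        return $response;
    }, 10, 2);
}
```

To check a site for this class of issue, request `/wp-json/wp/v2/pages?per_page=1` and `/wp-json/wp/v2/posts?per_page=1` without cookies while the protection is switched on; with the gate in place the response is a 401 (or, with the per-item filter, empty `content.rendered`) rather than the page body. The same gap exists for the legacy XML-RPC endpoint and feeds, which a plugin that hooks only `template_redirect` also leaves open.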
CVE-2024-1514
description
The WP eCommerce plugin for WordPress is vulnerable to time-based blind SQL Injection via the cart_contents parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
cvss | epss | percentile |
---|---|---|
9.8 CRITICAL | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/browser/wp-e-commerce/trunk/wpsc-components/marketplace-core-v1/library/Sputnik.php#L334
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0ba5da2b-6944-4243-a4f2-0f887abf7a66?source=cve
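CVE-2024-0786 and CVE-2024-1514 are both `$wpdb` queries built by string interpolation, which is why a time-based payload works against them. The PHP below is an added example (not code from either plugin) of the unsafe shape beside the prepared-statement fix for the two cases that occur here: an integer list fed to `IN (...)` and a string fed to `LIKE`. It assumes a WordPress runtime and an invented table `{$wpdb->prefix}demo_products`.

```php
<?php
// Runs inside WordPress as part of a plugin; $wpdb is the global database handle.
// The table {$wpdb->prefix}demo_products is assumed for the example.

/**
 * Vulnerable shape: the request value is spliced straight into the query.
 * A cart_contents value such as "1) AND SLEEP(5)-- -" turns this into a
 * time-based blind injection: the response stalls only when the injected
 * condition holds, which is enough to read the database one bit at a time.
 */
function demo_cart_items_unsafe(string $cart_contents): array
{
    global $wpdb;
    $sql = "SELECT id, name FROM {$wpdb->prefix}demo_products WHERE id IN ($cart_contents)";
    return (array) $wpdb->get_results($sql);
}

/**
 * Hardened shape: coerce to integers, build one %d placeholder per value and
 * let $wpdb->prepare() bind them. Identifiers (table names) cannot be bound,
 * so they come from $wpdb->prefix, never from the request.
 */
function demo_cart_items_safe(string $cart_contents): array
{
    global $wpdb;
    $ids = array_values(array_filter(
        array_map('intval', explode(',', $cart_contents)),
        fn($v) => $v > 0
    ));
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}demo_products WHERE id IN ($placeholders)",
        ...$ids
    );
    return (array) $wpdb->get_results($sql);
}

/**
 * Same pattern for a string column (the conditionData/valueData style of
 * CVE-2024-0786): a %s placeholder, plus esc_like() because the value feeds
 * LIKE and would otherwise be able to smuggle wildcards.
 */
function demo_products_by_name_safe(string $needle): array
{
    global $wpdb;
    $like = '%' . $wpdb->esc_like($needle) . '%';
    return (array) $wpdb->get_results(
        $wpdb->prepare("SELECT id, name FROM {$wpdb->prefix}demo_products WHERE name LIKE %s", $like)
    );
}
```

Escaping alone (`esc_sql()`) is not the fix for the `IN (...)` case: the value is not inside quotes in the query, so no amount of quote-escaping stops `1) AND SLEEP(5)-- -`. Typing the input and binding it through placeholders is what closes the hole, and the same approach handles the array-valued parameters named in CVE-2024-0786 by generating one placeholder per element.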
CVE-2024-1516
description
The WP eCommerce plugin for WordPress is vulnerable to unauthorized arbitrary post creation due to a missing capability check on the check_for_saas_push() function in all versions up to, and including, 3.15.1. This makes it possible for unauthenticated attackers to create arbitrary posts with arbitrary content.
cvss | epss | percentile |
---|---|---|
5.3 MEDIUM | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/browser/wp-e-commerce/trunk/wpsc-components/marketplace-core-v1/library/Sputnik.php#L191
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b0a9f3d2-aa7f-4fc2-9cfd-b69ec3f63160?source=cve
CVE-2024-1566
description
The Redirects plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save function in all versions up to, and including, 1.2.1. This makes it possible for unauthenticated attackers to change redirects created with this plugin. This could lead to undesired redirection to phishing sites or malicious web pages.
cvss | epss | percentile |
---|---|---|
6.5 MEDIUM | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/browser/redirects/trunk/index.php#L118
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7c6be7f2-5526-4fba-9fe0-003b8460c926?source=cve
CVE-2024-1568
description
The Seraphinite Accelerator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.20.52 via the OnAdminApi_HtmlCheck function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
cvss | epss | percentile |
---|---|---|
6.4 MEDIUM | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/changeset/3040707/seraphinite-accelerator
- https://www.wordfence.com/threat-intel/vulnerabilities/id/07287a85-df00-408a-8b02-978fd3116155?source=cve
CVE-2024-1632
description
Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area.
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.04% | 6.92% |
references
- https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024
- https://www.progress.com/sitefinity-cms
CVE-2024-1636
description
Potential Cross-Site Scripting (XSS) in the page editing area.
cvss | epss | percentile |
---|---|---|
8.0 HIGH | 0.04% | 6.92% |
references
- https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024
- https://www.progress.com/sitefinity-cms
CVE-2024-1719
description
The Easy PayPal & Stripe Buy Now Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.3, and the Contact Form 7 – PayPal & Stripe Add-on in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the wpecpp_stripe_connect_completion function. This makes it possible for unauthenticated attackers to modify the plugin's settings and change the Stripe connection via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 12.34% |
references
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3040958%40contact-form-7-paypal-add-on&new=3040958%40contact-form-7-paypal-add-on&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3040962%40wp-ecommerce-paypal&new=3040962%40wp-ecommerce-paypal&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a5276227-9bd4-4ad8-a6b7-ac7d05e8b056?source=cve
CVE-2024-1791
description
The CodeMirror Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Code Mirror block in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
cvss | epss | percentile |
---|---|---|
6.4 MEDIUM | 0.04% | 6.92% |
references
- https://wordpress.org/plugins/wp-codemirror-block/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/52569aac-1e9e-40fb-9ff4-5eeb7940375d?source=cve
CVE-2024-1808
description
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's su_qrcode shortcode in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
cvss | epss | percentile |
---|---|---|
6.4 MEDIUM | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/changeset/3041647/shortcodes-ultimate
- https://www.wordfence.com/threat-intel/vulnerabilities/id/96769a0e-d4a9-4196-8ded-b600046c0943?source=cve
CVE-2024-1847
description
Heap-based Buffer Overflow, Memory Corruption, Out-Of-Bounds Read, Out-Of-Bounds Write, Stack-based Buffer Overflow, Type Confusion, Uninitialized Variable, Use-After-Free vulnerabilities exist in the file reading procedure in eDrawings from Release SOLIDWORKS 2023 through Release SOLIDWORKS 2024. These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted CATPART, DWG, DXF, IPT, JT, SAT, SLDDRW, SLDPRT, STL, STP, X_B or X_T file.
cvss | epss | percentile |
---|---|---|
7.8 HIGH | 0.04% | 6.92% |
references
CVE-2024-1860
description
The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the antihacker_add_whitelist() function in all versions up to, and including, 4.51. This makes it possible for unauthenticated attackers to add their IP address to the whitelist, circumventing protection.
cvss | epss | percentile |
---|---|---|
6.5 MEDIUM | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3040434%40antihacker&new=3040434%40antihacker&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3d365284-73ac-4730-a83d-9202677cf161?source=cve
CVE-2024-1861
description
The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the antihacker_truncate_scan_table() function in all versions up to, and including, 4.52. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate the scan table.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3040447%40antihacker&new=3040447%40antihacker&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b80c8888-e8d6-4458-ae93-8e4182060590?source=cve
CVE-2024-1943
description
The Yuki theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.14. This is due to missing or incorrect nonce validation on the reset_customizer_options() function. This makes it possible for unauthenticated attackers to reset the theme's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
- https://themes.trac.wordpress.org/changeset/218603/yuki/1.3.15/inc/extensions/class-reset-extension.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/dfb760fb-f281-4649-9bd3-92f8e281f07e?source=cve
CVE-2024-1954
description
The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1.8. This is due to missing or incorrect nonce validation in the includes/class-pos-bridge-install.php file. This makes it possible for unauthenticated attackers to perform several unauthorized actions, such as deactivating the plugin, disconnecting the subscription, syncing the status and more, via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
cvss | epss | percentile |
---|---|---|
6.3 MEDIUM | 0.04% | 6.92% |
references
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3035108%40oliver-pos&new=3035108%40oliver-pos&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/88d16ce2-a1cf-4402-b140-3cab17f8c638?source=cve
CVE-2024-1965
description
Server-Side Request Forgery vulnerability in Haivision's Aviwest Manager and Aviwest Steamhub. This vulnerability could allow an attacker to enumerate internal network configuration without the need for credentials. An attacker could compromise an internal server and retrieve requests sent by other users.
cvss | epss | percentile |
---|---|---|
6.5 MEDIUM | 0.04% | 6.92% |
references
CVE-2024-1970
description
A vulnerability, which was classified as problematic, was found in SourceCodester Online Learning System V2 1.0. Affected is an unknown function of the file /index.php. The manipulation of the argument page leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-255126 is the identifier assigned to this vulnerability.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 12.34% |
references
- https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/OnlineLearningSystemV2-XSS.md
- https://vuldb.com/?ctiid.255126
- https://vuldb.com/?id.255126
CVE-2024-1971
description
A vulnerability has been found in Surya2Developer Online Shopping System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file login.php of the component POST Parameter Handler. The manipulation of the argument password with the input nochizplz+or+1%3d1+limit+1%23 leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-255127.
cvss | epss | percentile |
---|---|---|
7.3 HIGH | 0.04% | 12.34% |
references
- https://github.com/skid-nochizplz/skid-nochizplz/blob/main/TrashBin/CVE/Surya2Developer%20Online_shopping_-system/SQL%20Injection%20Auth.md
- https://vuldb.com/?ctiid.255127
- https://vuldb.com/?id.255127
CVE-2024-1972
description
A vulnerability was found in SourceCodester Online Job Portal 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /Employer/EditProfile.php. The manipulation of the argument Address leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255128.
cvss | epss | percentile |
---|---|---|
3.5 LOW | 0.04% | 12.34% |
references
CVE-2024-20267
description
A vulnerability with the handling of MPLS traffic for Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause the netstack process to unexpectedly restart, which could cause the device to stop processing network traffic or to reload. This vulnerability is due to lack of proper error checking when processing an ingress MPLS frame. An attacker could exploit this vulnerability by sending a crafted IPv6 packet that is encapsulated within an MPLS frame to an MPLS-enabled interface of the targeted device. A successful exploit could allow the attacker to cause a denial of service (DoS) condition. Note: The IPv6 packet can be generated multiple hops away from the targeted device and then encapsulated within MPLS. The DoS condition may occur when the NX-OS device processes the packet.
cvss | epss | percentile |
---|---|---|
8.6 HIGH | 0.04% | 6.92% |
references
CVE-2024-20291
description
A vulnerability in the access control list (ACL) programming for port channel subinterfaces of Cisco Nexus 3000 and 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to send traffic that should be blocked through an affected device. This vulnerability is due to incorrect hardware programming that occurs when configuration changes are made to port channel member ports. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to access network resources that should be protected by an ACL that was applied on port channel subinterfaces.
cvss | epss | percentile |
---|---|---|
5.8 MEDIUM | 0.04% | 6.92% |
references
CVE-2024-20294
description
A vulnerability in the Link Layer Discovery Protocol (LLDP) feature of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of specific fields in an LLDP frame. An attacker could exploit this vulnerability by sending a crafted LLDP packet to an interface of an affected device and having an authenticated user retrieve LLDP statistics from the affected device through CLI show commands or Simple Network Management Protocol (SNMP) requests. A successful exploit could allow the attacker to cause the LLDP service to crash and stop running on the affected device. In certain situations, the LLDP crash may result in a reload of the affected device. Note: LLDP is a Layer 2 link protocol. To exploit this vulnerability, an attacker would need to be directly connected to an interface of an affected device, either physically or logically (for example, through a Layer 2 Tunnel configured to transport the LLDP protocol).
cvss | epss | percentile |
---|---|---|
6.6 MEDIUM | 0.04% | 6.92% |
references
CVE-2024-20321
description
A vulnerability in the External Border Gateway Protocol (eBGP) implementation of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability exists because eBGP traffic is mapped to a shared hardware rate-limiter queue. An attacker could exploit this vulnerability by sending large amounts of network traffic with certain characteristics through an affected device. A successful exploit could allow the attacker to cause eBGP neighbor sessions to be dropped, leading to a DoS condition in the network.
cvss | epss | percentile |
---|---|---|
8.6 HIGH | 0.04% | 6.92% |
references
CVE-2024-20344
description
A vulnerability in system resource management in Cisco UCS 6400 and 6500 Series Fabric Interconnects that are in Intersight Managed Mode (IMM) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the Device Console UI of an affected device. This vulnerability is due to insufficient rate-limiting of TCP connections to an affected device. An attacker could exploit this vulnerability by sending a high number of TCP packets to the Device Console UI. A successful exploit could allow an attacker to cause the Device Console UI process to crash, resulting in a DoS condition. A manual reload of the fabric interconnect is needed to restore complete functionality.
cvss | epss | percentile |
---|---|---|
5.3 MEDIUM | 0.04% | 6.92% |
references
CVE-2024-21749
description
Cross-Site Request Forgery (CSRF) vulnerability in Atakan Au 1 click disable all. This issue affects 1 click disable all: from n/a through 1.0.1.
cvss | epss | percentile |
---|---|---|
5.4 MEDIUM | 0.04% | 6.92% |
references
CVE-2024-21798
description
ELECOM wireless LAN routers contain a cross-site scripting vulnerability. Assume that a malicious administrative user configures the affected product with specially crafted content. When another administrative user logs in and operates the product, an arbitrary script may be executed on the web browser. Affected products and versions are as follows: WRC-1167GS2-B v1.67 and earlier, WRC-1167GS2H-B v1.67 and earlier, WRC-2533GS2-B v1.62 and earlier, WRC-2533GS2-W v1.62 and earlier, and WRC-2533GS2V-B v1.62 and earlier.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-21885
description
A flaw was found in X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.
cvss | epss | percentile |
---|---|---|
7.8 HIGH | 0.05% | 12.84% |
references
- https://access.redhat.com/errata/RHSA-2024:0320
- https://access.redhat.com/errata/RHSA-2024:0557
- https://access.redhat.com/errata/RHSA-2024:0558
- https://access.redhat.com/errata/RHSA-2024:0597
- https://access.redhat.com/errata/RHSA-2024:0607
- https://access.redhat.com/errata/RHSA-2024:0614
- https://access.redhat.com/errata/RHSA-2024:0617
- https://access.redhat.com/errata/RHSA-2024:0621
- https://access.redhat.com/errata/RHSA-2024:0626
- https://access.redhat.com/errata/RHSA-2024:0629
- https://access.redhat.com/security/cve/CVE-2024-21885
- https://bugzilla.redhat.com/show_bug.cgi?id=2256540
CVE-2024-21886
description
A heap buffer overflow flaw was found in the DisableDevice function in the X.Org server. This issue may lead to an application crash or, in some circumstances, remote code execution in SSH X11 forwarding environments.
cvss | epss | percentile |
---|---|---|
7.8 HIGH | 0.05% | 12.84% |
references
- https://access.redhat.com/errata/RHSA-2024:0320
- https://access.redhat.com/errata/RHSA-2024:0557
- https://access.redhat.com/errata/RHSA-2024:0558
- https://access.redhat.com/errata/RHSA-2024:0597
- https://access.redhat.com/errata/RHSA-2024:0607
- https://access.redhat.com/errata/RHSA-2024:0614
- https://access.redhat.com/errata/RHSA-2024:0617
- https://access.redhat.com/errata/RHSA-2024:0621
- https://access.redhat.com/errata/RHSA-2024:0626
- https://access.redhat.com/errata/RHSA-2024:0629
- https://access.redhat.com/security/cve/CVE-2024-21886
- https://bugzilla.redhat.com/show_bug.cgi?id=2256542
CVE-2024-22459
description
Dell ECS versions 3.6 through 3.6.2.5, 3.7 through 3.7.0.6, and 3.8 through 3.8.0.4 contain an improper access control vulnerability. A remote, high-privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to all buckets and their data within a namespace.
cvss | epss | percentile |
---|---|---|
6.8 MEDIUM | 0.04% | 6.92% |
references
CVE-2024-22532
description
Buffer Overflow vulnerability in XNSoft NConvert 7.163 (for Windows x86) allows attackers to cause a denial of service via crafted xwd file.
cvss | epss | percentile |
---|---|---|
None | 0.07% | 26.63% |
references
CVE-2024-22723
description
Webtrees 2.1.18 is vulnerable to Directory Traversal. By manipulating the “media_folder” parameter in the URL, an attacker (in this case, an administrator) can navigate beyond the intended directory (the media/ directory) to access sensitive files in other parts of the application's file system.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-22983
description
SQL injection vulnerability in Projectworlds Visitor Management System in PHP v.1.0 allows a remote attacker to escalate privileges via the name parameter in the myform.php endpoint.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- http://projectworlds.com
- http://visitor.com
- https://github.com/keru6k/CVE-2024-22983/blob/main/CVE-2024-22983.md
CVE-2024-23302
description
Couchbase Server before 7.2.4 has a private key leak in goxdcr.log.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://docs.couchbase.com/server/current/release-notes/relnotes.html
- https://forums.couchbase.com/tags/security
- https://www.couchbase.com/alerts/
CVE-2024-23519
description
Cross-Site Request Forgery (CSRF) vulnerability in M&S Consulting Email Before Download. This issue affects Email Before Download: from n/a through 6.9.7.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
CVE-2024-23807
description
The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs. Users are recommended to upgrade to version 3.2.5 which fixes the issue, or mitigate the issue by disabling DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable. This issue has been disclosed before as CVE-2018-1311, but unfortunately that advisory incorrectly stated the issue would be fixed in version 3.2.3 or 3.2.4.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
- https://github.com/apache/xerces-c/pull/54
- https://lists.apache.org/thread/c497tgn864tsbm8w0bo3f0d81s07zk9r
CVE-2024-23910
description
Cross-site request forgery (CSRF) vulnerability in ELECOM wireless LAN routers allows a remote unauthenticated attacker to hijack the authentication of administrators and to perform unintended operations to the affected product. Affected products and versions are as follows: WRC-1167GS2-B v1.67 and earlier, WRC-1167GS2H-B v1.67 and earlier, WRC-2533GS2-B v1.62 and earlier, WRC-2533GS2-W v1.62 and earlier, and WRC-2533GS2V-B v1.62 and earlier.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-23946
description
Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue.
cvss | epss | percentile |
---|---|---|
None | 0.05% | 12.84% |
references
- http://www.openwall.com/lists/oss-security/2024/02/28/9
- https://issues.apache.org/jira/browse/OFBIZ-12884
- https://lists.apache.org/thread/w4lp5ncpzttf41hn5bsc04mzq4o6lw3g
- https://ofbiz.apache.org/download.html
- https://ofbiz.apache.org/release-notes-18.12.12.html
- https://ofbiz.apache.org/security.html
CVE-2024-24146
description
A memory leak issue discovered in parseSWF_DEFINEBUTTON in libming v0.4.8 allows attackers to cause a denial of service via a crafted SWF file.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-24147
description
A memory leak issue discovered in parseSWF_FILLSTYLEARRAY in libming v0.4.8 allows attackers to cause a denial of service via a crafted SWF file.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-24148
description
A memory leak issue discovered in parseSWF_FREECHARACTER in libming v0.4.8 allows attackers to cause a denial of service via a crafted SWF file.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-24149
description
A memory leak issue discovered in parseSWF_GLYPHENTRY in libming v0.4.8 allows attackers to cause a denial of service via a crafted SWF file.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-24150
description
A memory leak issue discovered in parseSWF_TEXTRECORD in libming v0.4.8 allows attackers to cause a denial of service via a crafted SWF file.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-24155
description
Bento4 v1.5.1-628 contains a memory leak in AP4_Movie::AP4_Movie: tracks are parsed and added to the m_Tracks list, but mp42aac cannot delete them correctly when a "no audio track found" error occurs. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted mp4 file.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-24701
description
Cross-Site Request Forgery (CSRF) vulnerability in Native Grid LLC A no-code page builder for beautiful performance-based content. This issue affects A no-code page builder for beautiful performance-based content: from n/a through 2.1.20.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
CVE-2024-24702
description
Cross-Site Request Forgery (CSRF) vulnerability in Matt Martz & Andy Stratton Page Restrict. This issue affects Page Restrict: from n/a through 2.5.5.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
CVE-2024-24705
description
Cross-Site Request Forgery (CSRF) vulnerability in Octa Code Accessibility. This issue affects Accessibility: from n/a through 1.0.6.
cvss | epss | percentile |
---|---|---|
5.4 MEDIUM | 0.04% | 6.92% |
references
CVE-2024-24708
description
Cross-Site Request Forgery (CSRF) vulnerability in W3speedster W3SPEEDSTER. This issue affects W3SPEEDSTER: from n/a through 7.19.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
CVE-2024-24772
description
A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the underlying analytics database.This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
- http://www.openwall.com/lists/oss-security/2024/02/28/5
- https://lists.apache.org/thread/gfl3ckwy6y9tpz9jmpv62orh2q346sn5
CVE-2024-24773
description
Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.
cvss | epss | percentile |
---|---|---|
4.9 MEDIUM | 0.04% | 6.92% |
references
- http://www.openwall.com/lists/oss-security/2024/02/28/4
- https://lists.apache.org/thread/h66fy6nj41cfx07zh7l552w6dmtjh501
CVE-2024-24779
description
Apache Superset with custom roles that include "can write on dataset" and without all data access permissions allows users to create virtual datasets on data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.
cvss | epss | percentile |
---|---|---|
5.0 MEDIUM | 0.04% | 6.92% |
references
- http://www.openwall.com/lists/oss-security/2024/02/28/6
- https://lists.apache.org/thread/xzhz1m5bb9zxhyqgoy4q2d689b3zp4pq
CVE-2024-24868
description
Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in Smartypants SP Project & Document Manager. This issue affects SP Project & Document Manager: from n/a through 4.69.
cvss | epss | percentile |
---|---|---|
8.5 HIGH | 0.04% | 6.92% |
references
CVE-2024-25065
description
Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes the issue.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 8.15% |
references
- http://www.openwall.com/lists/oss-security/2024/02/28/10
- https://issues.apache.org/jira/browse/OFBIZ-12887
- https://lists.apache.org/thread/rplfjp7ppn9ro49oo7jsrpj99m113lfc
- https://ofbiz.apache.org/download.html
- https://ofbiz.apache.org/release-notes-18.12.12.html
- https://ofbiz.apache.org/security.html
CVE-2024-25126
description
Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.
cvss | epss | percentile |
---|---|---|
5.3 MEDIUM | 0.04% | 12.34% |
references
- https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941
- https://github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd543462
- https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49
- https://github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml
CVE-2024-25128
description
Flask-AppBuilder is an application development framework, built on top of Flask. When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, it allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. This vulnerability is only exploitable when the application is using the OpenID 2.0 authorization protocol. Upgrade to Flask-AppBuilder 4.3.11 to fix the vulnerability.
cvss | epss | percentile |
---|---|---|
9.1 CRITICAL | 0.04% | 6.92% |
references
- https://github.com/dpgaspar/Flask-AppBuilder/commit/6336456d83f8f111c842b2b53d1e89627f2502c8
- https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj
CVE-2024-25169
description
An issue in Mezzanine v6.0.0 allows attackers to bypass access control mechanisms in the admin panel via a crafted request.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://github.com/shenhav12/CVE-2024-25169-Mezzanine-v6.0.0
- https://ibb.co/JKh4hmD
- https://ibb.co/Pt9qd8t
- https://ibb.co/hLLPTVp
- https://ibb.co/rfrKj3r
CVE-2024-25170
description
An issue in Mezzanine v6.0.0 allows attackers to bypass access controls via manipulating the Host header.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://github.com/shenhav12/CVE-2024-25170-Mezzanine-v6.0.0
- https://ibb.co/DpxHpz9
- https://ibb.co/T0fhLwR
CVE-2024-25202
description
Cross Site Scripting vulnerability in Phpgurukul User Registration & Login and User Management System 1.0 allows attackers to run arbitrary code via the search bar.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-25350
description
SQL Injection vulnerability in /zms/admin/edit-ticket.php in PHPGurukul Zoo Management System 1.0 via tickettype and tprice parameters.
description
SQL injection vulnerability in /zms/admin/edit-ticket.php in PHPGurukul Zoo Management System 1.0 via the tickettype and tprice parameters.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-25351
description
SQL Injection vulnerability in /zms/admin/changeimage.php in PHPGurukul Zoo Management System 1.0 allows attackers to run arbitrary SQL commands via the editid parameter.
description
SQL injection vulnerability in /zms/admin/changeimage.php in PHPGurukul Zoo Management System 1.0 allows attackers to run arbitrary SQL commands via the editid parameter.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-25422
description
SQL Injection vulnerability in SEMCMS v.4.8 allows a remote attacker to execute arbitrary code and obtain sensitive information via the SEMCMS_Menu.php component.
description
SQL injection vulnerability in SEMCMS v.4.8 allows a remote attacker to execute arbitrary code and obtain sensitive information via the SEMCMS_Menu.php component.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-25435
description
A cross-site scripting (XSS) vulnerability in Md1health Md1patient v2.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Msg parameter.
description
A cross-site scripting (XSS) vulnerability in Md1health Md1patient v2.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Msg parameter.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-25579
description
OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product. Affected products and versions are as follows: WRC-1167GS2-B v1.67 and earlier, WRC-1167GS2H-B v1.67 and earlier, WRC-2533GS2-B v1.62 and earlier, WRC-2533GS2-W v1.62 and earlier, and WRC-2533GS2V-B v1.62 and earlier.
description
OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with administrative privileges to execute arbitrary OS commands by sending a specially crafted request to the product. Affected products and versions are as follows: WRC-1167GS2-B v1.67 and earlier, WRC-1167GS2H-B v1.67 and earlier, WRC-2533GS2-B v1.62 and earlier, WRC-2533GS2-W v1.62 and earlier, and WRC-2533GS2V-B v1.62 and earlier.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-25830
description
F-logic DataCube3 v1.0 is vulnerable to Incorrect Access Control due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the configuration file. A successful exploit could allow the attacker to extract the root and admin passwords.
description
F-logic DataCube3 v1.0 is vulnerable to incorrect access control due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the configuration file. A successful exploit could allow the attacker to extract the root and admin passwords.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-25831
description
F-logic DataCube3 Version 1.0 is affected by a reflected cross-site scripting (XSS) vulnerability due to improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface.
description
F-logic DataCube3 version 1.0 is affected by a reflected cross-site scripting (XSS) vulnerability caused by improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-25832
description
F-logic DataCube3 v1.0 is vulnerable to unrestricted file upload, which could allow an authenticated malicious actor to upload a file of dangerous type by manipulating the filename extension.
description
F-logic DataCube3 v1.0 is vulnerable to unrestricted file upload, which could allow an authenticated malicious actor to upload a file of a dangerous type by manipulating the filename extension.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-25833
description
F-logic DataCube3 v1.0 is vulnerable to unauthenticated SQL injection, which could allow an unauthenticated malicious actor to execute arbitrary SQL queries in the database.
description
F-logic DataCube3 v1.0 is vulnerable to unauthenticated SQL injection, which could allow an unauthenticated malicious actor to execute arbitrary SQL queries in the database.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-25859
description
A path traversal vulnerability in the /path/to/uploads/ directory of Blesta before v5.9.2 allows attackers to takeover user accounts and execute arbitrary code.
description
A path traversal vulnerability in the /path/to/uploads/ directory of Blesta before v5.9.2 allows attackers to take over user accounts and execute arbitrary code.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-25866
description
A SQL Injection vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary SQL commands via the email parameter in the index.php component.
description
A SQL injection vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary SQL commands via the email parameter in the index.php component.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-25867
description
A SQL Injection vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary SQL commands via the membershipType and membershipAmount parameters in the add_type.php component.
description
A SQL injection vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary SQL commands via the membershipType and membershipAmount parameters in the add_type.php component.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-25868
description
A Cross Site Scripting (XSS) vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary code via the membershipType parameter in the add_type.php component.
description
A cross-site scripting (XSS) vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary code via the membershipType parameter in the add_type.php component.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-25869
description
An Unrestricted File Upload vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary code via upload of a crafted php file in the settings.php component.
description
An unrestricted file upload vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary code by uploading a crafted PHP file in the settings.php component.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-25902
description
Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in miniorange Malware Scanner. This issue affects Malware Scanner: from n/a through 4.7.2.
description
Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in miniorange Malware Scanner. This issue affects Malware Scanner: from n/a through 4.7.2.
cvss | epss | percentile |
---|---|---|
7.6 HIGH | 0.04% | 6.92% |
references
CVE-2024-25910
description
Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in Skymoonlabs MoveTo. This issue affects MoveTo: from n/a through 6.2.
description
Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in Skymoonlabs MoveTo. This issue affects MoveTo: from n/a through 6.2.
cvss | epss | percentile |
---|---|---|
9.8 CRITICAL | 0.04% | 6.92% |
references
CVE-2024-25927
description
Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in Joel Starnes postMash – custom post order. This issue affects postMash – custom post order: from n/a through 1.2.0.
description
Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in Joel Starnes postMash – custom post order. This issue affects postMash – custom post order: from n/a through 1.2.0.
cvss | epss | percentile |
---|---|---|
9.3 CRITICAL | 0.04% | 6.92% |
references
CVE-2024-25930
description
Cross-Site Request Forgery (CSRF) vulnerability in Nuggethon Custom Order Statuses for WooCommerce. This issue affects Custom Order Statuses for WooCommerce: from n/a through 1.5.2.
description
Cross-Site Request Forgery (CSRF) vulnerability in Nuggethon Custom Order Statuses for WooCommerce. This issue affects Custom Order Statuses for WooCommerce: from n/a through 1.5.2.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
CVE-2024-25931
description
Cross-Site Request Forgery (CSRF) vulnerability in Heureka Group Heureka. This issue affects Heureka: from n/a through 1.0.8.
description
Cross-Site Request Forgery (CSRF) vulnerability in Heureka Group Heureka. This issue affects Heureka: from n/a through 1.0.8.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
CVE-2024-25932
description
Cross-Site Request Forgery (CSRF) vulnerability in Manish Kumar Agarwal Change Table Prefix. This issue affects Change Table Prefix: from n/a through 2.0.
description
Cross-Site Request Forgery (CSRF) vulnerability in Manish Kumar Agarwal Change Table Prefix. This issue affects Change Table Prefix: from n/a through 2.0.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
CVE-2024-26016
description
A low-privileged authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.
description
A low-privileged authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it is important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, and from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
- http://www.openwall.com/lists/oss-security/2024/02/28/7
- https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s
CVE-2024-26141
description
Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the Rack::File middleware or the Rack::Utils.byte_ranges methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.
description
Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications use the Rack::File middleware or the Rack::Utils.byte_ranges methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.
cvss | epss | percentile |
---|---|---|
5.8 MEDIUM | 0.04% | 12.34% |
references
- https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944
- https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9
- https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b
- https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml
CVE-2024-26146
description
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.
description
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected, which may lead to a denial of service issue. The Accept and Forwarded headers are affected. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.
cvss | epss | percentile |
---|---|---|
5.3 MEDIUM | 0.04% | 8.15% |
references
- https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
- https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
- https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
- https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
- https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
- https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
CVE-2024-26342
description
A Null pointer dereference in usr/sbin/httpd in ASUS AC68U 3.0.0.4.384.82230 allows remote attackers to trigger DoS via network packet.
description
A null pointer dereference in usr/sbin/httpd in ASUS AC68U 3.0.0.4.384.82230 allows remote attackers to trigger DoS via a network packet.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-26450
description
Cross Site Scripting vulnerability in Piwigo before v.14.2.0 allows a remote attacker to escalate privileges via the batch function on the admin page.
description
Cross-site scripting vulnerability in Piwigo before v.14.2.0 allows a remote attacker to escalate privileges via the batch function on the admin page.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-26476
description
An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter in the ereq_form.php component.
description
An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script passed to the formid parameter in the ereq_form.php component.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
- https://github.com/c4v4r0n/Research/blob/main/openemr_BlindSSRF/README.md
- https://github.com/mpdf/mpdf/issues/867
CVE-2024-26559
description
An issue in uverif v.2.0 allows a remote attacker to obtain sensitive information.
description
An issue in uverif v.2.0 allows a remote attacker to obtain sensitive information.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-27083
description
Flask-AppBuilder is an application development framework, built on top of Flask. A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user into following a specially crafted URL to the OAuth login page. This URL could inject malicious JavaScript code that would get executed in the user's browser. This issue was introduced in 4.1.4 and patched in 4.2.1.
description
Flask-AppBuilder is an application development framework built on top of Flask. A cross-site scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user into following a specially crafted URL to the OAuth login page. This URL could inject malicious JavaScript code that would be executed in the user's browser. The issue was introduced in 4.1.4 and patched in 4.2.1.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
- https://github.com/dpgaspar/Flask-AppBuilder/commit/3d17741886e4b3c384d0570de69689e4117aa812
- https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-fqxj-46wg-9v84
CVE-2024-27103
description
Querybook is a Big Data Querying UI. When a user searches for their queries, datadocs, tables and lists, the search result is marked and highlighted, and this feature uses dangerouslySetInnerHTML, which means that if the highlighted result contains an XSS payload it will trigger. The input to dangerouslySetInnerHTML is not sanitized for the data inside of queries, which leads to an XSS vulnerability. During "query auto-suggestion" the names of the suggested tables are set with innerHTML, which also leads to an XSS vulnerability. A patch to rectify this issue has been introduced in Querybook version 3.31.2.
description
Querybook is a Big Data Querying UI. When a user searches for their queries, datadocs, tables and lists, the search result is marked and highlighted, and this feature uses dangerouslySetInnerHTML, which means that if the highlighted result contains an XSS payload it will trigger. The input to dangerouslySetInnerHTML is not sanitized for the data inside queries, which leads to an XSS vulnerability. During "query auto-suggestion" the names of the suggested tables are set with innerHTML, which also leads to an XSS vulnerability. A patch to rectify this issue has been introduced in Querybook version 3.31.2.
cvss | epss | percentile |
---|---|---|
6.1 MEDIUM | 0.04% | 6.92% |
references
- https://github.com/pinterest/querybook/commit/449bdc9e7d679e042c3718b7ed07d2ffa3c46a8f
- https://github.com/pinterest/querybook/security/advisories/GHSA-3hjm-9277-5c88
CVE-2024-27284
description
cassandra-rs is a Cassandra (CQL) driver for Rust. Code that attempts to use an item (e.g., a row) returned by an iterator after the iterator has advanced to the next item will be accessing freed memory and experience undefined behaviour. The problem has been fixed in version 3.0.0.
description
cassandra-rs is a Cassandra (CQL) driver for Rust. Code that attempts to use an item (e.g., a row) returned by an iterator after the iterator has advanced to the next item will access freed memory and experience undefined behaviour. The problem has been fixed in version 3.0.0.
cvss | epss | percentile |
---|---|---|
7.5 HIGH | 0.04% | 6.92% |
references
- https://github.com/Metaswitch/cassandra-rs/commit/ae054dc8044eac9c2c7ae2b1ab154b53ca7f8df7
- https://github.com/Metaswitch/cassandra-rs/security/advisories/GHSA-x9xc-63hg-vcfq
CVE-2024-27285
description
YARD is a Ruby Documentation tool. The “frames.html” file within the Yard Docs generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the “frames.erb” template file. This vulnerability is fixed in 0.9.35.
description
YARD is a Ruby documentation tool. The "frames.html" file within the YARD-generated documentation is vulnerable to cross-site scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.35.
cvss | epss | percentile |
---|---|---|
5.4 MEDIUM | 0.04% | 6.92% |
references
- https://github.com/lsegal/yard/commit/2069e2bf08293bda2fcc78f7d0698af6354054be
- https://github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc
CVE-2024-27315
description
An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error log of the Alert exposing possibly sensitive data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.
description
An authenticated user with privileges to create Alerts on Alerts & Reports can generate a specially crafted SQL statement that triggers an error on the database. Apache Superset does not handle this error properly, and it may inadvertently surface in the error log of the Alert, exposing possibly sensitive data. This issue affects Apache Superset: before 3.0.4, and from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.04% | 6.92% |
references
- http://www.openwall.com/lists/oss-security/2024/02/28/3
- https://lists.apache.org/thread/qcwbx7q2s3ynsd405895bx3wcwq32j7z
CVE-2024-27515
description
Osclass 5.1.2 is vulnerable to SQL Injection.
description
Osclass 5.1.2 is vulnerable to SQL injection.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-27516
description
livehelperchat 4.28v is vulnerable to Server-Side Template Injection (SSTI).
description
livehelperchat 4.28v is vulnerable to Server-Side Template Injection (SSTI).
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-27517
description
Webasyst 2.9.9 has a Cross-Site Scripting (XSS) vulnerability. Attackers can create blogs containing malicious code after gaining blog permissions.
description
Webasyst 2.9.9 has a cross-site scripting (XSS) vulnerability. Attackers can create blogs containing malicious code after gaining blog permissions.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-27913
description
ospf_te_parse_te in ospfd/ospf_te.c in FRRouting (FRR) through 9.1 allows remote attackers to cause a denial of service (ospfd daemon crash) via a malformed OSPF LSA packet, because of an attempted access to a missing attribute field.
description
ospf_te_parse_te in ospfd/ospf_te.c in FRRouting (FRR) through 9.1 allows remote attackers to cause a denial of service (ospfd daemon crash) via a malformed OSPF LSA packet, because of an attempted access to a missing attribute field.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 6.92% |
references
CVE-2024-27948
description
Cross-Site Request Forgery (CSRF) vulnerability in bytesforall Atahualpa. This issue affects Atahualpa: from n/a through 3.7.24.
description
Cross-Site Request Forgery (CSRF) vulnerability in bytesforall Atahualpa. This issue affects Atahualpa: from n/a through 3.7.24.
cvss | epss | percentile |
---|---|---|
5.4 MEDIUM | 0.04% | 6.92% |
references
Modified_entries
CVE-2022-37599
description
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
description
A Regular expression denial of service (ReDoS) flaw was found in the function interpolateName in interpolateName.js in webpack loader-utils 2.0.0, via the resourcePath variable in interpolateName.js.
cvss | epss | percentile |
---|---|---|
None | 0.20% | 56.76% |
references
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38
- https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L83
- https://github.com/webpack/loader-utils/issues/211
- https://github.com/webpack/loader-utils/issues/216
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/
CVE-2023-26136
description
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
description
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
cvss | epss | percentile |
---|---|---|
6.5 MEDIUM | 0.10% | 40.62% |
references
- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e
- https://github.com/salesforce/tough-cookie/issues/282
- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3
- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/
- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873
CVE-2023-40072
description
OS command injection vulnerability in ELECOM network devices allows an authenticated user to execute an arbitrary OS command by sending a specially crafted request. Affected products and versions are as follows: WAB-S600-PS all versions, WAB-S300 all versions, WAB-M1775-PS v1.1.21 and earlier, WAB-S1775 v1.1.9 and earlier, WAB-S1167 v1.0.7 and earlier, and WAB-M2133 v1.3.22 and earlier.
description
OS command injection vulnerability in ELECOM network devices allows an authenticated user to execute an arbitrary OS command by sending a specially crafted request. Affected products and versions are as follows: WAB-S600-PS all versions, WAB-S300 all versions, WAB-M1775-PS v1.1.21 and earlier, WAB-S1775 v1.1.9 and earlier, WAB-S1167 v1.0.7 and earlier, and WAB-M2133 v1.3.22 and earlier.
cvss | epss | percentile |
---|---|---|
None | 0.06% | 23.64% |
references
- https://jvn.jp/en/vu/JVNVU91630351/
- https://www.elecom.co.jp/news/security/20230810-01/
- https://www.elecom.co.jp/news/security/20231114-01/
CVE-2023-46234
description
browserify-sign is a package that duplicates the functionality of node's crypto public key functions; much of it is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in the dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures are affected by this vulnerability. This issue has been patched in version 4.2.2.
description
browserify-sign is a package that duplicates the functionality of node's crypto public key functions; much of it is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in the dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures are affected by this vulnerability. This issue has been patched in version 4.2.2.
cvss | epss | percentile |
---|---|---|
6.5 MEDIUM | 0.06% | 22.45% |
references
- https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30
- https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
- https://lists.debian.org/debian-lts-announce/2023/10/msg00040.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ/
- https://www.debian.org/security/2023/dsa-5539
CVE-2023-48974
description
Cross Site Scripting vulnerability in Axigen WebMail prior to 10.3.3.61 allows a remote attacker to escalate privileges via a crafted script to the serverName_input parameter.
description
Cross-site scripting vulnerability in Axigen WebMail prior to 10.3.3.61 allows a remote attacker to escalate privileges via a crafted script passed to the serverName_input parameter.
cvss | epss | percentile |
---|---|---|
None | 0.09% | 37.48% |
references
CVE-2023-52355
description
An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.
description
An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.
cvss | epss | percentile |
---|---|---|
7.5 HIGH | 0.12% | 44.67% |
references
- https://access.redhat.com/security/cve/CVE-2023-52355
- https://bugzilla.redhat.com/show_bug.cgi?id=2251326
- https://gitlab.com/libtiff/libtiff/-/issues/621
CVE-2023-5972
description
A null pointer dereference flaw was found in the nft_inner.c functionality of netfilter in the Linux kernel. This issue could allow a local user to crash the system or escalate their privileges on the system.
description
A null pointer dereference flaw was found in the nft_inner.c functionality of netfilter in the Linux kernel. This issue could allow a local user to crash the system or escalate their privileges on the system.
cvss | epss | percentile |
---|---|---|
7.0 HIGH | 0.04% | 5.42% |
references
- https://access.redhat.com/security/cve/CVE-2023-5972
- https://bugzilla.redhat.com/show_bug.cgi?id=2248189
- https://github.com/torvalds/linux/commit/505ce0630ad5d31185695f8a29dde8d29f28faa7
- https://github.com/torvalds/linux/commit/52177bbf19e6e9398375a148d2e13ed492b40b80
CVE-2023-6270
description
A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on struct net_device, and a use-after-free can be triggered by racing between the free on the struct and the access through the skbtxq global queue. This could lead to a denial of service condition or potential code execution.
description
A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on struct net_device, and a use-after-free can be triggered by racing between the free on the struct and the access through the skbtxq global queue. This could lead to a denial of service condition or potential code execution.
cvss | epss | percentile |
---|---|---|
7.0 HIGH | 0.04% | 5.42% |
references
- https://access.redhat.com/security/cve/CVE-2023-6270
- https://bugzilla.redhat.com/show_bug.cgi?id=2256786
CVE-2023-6546
description
A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.
description
A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.
cvss | epss | percentile |
---|---|---|
7.0 HIGH | 0.04% | 12.75% |
references
- https://access.redhat.com/errata/RHSA-2024:0930
- https://access.redhat.com/errata/RHSA-2024:0937
- https://access.redhat.com/errata/RHSA-2024:1018
- https://access.redhat.com/errata/RHSA-2024:1019
- https://access.redhat.com/security/cve/CVE-2023-6546
- https://bugzilla.redhat.com/show_bug.cgi?id=2255498
- https://github.com/torvalds/linux/commit/3c4f8333b582487a2d1e02171f1465531cde53e3
- https://www.zerodayinitiative.com/advisories/ZDI-CAN-20527
CVE-2023-7033
description
Insufficient Resource Pool vulnerability in Ethernet function of Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules allows a remote attacker to cause a temporary Denial of Service condition for a certain period of time in Ethernet communication of the products by performing TCP SYN Flood attack.
description
Insufficient Resource Pool vulnerability in the Ethernet function of Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules allows a remote attacker to cause a temporary denial of service condition for a certain period of time in the Ethernet communication of the products by performing a TCP SYN Flood attack.
cvss | epss | percentile |
---|---|---|
5.3 MEDIUM | 0.04% | 12.34% |
references
- https://jvn.jp/vu/JVNVU96145466/index.html
- https://www.cisa.gov/news-events/ics-advisories/icsa-24-058-01
- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-023_en.pdf
CVE-2023-7216
description
A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which could be utilized to run arbitrary commands on the target system.
description
A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which could be utilized to run arbitrary commands on the target system.
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.82% | 81.41% |
references
- https://access.redhat.com/security/cve/CVE-2023-7216
- https://bugzilla.redhat.com/show_bug.cgi?id=2249901
CVE-2024-0193
description
A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user with CAP_NET_ADMIN capability to escalate their privileges on the system.
description
A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user with the CAP_NET_ADMIN capability to escalate their privileges on the system.
cvss | epss | percentile |
---|---|---|
7.8 HIGH | 0.04% | 5.42% |
references
- https://access.redhat.com/errata/RHSA-2024:1018
- https://access.redhat.com/errata/RHSA-2024:1019
- https://access.redhat.com/security/cve/CVE-2024-0193
- https://bugzilla.redhat.com/show_bug.cgi?id=2255653
CVE-2024-1082
description
A path traversal vulnerability was identified in GitHub Enterprise Server that allowed an attacker to gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.15, 3.9.10, 3.10.7, 3.11.5. This vulnerability was reported via the GitHub Bug Bounty program.
description
A path traversal vulnerability was identified in GitHub Enterprise Server that allowed an attacker to gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.15, 3.9.10, 3.10.7, and 3.11.5. This vulnerability was reported via the GitHub Bug Bounty program.
cvss | epss | percentile |
---|---|---|
6.3 MEDIUM | 0.04% | 12.34% |
references
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10
CVE-2024-1354
description
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via the syslog-ng configuration file. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program.
description
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via the syslog-ng configuration file. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program.
cvss | epss | percentile |
---|---|---|
8.0 HIGH | 0.04% | 12.34% |
references
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10
CVE-2024-1355
description
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via the actions-console docker container while setting a service URL. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program.
description
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with the editor role in the Management Console to gain admin SSH access to the appliance via the actions-console docker container when setting a service URL. Exploiting this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program.
cvss | epss | percentile |
---|---|---|
9.1 CRITICAL | 0.04% | 12.34% |
references
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10
CVE-2024-1359
description
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when setting up an HTTP proxy. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program (https://bounty.github.com).
description
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with the editor role in the Management Console to gain admin SSH access to the appliance when setting up an HTTP proxy. Exploiting this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program (https://bounty.github.com).
cvss | epss | percentile |
---|---|---|
9.1 CRITICAL | 0.04% | 12.34% |
references
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10
CVE-2024-1369
description
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when setting the username and password for collectd configurations. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program (https://bounty.github.com).
description
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with the editor role in the Management Console to gain admin SSH access to the appliance when setting the username and password for collectd configurations. Exploiting this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program (https://bounty.github.com).
cvss | epss | percentile |
---|---|---|
9.1 CRITICAL | 0.04% | 12.34% |
references
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10
CVE-2024-1372
description
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when configuring SAML settings. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program (https://bounty.github.com).
description
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with the editor role in the Management Console to gain admin SSH access to the appliance when configuring SAML settings. Exploiting this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program (https://bounty.github.com).
cvss | epss | percentile |
---|---|---|
9.1 CRITICAL | 0.04% | 12.34% |
references
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10
CVE-2024-1374
description
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via nomad templates when configuring audit log forwarding. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program (https://bounty.github.com).
description
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with the editor role in the Management Console to gain admin SSH access to the appliance via nomad templates when configuring audit log forwarding. Exploiting this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program (https://bounty.github.com).
cvss | epss | percentile |
---|---|---|
9.1 CRITICAL | 0.04% | 12.34% |
references
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10
CVE-2024-1378
description
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via nomad templates when configuring SMTP options. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program (https://bounty.github.com).
description
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with the editor role in the Management Console to gain admin SSH access to the appliance via nomad templates when configuring SMTP options. Exploiting this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program (https://bounty.github.com).
cvss | epss | percentile |
---|---|---|
9.1 CRITICAL | 0.04% | 12.34% |
references
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10
CVE-2024-1485
description
A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile which uses the "parent" or "plugin" keywords. This could download a malicious archive and cause the cleanup process to overwrite or delete files outside of the archive, which should not be allowed.
description
A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile that uses the "parent" or "plugin" keywords. This could download a malicious archive and cause the cleanup process to overwrite or delete files outside the archive, which should not be allowed.
cvss | epss | percentile |
---|---|---|
8.0 HIGH | 0.04% | 12.34% |
references
- https://access.redhat.com/security/cve/CVE-2024-1485
- https://bugzilla.redhat.com/show_bug.cgi?id=2264106
- https://github.com/advisories/GHSA-84xv-jfrm-h4gm
- https://github.com/devfile/registry-support/commit/0e44b9ca6d03fac4fc3f77d37656d56dc5defe0d
- https://github.com/devfile/registry-support/pull/197
CVE-2024-1597
description
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.
description
pgjdbc, the PostgreSQL JDBC driver, allows an attacker to inject SQL when PreferQueryMode=SIMPLE is used. Note that this is not the default setting. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus sign. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protection that parameterized queries provide against SQL injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.
cvss | epss | percentile |
---|---|---|
10.0 CRITICAL | 0.04% | 12.34% |
references
- https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
- https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes/
- https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/
CVE-2024-20667
description
Azure DevOps Server Remote Code Execution Vulnerability
description
Azure DevOps Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
7.5 HIGH | 0.05% | 12.91% |
references
CVE-2024-20673
description
Microsoft Office Remote Code Execution Vulnerability
description
Microsoft Office Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
7.8 HIGH | 0.05% | 16.53% |
references
CVE-2024-20679
description
Azure Stack Hub Spoofing Vulnerability
description
Azure Stack Hub Spoofing Vulnerability
cvss | epss | percentile |
---|---|---|
6.5 MEDIUM | 0.09% | 37.66% |
references
CVE-2024-20684
description
Windows Hyper-V Denial of Service Vulnerability
description
Windows Hyper-V Denial of Service Vulnerability
cvss | epss | percentile |
---|---|---|
6.5 MEDIUM | 0.05% | 14.42% |
references
CVE-2024-20695
description
Skype for Business Information Disclosure Vulnerability
description
Skype for Business Information Disclosure Vulnerability
cvss | epss | percentile |
---|---|---|
5.7 MEDIUM | 0.05% | 14.42% |
references
CVE-2024-21304
description
Trusted Compute Base Elevation of Privilege Vulnerability
description
Trusted Compute Base Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
4.1 MEDIUM | 0.05% | 14.42% |
references
CVE-2024-21315
description
Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability
description
Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
7.8 HIGH | 0.04% | 6.92% |
references
CVE-2024-21327
description
Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability
description
Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability
cvss | epss | percentile |
---|---|---|
7.6 HIGH | 0.04% | 5.46% |
references
CVE-2024-21328
description
Dynamics 365 Sales Spoofing Vulnerability
description
Dynamics 365 Sales Spoofing Vulnerability
cvss | epss | percentile |
---|---|---|
7.6 HIGH | 0.04% | 5.46% |
references
CVE-2024-21329
description
Azure Connected Machine Agent Elevation of Privilege Vulnerability
description
Azure Connected Machine Agent Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
7.3 HIGH | 0.05% | 18.37% |
references
CVE-2024-21338
description
Windows Kernel Elevation of Privilege Vulnerability
description
Windows Kernel Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
7.8 HIGH | 0.05% | 14.42% |
references
- https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338
CVE-2024-21339
description
Windows USB Generic Parent Driver Remote Code Execution Vulnerability
description
Windows USB Generic Parent Driver Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
6.4 MEDIUM | 0.05% | 18.87% |
references
CVE-2024-21340
description
Windows Kernel Information Disclosure Vulnerability
description
Windows Kernel Information Disclosure Vulnerability
cvss | epss | percentile |
---|---|---|
4.6 MEDIUM | 0.05% | 16.43% |
references
CVE-2024-21341
description
Windows Kernel Remote Code Execution Vulnerability
description
Windows Kernel Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
6.8 MEDIUM | 0.05% | 16.94% |
references
CVE-2024-21342
description
Windows DNS Client Denial of Service Vulnerability
description
Windows DNS Client Denial of Service Vulnerability
cvss | epss | percentile |
---|---|---|
7.5 HIGH | 0.06% | 24.82% |
references
CVE-2024-21343
description
Windows Network Address Translation (NAT) Denial of Service Vulnerability
description
Windows Network Address Translation (NAT) Denial of Service Vulnerability
cvss | epss | percentile |
---|---|---|
5.9 MEDIUM | 0.06% | 24.82% |
references
CVE-2024-21344
description
Windows Network Address Translation (NAT) Denial of Service Vulnerability
description
Windows Network Address Translation (NAT) Denial of Service Vulnerability
cvss | epss | percentile |
---|---|---|
5.9 MEDIUM | 0.06% | 24.82% |
references
CVE-2024-21345
description
Windows Kernel Elevation of Privilege Vulnerability
description
Windows Kernel Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.05% | 14.42% |
references
CVE-2024-21346
description
Win32k Elevation of Privilege Vulnerability
description
Win32k Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
7.8 HIGH | 0.05% | 14.42% |
references
CVE-2024-21347
description
Microsoft ODBC Driver Remote Code Execution Vulnerability
description
Microsoft ODBC Driver Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
7.5 HIGH | 0.09% | 37.48% |
references
CVE-2024-21348
description
Internet Connection Sharing (ICS) Denial of Service Vulnerability
description
Internet Connection Sharing (ICS) Denial of Service Vulnerability
cvss | epss | percentile |
---|---|---|
7.5 HIGH | 0.05% | 13.91% |
references
CVE-2024-21349
description
Microsoft ActiveX Data Objects Remote Code Execution Vulnerability
description
Microsoft ActiveX Data Objects Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21350
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21351
description
Windows SmartScreen Security Feature Bypass Vulnerability
description
Windows SmartScreen Security Feature Bypass Vulnerability
cvss | epss | percentile |
---|---|---|
7.6 HIGH | 0.57% | 77.22% |
references
CVE-2024-21352
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21353
description
Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability
description
Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.13% | 47.35% |
references
CVE-2024-21354
description
Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
description
Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
7.8 HIGH | 0.04% | 6.92% |
references
CVE-2024-21355
description
Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
description
Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
7.0 HIGH | 0.04% | 6.92% |
references
CVE-2024-21356
description
Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
description
Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
cvss | epss | percentile |
---|---|---|
6.5 MEDIUM | 0.04% | 11.03% |
references
CVE-2024-21357
description
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
description
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.1 HIGH | 0.09% | 37.48% |
references
CVE-2024-21358
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21359
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21360
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21361
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21362
description
Windows Kernel Security Feature Bypass Vulnerability
description
Windows Kernel Security Feature Bypass Vulnerability
cvss | epss | percentile |
---|---|---|
5.5 MEDIUM | 0.04% | 6.92% |
references
CVE-2024-21363
description
Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
description
Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
7.8 HIGH | 0.04% | 6.92% |
references
CVE-2024-21364
description
Microsoft Azure Site Recovery Elevation of Privilege Vulnerability
description
Microsoft Azure Site Recovery Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
9.3 CRITICAL | 0.05% | 18.87% |
references
CVE-2024-21365
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21366
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21367
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21368
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21369
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21370
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21371
description
Windows Kernel Elevation of Privilege Vulnerability
description
Windows Kernel Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
7.0 HIGH | 0.05% | 14.42% |
references
CVE-2024-21372
description
Windows OLE Remote Code Execution Vulnerability
description
Windows OLE Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.13% | 47.35% |
references
CVE-2024-21374
description
Microsoft Teams for Android Information Disclosure Vulnerability
description
Microsoft Teams for Android Information Disclosure Vulnerability
cvss | epss | percentile |
---|---|---|
5.0 MEDIUM | 0.05% | 18.37% |
references
CVE-2024-21375
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21376
description
Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability
description
Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
9.0 CRITICAL | 0.09% | 37.48% |
references
CVE-2024-21377
description
Windows DNS Information Disclosure Vulnerability
description
Windows DNS Information Disclosure Vulnerability
cvss | epss | percentile |
---|---|---|
7.1 HIGH | 0.04% | 6.92% |
references
CVE-2024-21378
description
Microsoft Outlook Remote Code Execution Vulnerability
description
Microsoft Outlook Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.0 HIGH | 0.05% | 16.32% |
references
CVE-2024-21379
description
Microsoft Word Remote Code Execution Vulnerability
description
Microsoft Word Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
7.8 HIGH | 0.06% | 21.38% |
references
CVE-2024-21380
description
Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability
description
Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability
cvss | epss | percentile |
---|---|---|
8.0 HIGH | 0.05% | 16.32% |
references
CVE-2024-21381
description
Microsoft Azure Active Directory B2C Spoofing Vulnerability
description
Microsoft Azure Active Directory B2C Spoofing Vulnerability
cvss | epss | percentile |
---|---|---|
6.8 MEDIUM | 0.05% | 12.91% |
references
CVE-2024-21384
description
Microsoft Office OneNote Remote Code Execution Vulnerability
description
Microsoft Office OneNote Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
7.8 HIGH | 0.05% | 16.53% |
references
CVE-2024-21386
description
.NET Denial of Service Vulnerability
description
.NET Denial of Service Vulnerability
cvss | epss | percentile |
---|---|---|
7.5 HIGH | 0.06% | 24.82% |
references
CVE-2024-21389
description
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
description
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
cvss | epss | percentile |
---|---|---|
7.6 HIGH | 0.04% | 5.46% |
references
CVE-2024-21391
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21393
description
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
description
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
cvss | epss | percentile |
---|---|---|
7.6 HIGH | 0.04% | 5.46% |
references
CVE-2024-21394
description
Dynamics 365 Field Service Spoofing Vulnerability
description
Dynamics 365 Field Service Spoofing Vulnerability
cvss | epss | percentile |
---|---|---|
7.6 HIGH | 0.04% | 5.46% |
references
CVE-2024-21395
description
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
description
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
cvss | epss | percentile |
---|---|---|
8.2 HIGH | 0.11% | 43.18% |
references
CVE-2024-21396
description
Dynamics 365 Sales Spoofing Vulnerability
description
Dynamics 365 Sales Spoofing Vulnerability
cvss | epss | percentile |
---|---|---|
7.6 HIGH | 0.04% | 5.46% |
references
CVE-2024-21397
description
Microsoft Azure File Sync Elevation of Privilege Vulnerability
description
Microsoft Azure File Sync Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
5.3 MEDIUM | 0.05% | 14.42% |
references
CVE-2024-21399
description
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
description
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.3 HIGH | 0.54% | 76.77% |
references
CVE-2024-21401
description
Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability
description
Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
9.8 CRITICAL | 0.14% | 49.09% |
references
CVE-2024-21402
description
Microsoft Outlook Elevation of Privilege Vulnerability
description
Microsoft Outlook Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
7.1 HIGH | 0.05% | 14.42% |
references
CVE-2024-21403
description
Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
description
Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
9.0 CRITICAL | 0.09% | 37.48% |
references
CVE-2024-21404
description
.NET Denial of Service Vulnerability
description
.NET Denial of Service Vulnerability
cvss | epss | percentile |
---|---|---|
7.5 HIGH | 0.06% | 24.82% |
references
CVE-2024-21405
description
Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
description
Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
7.0 HIGH | 0.05% | 14.42% |
references
CVE-2024-21406
description
Windows Printing Service Spoofing Vulnerability
description
Windows Printing Service Spoofing Vulnerability
cvss | epss | percentile |
---|---|---|
7.5 HIGH | 0.05% | 14.68% |
references
CVE-2024-21410
description
Microsoft Exchange Server Elevation of Privilege Vulnerability
description
Microsoft Exchange Server Elevation of Privilege Vulnerability
cvss | epss | percentile |
---|---|---|
9.8 CRITICAL | 2.32% | 89.43% |
references
CVE-2024-21412
description
Internet Shortcut Files Security Feature Bypass Vulnerability
description
Internet Shortcut Files Security Feature Bypass Vulnerability
cvss | epss | percentile |
---|---|---|
8.1 HIGH | 0.88% | 81.98% |
references
CVE-2024-21413
description
Microsoft Outlook Remote Code Execution Vulnerability
description
Microsoft Outlook Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
9.8 CRITICAL | 0.60% | 77.99% |
references
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413
- https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/
CVE-2024-21420
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
description
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
cvss | epss | percentile |
---|---|---|
8.8 HIGH | 0.09% | 37.48% |
references
CVE-2024-21423
description
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
description
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
cvss | epss | percentile |
---|---|---|
4.8 MEDIUM | 0.05% | 13.91% |
references
CVE-2024-23850
description
In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.
description
In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, an assertion failure and crash can occur because a subvolume can be read out too soon after its root item is inserted during subvolume creation.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 5.42% |
references
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/
- https://lore.kernel.org/all/6a80cb4b32af89787dadee728310e5e2ca85343f.1705741883.git.wqu%40suse.com/
- https://lore.kernel.org/lkml/CALGdzuo6awWdau3X=8XK547x2vX_-VoFmH1aPsqosRTQ5WzJVA%40mail.gmail.com/
CVE-2024-23851
description
copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl.
description
copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes of memory and crash because of a missing param_kernel->data_size check. This is related to ctl_ioctl.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 5.42% |
references
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/
- https://www.spinics.net/lists/dm-devel/msg56574.html
- https://www.spinics.net/lists/dm-devel/msg56694.html
CVE-2024-26143
description
Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in “_html”, a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.
description
Rails is a web application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications that call translation methods such as translate or t on a controller with a key ending in "_html" and a :default key containing untrusted user input, and then use the resulting string in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.
cvss | epss | percentile |
---|---|---|
6.1 MEDIUM | 0.04% | 12.34% |
references
- https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
- https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
- https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e
- https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml
CVE-2024-26188
description
Microsoft Edge (Chromium-based) Spoofing Vulnerability
description
Microsoft Edge (Chromium-based) Spoofing Vulnerability
cvss | epss | percentile |
---|---|---|
4.3 MEDIUM | 0.05% | 13.91% |
references
CVE-2024-26192
description
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
description
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
cvss | epss | percentile |
---|---|---|
8.2 HIGH | 0.09% | 35.45% |
references
CVE-2024-26464
description
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
description
REJECT: do not use this candidate number. ConsultIDs: none. Reason: this candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
cvss | epss | percentile |
---|---|---|
None | None | None |
CVE-2024-26582
description
In the Linux kernel, the following vulnerability has been resolved: net: tls: fix use-after-free with partial reads and async decrypt. tls_decrypt_sg doesn't take a reference on the pages from clear_skb, so the put_page() in tls_decrypt_done releases them, and we trigger a use-after-free in process_rx_list when we try to read from the partially-read skb.
description
In the Linux kernel, the following vulnerability has been resolved: net: tls: fix use-after-free with partial reads and async decrypt. tls_decrypt_sg does not take a reference on the pages from clear_skb, so the put_page() in tls_decrypt_done releases them, and when we try to read from the partially-read skb we trigger a use-after-free in process_rx_list.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 8.15% |
references
- https://git.kernel.org/stable/c/20b4ed034872b4d024b26e2bc1092c3f80e5db96
- https://git.kernel.org/stable/c/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f
- https://git.kernel.org/stable/c/754c9bab77a1b895b97bd99d754403c505bc79df
- https://git.kernel.org/stable/c/d684763534b969cca1022e2a28645c7cc91f7fa5
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/
CVE-2024-26583
description
In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close. The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.
description
In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close. The submitting thread (the one that called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(), so any code past that point risks touching already-freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference; this way we can rely solely on the atomic reference counter for synchronization. Do not fiddle with re-initializing the completion either; we now tightly control when the completion fires.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 8.15% |
references
- https://git.kernel.org/stable/c/6209319b2efdd8524691187ee99c40637558fa33
- https://git.kernel.org/stable/c/7a3ca06d04d589deec81f56229a9a9d62352ce01
- https://git.kernel.org/stable/c/86dc27ee36f558fe223dbdfbfcb6856247356f4a
- https://git.kernel.org/stable/c/aec7961916f3f9e88766e2688992da6980f11b8d
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/
CVE-2024-26584
description
In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests. Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754
- https://git.kernel.org/stable/c/8590541473188741055d27b955db0777569438e3
- https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/
CVE-2024-26585
description
In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to the previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/6db22d6c7a6dc914b12c0469b94eb639b6a8a146
- https://git.kernel.org/stable/c/e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb
- https://git.kernel.org/stable/c/e327ed60bff4a991cd7a709c47c4f0c5b4a4fd57
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/
CVE-2024-26593
description
In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Fix block process call transactions According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once again before reading the incoming data from the buffer. The driver is currently missing the second reset, causing the wrong portion of the block buffer to be read.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 10.64% |
references
- https://git.kernel.org/stable/c/1f8d0691c50581ba6043f009ec9e8b9f78f09d5a
- https://git.kernel.org/stable/c/491528935c9c48bf341d8b40eabc6c4fc5df6f2c
- https://git.kernel.org/stable/c/609c7c1cc976e740d0fed4dbeec688b3ecb5dce2
- https://git.kernel.org/stable/c/6be99c51829b24c914cef5bff6164877178e84d9
- https://git.kernel.org/stable/c/7a14b8a477b88607d157c24aeb23e7389ec3319f
- https://git.kernel.org/stable/c/c1c9d0f6f7f1dbf29db996bd8e166242843a5f21
- https://git.kernel.org/stable/c/d074d5ff5ae77b18300e5079c6bda6342a4d44b7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/
CVE-2024-26603
description
In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Stop relying on userspace for info to fault in xsave buffer Before this change, the expected size of the user space buffer was taken from fx_sw->xstate_size. fx_sw->xstate_size can be changed from user-space, so it is possible to construct a sigreturn frame where:
- fx_sw->xstate_size is smaller than the size required by valid bits in fx_sw->xfeatures.
- user-space unmaps parts of the sigframe fpu buffer so that not all of the buffer required by xrstor is accessible.
In this case, xrstor tries to restore and accesses the unmapped area which results in a fault. But fault_in_readable succeeds because buf + fx_sw->xstate_size is within the still mapped area, so it goes back and tries xrstor again. It will spin in this loop forever. Instead, fault in the maximum size which can be touched by XRSTOR (taken from fpstate->user_size). [ dhansen: tweak subject / changelog ]
cvss | epss | percentile |
---|---|---|
None | 0.04% | 8.15% |
references
- https://git.kernel.org/stable/c/627339cccdc9166792ecf96bc3c9f711a60ce996
- https://git.kernel.org/stable/c/627e28cbb65564e55008315d9e02fbb90478beda
- https://git.kernel.org/stable/c/b2479ab426cef7ab79a13005650eff956223ced2
- https://git.kernel.org/stable/c/d877550eaf2dc9090d782864c96939397a3c6835
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/
CVE-2024-26604
description
In the Linux kernel, the following vulnerability has been resolved: Revert “kobject: Remove redundant checks for whether ktype is NULL” This reverts commit 1b28cb81dab7c1eedc6034206f4e8d644046ad31. It is reported to cause problems, so revert it for now until the root cause can be found.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 12.34% |
references
- https://git.kernel.org/stable/c/3ca8fbabcceb8bfe44f7f50640092fd8f1de375c
- https://git.kernel.org/stable/c/7f414d306320f837cc3df96cf52161cb8290fb1b
- https://git.kernel.org/stable/c/b746d52ce7bcac325a2fa264216ead85b7fbbfaa
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/
CVE-2024-26606
description
In the Linux kernel, the following vulnerability has been resolved: binder: signal epoll threads of self-work In (e)poll mode, threads often depend on I/O events to determine when data is ready for consumption. Within binder, a thread may initiate a command via BINDER_WRITE_READ without a read buffer and then make use of epoll_wait() or similar to consume any responses afterwards. It is then crucial that epoll threads are signaled via wakeup when they queue their own work. Otherwise, they risk waiting indefinitely for an event, leaving their work unhandled. What is worse, subsequent commands won't trigger a wakeup either, as the thread has pending work.
cvss | epss | percentile |
---|---|---|
None | 0.04% | 10.64% |
references
- https://git.kernel.org/stable/c/42beab162dcee1e691ee4934292d51581c29df61
- https://git.kernel.org/stable/c/82722b453dc2f967b172603e389ee7dc1b3137cc
- https://git.kernel.org/stable/c/90e09c016d72b91e76de25f71c7b93d94cc3c769
- https://git.kernel.org/stable/c/93b372c39c40cbf179e56621e6bc48240943af69
- https://git.kernel.org/stable/c/97830f3c3088638ff90b20dfba2eb4d487bf14d7
- https://git.kernel.org/stable/c/a423042052ec2bdbf1e552e621e6a768922363cc
- https://git.kernel.org/stable/c/a7ae586f6f6024f490b8546c8c84670f96bb9b68
- https://git.kernel.org/stable/c/dd64bb8329ce0ea27bc557e4160c2688835402ac
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/