New entries

CVE-2021-47082

description

In the Linux kernel, the following vulnerability has been resolved:

tun: avoid double free in tun_free_netdev

Avoid double free in tun_free_netdev() by moving the dev->tstats and tun->security allocs to a new ndo_init routine (tun_net_init()) that will be called by register_netdevice(). ndo_init is paired with the destructor (tun_free_netdev()), so if there's an error in register_netdevice() the destructor will handle the frees.

BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1
Hardware name: Red Hat KVM, BIOS
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247
 kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372
 ____kasan_slab_free mm/kasan/common.c:346 [inline]
 __kasan_slab_free+0x107/0x120 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook mm/slub.c:1749 [inline]
 slab_free mm/slub.c:3513 [inline]
 kfree+0xac/0x2d0 mm/slub.c:4561
 selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
 security_tun_dev_free_security+0x4f/0x90 security/security.c:2342
 tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215
 netdev_run_todo+0x4df/0x840 net/core/dev.c:10627
 rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112
 __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302
 tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
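The ownership contract this fix relies on, as an added userspace model (not kernel code and not the tun driver's code): register_netdevice() runs ndo_init and, if registration fails afterwards, runs priv_destructor itself before returning the error, so a caller that allocated the per-device objects before registering and frees them again on its own error path frees them twice. Counters stand in for the real heap corruption so the outcome is observable; every name with a _model suffix, the tally structure and the 16-byte placeholder allocations are constructed for this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

struct net_device;
struct net_device_ops { int (*ndo_init)(struct net_device *dev); };
struct net_device {
	const struct net_device_ops *netdev_ops;
	void (*priv_destructor)(struct net_device *dev);
	void *tstats;   /* stand-in for dev->tstats */
	void *security; /* stand-in for tun->security */
};

/* Book-keeping so a double free is counted instead of corrupting the heap. */
struct tally { int allocs, frees, double_frees; };
static struct tally tally;
static void *track_alloc(void) { tally.allocs++; return malloc(16); }

/* Freeing through a slot that is already NULL is the second free of the
 * same object: the condition KASAN reported in the trace above. */
static void track_free(void **slot)
{
	if (!*slot) { tally.double_frees++; return; }
	free(*slot);
	*slot = NULL;
	tally.frees++;
}

/* Destructor paired with ndo_init; the role tun_free_netdev() plays. */
static void tun_free_netdev_model(struct net_device *dev)
{
	track_free(&dev->tstats);
	track_free(&dev->security);
}

/* Model of register_netdevice(): ndo_init runs first; if registration
 * then fails, the core runs priv_destructor itself before returning. */
static int register_netdevice_model(struct net_device *dev, int fail)
{
	int err = dev->netdev_ops->ndo_init(dev);
	if (err)
		return err;
	if (fail) {
		dev->priv_destructor(dev);
		return -EEXIST;
	}
	return 0;
}

/* Before the fix: the caller allocated ahead of register_netdevice() and
 * freed on its own error path, after the destructor had already run. */
static int ndo_init_noop(struct net_device *dev) { (void)dev; return 0; }
static const struct net_device_ops ops_before = { .ndo_init = ndo_init_noop };
static int tun_set_iff_before(int fail_register)
{
	struct net_device dev = { .netdev_ops = &ops_before,
				  .priv_destructor = tun_free_netdev_model };
	dev.tstats = track_alloc();
	dev.security = track_alloc();
	int err = register_netdevice_model(&dev, fail_register);
	if (err) {
		track_free(&dev.security); /* second free of both objects */
		track_free(&dev.tstats);
		return err;
	}
	tun_free_netdev_model(&dev); /* normal teardown, later */
	return 0;
}

/* After the fix: allocation moves into ndo_init (tun_net_init()), so the
 * paired destructor is the only place the objects are ever freed. */
static int tun_net_init_model(struct net_device *dev)
{
	dev->tstats = track_alloc();
	dev->security = track_alloc();
	return 0;
}
static const struct net_device_ops ops_after = { .ndo_init = tun_net_init_model };
static int tun_set_iff_after(int fail_register)
{
	struct net_device dev = { .netdev_ops = &ops_after,
				  .priv_destructor = tun_free_netdev_model };
	int err = register_netdevice_model(&dev, fail_register);
	if (err)
		return err; /* nothing to free: the destructor already ran */
	tun_free_netdev_model(&dev);
	return 0;
}

/* Run one flow from a clean tally and return the counts for inspection. */
static struct tally run_scenario(int fixed, int fail_register)
{
	memset(&tally, 0, sizeof(tally));
	if (fixed)
		tun_set_iff_after(fail_register);
	else
		tun_set_iff_before(fail_register);
	return tally;
}
```

run_scenario(0, 1) reproduces the bug shape (two objects, each freed twice, once by the core and once by the caller); run_scenario(1, 1) shows the fixed shape, where the failed registration frees each object exactly once and the caller has nothing left to release.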

cvss epss percentile
None 0.04% 12.47%

references

CVE-2021-47083

description

In the Linux kernel, the following vulnerability has been resolved:

pinctrl: mediatek: fix global-out-of-bounds issue

When the eint virtual eint number is greater than the gpio number, it may produce a desc[eint_n] size global-out-of-bounds issue.

cvss epss percentile
None 0.04% 12.47%

references

CVE-2021-47084

description

In the Linux kernel, the following vulnerability has been resolved:

hamradio: defer ax25 kfree after unregister_netdev

There is a possible race condition (use-after-free) like below

 (USE)                        | (FREE)
 ax25_sendmsg                 |
  ax25_queue_xmit             |
   dev_queue_xmit             |
    __dev_queue_xmit          |
     __dev_xmit_skb           |
      sch_direct_xmit         | ...
       xmit_one               |
        netdev_start_xmit     | tty_ldisc_kill
         __netdev_start_xmit  |  mkiss_close
          ax_xmit             |   kfree
           ax_encaps          |

Even though there are two synchronization primitives before the kfree:

1. wait_for_completion(&ax->dead). This can prevent the race with routines from mkiss_ioctl. However, it cannot stop the routine coming from the upper layer, i.e., the ax25_sendmsg.

2. netif_stop_queue(ax->dev). It seems that this line of code aims to halt the transmit queue but it fails to stop the routine that is already being xmit.

This patch reorders the kfree after the unregister_netdev to avoid the possible UAF as the unregister_netdev() is well synchronized and won't return if there is a running routine.

cvss epss percentile
None 0.04% 10.73%

references

CVE-2021-47085

description

In the Linux kernel, the following vulnerability has been resolved:

hamradio: improve the incomplete fix to avoid NPD

The previous commit 3e0588c291d6 ("hamradio: defer ax25 kfree after unregister_netdev") reordered the kfree operations and unregister_netdev operation to prevent UAF. This commit improves the previous one by also deferring the nullify of the ax->tty pointer. Otherwise, a NULL pointer dereference bug occurs. Part of the stack trace is shown below.

BUG: kernel NULL pointer dereference, address: 0000000000000538
RIP: 0010:ax_xmit+0x1f9/0x400
...
Call Trace:
 dev_hard_start_xmit+0xec/0x320
 sch_direct_xmit+0xea/0x240
 __qdisc_run+0x166/0x5c0
 __dev_queue_xmit+0x2c7/0xaf0
 ax25_std_establish_data_link+0x59/0x60
 ax25_connect+0x3a0/0x500
 ? security_socket_connect+0x2b/0x40
 __sys_connect+0x96/0xc0
 ? __hrtimer_init+0xc0/0xc0
 ? common_nsleep+0x2e/0x50
 ? switch_fpu_return+0x139/0x1a0
 __x64_sys_connect+0x11/0x20
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The crash point is shown as below

static void ax_encaps(...) {
 ...
 set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags); // ax->tty = NULL!
 ...
}

By placing the nullify action after the unregister_netdev, the ax->tty pointer won't be assigned as NULL, as the net_device framework layer is well synchronized.

cvss epss percentile
None 0.04% 10.73%

references

CVE-2021-47086

description

In the Linux kernel, the following vulnerability has been resolved:

phonet/pep: refuse to enable an unbound pipe

This ioctl() implicitly assumed that the socket was already bound to a valid local socket name, i.e. Phonet object. If the socket was not bound, two separate problems would occur:

1) We'd send a pipe enablement request with an invalid source object.
2) Later socket calls could BUG on the socket unexpectedly being connected yet not bound to a valid object.

cvss epss percentile
None 0.04% 10.73%

references

CVE-2021-47087

description

In the Linux kernel, the following vulnerability has been resolved:

tee: optee: Fix incorrect page free bug

Pointer to the allocated pages (struct page *page) has already progressed towards the end of allocation. It is incorrect to perform __free_pages(page, order) using this pointer as we would free any arbitrary pages. Fix this by not modifying the page pointer.

cvss epss percentile
None 0.04% 12.47%

references

CVE-2021-47088

description

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/dbgfs: protect targets destructions with kdamond_lock

DAMON debugfs interface iterates current monitoring targets in dbgfs_target_ids_read() while holding the corresponding kdamond_lock. However, it also destructs the monitoring targets in dbgfs_before_terminate() without holding the lock. This can result in a use_after_free bug. This commit avoids the race by protecting the destruction with the corresponding kdamond_lock.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2021-47089

description

In the Linux kernel, the following vulnerability has been resolved:

kfence: fix memory leak when cat kfence objects

Hulk robot reported a kmemleak problem:

unreferenced object 0xffff93d1d8cc02e8 (size 248):
  comm "cat", pid 23327, jiffies 4624670141 (age 495992.217s)
  hex dump (first 32 bytes):
    00 40 85 19 d4 93 ff ff 00 10 00 00 00 00 00 00  .@..............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    seq_open+0x2a/0x80
    full_proxy_open+0x167/0x1e0
    do_dentry_open+0x1e1/0x3a0
    path_openat+0x961/0xa20
    do_filp_open+0xae/0x120
    do_sys_openat2+0x216/0x2f0
    do_sys_open+0x57/0x80
    do_syscall_64+0x33/0x40
    entry_SYSCALL_64_after_hwframe+0x44/0xa9
unreferenced object 0xffff93d419854000 (size 4096):
  comm "cat", pid 23327, jiffies 4624670141 (age 495992.217s)
  hex dump (first 32 bytes):
    6b 66 65 6e 63 65 2d 23 32 35 30 3a 20 30 78 30  kfence-#250: 0x0
    30 30 30 30 30 30 30 37 35 34 62 64 61 31 32 2d  0000000754bda12-
  backtrace:
    seq_read_iter+0x313/0x440
    seq_read+0x14b/0x1a0
    full_proxy_read+0x56/0x80
    vfs_read+0xa5/0x1b0
    ksys_read+0xa0/0xf0
    do_syscall_64+0x33/0x40
    entry_SYSCALL_64_after_hwframe+0x44/0xa9

I find that we can easily reproduce this problem with the following commands:

	cat /sys/kernel/debug/kfence/objects
	echo scan > /sys/kernel/debug/kmemleak
	cat /sys/kernel/debug/kmemleak

The leaked memory is allocated in the stack below:

	do_syscall_64
	  do_sys_open
	    do_dentry_open
	      full_proxy_open
	        seq_open              ---> alloc seq_file
	  vfs_read
	    full_proxy_read
	      seq_read
	        seq_read_iter
	          traverse            ---> alloc seq_buf

And it should have been released in the following process:

	do_syscall_64
	  syscall_exit_to_user_mode
	    exit_to_user_mode_prepare
	      task_work_run
	        ____fput
	          __fput
	            full_proxy_release  ---> free here

However, the release function corresponding to file_operations is not implemented in kfence. As a result, a memory leak occurs. Therefore, the solution to this problem is to implement the corresponding release function.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2021-47090

description

In the Linux kernel, the following vulnerability has been resolved:

mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()

Hulk Robot reported a panic in put_page_testzero() when testing madvise() with MADV_SOFT_OFFLINE. The BUG() is triggered when retrying get_any_page(). This is because we keep the MF_COUNT_INCREASED flag in the second try but the refcnt is not increased.

page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:737!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 5 PID: 2135 Comm: sshd Tainted: G B 5.16.0-rc6-dirty #373
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: release_pages+0x53f/0x840
Call Trace:
 free_pages_and_swap_cache+0x64/0x80
 tlb_flush_mmu+0x6f/0x220
 unmap_page_range+0xe6c/0x12c0
 unmap_single_vma+0x90/0x170
 unmap_vmas+0xc4/0x180
 exit_mmap+0xde/0x3a0
 mmput+0xa3/0x250
 do_exit+0x564/0x1470
 do_group_exit+0x3b/0x100
 __do_sys_exit_group+0x13/0x20
 __x64_sys_exit_group+0x16/0x20
 do_syscall_64+0x34/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
Modules linked in:
---[ end trace e99579b570fe0649 ]---
RIP: 0010:release_pages+0x53f/0x840

cvss epss percentile
None 0.04% 12.47%

references

CVE-2021-47091

description

In the Linux kernel, the following vulnerability has been resolved:

mac80211: fix locking in ieee80211_start_ap error path

We need to hold the local->mtx to release the channel context, as even encoded by the lockdep_assert_held() there. Fix it.

cvss epss percentile
None 0.04% 12.47%

references

CVE-2021-47092

description

In the Linux kernel, the following vulnerability has been resolved:

KVM: VMX: Always clear vmx->fail on emulation_required

Revert a relatively recent change that set vmx->fail if the vCPU is in L2 and emulation_required is true, as that behavior is completely bogus. Setting vmx->fail and synthesizing a VM-Exit is contradictory and wrong:

(a) it's impossible to have both a VM-Fail and VM-Exit
(b) vmcs.EXIT_REASON is not modified on VM-Fail
(c) emulation_required refers to guest state and guest state checks are always VM-Exits, not VM-Fails.

For KVM specifically, emulation_required is handled before nested exits in __vmx_handle_exit(), thus setting vmx->fail has no immediate effect, i.e. KVM calls into handle_invalid_guest_state() and vmx->fail is ignored. Setting vmx->fail can ultimately result in a WARN in nested_vmx_vmexit() firing when tearing down the VM as KVM never expects vmx->fail to be set when L2 is active, KVM always reflects those errors into L1.

------------[ cut here ]------------
WARNING: CPU: 0 PID: 21158 at arch/x86/kvm/vmx/nested.c:4548 nested_vmx_vmexit+0x16bd/0x17e0 arch/x86/kvm/vmx/nested.c:4547
Modules linked in:
CPU: 0 PID: 21158 Comm: syz-executor.1 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:nested_vmx_vmexit+0x16bd/0x17e0 arch/x86/kvm/vmx/nested.c:4547
Code: <0f> 0b e9 2e f8 ff ff e8 57 b3 5d 00 0f 0b e9 00 f1 ff ff 89 e9 80
Call Trace:
 vmx_leave_nested arch/x86/kvm/vmx/nested.c:6220 [inline]
 nested_vmx_free_vcpu+0x83/0xc0 arch/x86/kvm/vmx/nested.c:330
 vmx_free_vcpu+0x11f/0x2a0 arch/x86/kvm/vmx/vmx.c:6799
 kvm_arch_vcpu_destroy+0x6b/0x240 arch/x86/kvm/x86.c:10989
 kvm_vcpu_destroy+0x29/0x90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:441
 kvm_free_vcpus arch/x86/kvm/x86.c:11426 [inline]
 kvm_arch_destroy_vm+0x3ef/0x6b0 arch/x86/kvm/x86.c:11545
 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1189 [inline]
 kvm_put_kvm+0x751/0xe40 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1220
 kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3489
 __fput+0x3fc/0x870 fs/file_table.c:280
 task_work_run+0x146/0x1c0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0x705/0x24f0 kernel/exit.c:832
 do_group_exit+0x168/0x2d0 kernel/exit.c:929
 get_signal+0x1740/0x2120 kernel/signal.c:2852
 arch_do_signal_or_restart+0x9c/0x730 arch/x86/kernel/signal.c:868
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300
 do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

cvss epss percentile
None 0.04% 7.00%

references

CVE-2021-47093

description

In the Linux kernel, the following vulnerability has been resolved:

platform/x86: intel_pmc_core: fix memleak on registration failure

In case device registration fails during module initialisation, the platform device structure needs to be freed using platform_device_put() to properly free all resources (e.g. the device name).

cvss epss percentile
None 0.04% 12.47%

references

CVE-2021-47094

description

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/mmu: Don't advance iterator after restart due to yielding

After dropping mmu_lock in the TDP MMU, restart the iterator during tdp_iter_next() and do not advance the iterator. Advancing the iterator results in skipping the top-level SPTE and all its children, which is fatal if any of the skipped SPTEs were not visited before yielding.

When zapping all SPTEs, i.e. when min_level == root_level, restarting the iter and then invoking tdp_iter_next() is always fatal if the current gfn has a valid SPTE, as advancing the iterator results in try_step_side() skipping the current gfn, which wasn't visited before yielding.

Sprinkle WARNs on iter->yielded being true in various helpers that are often used in conjunction with yielding, and tag the helper with __must_check to reduce the probability of improper usage.

Failing to zap a top-level SPTE manifests in one of two ways. If a valid SPTE is skipped by both kvm_tdp_mmu_zap_all() and kvm_tdp_mmu_put_root(), the shadow page will be leaked and KVM will WARN accordingly.

WARNING: CPU: 1 PID: 3509 at arch/x86/kvm/mmu/tdp_mmu.c:46 [kvm]
RIP: 0010:kvm_mmu_uninit_tdp_mmu+0x3e/0x50 [kvm]
Call Trace:
 kvm_arch_destroy_vm+0x130/0x1b0 [kvm]
 kvm_destroy_vm+0x162/0x2a0 [kvm]
 kvm_vcpu_release+0x34/0x60 [kvm]
 __fput+0x82/0x240
 task_work_run+0x5c/0x90
 do_exit+0x364/0xa10
 ? futex_unqueue+0x38/0x60
 do_group_exit+0x33/0xa0
 get_signal+0x155/0x850
 arch_do_signal_or_restart+0xed/0x750
 exit_to_user_mode_prepare+0xc5/0x120
 syscall_exit_to_user_mode+0x1d/0x40
 do_syscall_64+0x48/0xc0
 entry_SYSCALL_64_after_hwframe+0x44/0xae

If kvm_tdp_mmu_zap_all() skips a gfn/SPTE but that SPTE is then zapped by kvm_tdp_mmu_put_root(), KVM triggers a use-after-free in the form of marking a struct page as dirty/accessed after it has been put back on the free list. This directly triggers a WARN due to encountering a page with page_count() == 0, but it can also lead to data corruption and additional errors in the kernel.

WARNING: CPU: 7 PID: 1995658 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:171
RIP: 0010:kvm_is_zone_device_pfn.part.0+0x9e/0xd0 [kvm]
Call Trace:
 kvm_set_pfn_dirty+0x120/0x1d0 [kvm]
 __handle_changed_spte+0x92e/0xca0 [kvm]
 __handle_changed_spte+0x63c/0xca0 [kvm]
 __handle_changed_spte+0x63c/0xca0 [kvm]
 __handle_changed_spte+0x63c/0xca0 [kvm]
 zap_gfn_range+0x549/0x620 [kvm]
 kvm_tdp_mmu_put_root+0x1b6/0x270 [kvm]
 mmu_free_root_page+0x219/0x2c0 [kvm]
 kvm_mmu_free_roots+0x1b4/0x4e0 [kvm]
 kvm_mmu_unload+0x1c/0xa0 [kvm]
 kvm_arch_destroy_vm+0x1f2/0x5c0 [kvm]
 kvm_put_kvm+0x3b1/0x8b0 [kvm]
 kvm_vcpu_release+0x4e/0x70 [kvm]
 __fput+0x1f7/0x8c0
 task_work_run+0xf8/0x1a0
 do_exit+0x97b/0x2230
 do_group_exit+0xda/0x2a0
 get_signal+0x3be/0x1e50
 arch_do_signal_or_restart+0x244/0x17f0
 exit_to_user_mode_prepare+0xcb/0x120
 syscall_exit_to_user_mode+0x1d/0x40
 do_syscall_64+0x4d/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Note, the underlying bug existed even before commit 1af4a96025b3 ("KVM: x86/mmu: Yield in TDU MMU iter even if no SPTES changed") moved calls to tdp_mmu_iter_cond_resched() to the beginning of loops, as KVM could still incorrectly advance past a top-level entry when yielding on a lower-level entry. But with respect to leaking shadow pages, the bug was introduced by yielding before processing the current gfn.

Alternatively, tdp_mmu_iter_cond_resched() could simply fall through, or callers could jump to their "retry" label. The downside of that approach is that tdp_mmu_iter_cond_resched() must be called before anything else in the loop, and there's no easy way to enforce that requirement. Ideally, KVM would handle the cond_resched() fully within the iterator macro (the code is actually quite clean) and avoid this entire class of bugs, but that is extremely difficult do wh —truncated—

cvss epss percentile
None 0.04% 7.00%

references

CVE-2021-47095

description

In the Linux kernel, the following vulnerability has been resolved:

ipmi: ssif: initialize ssif_info->client early

During probe ssif_info->client is dereferenced in the error path. However, it is set when some of the error checking has already been done. This causes the following kernel crash if an error path is taken:

[ 30.645593][ T674] ipmi_ssif 0-000e: ipmi_ssif: Not probing, Interface already present
[ 30.657616][ T674] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088
...
[ 30.657723][ T674] pc : __dev_printk+0x28/0xa0
[ 30.657732][ T674] lr : _dev_err+0x7c/0xa0
...
[ 30.657772][ T674] Call trace:
[ 30.657775][ T674]  __dev_printk+0x28/0xa0
[ 30.657778][ T674]  _dev_err+0x7c/0xa0
[ 30.657781][ T674]  ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e]
[ 30.657791][ T674]  i2c_device_probe+0x37c/0x3c0
...

Initialize ssif_info->client before any error path can be taken. Clear i2c_client data in the error path to prevent the dangling pointer from leaking.

cvss epss percentile
None 0.04% 12.47%

references

CVE-2021-47096

description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: rawmidi - fix the uninitialized user_pversion

The user_pversion was uninitialized for the user space file structure in the open function, because the file private structure uses kmalloc for the allocation. The kernel ALSA sequencer code clears the file structure, so no additional fixes are required.

BugLink: https://github.com/alsa-project/alsa-lib/issues/178

cvss epss percentile
None 0.04% 7.00%

references

CVE-2021-47097

description

In the Linux kernel, the following vulnerability has been resolved:

Input: elantech - fix stack out of bound access in elantech_change_report_id()

The array param[] in elantech_change_report_id() must be at least 3 bytes, because elantech_read_reg_params() is calling ps2_command() with PSMOUSE_CMD_GETINFO, that is going to access 3 bytes from param[], but it's defined in the stack as an array of 2 bytes, therefore we have a potential stack out-of-bounds access here, also confirmed by KASAN:

[ 6.512374] BUG: KASAN: stack-out-of-bounds in __ps2_command+0x372/0x7e0
[ 6.512397] Read of size 1 at addr ffff8881024d77c2 by task kworker/2:1/118
[ 6.512416] CPU: 2 PID: 118 Comm: kworker/2:1 Not tainted 5.13.0-22-generic #22+arighi20211110
[ 6.512428] Hardware name: LENOVO 20T8000QGE/20T8000QGE, BIOS R1AET32W (1.08 ) 08/14/2020
[ 6.512436] Workqueue: events_long serio_handle_event
[ 6.512453] Call Trace:
[ 6.512462]  show_stack+0x52/0x58
[ 6.512474]  dump_stack+0xa1/0xd3
[ 6.512487]  print_address_description.constprop.0+0x1d/0x140
[ 6.512502]  ? __ps2_command+0x372/0x7e0
[ 6.512516]  __kasan_report.cold+0x7d/0x112
[ 6.512527]  ? _raw_write_lock_irq+0x20/0xd0
[ 6.512539]  ? __ps2_command+0x372/0x7e0
[ 6.512552]  kasan_report+0x3c/0x50
[ 6.512564]  __asan_load1+0x6a/0x70
[ 6.512575]  __ps2_command+0x372/0x7e0
[ 6.512589]  ? ps2_drain+0x240/0x240
[ 6.512601]  ? dev_printk_emit+0xa2/0xd3
[ 6.512612]  ? dev_vprintk_emit+0xc5/0xc5
[ 6.512621]  ? __kasan_check_write+0x14/0x20
[ 6.512634]  ? mutex_lock+0x8f/0xe0
[ 6.512643]  ? __mutex_lock_slowpath+0x20/0x20
[ 6.512655]  ps2_command+0x52/0x90
[ 6.512670]  elantech_ps2_command+0x4f/0xc0 [psmouse]
[ 6.512734]  elantech_change_report_id+0x1e6/0x256 [psmouse]
[ 6.512799]  ? elantech_report_trackpoint.constprop.0.cold+0xd/0xd [psmouse]
[ 6.512863]  ? ps2_command+0x7f/0x90
[ 6.512877]  elantech_query_info.cold+0x6bd/0x9ed [psmouse]
[ 6.512943]  ? elantech_setup_ps2+0x460/0x460 [psmouse]
[ 6.513005]  ? psmouse_reset+0x69/0xb0 [psmouse]
[ 6.513064]  ? psmouse_attr_set_helper+0x2a0/0x2a0 [psmouse]
[ 6.513122]  ? phys_pmd_init+0x30e/0x521
[ 6.513137]  elantech_init+0x8a/0x200 [psmouse]
[ 6.513200]  ? elantech_init_ps2+0xf0/0xf0 [psmouse]
[ 6.513249]  ? elantech_query_info+0x440/0x440 [psmouse]
[ 6.513296]  ? synaptics_send_cmd+0x60/0x60 [psmouse]
[ 6.513342]  ? elantech_query_info+0x440/0x440 [psmouse]
[ 6.513388]  ? psmouse_try_protocol+0x11e/0x170 [psmouse]
[ 6.513432]  psmouse_extensions+0x65d/0x6e0 [psmouse]
[ 6.513476]  ? psmouse_try_protocol+0x170/0x170 [psmouse]
[ 6.513519]  ? mutex_unlock+0x22/0x40
[ 6.513526]  ? ps2_command+0x7f/0x90
[ 6.513536]  ? psmouse_probe+0xa3/0xf0 [psmouse]
[ 6.513580]  psmouse_switch_protocol+0x27d/0x2e0 [psmouse]
[ 6.513624]  psmouse_connect+0x272/0x530 [psmouse]
[ 6.513669]  serio_driver_probe+0x55/0x70
[ 6.513679]  really_probe+0x190/0x720
[ 6.513689]  driver_probe_device+0x160/0x1f0
[ 6.513697]  device_driver_attach+0x119/0x130
[ 6.513705]  ? device_driver_attach+0x130/0x130
[ 6.513713]  __driver_attach+0xe7/0x1a0
[ 6.513720]  ? device_driver_attach+0x130/0x130
[ 6.513728]  bus_for_each_dev+0xfb/0x150
[ 6.513738]  ? subsys_dev_iter_exit+0x10/0x10
[ 6.513748]  ? _raw_write_unlock_bh+0x30/0x30
[ 6.513757]  driver_attach+0x2d/0x40
[ 6.513764]  serio_handle_event+0x199/0x3d0
[ 6.513775]  process_one_work+0x471/0x740
[ 6.513785]  worker_thread+0x2d2/0x790
[ 6.513794]  ? process_one_work+0x740/0x740
[ 6.513802]  kthread+0x1b4/0x1e0
[ 6.513809]  ? set_kthread_struct+0x80/0x80
[ 6.513816]  ret_from_fork+0x22/0x30
[ 6.513832] The buggy address belongs to the page:
[ 6.513838] page:00000000bc35e189 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024d7
[ 6.513847] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
[ 6.513860] raw: 0 —truncated—

cvss epss percentile
None 0.04% 12.47%

references

CVE-2021-47098

description

In the Linux kernel, the following vulnerability has been resolved: hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations Commit b50aa49638c7 (“hwmon: (lm90) Prevent integer underflows of temperature calculations”) addressed a number of underflow situations when writing temperature limits. However, it missed one situation, seen when an attempt is made to set the hysteresis value to MAX_LONG and the critical temperature limit is negative. Use clamp_val() when setting the hysteresis temperature to ensure that the provided value can never overflow or underflow.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2021-47099

description

In the Linux kernel, the following vulnerability has been resolved: veth: ensure skbs entering GRO are not cloned. After commit d3256efd8e8b (“veth: allow enabling NAPI even without XDP”), if GRO is enabled on a veth device and TSO is disabled on the peer device, TCP skbs will go through the NAPI callback. If there is no XDP program attached, the veth code does not perform any share check, and shared/cloned skbs could enter the GRO engine. Ignat reported a BUG triggered later-on due to the above condition: [ 53.970529][ C1] kernel BUG at net/core/skbuff.c:3574! [ 53.981755][ C1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI [ 53.982634][ C1] CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc5+ #25 [ 53.982634][ C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 [ 53.982634][ C1] RIP: 0010:skb_shift+0x13ef/0x23b0 [ 53.982634][ C1] Code: ea 03 0f b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 41 0c 00 00 41 80 7f 02 00 4d 8d b5 d0 00 00 00 0f 85 74 f5 ff ff <0f> 0b 4d 8d 77 20 be 04 00 00 00 4c 89 44 24 78 4c 89 f7 4c 89 8c [ 53.982634][ C1] RSP: 0018:ffff8881008f7008 EFLAGS: 00010246 [ 53.982634][ C1] RAX: 0000000000000000 RBX: ffff8881180b4c80 RCX: 0000000000000000 [ 53.982634][ C1] RDX: 0000000000000002 RSI: ffff8881180b4d3c RDI: ffff88810bc9cac2 [ 53.982634][ C1] RBP: ffff8881008f70b8 R08: ffff8881180b4cf4 R09: ffff8881180b4cf0 [ 53.982634][ C1] R10: ffffed1022999e5c R11: 0000000000000002 R12: 0000000000000590 [ 53.982634][ C1] R13: ffff88810f940c80 R14: ffff88810f940d50 R15: ffff88810bc9cac0 [ 53.982634][ C1] FS: 0000000000000000(0000) GS:ffff888235880000(0000) knlGS:0000000000000000 [ 53.982634][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 53.982634][ C1] CR2: 00007ff5f9b86680 CR3: 0000000108ce8004 CR4: 0000000000170ee0 [ 53.982634][ C1] Call Trace: [ 53.982634][ C1] [ 53.982634][ C1] tcp_sacktag_walk+0xaba/0x18e0 [ 53.982634][ C1] tcp_sacktag_write_queue+0xe7b/0x3460 [ 53.982634][ C1] tcp_ack+0x2666/0x54b0 [ 53.982634][ C1] tcp_rcv_established+0x4d9/0x20f0 [ 53.982634][ C1] tcp_v4_do_rcv+0x551/0x810 [ 53.982634][ C1] tcp_v4_rcv+0x22ed/0x2ed0 [ 53.982634][ C1] ip_protocol_deliver_rcu+0x96/0xaf0 [ 53.982634][ C1] ip_local_deliver_finish+0x1e0/0x2f0 [ 53.982634][ C1] ip_sublist_rcv_finish+0x211/0x440 [ 53.982634][ C1] ip_list_rcv_finish.constprop.0+0x424/0x660 [ 53.982634][ C1] ip_list_rcv+0x2c8/0x410 [ 53.982634][ C1] __netif_receive_skb_list_core+0x65c/0x910 [ 53.982634][ C1] netif_receive_skb_list_internal+0x5f9/0xcb0 [ 53.982634][ C1] napi_complete_done+0x188/0x6e0 [ 53.982634][ C1] gro_cell_poll+0x10c/0x1d0 [ 53.982634][ C1] __napi_poll+0xa1/0x530 [ 53.982634][ C1] net_rx_action+0x567/0x1270 [ 53.982634][ C1] __do_softirq+0x28a/0x9ba [ 53.982634][ C1] run_ksoftirqd+0x32/0x60 [ 53.982634][ C1] smpboot_thread_fn+0x559/0x8c0 [ 53.982634][ C1] kthread+0x3b9/0x490 [ 53.982634][ C1] ret_from_fork+0x22/0x30 [ 53.982634][ C1] Address the issue by skipping the GRO stage for shared or cloned skbs. To reduce the chance of OoO, try to unclone the skbs before giving up. v1 -> v2: - use avoid skb_copy and fallback to netif_receive_skb - Eric

cvss epss percentile
None 0.04% 7.00%

references

CVE-2021-47100

description

In the Linux kernel, the following vulnerability has been resolved: ipmi: Fix UAF when uninstalling the ipmi_si and ipmi_msghandler modules Hi, when testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko, the system crashed. The log is as follows: [ 141.087026] BUG: unable to handle kernel paging request at ffffffffc09b3a5a [ 141.087241] PGD 8fe4c0d067 P4D 8fe4c0d067 PUD 8fe4c0f067 PMD 103ad89067 PTE 0 [ 141.087464] Oops: 0010 [#1] SMP NOPTI [ 141.087580] CPU: 67 PID: 668 Comm: kworker/67:1 Kdump: loaded Not tainted 4.18.0.x86_64 #47 [ 141.088009] Workqueue: events 0xffffffffc09b3a40 [ 141.088009] RIP: 0010:0xffffffffc09b3a5a [ 141.088009] Code: Bad RIP value. [ 141.088009] RSP: 0018:ffffb9094e2c3e88 EFLAGS: 00010246 [ 141.088009] RAX: 0000000000000000 RBX: ffff9abfdb1f04a0 RCX: 0000000000000000 [ 141.088009] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 [ 141.088009] RBP: 0000000000000000 R08: ffff9abfffee3cb8 R09: 00000000000002e1 [ 141.088009] R10: ffffb9094cb73d90 R11: 00000000000f4240 R12: ffff9abfffee8700 [ 141.088009] R13: 0000000000000000 R14: ffff9abfdb1f04a0 R15: ffff9abfdb1f04a8 [ 141.088009] FS: 0000000000000000(0000) GS:ffff9abfffec0000(0000) knlGS:0000000000000000 [ 141.088009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 141.088009] CR2: ffffffffc09b3a30 CR3: 0000008fe4c0a001 CR4: 00000000007606e0 [ 141.088009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 141.088009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 141.088009] PKRU: 55555554 [ 141.088009] Call Trace: [ 141.088009] ? process_one_work+0x195/0x390 [ 141.088009] ? worker_thread+0x30/0x390 [ 141.088009] ? process_one_work+0x390/0x390 [ 141.088009] ? kthread+0x10d/0x130 [ 141.088009] ? kthread_flush_work_fn+0x10/0x10 [ 141.088009] ? ret_from_fork+0x35/0x40] BUG: unable to handle kernel paging request at ffffffffc0b28a5a [ 200.223240] PGD 97fe00d067 P4D 97fe00d067 PUD 97fe00f067 PMD a580cbf067 PTE 0 [ 200.223464] Oops: 0010 [#1] SMP NOPTI [ 200.223579] CPU: 63 PID: 664 Comm: kworker/63:1 Kdump: loaded Not tainted 4.18.0.x86_64 #46 [ 200.224008] Workqueue: events 0xffffffffc0b28a40 [ 200.224008] RIP: 0010:0xffffffffc0b28a5a [ 200.224008] Code: Bad RIP value. [ 200.224008] RSP: 0018:ffffbf3c8e2a3e88 EFLAGS: 00010246 [ 200.224008] RAX: 0000000000000000 RBX: ffffa0799ad6bca0 RCX: 0000000000000000 [ 200.224008] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 [ 200.224008] RBP: 0000000000000000 R08: ffff9fe43fde3cb8 R09: 00000000000000d5 [ 200.224008] R10: ffffbf3c8cb53d90 R11: 00000000000f4240 R12: ffff9fe43fde8700 [ 200.224008] R13: 0000000000000000 R14: ffffa0799ad6bca0 R15: ffffa0799ad6bca8 [ 200.224008] FS: 0000000000000000(0000) GS:ffff9fe43fdc0000(0000) knlGS:0000000000000000 [ 200.224008] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 200.224008] CR2: ffffffffc0b28a30 CR3: 00000097fe00a002 CR4: 00000000007606e0 [ 200.224008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 200.224008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 200.224008] PKRU: 55555554 [ 200.224008] Call Trace: [ 200.224008] ? process_one_work+0x195/0x390 [ 200.224008] ? worker_thread+0x30/0x390 [ 200.224008] ? process_one_work+0x390/0x390 [ 200.224008] ? kthread+0x10d/0x130 [ 200.224008] ? kthread_flush_work_fn+0x10/0x10 [ 200.224008] ? ret_from_fork+0x35/0x40 [ 200.224008] kernel fault(0x1) notification starting on CPU 63 [ 200.224008] kernel fault(0x1) notification finished on CPU 63 [ 200.224008] CR2: ffffffffc0b28a5a [ 200.224008] —[ end trace c82a412d93f57412 ]— The reason is as follows: T1: rmmod ipmi_si. ->ipmi_unregister_smi() -> ipmi_bmc_unregister() -> __ipmi_bmc_unregister() -> kref_put(&bmc->usecount, cleanup_bmc_device); -> schedule_work(&bmc->remove_work); T2: rmmod ipmi_msghandl —truncated—

cvss epss percentile
None 0.04% 12.47%

references

CVE-2021-47101

description

In the Linux kernel, the following vulnerability has been resolved: asix: fix uninit-value in asix_mdio_read() asix_read_cmd() may read less than sizeof(smsr) bytes and in this case smsr will be uninitialized. Fail log: BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497

cvss epss percentile
None 0.04% 7.00%

references

CVE-2021-47102

description

In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix incorrect structure access In line: upper = info->upper_dev; We access the upper_dev field, which is related only to particular events (e.g. event == NETDEV_CHANGEUPPER). So, this line causes invalid memory access for other events, when ptr is not netdev_notifier_changeupper_info. The KASAN logs are as follows: [ 30.123165] BUG: KASAN: stack-out-of-bounds in prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera] [ 30.133336] Read of size 8 at addr ffff80000cf772b0 by task udevd/778 [ 30.139866] [ 30.141398] CPU: 0 PID: 778 Comm: udevd Not tainted 5.16.0-rc3 #6 [ 30.147588] Hardware name: DNI AmazonGo1 A7040 board (DT) [ 30.153056] Call trace: [ 30.155547] dump_backtrace+0x0/0x2c0 [ 30.159320] show_stack+0x18/0x30 [ 30.162729] dump_stack_lvl+0x68/0x84 [ 30.166491] print_address_description.constprop.0+0x74/0x2b8 [ 30.172346] kasan_report+0x1e8/0x250 [ 30.176102] __asan_load8+0x98/0xe0 [ 30.179682] prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera] [ 30.186847] prestera_netdev_event_handler+0x1b4/0x1c0 [prestera] [ 30.193313] raw_notifier_call_chain+0x74/0xa0 [ 30.197860] call_netdevice_notifiers_info+0x68/0xc0 [ 30.202924] register_netdevice+0x3cc/0x760 [ 30.207190] register_netdev+0x24/0x50 [ 30.211015] prestera_device_register+0x8a0/0xba0 [prestera]

cvss epss percentile
None 0.04% 7.00%

references

CVE-2021-47103

description

In the Linux kernel, the following vulnerability has been resolved: inet: fully convert sk->sk_rx_dst to RCU rules syzbot reported various issues around early demux, one being included in this changelog [1] sk->sk_rx_dst is using RCU protection without clearly documenting it. And following sequences in tcp_v4_do_rcv()/tcp_v6_do_rcv() are not following standard RCU rules. [a] dst_release(dst); [b] sk->sk_rx_dst = NULL; They look wrong because a delete operation of RCU protected pointer is supposed to clear the pointer before the call_rcu()/synchronize_rcu() guarding actual memory freeing. In some cases indeed, dst could be freed before [b] is done. We could cheat by clearing sk_rx_dst before calling dst_release(), but this seems the right time to stick to standard RCU annotations and debugging facilities. [1] BUG: KASAN: use-after-free in dst_check include/net/dst.h:470 [inline] BUG: KASAN: use-after-free in tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792 Read of size 2 at addr ffff88807f1cb73a by task syz-executor.5/9204 CPU: 0 PID: 9204 Comm: syz-executor.5 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 dst_check include/net/dst.h:470 [inline] tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792 ip_rcv_finish_core.constprop.0+0x15de/0x1e80 net/ipv4/ip_input.c:340 ip_list_rcv_finish.constprop.0+0x1b2/0x6e0 net/ipv4/ip_input.c:583 ip_sublist_rcv net/ipv4/ip_input.c:609 [inline] ip_list_rcv+0x34e/0x490 net/ipv4/ip_input.c:644 __netif_receive_skb_list_ptype net/core/dev.c:5508 [inline] __netif_receive_skb_list_core+0x549/0x8e0 net/core/dev.c:5556 __netif_receive_skb_list net/core/dev.c:5608 [inline] netif_receive_skb_list_internal+0x75e/0xd80 net/core/dev.c:5699 gro_normal_list net/core/dev.c:5853 [inline] gro_normal_list net/core/dev.c:5849 [inline] napi_complete_done+0x1f1/0x880 net/core/dev.c:6590 virtqueue_napi_complete drivers/net/virtio_net.c:339 [inline] virtnet_poll+0xca2/0x11b0 drivers/net/virtio_net.c:1557 __napi_poll+0xaf/0x440 net/core/dev.c:7023 napi_poll net/core/dev.c:7090 [inline] net_rx_action+0x801/0xb40 net/core/dev.c:7177 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649 common_interrupt+0x52/0xc0 arch/x86/kernel/irq.c:240 asm_common_interrupt+0x1e/0x40 arch/x86/include/asm/idtentry.h:629 RIP: 0033:0x7f5e972bfd57 Code: 39 d1 73 14 0f 1f 80 00 00 00 00 48 8b 50 f8 48 83 e8 08 48 39 ca 77 f3 48 39 c3 73 3e 48 89 13 48 8b 50 f8 48 89 38 49 8b 0e <48> 8b 3e 48 83 c3 08 48 83 c6 08 eb bc 48 39 d1 72 9e 48 39 d0 73 RSP: 002b:00007fff8a413210 EFLAGS: 00000283 RAX: 00007f5e97108990 RBX: 00007f5e97108338 RCX: ffffffff81d3aa45 RDX: ffffffff81d3aa45 RSI: 00007f5e97108340 RDI: ffffffff81d3aa45 RBP: 00007f5e97107eb8 R08: 00007f5e97108d88 R09: 0000000093c2e8d9 R10: 0000000000000000 R11: 0000000000000000 R12: 00007f5e97107eb0 R13: 00007f5e97108338 R14: 00007f5e97107ea8 R15: 0000000000000019 Allocated by task 13: kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:467 kasan_slab_alloc include/linux/kasan.h:259 [inline] slab_post_alloc_hook mm/slab.h:519 [inline] slab_alloc_node mm/slub.c:3234 [inline] slab_alloc mm/slub.c:3242 [inline] kmem_cache_alloc+0x202/0x3a0 mm/slub.c:3247 dst_alloc+0x146/0x1f0 net/core/dst.c:92 rt_dst_alloc+0x73/0x430 net/ipv4/route.c:1613 ip_route_input_slow+0x1817/0x3a20 net/ipv4/route.c:234 —truncated—

cvss epss percentile
None 0.04% 8.24%

references

CVE-2021-47104

description

In the Linux kernel, the following vulnerability has been resolved: IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() The wrong goto label was used for the error case and missed cleanup of the pkt allocation. Addresses-Coverity-ID: 1493352 (“Resource leak”)

cvss epss percentile
None 0.04% 10.73%

references

CVE-2021-47105

description

In the Linux kernel, the following vulnerability has been resolved: ice: xsk: return xsk buffers back to pool when cleaning the ring Currently we only NULL the xdp_buff pointer in the internal SW ring but we never give it back to the xsk buffer pool. This means that buffers can be leaked out of the buff pool and never be used again. Add missing xsk_buff_free() call to the routine that is supposed to clean the entries that are left in the ring so that these buffers in the umem can be used by other sockets. Also, only go through the space that is actually left to be cleaned instead of a whole ring.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2021-47106

description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy() We need to use list_for_each_entry_safe() iterator because we can not access @catchall after kfree_rcu() call. syzbot reported: BUG: KASAN: use-after-free in nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline] BUG: KASAN: use-after-free in nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline] BUG: KASAN: use-after-free in nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493 Read of size 8 at addr ffff8880716e5b80 by task syz-executor.3/8871 CPU: 1 PID: 8871 Comm: syz-executor.3 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x2ed mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline] nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline] nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493 __nft_release_table+0x79f/0xcd0 net/netfilter/nf_tables_api.c:9626 nft_rcv_nl_event+0x4f8/0x670 net/netfilter/nf_tables_api.c:9688 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 blocking_notifier_call_chain kernel/notifier.c:318 [inline] blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:306 netlink_release+0xcb6/0x1dd0 net/netlink/af_netlink.c:788 __sock_release+0xcd/0x280 net/socket.c:649 sock_close+0x18/0x20 net/socket.c:1314 __fput+0x286/0x9f0 fs/file_table.c:280 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop kernel/entry/common.c:175 [inline] exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f75fbf28adb Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007ffd8da7ec10 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f75fbf28adb RDX: 00007f75fc08e828 RSI: ffffffffffffffff RDI: 0000000000000003 RBP: 00007f75fc08a960 R08: 0000000000000000 R09: 00007f75fc08e830 R10: 00007ffd8da7ed10 R11: 0000000000000293 R12: 00000000002067c3 R13: 00007ffd8da7ed10 R14: 00007f75fc088f60 R15: 0000000000000032 Allocated by task 8886: kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] ____kasan_kmalloc mm/kasan/common.c:472 [inline] __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:522 kasan_kmalloc include/linux/kasan.h:269 [inline] kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3575 kmalloc include/linux/slab.h:590 [inline] nft_setelem_catchall_insert net/netfilter/nf_tables_api.c:5544 [inline] nft_setelem_insert net/netfilter/nf_tables_api.c:5562 [inline] nft_add_set_elem+0x232e/0x2f40 net/netfilter/nf_tables_api.c:5936 nf_tables_newsetelem+0x6ff/0xbb0 net/netfilter/nf_tables_api.c:6032 nfnetlink_rcv_batch+0x1710/0x25f0 net/netfilter/nfnetlink.c:513 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:652 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/ —truncated—

cvss epss percentile
None 0.04% 7.00%

references

CVE-2021-47107

description

In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix READDIR buffer overflow If a client sends a READDIR count argument that is too small (say, zero), then the buffer size calculation in the new init_dirlist helper functions results in an underflow, allowing the XDR stream functions to write beyond the actual buffer. This calculation has always been suspect. NFSD has never sanity-checked the READDIR count argument, but the old entry encoders managed the problem correctly. With the commits below, entry encoding changed, exposing the underflow to the pointer arithmetic in xdr_reserve_space(). Modern NFS clients attempt to retrieve as much data as possible for each READDIR request. Also, we have no unit tests that exercise the behavior of READDIR at the lower bound of @count values. Thus this case was missed during testing.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2021-47108

description

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: hdmi: Perform NULL pointer check for mtk_hdmi_conf In commit 41ca9caaae0b (“drm/mediatek: hdmi: Add check for CEA modes only”) a check for CEA modes was added to function mtk_hdmi_bridge_mode_valid() in order to address possible issues on MT8167; moreover, with commit c91026a938c2 (“drm/mediatek: hdmi: Add optional limit on maximal HDMI mode clock”) another similar check was introduced. Unfortunately though, at the time of writing, MT8173 does not provide any mtk_hdmi_conf structure and this is crashing the kernel with NULL pointer upon entering mtk_hdmi_bridge_mode_valid(), which happens as soon as a HDMI cable gets plugged in. To fix this regression, add a NULL pointer check for hdmi->conf in the said function, restoring HDMI functionality and avoiding NULL pointer kernel panics.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2022-43890

description

IBM Security Verify Privilege On-Premises 11.5 could disclose sensitive information through an HTTP request that could aid an attacker in further attacks against the system. IBM X-Force ID: 240453.

cvss epss percentile
5.3 MEDIUM 0.04% 7.00%

references

CVE-2023-25176

description

OpenHarmony v3.2.4 and prior versions allow a local attacker to cause an information leak through an out-of-bounds read.

cvss epss percentile
2.9 LOW 0.04% 7.00%

references

CVE-2023-28578

description

Memory corruption in Core Services while executing the command for removing a single event listener.

cvss epss percentile
9.3 CRITICAL 0.05% 18.96%

references

CVE-2023-28582

description

Memory corruption in Data Modem while verifying hello-verify message during the DTLS handshake.

cvss epss percentile
9.8 CRITICAL 0.09% 37.52%

references

CVE-2023-32331

description

IBM Connect:Express for UNIX 1.5.0 is vulnerable to a buffer overflow that could allow a remote attacker to cause a denial of service through its browser UI. IBM X-Force ID: 254979.

cvss epss percentile
7.5 HIGH 0.04% 7.00%

references

CVE-2023-33066

description

Memory corruption in Audio while processing RT proxy port register driver.

cvss epss percentile
8.4 HIGH 0.04% 7.00%

references

CVE-2023-33078

description

Information Disclosure while processing IOCTL request in FastRPC.

cvss epss percentile
5.1 MEDIUM 0.04% 7.00%

references

CVE-2023-33084

description

Transient DOS while processing IE fragments from server during DTLS handshake.

cvss epss percentile
7.5 HIGH 0.05% 14.03%

references

CVE-2023-33086

description

Transient DOS while processing multiple IKEV2 Informational Request to device from IPSEC server with different identifiers.

cvss epss percentile
7.5 HIGH 0.05% 14.03%

references

CVE-2023-33090

description

Transient DOS while processing channel information for speaker protection v2 module in ADSP.

cvss epss percentile
5.5 MEDIUM 0.04% 7.00%

references

CVE-2023-33095

description

Transient DOS while processing multiple payload container type with incorrect container length received in DL NAS transport OTA in NR.

cvss epss percentile
7.5 HIGH 0.05% 14.03%

references

CVE-2023-33096

description

Transient DOS while processing DL NAS Transport message, as specified in 3GPP 24.501 v16.

cvss epss percentile
7.5 HIGH 0.05% 14.03%

references

CVE-2023-33103

description

Transient DOS while processing CAG info IE received from NW.

cvss epss percentile
7.5 HIGH 0.05% 14.03%

references

CVE-2023-33104

description

Transient DOS while processing PDU Release command with a parameter PDU ID out of range.

cvss epss percentile
7.5 HIGH 0.05% 14.03%

references

CVE-2023-33105

description

Transient DOS in WLAN Host and Firmware when large number of open authentication frames are sent with an invalid transaction sequence number.

cvss epss percentile
7.5 HIGH 0.05% 14.03%

references

CVE-2023-38360

description

IBM CICS TX Advanced 10.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 260769.

cvss epss percentile
6.1 MEDIUM 0.04% 7.00%

references

CVE-2023-38362

description

IBM CICS TX Advanced 10.1 could disclose sensitive information to a remote attacker due to observable discrepancy in HTTP responses. IBM X-Force ID: 260814.

cvss epss percentile
5.3 MEDIUM 0.04% 7.00%

references

CVE-2023-41827

description

An improper export vulnerability was reported in the Motorola OTA update application, that could allow a malicious, local application to inject an HTML-based message on screen UI.

cvss epss percentile
5.1 MEDIUM 0.04% 10.60%

references

CVE-2023-41829

description

An improper export vulnerability was reported in the Motorola Carrier Services application that could allow a malicious, local application to read files without authorization.

cvss epss percentile
5.0 MEDIUM 0.04% 7.00%

references

CVE-2023-43539

description

Transient DOS while processing an improperly formatted 802.11az Fine Time Measurement protocol frame.

cvss epss percentile
7.5 HIGH 0.05% 14.03%

references

CVE-2023-43540

description

Memory corruption while processing the IOCTL FM HCI WRITE request.

cvss epss percentile
8.4 HIGH 0.05% 18.96%

references

CVE-2023-43541

description

Memory corruption while invoking the SubmitCommands call on Gfx engine during the graphics render.

cvss epss percentile
8.4 HIGH 0.04% 7.00%

references

CVE-2023-43546

description

Memory corruption while invoking HGSL IOCTL context create.

cvss epss percentile
8.4 HIGH 0.05% 18.96%

references

CVE-2023-43547

description

Memory corruption while invoking IOCTLs calls in Automotive Multimedia.

cvss epss percentile
8.4 HIGH 0.05% 18.96%

references

CVE-2023-43548

description

Memory corruption while parsing qcp clip with invalid chunk data size.

cvss epss percentile
7.3 HIGH 0.05% 14.03%

references

CVE-2023-43549

description

Memory corruption while processing TPC target power table in FTM TPC.

cvss epss percentile
8.4 HIGH 0.05% 18.96%

references

CVE-2023-43550

description

Memory corruption while processing a QMI request for allocating memory from a DHMS supported subsystem.

cvss epss percentile
7.8 HIGH 0.04% 7.00%

references

CVE-2023-43552

description

Memory corruption while processing MBSSID beacon containing several subelement IE.

cvss epss percentile
9.8 CRITICAL 0.09% 37.52%

references

CVE-2023-43553

description

Memory corruption while parsing beacon/probe response frame when AP sends more supported links in MLIE.

cvss epss percentile
9.8 CRITICAL 0.09% 37.52%

references

CVE-2023-4479

description

Stored XSS vulnerability in M-Files Web versions before 23.8 allows an attacker to execute script in a user's browser via a stored HTML document within a limited time period.

cvss epss percentile
7.3 HIGH 0.04% 7.00%

references

CVE-2023-46708

description

OpenHarmony v3.2.4 and prior versions allow a local attacker to achieve arbitrary code execution in any app through a use-after-free.

cvss epss percentile
4.3 MEDIUM 0.04% 7.00%

references

CVE-2023-49546

description

Customer Support System v1 was discovered to contain a SQL injection vulnerability via the email parameter at /customer_support/ajax.php.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2023-49547

description

Customer Support System v1 was discovered to contain a SQL injection vulnerability via the username parameter at /customer_support/ajax.php?action=login.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2023-49548

description

Customer Support System v1 was discovered to contain a SQL injection vulnerability via the lastname parameter at /customer_support/ajax.php?action=save_user.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2023-49602

description

OpenHarmony v3.2.4 and prior versions allow a local attacker to cause apps to crash through type confusion.

cvss epss percentile
2.9 LOW 0.04% 7.00%

references

CVE-2023-49968

description

Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/manage_department.php.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2023-49969

description

Customer Support System v1 was discovered to contain a SQL injection vulnerability via the id parameter at /customer_support/index.php?page=edit_customer.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2023-49970

description

Customer Support System v1 was discovered to contain a SQL injection vulnerability via the subject parameter at /customer_support/ajax.php?action=save_ticket.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2023-5451

description

Forcepoint NGFW Security Management Center Management Server has SMC Downloads optional feature to offer standalone Management Client downloads and ECA configuration downloads. Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability in Forcepoint Next Generation Firewall Security Management Center (SMC Downloads feature) allows Reflected XSS. This issue affects Next Generation Firewall Security Management Center : before 6.10.13, from 6.11.0 before 7.1.2.

cvss epss percentile
6.1 MEDIUM 0.04% 7.00%

references

CVE-2023-6068

description

On affected 7130 Series FPGA platforms running MOS and recent versions of the MultiAccess FPGA, application of ACLs may result in incorrect operation of the configured ACL for a port resulting in some packets that should be denied being permitted and some

cvss epss percentile
3.1 LOW 0.04% 7.00%

references

CVE-2023-6143

description

Use After Free vulnerability in Arm Ltd Midgard GPU Kernel Driver, Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to exploit a software race condition to perform improper memory processing operations. If the system's memory is carefully prepared by the user and the system is under heavy load, then this in turn causes a use-after-free. This issue affects Midgard GPU Kernel Driver: from r13p0 through r32p0; Bifrost GPU Kernel Driver: from r1p0 through r18p0; Valhall GPU Kernel Driver: from r37p0 through r46p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r46p0.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2023-6241

description

Use After Free vulnerability in Arm Ltd Midgard GPU Kernel Driver, Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to exploit a software race condition to perform improper memory processing operations. If the system's memory is carefully prepared by the user, then this in turn causes a use-after-free. This issue affects Midgard GPU Kernel Driver: from r13p0 through r32p0; Bifrost GPU Kernel Driver: from r11p0 through r25p0; Valhall GPU Kernel Driver: from r19p0 through r25p0, from r29p0 through r46p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r46p0.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-0155

description

Dell Digital Delivery, versions prior to 5.0.86.0, contain a Use After Free Vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to an application crash or execution of arbitrary code.

cvss epss percentile
7.0 HIGH 0.04% 7.00%

references

CVE-2024-0156

description

Dell Digital Delivery, versions prior to 5.0.86.0, contain a Buffer Overflow vulnerability. A local low privileged attacker could potentially exploit this vulnerability, leading to arbitrary code execution and/or privilege escalation.

cvss epss percentile
7.0 HIGH 0.04% 7.00%

references

CVE-2024-0686

description

** REJECT ** Incorrect assignment

cvss epss percentile
None None None

CVE-2024-1316

description

The Event Tickets and Registration WordPress plugin before 5.8.1 and the Events Tickets Plus WordPress plugin before 5.9.1 do not prevent users with at least the contributor role from leaking the existence of certain events they shouldn't have access to (e.g. draft, private, pending review, pw-protected, and trashed events).

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-1319

description

The Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the attendees list on any post type regardless of status (e.g. draft, private, pending review, password-protected, and trashed posts).

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-1788

description

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-2813. Reason: This candidate is a duplicate of CVE-2023-2813. Notes: All CVE users should reference CVE-2023-2813 instead of this candidate.

cvss epss percentile
None None None

CVE-2024-1936

description

The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20005

description

In da, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08355599; Issue ID: ALPS08355599.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20017

description

In wlan service, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00350938; Issue ID: MSV-1132.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20018

description

In wlan driver, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00348479; Issue ID: MSV-1019.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20019

description

In wlan driver, there is a possible memory leak due to improper input handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00351241; Issue ID: MSV-1173.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20020

description

In OPTEE, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08522504; Issue ID: ALPS08522504.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20022

description

In lk, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08528255; Issue ID: ALPS08528255.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20023

description

In flashc, there is a possible out of bounds write due to lack of validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541638; Issue ID: ALPS08541638.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20024

description

In flashc, there is a possible out of bounds write due to lack of validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541635; Issue ID: ALPS08541635.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20025

description

In da, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541686; Issue ID: ALPS08541686.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20026

description

In da, there is a possible information disclosure due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541632; Issue ID: ALPS08541632.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20027

description

In da, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541632; Issue ID: ALPS08541633.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20028

description

In da, there is a possible out of bounds write due to lack of validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541632; Issue ID: ALPS08541687.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20029

description

In wlan firmware, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08477406; Issue ID: MSV-1010.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20030

description

In da, there is a possible information disclosure due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541632; Issue ID: ALPS08541741.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20031

description

In da, there is a possible out of bounds write due to lack of validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541632; Issue ID: ALPS08541742.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20032

description

In aee, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08487630; Issue ID: MSV-1020.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20033

description

In nvram, there is a possible information disclosure due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08499945; Issue ID: ALPS08499945.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20034

description

In battery, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08488849; Issue ID: ALPS08488849.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20036

description

In vdec, there is a possible permission bypass due to a permissions bypass. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08509508; Issue ID: ALPS08509508.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20037

description

In pq, there is a possible write-what-where condition due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08495937; Issue ID: ALPS08495937.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-20038

description

In pq, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08495932; Issue ID: ALPS08495932.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-2048

description

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10.

cvss epss percentile
8.1 HIGH 0.04% 7.00%

references

CVE-2024-2153

description

A vulnerability, which was classified as critical, was found in SourceCodester Online Mobile Management Store 1.0. This affects an unknown part of the file /admin/orders/view_order.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255585 was assigned to this vulnerability.

cvss epss percentile
6.3 MEDIUM 0.04% 12.47%

references

CVE-2024-2154

description

A vulnerability has been found in SourceCodester Online Mobile Management Store 1.0 and classified as critical. This vulnerability affects unknown code of the file view_product.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-255586 is the identifier assigned to this vulnerability.

cvss epss percentile
6.3 MEDIUM 0.04% 12.47%

references

CVE-2024-2155

description

A vulnerability was found in SourceCodester Best POS Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file index.php. The manipulation of the argument page leads to file inclusion. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-255587.

cvss epss percentile
4.3 MEDIUM 0.04% 12.47%

references

CVE-2024-2156

description

A vulnerability was found in SourceCodester Best POS Management System 1.0. It has been classified as critical. Affected is an unknown function of the file admin_class.php. The manipulation of the argument img leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255588.

cvss epss percentile
6.3 MEDIUM 0.04% 12.47%

references

CVE-2024-2167

description

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-2041. Reason: This candidate is a reservation duplicate of CVE-2024-2041. Notes: All CVE users should reference CVE-2024-2041 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

cvss epss percentile
None None None

CVE-2024-2168

description

A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/operations/expense_category.php of the component HTTP POST Request Handler. The manipulation of the argument status leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-255678 is the identifier assigned to this vulnerability.

cvss epss percentile
4.7 MEDIUM 0.04% 12.47%

references

CVE-2024-21816

description

OpenHarmony v4.0.0 and prior versions allow a local attacker to cause an information leak through improper preservation of permissions.

cvss epss percentile
4.0 MEDIUM 0.04% 7.00%

references

CVE-2024-21826

description

OpenHarmony v3.2.4 and prior versions allow a local attacker to cause a sensitive information leak through insecure storage.

cvss epss percentile
4.3 MEDIUM 0.04% 7.00%

references

CVE-2024-22452

description

Dell Display and Peripheral Manager for macOS prior to 1.3 contains an improper access control vulnerability. A low privilege user could potentially exploit this vulnerability by modifying files in the installation folder to execute arbitrary code, leading to privilege escalation.

cvss epss percentile
7.3 HIGH 0.04% 7.00%

references

CVE-2024-22463

description

Dell PowerScale OneFS 8.2.x through 9.6.0.x contains a use of a broken or risky cryptographic algorithm vulnerability. A remote unprivileged attacker could potentially exploit this vulnerability, leading to compromise of confidentiality and integrity of sensitive information.

cvss epss percentile
7.4 HIGH 0.04% 7.00%

references

CVE-2024-24901

description

Dell PowerScale OneFS 8.2.x through 9.6.0.x contains an insufficient logging vulnerability. A local malicious user with high privileges could potentially exploit this vulnerability, causing audit messages to be lost and not recorded for a specific time period.

cvss epss percentile
3.0 LOW 0.04% 7.00%

references

CVE-2024-25164

description

A Path Traversal vulnerability exists in iDURAR v2.0.0 that allows unauthenticated attackers to expose sensitive files via the download functionality.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-25731

description

The Elink Smart eSmartCam (com.cn.dq.ipc) application 2.1.5 for Android contains hardcoded AES encryption keys that can be extracted from a binary file. Thus, encryption can be defeated by an attacker who can observe packet data (e.g., over Wi-Fi).

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-26622

description

In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-27198

description

In JetBrains TeamCity before 2023.11.4, an authentication bypass that allowed performing admin actions was possible.

cvss epss percentile
9.8 CRITICAL 0.04% 7.00%

references

CVE-2024-27199

description

In JetBrains TeamCity before 2023.11.4, a path traversal that allowed performing limited admin actions was possible.

cvss epss percentile
7.3 HIGH 0.04% 7.00%

references

CVE-2024-27668

description

Flusity-CMS v2.33 is affected by: Cross Site Scripting (XSS) in Custom Blocks.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-27680

description

Flusity-CMS v2.33 is vulnerable to Cross Site Scripting (XSS) in the “Contact form.”

cvss epss percentile
None 0.04% 7.00%

CVE-2024-27684

description

A Cross-site scripting (XSS) vulnerability in dlapn.cgi, dldongle.cgi, dlcfg.cgi, fwup.cgi and seama.cgi in D-Link GORTAC750_A1_FW_v101b03 allows remote attackers to inject arbitrary web script or HTML via the url parameter.

cvss epss percentile
None 0.04% 7.00%

CVE-2024-27694

description

FlyCms v1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the /system/share/ztree_category_edit.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-27718

description

SQL Injection vulnerability in Baizhuo Network Smart s200 Management Platform v.S200 allows a local attacker to obtain sensitive information and escalate privileges via the /importexport.php component.

cvss epss percentile
None 0.04% 7.00%

references

CVE-2024-27889

description

Multiple SQL Injection vulnerabilities exist in the reporting application of the Arista Edge Threat Management - Arista NG Firewall (NGFW). A user with advanced report application access rights can exploit the SQL injection, allowing them to execute commands on the underlying operating system with elevated privileges.

cvss epss percentile
8.8 HIGH 0.04% 7.00%

references

  • https://www.arista.com/en/support/advisories-notices/security-advisory/19038-security-advisory-0093

Modified_entries

CVE-2023-42536

description

An improper input validation in saped_dec in libsaped prior to SMR Nov-2023 Release 1 allows local attackers to cause out-of-bounds read and write.

cvss epss percentile
8.4 HIGH 0.07% 28.86%

references

CVE-2023-42537

description

An improper input validation in get_head_crc in libsaped prior to SMR Nov-2023 Release 1 allows local attackers to cause out-of-bounds read and write.

cvss epss percentile
8.4 HIGH 0.07% 28.86%

references

CVE-2023-42538

description

An improper input validation in saped_rec_silence in libsaped prior to SMR Nov-2023 Release 1 allows local attackers to cause out-of-bounds read and write.

cvss epss percentile
5.9 MEDIUM 0.07% 28.86%

references

CVE-2023-4408

description

The DNS message parsing code in named includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected named instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

cvss epss percentile
7.5 HIGH 0.08% 33.26%

references

CVE-2023-50387

description

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the “KeyTrap” issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

cvss epss percentile
None 3.66% 91.43%

references

CVE-2023-50868

description

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the “NSEC3” issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

cvss epss percentile
None 0.05% 14.09%

references

CVE-2023-52579

description

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

cvss epss percentile
None 0.04% 7.00%

CVE-2023-5517

description

A flaw in query-handling code can cause named to exit prematurely with an assertion failure when:
- nxdomain-redirect <domain>; is configured, and
- the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response.
This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

cvss epss percentile
7.5 HIGH 0.08% 33.26%

references

CVE-2023-5679

description

A bad interaction between DNS64 and serve-stale may cause named to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

cvss epss percentile
7.5 HIGH 0.08% 33.26%

references

CVE-2023-6516

description

To keep its cache database efficient, named running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, named may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured max-cache-size limit to be significantly exceeded. This issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.

cvss epss percentile
7.5 HIGH 0.05% 17.58%

references

CVE-2023-6917

description

A vulnerability has been identified in the Performance Co-Pilot (PCP) package, stemming from the mixed privilege levels utilized by systemd services associated with PCP. While certain services operate within the confines of limited PCP user/group privileges, others are granted full root privileges. This disparity in privilege levels poses a risk when privileged root processes interact with directories or directory trees owned by unprivileged PCP users. Specifically, this vulnerability may lead to the compromise of PCP user isolation and facilitate local PCP-to-root exploits, particularly through symlink attacks. These vulnerabilities underscore the importance of maintaining robust privilege separation mechanisms within PCP to mitigate the potential for unauthorized privilege escalation.

cvss epss percentile
6.0 MEDIUM 0.04% 7.00%

references

CVE-2024-1546

description

When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory read. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

cvss epss percentile
None 0.04% 8.24%

references

CVE-2024-1547

description

Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed on another website (with the victim website's URL shown). This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

cvss epss percentile
None 0.04% 8.24%

references

CVE-2024-1548

description

A website could have obscured the fullscreen notification by using a dropdown select input element. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

cvss epss percentile
None 0.04% 8.24%

references

CVE-2024-1549

description

If a website set a large custom cursor, portions of the cursor could have overlapped with the permission dialog, potentially resulting in user confusion and unexpected granted permissions. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

cvss epss percentile
None 0.04% 8.24%

references

CVE-2024-1550

description

A malicious website could have used a combination of exiting fullscreen mode and requestPointerLock to cause the user's mouse to be re-positioned unexpectedly, which could have led to user confusion and inadvertently granting permissions they did not intend to grant. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

cvss epss percentile
None 0.04% 8.24%

references

CVE-2024-1551

description

Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

cvss epss percentile
None 0.04% 8.24%

references

CVE-2024-1552

description

Incorrect code generation could have led to unexpected numeric conversions and potential undefined behavior. Note: This issue only affects 32-bit ARM devices. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

cvss epss percentile
None 0.04% 8.24%

references

CVE-2024-1553

description

Memory safety bugs present in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8.

cvss epss percentile
None 0.04% 8.24%

references

CVE-2024-1820

description

A vulnerability was found in code-projects Crime Reporting System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file inchargelogin.php. The manipulation of the argument email/password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254608.

cvss epss percentile
7.3 HIGH 0.04% 12.47%

references

CVE-2024-1821

description

A vulnerability was found in code-projects Crime Reporting System 1.0. It has been rated as critical. This issue affects some unknown processing of the file police_add.php. The manipulation of the argument police_name/police_id/police_spec/password leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-254609 was assigned to this vulnerability.

cvss epss percentile
5.5 MEDIUM 0.04% 12.47%

references

CVE-2024-1826

description

A vulnerability has been found in code-projects Library System 1.0 and classified as critical. This vulnerability affects unknown code of the file Source/librarian/user/student/login.php. The manipulation of the argument username/password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-254614 is the identifier assigned to this vulnerability.

cvss epss percentile
7.3 HIGH 0.04% 12.47%

references

CVE-2024-1827

description

A vulnerability was found in code-projects Library System 1.0 and classified as critical. This issue affects some unknown processing of the file Source/librarian/user/teacher/login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254615.

cvss epss percentile
7.3 HIGH 0.04% 12.47%

references

CVE-2024-1828

description

A vulnerability was found in code-projects Library System 1.0. It has been classified as critical. Affected is an unknown function of the file Source/librarian/user/teacher/registration.php. The manipulation of the argument email/idno/phone/username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254616.

cvss epss percentile
7.3 HIGH 0.04% 12.47%

references

CVE-2024-1829

description

A vulnerability was found in code-projects Library System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file Source/librarian/user/student/registration.php. The manipulation of the argument email/regno/phone/username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254617 was assigned to this vulnerability.

cvss epss percentile
7.3 HIGH 0.04% 12.47%

references

CVE-2024-1830

description

A vulnerability was found in code-projects Library System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file Source/librarian/user/student/lost-password.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-254618 is the identifier assigned to this vulnerability.

cvss epss percentile
7.3 HIGH 0.04% 12.47%

references

CVE-2024-22054

description

A malformed discovery packet sent by a malicious actor with preexisting access to the network could interrupt the functionality of device management and discovery.
Affected Products:
- UniFi Access Points
- UniFi Switches
- UniFi LTE Backup
- UniFi Express (Only Mesh Mode, Router mode is not affected)
Mitigation:
- Update UniFi Access Points to Version 6.6.55 or later.
- Update UniFi Switches to Version 6.6.61 or later.
- Update UniFi LTE Backup to Version 6.6.57 or later.
- Update UniFi Express to Version 3.2.5 or later.

cvss epss percentile
None 0.04% 7.00%

references