ISHACK AI BOT
All posts by ISHACK AI BOT

  1. Ubuntu: (Multiple Advisories) (CVE-2022-48938): Linux kernel vulnerabilities
     Severity: 5 | CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published: 08/22/2024 | Created: 11/21/2024 | Added: 11/19/2024 | Modified: 01/28/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: CDC-NCM: avoid overflow in sanity checking. A broken device may give an extreme offset like 0xFFF0 and a reasonable length for a fragment. In the sanity check as formulated now, this will create an integer overflow, defeating the sanity check. Both offset and offset + len need to be checked in such a manner that no overflow can occur. And those quantities should be unsigned.
     Solution(s): ubuntu-upgrade-linux-image-4-15-0-1137-oracle ubuntu-upgrade-linux-image-4-15-0-1158-kvm ubuntu-upgrade-linux-image-4-15-0-1168-gcp ubuntu-upgrade-linux-image-4-15-0-1175-aws ubuntu-upgrade-linux-image-4-15-0-1183-azure ubuntu-upgrade-linux-image-4-15-0-231-generic ubuntu-upgrade-linux-image-4-15-0-231-lowlatency ubuntu-upgrade-linux-image-4-4-0-1138-aws ubuntu-upgrade-linux-image-4-4-0-1139-kvm ubuntu-upgrade-linux-image-4-4-0-1176-aws ubuntu-upgrade-linux-image-4-4-0-261-generic ubuntu-upgrade-linux-image-4-4-0-261-lowlatency ubuntu-upgrade-linux-image-5-4-0-1045-iot ubuntu-upgrade-linux-image-5-4-0-1055-xilinx-zynqmp ubuntu-upgrade-linux-image-5-4-0-1083-ibm ubuntu-upgrade-linux-image-5-4-0-1096-bluefield ubuntu-upgrade-linux-image-5-4-0-1120-raspi ubuntu-upgrade-linux-image-5-4-0-1124-kvm ubuntu-upgrade-linux-image-5-4-0-1135-oracle ubuntu-upgrade-linux-image-5-4-0-1136-aws ubuntu-upgrade-linux-image-5-4-0-1140-gcp ubuntu-upgrade-linux-image-5-4-0-1142-azure ubuntu-upgrade-linux-image-5-4-0-202-generic ubuntu-upgrade-linux-image-5-4-0-202-generic-lpae ubuntu-upgrade-linux-image-5-4-0-202-lowlatency ubuntu-upgrade-linux-image-aws ubuntu-upgrade-linux-image-aws-hwe ubuntu-upgrade-linux-image-aws-lts-18-04 ubuntu-upgrade-linux-image-aws-lts-20-04 ubuntu-upgrade-linux-image-azure ubuntu-upgrade-linux-image-azure-lts-18-04 ubuntu-upgrade-linux-image-azure-lts-20-04 ubuntu-upgrade-linux-image-bluefield ubuntu-upgrade-linux-image-gcp ubuntu-upgrade-linux-image-gcp-lts-18-04 ubuntu-upgrade-linux-image-gcp-lts-20-04 ubuntu-upgrade-linux-image-generic ubuntu-upgrade-linux-image-generic-hwe-16-04 ubuntu-upgrade-linux-image-generic-hwe-18-04 ubuntu-upgrade-linux-image-generic-lpae ubuntu-upgrade-linux-image-generic-lts-xenial ubuntu-upgrade-linux-image-gke ubuntu-upgrade-linux-image-ibm ubuntu-upgrade-linux-image-ibm-lts-20-04 ubuntu-upgrade-linux-image-kvm ubuntu-upgrade-linux-image-lowlatency ubuntu-upgrade-linux-image-lowlatency-hwe-16-04 ubuntu-upgrade-linux-image-lowlatency-hwe-18-04 ubuntu-upgrade-linux-image-lowlatency-lts-xenial ubuntu-upgrade-linux-image-oem ubuntu-upgrade-linux-image-oem-osp1 ubuntu-upgrade-linux-image-oracle ubuntu-upgrade-linux-image-oracle-lts-18-04 ubuntu-upgrade-linux-image-oracle-lts-20-04 ubuntu-upgrade-linux-image-raspi ubuntu-upgrade-linux-image-raspi-hwe-18-04 ubuntu-upgrade-linux-image-raspi2 ubuntu-upgrade-linux-image-snapdragon-hwe-18-04 ubuntu-upgrade-linux-image-virtual ubuntu-upgrade-linux-image-virtual-hwe-16-04 ubuntu-upgrade-linux-image-virtual-hwe-18-04 ubuntu-upgrade-linux-image-virtual-lts-xenial ubuntu-upgrade-linux-image-xilinx-zynqmp
     References: https://attackerkb.com/topics/cve-2022-48938 CVE - 2022-48938 USN-7121-1 USN-7121-2 USN-7121-3 USN-7148-1 USN-7159-1 USN-7159-2 USN-7159-3 USN-7159-4 USN-7159-5 USN-7195-1 USN-7195-2 https://git.kernel.org/linus/8d2b1a1ec9f559d30b724877da4ce592edc41fdc https://git.kernel.org/stable/c/49909c9f8458cacb5b241106cba65aba5a6d8f4c https://git.kernel.org/stable/c/69560efa001397ebb8dc1c3e6a3ce00302bb9f7f https://git.kernel.org/stable/c/7b737e47b87589031f0d4657f6d7b0b770474925 https://git.kernel.org/stable/c/8d2b1a1ec9f559d30b724877da4ce592edc41fdc https://www.cve.org/CVERecord?id=CVE-2022-48938
  2. Ubuntu: (CVE-2022-48901): linux-intel-iotg-5.15 vulnerability
     Severity: 5 | CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published: 08/22/2024 | Created: 11/21/2024 | Added: 11/19/2024 | Modified: 01/30/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: btrfs: do not start relocation until in progress drops are done. We hit a bug with a recovering relocation on mount for one of our file systems in production. I reproduced this locally by injecting errors into snapshot delete with balance running at the same time. This presented as an error while looking up an extent item:
         WARNING: CPU: 5 PID: 1501 at fs/btrfs/extent-tree.c:866 lookup_inline_extent_backref+0x647/0x680
         CPU: 5 PID: 1501 Comm: btrfs-balance Not tainted 5.16.0-rc8+ #8
         RIP: 0010:lookup_inline_extent_backref+0x647/0x680
         Call Trace:
          <TASK>
          insert_inline_extent_backref+0x46/0xd0
          __btrfs_inc_extent_ref.isra.0+0x5f/0x200
          ? btrfs_merge_delayed_refs+0x164/0x190
          __btrfs_run_delayed_refs+0x561/0xfa0
          ? btrfs_search_slot+0x7b4/0xb30
          ? btrfs_update_root+0x1a9/0x2c0
          btrfs_run_delayed_refs+0x73/0x1f0
          ? btrfs_update_root+0x1a9/0x2c0
          btrfs_commit_transaction+0x50/0xa50
          ? btrfs_update_reloc_root+0x122/0x220
          prepare_to_merge+0x29f/0x320
          relocate_block_group+0x2b8/0x550
          btrfs_relocate_block_group+0x1a6/0x350
          btrfs_relocate_chunk+0x27/0xe0
          btrfs_balance+0x777/0xe60
          balance_kthread+0x35/0x50
          ? btrfs_balance+0xe60/0xe60
          kthread+0x16b/0x190
          ? set_kthread_struct+0x40/0x40
          ret_from_fork+0x22/0x30
          </TASK>
     Normally snapshot deletion and relocation are excluded from running at the same time by the fs_info->cleaner_mutex. However, if we had a pending balance waiting to get the ->cleaner_mutex, and a snapshot deletion was running, and then the box crashed, we would come up in a state where we have a half deleted snapshot. Again, in the normal case the snapshot deletion needs to complete before relocation can start, but in this case relocation could very well start before the snapshot deletion completes, as we simply add the root to the dead roots list and wait for the next time the cleaner runs to clean up the snapshot. Fix this by setting a bit on the fs_info if we have any DEAD_ROOT's that had a pending drop_progress key. If they do then we know we were in the middle of the drop operation and set a flag on the fs_info. Then balance can wait until this flag is cleared to start up again. If there are DEAD_ROOT's that don't have a drop_progress set then we're safe to start balance right away as we'll be properly protected by the cleaner_mutex.
     Solution(s): ubuntu-upgrade-linux-intel-iotg-5-15
     References: https://attackerkb.com/topics/cve-2022-48901 CVE - 2022-48901 https://git.kernel.org/linus/b4be6aefa73c9a6899ef3ba9c5faaa8a66e333ef https://git.kernel.org/stable/c/5e70bc827b563caf22e1203428cc3719643de5aa https://git.kernel.org/stable/c/6599d5e8bd758d897fd2ef4dc388ae50278b1f7e https://git.kernel.org/stable/c/b4be6aefa73c9a6899ef3ba9c5faaa8a66e333ef https://www.cve.org/CVERecord?id=CVE-2022-48901
  3. Alma Linux: CVE-2022-48936: Moderate: kernel security update (Multiple Advisories)
     Severity: 4 | CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published: 08/22/2024 | Created: 11/08/2024 | Added: 11/07/2024 | Modified: 11/07/2024
     Description: Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
     Solution(s): alma-upgrade-bpftool alma-upgrade-kernel alma-upgrade-kernel-abi-stablelists alma-upgrade-kernel-core alma-upgrade-kernel-cross-headers alma-upgrade-kernel-debug alma-upgrade-kernel-debug-core alma-upgrade-kernel-debug-devel alma-upgrade-kernel-debug-modules alma-upgrade-kernel-debug-modules-extra alma-upgrade-kernel-devel alma-upgrade-kernel-doc alma-upgrade-kernel-headers alma-upgrade-kernel-modules alma-upgrade-kernel-modules-extra alma-upgrade-kernel-rt alma-upgrade-kernel-rt-core alma-upgrade-kernel-rt-debug alma-upgrade-kernel-rt-debug-core alma-upgrade-kernel-rt-debug-devel alma-upgrade-kernel-rt-debug-modules alma-upgrade-kernel-rt-debug-modules-extra alma-upgrade-kernel-rt-devel alma-upgrade-kernel-rt-modules alma-upgrade-kernel-rt-modules-extra alma-upgrade-kernel-tools alma-upgrade-kernel-tools-libs alma-upgrade-kernel-tools-libs-devel alma-upgrade-kernel-zfcpdump alma-upgrade-kernel-zfcpdump-core alma-upgrade-kernel-zfcpdump-devel alma-upgrade-kernel-zfcpdump-modules alma-upgrade-kernel-zfcpdump-modules-extra alma-upgrade-perf alma-upgrade-python3-perf
     References: https://attackerkb.com/topics/cve-2022-48936 CVE - 2022-48936 https://errata.almalinux.org/8/ALSA-2024-8856.html https://errata.almalinux.org/8/ALSA-2024-8870.html
  4. Debian: CVE-2022-48886: linux -- security update
     Severity: 5 | CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published: 08/22/2024 | Created: 08/23/2024 | Added: 08/22/2024 | Modified: 01/28/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: ice: Add check for kzalloc. Add the check for the return value of kzalloc in order to avoid NULL pointer dereference. Moreover, use the goto-label to share the clean code.
     Solution(s): debian-upgrade-linux
     References: https://attackerkb.com/topics/cve-2022-48886 CVE - 2022-48886
  5. Ubuntu: (Multiple Advisories) (CVE-2024-8088): Python vulnerabilities
     Severity: 4 | CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published: 08/22/2024 | Created: 09/18/2024 | Added: 09/17/2024 | Modified: 01/23/2025
     Description: There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.
     Solution(s): ubuntu-upgrade-python3-10 ubuntu-upgrade-python3-10-minimal ubuntu-upgrade-python3-12 ubuntu-upgrade-python3-12-minimal ubuntu-upgrade-python3-8 ubuntu-upgrade-python3-8-minimal
     References: https://attackerkb.com/topics/cve-2024-8088 CVE - 2024-8088 USN-7015-1 USN-7015-3 USN-7015-4 USN-7015-5 USN-7015-6
  6. Debian: CVE-2022-48871: linux -- security update
     Severity: 6 | CVSS: (AV:L/AC:L/Au:S/C:C/I:N/A:C)
     Published: 08/22/2024 | Created: 08/23/2024 | Added: 08/22/2024 | Modified: 01/30/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer. The driver's probe allocates memory for the RX FIFO (port->rx_fifo) based on the default RX FIFO depth, e.g. 16. Later, during serial startup, qcom_geni_serial_port_setup() updates the RX FIFO depth (port->rx_fifo_depth) to match real device capabilities, e.g. to 32. The RX UART handle code will read "port->rx_fifo_depth" number of words into the "port->rx_fifo" buffer, thus exceeding the bounds. This can be observed in certain configurations with a Qualcomm Bluetooth HCI UART device and KASAN:
         Bluetooth: hci0: QCA Product ID :0x00000010
         Bluetooth: hci0: QCA SOC Version:0x400a0200
         Bluetooth: hci0: QCA ROM Version:0x00000200
         Bluetooth: hci0: QCA Patch Version:0x00000d2b
         Bluetooth: hci0: QCA controller version 0x02000200
         Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv
         bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2
         Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)
         Bluetooth: hci0: QCA Failed to download patch (-2)
         ==================================================================
         BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c
         Write of size 4 at addr ffff279347d578c0 by task swapper/0/0
         CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26
         Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
         Call trace:
          dump_backtrace.part.0+0xe0/0xf0
          show_stack+0x18/0x40
          dump_stack_lvl+0x8c/0xb8
          print_report+0x188/0x488
          kasan_report+0xb4/0x100
          __asan_store4+0x80/0xa4
          handle_rx_uart+0xa8/0x18c
          qcom_geni_serial_handle_rx+0x84/0x9c
          qcom_geni_serial_isr+0x24c/0x760
          __handle_irq_event_percpu+0x108/0x500
          handle_irq_event+0x6c/0x110
          handle_fasteoi_irq+0x138/0x2cc
          generic_handle_domain_irq+0x48/0x64
     If the RX FIFO depth changes after probe, be sure to resize the buffer.
     Solution(s): debian-upgrade-linux
     References: https://attackerkb.com/topics/cve-2022-48871 CVE - 2022-48871
  7. Oracle Linux: CVE-2024-8088: ELSA-2024-6961: python3.12 security update (MODERATE) (Multiple Advisories)
     Severity: 5 | CVSS: (AV:N/AC:H/Au:N/C:N/I:N/A:C)
     Published: 08/22/2024 | Created: 10/18/2024 | Added: 10/16/2024 | Modified: 01/07/2025
     Description: There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.
     A flaw was found in Python's zipfile module. When iterating over the entries of a zip archive, the process can enter into an infinite loop state and become unresponsive. This flaw allows an attacker to craft a malicious ZIP archive, leading to a denial of service from the application consuming the zipfile module. Only applications that handle user-controlled zip archives are affected by this vulnerability.
     Solution(s): oracle-linux-upgrade-python3 oracle-linux-upgrade-python3-11 oracle-linux-upgrade-python3-11-debug oracle-linux-upgrade-python3-11-devel oracle-linux-upgrade-python3-11-idle oracle-linux-upgrade-python3-11-libs oracle-linux-upgrade-python3-11-rpm-macros oracle-linux-upgrade-python3-11-test oracle-linux-upgrade-python3-11-tkinter oracle-linux-upgrade-python3-12 oracle-linux-upgrade-python3-12-debug oracle-linux-upgrade-python3-12-devel oracle-linux-upgrade-python3-12-idle oracle-linux-upgrade-python3-12-libs oracle-linux-upgrade-python3-12-rpm-macros oracle-linux-upgrade-python3-12-test oracle-linux-upgrade-python3-12-tkinter oracle-linux-upgrade-python39 oracle-linux-upgrade-python39-cffi oracle-linux-upgrade-python39-chardet oracle-linux-upgrade-python39-cryptography oracle-linux-upgrade-python39-debug oracle-linux-upgrade-python39-devel oracle-linux-upgrade-python39-idle oracle-linux-upgrade-python39-idna oracle-linux-upgrade-python39-libs oracle-linux-upgrade-python39-lxml oracle-linux-upgrade-python39-mod-wsgi oracle-linux-upgrade-python39-numpy oracle-linux-upgrade-python39-numpy-doc oracle-linux-upgrade-python39-numpy-f2py oracle-linux-upgrade-python39-pip oracle-linux-upgrade-python39-pip-wheel oracle-linux-upgrade-python39-ply oracle-linux-upgrade-python39-psutil oracle-linux-upgrade-python39-psycopg2 oracle-linux-upgrade-python39-psycopg2-doc oracle-linux-upgrade-python39-psycopg2-tests oracle-linux-upgrade-python39-pycparser oracle-linux-upgrade-python39-pymysql oracle-linux-upgrade-python39-pysocks oracle-linux-upgrade-python39-pyyaml oracle-linux-upgrade-python39-requests oracle-linux-upgrade-python39-rpm-macros oracle-linux-upgrade-python39-scipy oracle-linux-upgrade-python39-setuptools oracle-linux-upgrade-python39-setuptools-wheel oracle-linux-upgrade-python39-six oracle-linux-upgrade-python39-test oracle-linux-upgrade-python39-tkinter oracle-linux-upgrade-python39-toml oracle-linux-upgrade-python39-urllib3 oracle-linux-upgrade-python39-wheel oracle-linux-upgrade-python39-wheel-wheel oracle-linux-upgrade-python3-debug oracle-linux-upgrade-python3-devel oracle-linux-upgrade-python3-idle oracle-linux-upgrade-python3-libs oracle-linux-upgrade-python3-test oracle-linux-upgrade-python3-tkinter oracle-linux-upgrade-python-unversioned-command
     References: https://attackerkb.com/topics/cve-2024-8088 CVE - 2024-8088 ELSA-2024-6961 ELSA-2024-6962 ELSA-2024-5962 ELSA-2024-9371 ELSA-2024-9190 ELSA-2024-9192
  8. Ubuntu: (CVE-2022-48919): linux vulnerability
     Severity: 7 | CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
     Published: 08/22/2024 | Created: 11/21/2024 | Added: 11/19/2024 | Modified: 02/11/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: cifs: fix double free race when mount fails in cifs_get_root(). When cifs_get_root() fails during cifs_smb3_do_mount() we call deactivate_locked_super() which eventually will call delayed_free() which will free the context. In this situation we should not proceed to enter the out: section in cifs_smb3_do_mount() and free the same resources a second time.
         [Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60
         [Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0
         [Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #4
         [Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019
         [Thu Feb 10 12:59:06 2022] Call Trace:
         [Thu Feb 10 12:59:06 2022] <IRQ>
         [Thu Feb 10 12:59:06 2022] dump_stack_lvl+0x5d/0x78
         [Thu Feb 10 12:59:06 2022] print_address_description.constprop.0+0x24/0x150
         [Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60
         [Thu Feb 10 12:59:06 2022] kasan_report.cold+0x7d/0x117
         [Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60
         [Thu Feb 10 12:59:06 2022] __asan_load8+0x86/0xa0
         [Thu Feb 10 12:59:06 2022] rcu_cblist_dequeue+0x32/0x60
         [Thu Feb 10 12:59:06 2022] rcu_core+0x547/0xca0
         [Thu Feb 10 12:59:06 2022] ? call_rcu+0x3c0/0x3c0
         [Thu Feb 10 12:59:06 2022] ? __this_cpu_preempt_check+0x13/0x20
         [Thu Feb 10 12:59:06 2022] ? lock_is_held_type+0xea/0x140
         [Thu Feb 10 12:59:06 2022] rcu_core_si+0xe/0x10
         [Thu Feb 10 12:59:06 2022] __do_softirq+0x1d4/0x67b
         [Thu Feb 10 12:59:06 2022] __irq_exit_rcu+0x100/0x150
         [Thu Feb 10 12:59:06 2022] irq_exit_rcu+0xe/0x30
         [Thu Feb 10 12:59:06 2022] sysvec_hyperv_stimer0+0x9d/0xc0
         ...
         [Thu Feb 10 12:59:07 2022] Freed by task 58179:
         [Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50
         [Thu Feb 10 12:59:07 2022] kasan_set_track+0x25/0x30
         [Thu Feb 10 12:59:07 2022] kasan_set_free_info+0x24/0x40
         [Thu Feb 10 12:59:07 2022] ____kasan_slab_free+0x137/0x170
         [Thu Feb 10 12:59:07 2022] __kasan_slab_free+0x12/0x20
         [Thu Feb 10 12:59:07 2022] slab_free_freelist_hook+0xb3/0x1d0
         [Thu Feb 10 12:59:07 2022] kfree+0xcd/0x520
         [Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0x149/0xbe0 [cifs]
         [Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs]
         [Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140
         [Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0
         [Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210
         [Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0
         [Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae
         [Thu Feb 10 12:59:07 2022] Last potentially related work creation:
         [Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50
         [Thu Feb 10 12:59:07 2022] __kasan_record_aux_stack+0xb6/0xc0
         [Thu Feb 10 12:59:07 2022] kasan_record_aux_stack_noalloc+0xb/0x10
         [Thu Feb 10 12:59:07 2022] call_rcu+0x76/0x3c0
         [Thu Feb 10 12:59:07 2022] cifs_umount+0xce/0xe0 [cifs]
         [Thu Feb 10 12:59:07 2022] cifs_kill_sb+0xc8/0xe0 [cifs]
         [Thu Feb 10 12:59:07 2022] deactivate_locked_super+0x5d/0xd0
         [Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0xab9/0xbe0 [cifs]
         [Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs]
         [Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140
         [Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0
         [Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210
         [Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0
         [Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae
     Solution(s): ubuntu-upgrade-linux ubuntu-upgrade-linux-aws ubuntu-upgrade-linux-aws-5-4 ubuntu-upgrade-linux-aws-fips ubuntu-upgrade-linux-aws-hwe ubuntu-upgrade-linux-azure ubuntu-upgrade-linux-azure-4-15 ubuntu-upgrade-linux-azure-5-4 ubuntu-upgrade-linux-azure-fips ubuntu-upgrade-linux-bluefield ubuntu-upgrade-linux-fips ubuntu-upgrade-linux-gcp ubuntu-upgrade-linux-gcp-4-15 ubuntu-upgrade-linux-gcp-5-4 ubuntu-upgrade-linux-gcp-fips ubuntu-upgrade-linux-gkeop ubuntu-upgrade-linux-hwe ubuntu-upgrade-linux-hwe-5-4 ubuntu-upgrade-linux-ibm ubuntu-upgrade-linux-ibm-5-4 ubuntu-upgrade-linux-intel-iotg-5-15 ubuntu-upgrade-linux-iot ubuntu-upgrade-linux-kvm ubuntu-upgrade-linux-oracle ubuntu-upgrade-linux-oracle-5-4 ubuntu-upgrade-linux-raspi ubuntu-upgrade-linux-raspi-5-4
     References: https://attackerkb.com/topics/cve-2022-48919 CVE - 2022-48919 https://git.kernel.org/linus/3d6cc9898efdfb062efb74dc18cfc700e082f5d5 https://git.kernel.org/stable/c/147a0e71ccf96df9fc8c2ac500829d8e423ef02c https://git.kernel.org/stable/c/2fe0e281f7ad0a62259649764228227dd6b2561d https://git.kernel.org/stable/c/3d6cc9898efdfb062efb74dc18cfc700e082f5d5 https://git.kernel.org/stable/c/546d60859ecf13380fcabcbeace53a5971493a2b https://git.kernel.org/stable/c/563431c1f3c8f2230e4a9c445fa23758742bc4f0 https://git.kernel.org/stable/c/da834d6c1147c7519a9e55b510a03b7055104749 https://git.kernel.org/stable/c/df9db1a2af37f39ad1653c7b9b0d275d72d0bc67 https://git.kernel.org/stable/c/e208668ef7ba23efcbf76a8200cab8deee501c4d https://www.cve.org/CVERecord?id=CVE-2022-48919
  9. Debian: CVE-2024-8088: python3.11, python3.9 -- security update
     Severity: 4 | CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published: 08/22/2024 | Created: 08/29/2024 | Added: 08/28/2024 | Modified: 08/28/2024
     Description: There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.
     Solution(s): debian-upgrade-python3-11 debian-upgrade-python3-9
     References: https://attackerkb.com/topics/cve-2024-8088 CVE - 2024-8088 DSA-5759-1
  10. Debian: CVE-2022-48942: linux -- security update
      Severity: 5 | CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
      Published: 08/22/2024 | Created: 08/24/2024 | Added: 08/23/2024 | Modified: 01/28/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: hwmon: Handle failure to register sensor with thermal zone correctly. If an attempt is made to register a sensor with a thermal zone and it fails, the call to devm_thermal_zone_of_sensor_register() may return -ENODEV. This may result in crashes similar to the following.
          Unable to handle kernel NULL pointer dereference at virtual address 00000000000003cd
          ...
          Internal error: Oops: 96000021 [#1] PREEMPT SMP
          ...
          pc : mutex_lock+0x18/0x60
          lr : thermal_zone_device_update+0x40/0x2e0
          Call trace:
           mutex_lock+0x18/0x60
           hwmon_notify_event+0xfc/0x110
           0xffffdde1cb7a0a90
           0xffffdde1cb7a0b7c
           irq_thread_fn+0x2c/0xa0
           irq_thread+0x134/0x240
           kthread+0x178/0x190
           ret_from_fork+0x10/0x20
      Jon Hunter reports that the exact call sequence is:
          hwmon_notify_event()
            --> hwmon_thermal_notify()
              --> thermal_zone_device_update()
                --> update_temperature()
                  --> mutex_lock()
      The hwmon core needs to handle all errors returned from calls to devm_thermal_zone_of_sensor_register(). If the call fails with -ENODEV, report that the sensor was not attached to a thermal zone but continue to register the hwmon device.
      Solution(s): debian-upgrade-linux
      References: https://attackerkb.com/topics/cve-2022-48942 CVE - 2022-48942
  11. Debian: CVE-2022-48935: linux -- security update
      Severity: 5 | CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
      Published: 08/22/2024 | Created: 08/24/2024 | Added: 08/23/2024 | Modified: 01/28/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unregister flowtable hooks on netns exit. Unregister flowtable hooks before they are released via nf_tables_flowtable_destroy(), otherwise the hook core reports a UAF.
          BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142
          Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666
          CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0
          Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
          Call Trace:
           <TASK>
           __dump_stack lib/dump_stack.c:88 [inline]
           dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
           print_address_description+0x65/0x380 mm/kasan/report.c:247
           __kasan_report mm/kasan/report.c:433 [inline]
           kasan_report+0x19a/0x1f0 mm/kasan/report.c:450
           nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142
           __nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429
           nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571
           nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232
           nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430
           nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]
           nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]
           nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652
      __nft_release_hook() calls nft_unregister_flowtable_net_hooks() which only unregisters the hooks; then, after the RCU grace period, it is guaranteed that no packets add new entries to the flowtable (no flow offload rules and flowtable hooks are reachable from the packet path), so it is safe to call nf_flow_table_free(), which cleans up the remaining entries from the flowtable (both software and hardware) and unbinds the flow_block.
      Solution(s): debian-upgrade-linux
      References: https://attackerkb.com/topics/cve-2022-48935 CVE - 2022-48935
  12. Red Hat: CVE-2022-48929: kernel: bpf: Fix crash due to out of bounds access into reg2btf_ids. (Multiple Advisories)
      Severity: 7 | CVSS: (AV:L/AC:L/Au:M/C:C/I:C/A:C)
      Published: 08/22/2024 | Created: 12/06/2024 | Added: 12/05/2024 | Modified: 02/10/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: bpf: Fix crash due to out of bounds access into reg2btf_ids. When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier reg type to the appropriate btf_vmlinux BTF ID; however, commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL") moved the __BPF_REG_TYPE_MAX from the last member of the bpf_reg_type enum to after the base register types, and defined other variants using type flag composition. However, now, the direct usage of reg->type to index into reg2btf_ids may no longer fall into the __BPF_REG_TYPE_MAX range, and hence lead to out of bounds access and a kernel crash on dereference of a bad pointer.
      Solution(s): redhat-upgrade-kernel redhat-upgrade-kernel-rt
      References: CVE-2022-48929 RHSA-2024:10262 RHSA-2024:9315
  13. Huawei EulerOS: CVE-2024-43398: ruby security update
      Severity: 4 | CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published: 08/22/2024 | Created: 11/12/2024 | Added: 11/11/2024 | Modified: 11/11/2024
      Description: REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have the same local name attributes. If you need to parse untrusted XMLs with a tree parser API like REXML::Document.new, you may be impacted by this vulnerability. If you use other parser APIs such as the stream parser API and the SAX2 parser API, you are not affected by this vulnerability. The REXML gem 3.3.6 or later includes the patch to fix the vulnerability.
      Solution(s): huawei-euleros-2_0_sp10-upgrade-ruby huawei-euleros-2_0_sp10-upgrade-ruby-help huawei-euleros-2_0_sp10-upgrade-ruby-irb
      References: https://attackerkb.com/topics/cve-2024-43398 CVE - 2024-43398 EulerOS-SA-2024-2914
  14. Ubuntu: (CVE-2022-48922): linux-intel-iotg-5.15 vulnerability
      Severity: 5 | CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
      Published: 08/22/2024 | Created: 11/21/2024 | Added: 11/19/2024 | Modified: 01/30/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: riscv: fix oops caused by irqsoff latency tracer. The trace_hardirqs_{on,off}() require the caller to set up the frame pointer properly. This is because these two functions use the macro 'CALLER_ADDR1' (aka. __builtin_return_address(1)) to acquire caller info. If the $fp is used for another purpose, the code generated by this macro (as below) could trigger a memory access fault.
          0xffffffff8011510e <+80>:    ld    a1,-16(s0)
          0xffffffff80115112 <+84>:    ld    s2,-8(a1)     # <-- paging fault here
      The oops message during booting if compiled with the 'irqoff' tracer enabled:
          [0.039615][T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8
          [0.041925][T0] Oops [#1]
          [0.042063][T0] Modules linked in:
          [0.042864][T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29
          [0.043568][T0] Hardware name: riscv-virtio,qemu (DT)
          [0.044343][T0] epc : trace_hardirqs_on+0x56/0xe2
          [0.044601][T0]  ra : restore_all+0x12/0x6e
          [0.044721][T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0
          [0.045620][T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d
          [0.046402][T0] [<ffffffff80003b94>] restore_all+0x12/0x6e
      This is because the $fp (aka. $s0) register is not used as a frame pointer in the assembly entry code.
          resume_kernel:
              REG_L s0, TASK_TI_PREEMPT_COUNT(tp)
              bnez s0, restore_all
              REG_L s0, TASK_TI_FLAGS(tp)
              andi s0, s0, _TIF_NEED_RESCHED
              beqz s0, restore_all
              call preempt_schedule_irq
              j restore_all
      To fix the above issue, here we add one extra level of wrapper for the functions trace_hardirqs_{on,off}() so they can be safely called by low level entry code.
      Solution(s): ubuntu-upgrade-linux-intel-iotg-5-15
      References: https://attackerkb.com/topics/cve-2022-48922 CVE - 2022-48922 https://git.kernel.org/linus/22e2100b1b07d6f5acc71cc1acb53f680c677d77 https://git.kernel.org/stable/c/1851b9a467065b18ec2cba156eea345206df1c8f https://git.kernel.org/stable/c/22e2100b1b07d6f5acc71cc1acb53f680c677d77 https://git.kernel.org/stable/c/9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3 https://git.kernel.org/stable/c/b5e180490db4af8c0f80c4b65ee482d333d0e8ee https://www.cve.org/CVERecord?id=CVE-2022-48922
  15. SolarWinds Web Help Desk: CVE-2024-28987: Web Help Desk Hardcoded Credential Vulnerability
      Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N)
      Published 08/22/2024 Created 10/09/2024 Added 08/27/2024 Modified 10/16/2024

      Description
      The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing a remote unauthenticated user to access internal functionality and modify data.

      Solution(s)
      solarwinds-web-help-desk-upgrade-latest

      References
      https://attackerkb.com/topics/cve-2024-28987
      CVE - 2024-28987
      https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987
  16. Amazon Linux AMI 2: CVE-2022-48943: Security patch for kernel (ALASKERNEL-5.10-2022-012)
      Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C)
      Published 08/22/2024 Created 09/17/2024 Added 09/16/2024 Modified 01/30/2025

      Description
      In the Linux kernel, the following vulnerability has been resolved:

      KVM: x86/mmu: make apf token non-zero to fix bug

      In the current async pagefault logic, when a page is ready, KVM relies on kvm_arch_can_dequeue_async_page_present() to determine whether to deliver a READY event to the Guest. This function tests the token value of struct kvm_vcpu_pv_apf_data, which must be reset to zero by the Guest kernel when a READY event is finished by the Guest. If the value is zero, meaning that a READY event is done, KVM can deliver another. But kvm_arch_setup_async_pf() may produce a valid token with a zero value, which is confused with the previous meaning and may lead to the loss of this READY event.

      This bug may cause a task to be blocked forever in the Guest:

      INFO: task stress:7532 blocked for more than 1254 seconds.
            Not tainted 5.10.0 #16
      "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      task:stress          state:D stack:    0 pid: 7532 ppid:  1409 flags:0x00000080
      Call Trace:
       __schedule+0x1e7/0x650
       schedule+0x46/0xb0
       kvm_async_pf_task_wait_schedule+0xad/0xe0
       ? exit_to_user_mode_prepare+0x60/0x70
       __kvm_handle_async_pf+0x4f/0xb0
       ? asm_exc_page_fault+0x8/0x30
       exc_page_fault+0x6f/0x110
       ? asm_exc_page_fault+0x8/0x30
       asm_exc_page_fault+0x1e/0x30
      RIP: 0033:0x402d00
      RSP: 002b:00007ffd31912500 EFLAGS: 00010206
      RAX: 0000000000071000 RBX: ffffffffffffffff RCX: 00000000021a32b0
      RDX: 000000000007d011 RSI: 000000000007d000 RDI: 00000000021262b0
      RBP: 00000000021262b0 R08: 0000000000000003 R09: 0000000000000086
      R10: 00000000000000eb R11: 00007fefbdf2baa0 R12: 0000000000000000
      R13: 0000000000000002 R14: 000000000007d000 R15: 0000000000001000

      Solution(s)
      amazon-linux-ami-2-upgrade-bpftool
      amazon-linux-ami-2-upgrade-bpftool-debuginfo
      amazon-linux-ami-2-upgrade-kernel
      amazon-linux-ami-2-upgrade-kernel-debuginfo
      amazon-linux-ami-2-upgrade-kernel-debuginfo-common-aarch64
      amazon-linux-ami-2-upgrade-kernel-debuginfo-common-x86_64
      amazon-linux-ami-2-upgrade-kernel-devel
      amazon-linux-ami-2-upgrade-kernel-headers
      amazon-linux-ami-2-upgrade-kernel-livepatch-5-10-106-102-504
      amazon-linux-ami-2-upgrade-kernel-tools
      amazon-linux-ami-2-upgrade-kernel-tools-debuginfo
      amazon-linux-ami-2-upgrade-kernel-tools-devel
      amazon-linux-ami-2-upgrade-perf
      amazon-linux-ami-2-upgrade-perf-debuginfo
      amazon-linux-ami-2-upgrade-python-perf
      amazon-linux-ami-2-upgrade-python-perf-debuginfo

      References
      https://attackerkb.com/topics/cve-2022-48943
      AL2/ALASKERNEL-5.10-2022-012
      CVE - 2022-48943
  17. Debian: CVE-2023-52904: linux -- security update
      Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
      Published 08/22/2024 Created 08/23/2024 Added 08/22/2024 Modified 01/28/2025

      Description
      In the Linux kernel, the following vulnerability has been resolved:

      ALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()

      The subs function argument may be NULL, so do not use it before the NULL check.

      Solution(s)
      debian-upgrade-linux

      References
      https://attackerkb.com/topics/cve-2023-52904
      CVE - 2023-52904
  18. Alpine Linux: CVE-2024-8088: Vulnerability in Multiple Components
      Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published 08/22/2024 Created 10/02/2024 Added 10/01/2024 Modified 10/01/2024

      Description
      There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected.

      When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.

      Solution(s)
      alpine-linux-upgrade-python3

      References
      https://attackerkb.com/topics/cve-2024-8088
      CVE - 2024-8088
      https://security.alpinelinux.org/vuln/CVE-2024-8088
  19. Debian: CVE-2023-52894: linux -- security update
      Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
      Published 08/22/2024 Created 08/23/2024 Added 08/22/2024 Modified 01/30/2025

      Description
      In the Linux kernel, the following vulnerability has been resolved:

      usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()

      In Google internal bug 265639009 we've received an (as yet) unreproducible crash report from an aarch64 GKI 5.10.149-android13 running device.

      AFAICT the source code is at:
      https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10

      The call stack is:
      ncm_close() -> ncm_notify() -> ncm_do_notify()
      with the crash at:
      ncm_do_notify+0x98/0x270
      Code: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)

      Which I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):

      // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)
      0B 0D 00 79    strh w11, [x8, #6]

      // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)
      6C 0A 00 B9    str w12, [x19, #8]

      // x10 (NULL) was read here from offset 0 of valid pointer x9
      // IMHO we're reading 'cdev->gadget' and getting NULL
      // gadget is indeed at offset 0 of struct usb_composite_dev
      2A 01 40 F9    ldr x10, [x9]

      // loading req->buf pointer, which is at offset 0 of struct usb_request
      69 02 40 F9    ldr x9, [x19]

      // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed
      4B 5D 40 B9    ldr w11, [x10, #0x5c]

      which seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment:

      event->wLength = cpu_to_le16(8);
      req->length = NCM_STATUS_BYTECOUNT;

      /* SPEED_CHANGE data is up/down speeds in bits/sec */
      data = req->buf + sizeof *event;
      data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));

      My analysis of registers and NULL ptr deref crash offset (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c) heavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:
      data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
      which calls:
      ncm_bitrate(NULL)
      which then calls:
      gadget_is_superspeed(NULL)
      which reads
      ((struct usb_gadget *)NULL)->max_speed
      and hits a panic.

      AFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C. (remember there's a GKI KABI reservation of 16 bytes in struct work_struct)

      It's not at all clear to me how this is all supposed to work... but returning 0 seems much better than panic-ing...

      Solution(s)
      debian-upgrade-linux

      References
      https://attackerkb.com/topics/cve-2023-52894
      CVE - 2023-52894
  20. Google Chrome Vulnerability: CVE-2024-7965 Inappropriate implementation in V8
      Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C)
      Published 08/22/2024 Created 08/23/2024 Added 08/22/2024 Modified 01/28/2025

      Description
      Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

      Solution(s)
      google-chrome-upgrade-latest

      References
      https://attackerkb.com/topics/cve-2024-7965
      CVE - 2024-7965
  21. Google Chrome Vulnerability: CVE-2024-7973 Heap buffer overflow in PDFium
      Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C)
      Published 08/22/2024 Created 08/23/2024 Added 08/22/2024 Modified 01/28/2025

      Description
      Heap buffer overflow in PDFium in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file. (Chromium security severity: Medium)

      Solution(s)
      google-chrome-upgrade-latest

      References
      https://attackerkb.com/topics/cve-2024-7973
      CVE - 2024-7973
  22. Debian: CVE-2022-48872: linux -- security update
      Severity 7 CVSS (AV:L/AC:M/Au:S/C:C/I:C/A:C)
      Published 08/22/2024 Created 08/23/2024 Added 08/22/2024 Modified 01/30/2025

      Description
      In the Linux kernel, the following vulnerability has been resolved:

      misc: fastrpc: Fix use-after-free race condition for maps

      It is possible that in between calling fastrpc_map_get() until map->fl->lock is taken in fastrpc_free_map(), another thread can call fastrpc_map_lookup() and get a reference to a map that is about to be deleted.

      Rewrite fastrpc_map_get() to only increase the reference count of a map if it's non-zero. Propagate this to callers so they can know if a map is about to be deleted.

      Fixes this warning:

      refcount_t: addition on 0; use-after-free.
      WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate
      ...
      Call trace:
       refcount_warn_saturate
       [fastrpc_map_get inlined]
       [fastrpc_map_lookup inlined]
       fastrpc_map_create
       fastrpc_internal_invoke
       fastrpc_device_ioctl
       __arm64_sys_ioctl
       invoke_syscall

      Solution(s)
      debian-upgrade-linux

      References
      https://attackerkb.com/topics/cve-2022-48872
      CVE - 2022-48872
  23. Debian: CVE-2022-48870: linux -- security update
      Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
      Published 08/22/2024 Created 08/23/2024 Added 08/22/2024 Modified 01/28/2025

      Description
      In the Linux kernel, the following vulnerability has been resolved:

      tty: fix possible null-ptr-deref in spk_ttyio_release

      Run the following tests on the qemu platform:

      syzkaller:~# modprobe speakup_audptr
      input: Speakup as /devices/virtual/input/input4
      initialized device: /dev/synth, node (MAJOR 10, MINOR 125)
      speakup 3.1.6: initialized
      synth name on entry is: (null)
      synth probe

      spk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned failed (errno -16). If we then remove the module, we get a null-ptr-deref problem, as follows:

      syzkaller:~# modprobe -r speakup_audptr
      releasing synth audptr
      BUG: kernel NULL pointer dereference, address: 0000000000000080
      #PF: supervisor write access in kernel mode
      #PF: error_code(0x0002) - not-present page
      PGD 0 P4D 0
      Oops: 0002 [#1] PREEMPT SMP PTI
      CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1
      RIP: 0010:mutex_lock+0x14/0x30
      Call Trace:
       <TASK>
       spk_ttyio_release+0x19/0x70 [speakup]
       synth_release.part.6+0xac/0xc0 [speakup]
       synth_remove+0x56/0x60 [speakup]
       __x64_sys_delete_module+0x156/0x250
       ? fpregs_assert_state_consistent+0x1d/0x50
       do_syscall_64+0x37/0x90
       entry_SYSCALL_64_after_hwframe+0x63/0xcd
       </TASK>
      Modules linked in: speakup_audptr(-) speakup
      Dumping ftrace buffer:

      in_synth->dev was not initialized during modprobe, so we add a check for in_synth->dev to fix this bug.

      Solution(s)
      debian-upgrade-linux

      References
      https://attackerkb.com/topics/cve-2022-48870
      CVE - 2022-48870
  24. Debian: CVE-2022-48931: linux -- security update
      Severity 4 CVSS (AV:L/AC:M/Au:S/C:N/I:N/A:C)
      Published 08/22/2024 Created 08/24/2024 Added 08/23/2024 Modified 01/28/2025

      Description
      In the Linux kernel, the following vulnerability has been resolved:

      configfs: fix a race in configfs_{,un}register_subsystem()

      When configfs_register_subsystem() or configfs_unregister_subsystem() is executing link_group() or unlink_group(), it is possible that two processes add to or delete from the list concurrently. Some unfortunate interleavings of them can cause a kernel panic.

      One of the cases is:

      A --> B --> C --> D
      A <-- B <-- C <-- D

           delete list_head *B        |       delete list_head *C
      --------------------------------|-----------------------------------
      configfs_unregister_subsystem   |  configfs_unregister_subsystem
        unlink_group                  |    unlink_group
          unlink_obj                  |      unlink_obj
            list_del_init             |        list_del_init
              __list_del_entry        |          __list_del_entry
                __list_del            |            __list_del
                  // next == C        |
                  next->prev = prev   |
                                      |            next->prev = prev
                  prev->next = next   |
                                      |            // prev == B
                                      |            prev->next = next

      Fix this by adding a mutex when calling link_group() or unlink_group(), but the parent configfs_subsystem is NULL when the config_item is the root. So I create a mutex configfs_subsystem_mutex.

      Solution(s)
      debian-upgrade-linux

      References
      https://attackerkb.com/topics/cve-2022-48931
      CVE - 2022-48931
  25. Rocky Linux: CVE-2022-48936: kernel-rt (Multiple Advisories)
      Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published 08/22/2024 Created 11/21/2024 Added 11/19/2024 Modified 11/19/2024

      Description
      Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

      Solution(s)
      rocky-upgrade-bpftool
      rocky-upgrade-bpftool-debuginfo
      rocky-upgrade-kernel
      rocky-upgrade-kernel-core
      rocky-upgrade-kernel-cross-headers
      rocky-upgrade-kernel-debug
      rocky-upgrade-kernel-debug-core
      rocky-upgrade-kernel-debug-debuginfo
      rocky-upgrade-kernel-debug-devel
      rocky-upgrade-kernel-debug-modules
      rocky-upgrade-kernel-debug-modules-extra
      rocky-upgrade-kernel-debuginfo
      rocky-upgrade-kernel-debuginfo-common-x86_64
      rocky-upgrade-kernel-devel
      rocky-upgrade-kernel-headers
      rocky-upgrade-kernel-modules
      rocky-upgrade-kernel-modules-extra
      rocky-upgrade-kernel-rt
      rocky-upgrade-kernel-rt-core
      rocky-upgrade-kernel-rt-debug
      rocky-upgrade-kernel-rt-debug-core
      rocky-upgrade-kernel-rt-debug-debuginfo
      rocky-upgrade-kernel-rt-debug-devel
      rocky-upgrade-kernel-rt-debug-kvm
      rocky-upgrade-kernel-rt-debug-modules
      rocky-upgrade-kernel-rt-debug-modules-extra
      rocky-upgrade-kernel-rt-debuginfo
      rocky-upgrade-kernel-rt-debuginfo-common-x86_64
      rocky-upgrade-kernel-rt-devel
      rocky-upgrade-kernel-rt-kvm
      rocky-upgrade-kernel-rt-modules
      rocky-upgrade-kernel-rt-modules-extra
      rocky-upgrade-kernel-tools
      rocky-upgrade-kernel-tools-debuginfo
      rocky-upgrade-kernel-tools-libs
      rocky-upgrade-kernel-tools-libs-devel
      rocky-upgrade-perf
      rocky-upgrade-perf-debuginfo
      rocky-upgrade-python3-perf
      rocky-upgrade-python3-perf-debuginfo

      References
      https://attackerkb.com/topics/cve-2022-48936
      CVE - 2022-48936
      https://errata.rockylinux.org/RLSA-2024:8856
      https://errata.rockylinux.org/RLSA-2024:8870