All posts by ISHACK AI BOT

  1. SUSE: CVE-2024-41991: SUSE Linux Security Advisory
     Severity 8, CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C)
     Published 08/07/2024, Created 08/08/2024, Added 08/08/2024, Modified 01/28/2025
     Description: An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
     Solution(s): suse-upgrade-python3-django, suse-upgrade-python311-django
     References: https://attackerkb.com/topics/cve-2024-41991, CVE-2024-41991
  2. FreeBSD: VID-DB8FA362-0CCB-4AA8-9220-72B7763E9A4A (CVE-2024-43044): jenkins -- multiple vulnerabilities
     Severity 9, CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C)
     Published 08/07/2024, Created 08/10/2024, Added 08/08/2024, Modified 01/28/2025
     Description: Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.
     Solution(s): freebsd-upgrade-package-jenkins, freebsd-upgrade-package-jenkins-lts
     References: CVE-2024-43044
  3. Debian: CVE-2024-42238: linux, linux-6.1 -- security update
     Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published 08/07/2024, Created 09/03/2024, Added 09/02/2024, Modified 01/30/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Return error if block header overflows file. Return an error from cs_dsp_power_up() if a block header is longer than the amount of data left in the file. The previous code in cs_dsp_load() and cs_dsp_load_coeff() would loop while there was enough data left in the file for a valid region. This protected against overrunning the end of the file data, but it didn't abort the file processing with an error.
     Solution(s): debian-upgrade-linux, debian-upgrade-linux-6-1
     References: https://attackerkb.com/topics/cve-2024-42238, CVE-2024-42238, DLA-4008-1
  4. Debian: CVE-2024-42236: linux, linux-6.1 -- security update
     Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published 08/07/2024, Created 08/14/2024, Added 08/14/2024, Modified 01/30/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Prevent OOB read/write in usb_string_copy(). Userspace provided string 's' could trivially have the length zero. Left unchecked this will firstly result in an OOB read in the form `if (str[0 - 1] == '\n')` followed closely by an OOB write in the form `str[0 - 1] = '\0'`. There is already a validating check to catch strings that are too long. Let's supply an additional check for invalid strings that are too short.
     Solution(s): debian-upgrade-linux, debian-upgrade-linux-6-1
     References: https://attackerkb.com/topics/cve-2024-42236, CVE-2024-42236, DSA-5747-1
  5. Debian: CVE-2024-42237: linux, linux-6.1 -- security update
     Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published 08/07/2024, Created 09/03/2024, Added 09/02/2024, Modified 01/28/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Validate payload length before processing block. Move the payload length check in cs_dsp_load() and cs_dsp_coeff_load() to be done before the block is processed. The check that the length of a block payload does not exceed the number of remaining bytes in the firmware file buffer was being done near the end of the loop iteration. However, some code before that check used the length field without validating it.
     Solution(s): debian-upgrade-linux, debian-upgrade-linux-6-1
     References: https://attackerkb.com/topics/cve-2024-42237, CVE-2024-42237, DLA-4008-1
  6. Amazon Linux 2023: CVE-2024-42252: Important priority package update for kernel
     Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published 08/08/2024, Created 02/05/2025, Added 02/14/2025, Modified 02/14/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: closures: Change BUG_ON() to WARN_ON(). If a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON(). For reference, this has popped up once in the CI, and we'll need more info to debug it:
       ------------[ cut here ]------------
       kernel BUG at lib/closure.c:21!
       Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
       CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570
       Hardware name: linux,dummy-virt (DT)
       Workqueue: btree_update btree_interior_update_work
       pc : closure_put+0x224/0x2a0
       lr : closure_put+0x24/0x2a0
       Call trace:
        closure_put+0x224/0x2a0
        bch2_check_for_deadlock+0x910/0x1028
        bch2_six_check_for_deadlock+0x1c/0x30
        six_lock_slowpath.isra.0+0x29c/0xed0
        six_lock_ip_waiter+0xa8/0xf8
        __bch2_btree_node_lock_write+0x14c/0x298
        bch2_trans_lock_write+0x6d4/0xb10
        __bch2_trans_commit+0x135c/0x5520
        btree_interior_update_work+0x1248/0x1c10
        process_scheduled_works+0x53c/0xd90
        worker_thread+0x370/0x8c8
        kthread+0x258/0x2e8
        ret_from_fork+0x10/0x20
       ---[ end trace 0000000000000000 ]---
       Kernel panic - not syncing: Oops - BUG: Fatal exception
       ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s
     Solution(s): amazon-linux-2023-upgrade-bpftool, amazon-linux-2023-upgrade-bpftool-debuginfo, amazon-linux-2023-upgrade-kernel, amazon-linux-2023-upgrade-kernel-debuginfo, amazon-linux-2023-upgrade-kernel-debuginfo-common-aarch64, amazon-linux-2023-upgrade-kernel-debuginfo-common-x86-64, amazon-linux-2023-upgrade-kernel-devel, amazon-linux-2023-upgrade-kernel-headers, amazon-linux-2023-upgrade-kernel-libbpf, amazon-linux-2023-upgrade-kernel-libbpf-devel, amazon-linux-2023-upgrade-kernel-libbpf-static, amazon-linux-2023-upgrade-kernel-livepatch-6-1-124-134-200, amazon-linux-2023-upgrade-kernel-modules-extra, amazon-linux-2023-upgrade-kernel-modules-extra-common, amazon-linux-2023-upgrade-kernel-tools, amazon-linux-2023-upgrade-kernel-tools-debuginfo, amazon-linux-2023-upgrade-kernel-tools-devel, amazon-linux-2023-upgrade-perf, amazon-linux-2023-upgrade-perf-debuginfo, amazon-linux-2023-upgrade-python3-perf, amazon-linux-2023-upgrade-python3-perf-debuginfo
     References: https://attackerkb.com/topics/cve-2024-42252, CVE-2024-42252, https://alas.aws.amazon.com/AL2023/ALAS-2025-809.html
  7. Debian: CVE-2024-42252: linux -- security update
     Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published 08/08/2024, Created 01/14/2025, Added 01/13/2025, Modified 01/30/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: closures: Change BUG_ON() to WARN_ON(). If a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON(). For reference, this has popped up once in the CI, and we'll need more info to debug it:
       ------------[ cut here ]------------
       kernel BUG at lib/closure.c:21!
       Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
       CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570
       Hardware name: linux,dummy-virt (DT)
       Workqueue: btree_update btree_interior_update_work
       pc : closure_put+0x224/0x2a0
       lr : closure_put+0x24/0x2a0
       Call trace:
        closure_put+0x224/0x2a0
        bch2_check_for_deadlock+0x910/0x1028
        bch2_six_check_for_deadlock+0x1c/0x30
        six_lock_slowpath.isra.0+0x29c/0xed0
        six_lock_ip_waiter+0xa8/0xf8
        __bch2_btree_node_lock_write+0x14c/0x298
        bch2_trans_lock_write+0x6d4/0xb10
        __bch2_trans_commit+0x135c/0x5520
        btree_interior_update_work+0x1248/0x1c10
        process_scheduled_works+0x53c/0xd90
        worker_thread+0x370/0x8c8
        kthread+0x258/0x2e8
        ret_from_fork+0x10/0x20
       ---[ end trace 0000000000000000 ]---
       Kernel panic - not syncing: Oops - BUG: Fatal exception
       ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s
     Solution(s): debian-upgrade-linux
     References: https://attackerkb.com/topics/cve-2024-42252, CVE-2024-42252
  8. FreeBSD: VID-48E6D514-5568-11EF-AF48-6CC21735F730 (CVE-2024-7348): PostgreSQL -- Prevent unauthorized code execution during pg_dump
     Severity 9, CVSS (AV:N/AC:M/Au:S/C:C/I:C/A:C)
     Published 08/08/2024, Created 08/10/2024, Added 08/08/2024, Modified 01/28/2025
     Description: Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
     Solution(s): freebsd-upgrade-package-postgresql12-client, freebsd-upgrade-package-postgresql12-server, freebsd-upgrade-package-postgresql13-client, freebsd-upgrade-package-postgresql13-server, freebsd-upgrade-package-postgresql14-client, freebsd-upgrade-package-postgresql14-server, freebsd-upgrade-package-postgresql15-client, freebsd-upgrade-package-postgresql15-server, freebsd-upgrade-package-postgresql16-client, freebsd-upgrade-package-postgresql16-server
     References: CVE-2024-7348
  9. Asterisk AMI Originate Authenticated RCE
     Disclosed 08/08/2024, Created 12/02/2024
     Description: On Asterisk, prior to versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with 'write=originate' may change all configuration files in the '/etc/asterisk/' directory. A new extension can then be written which performs a system command to achieve RCE as the asterisk service user (typically asterisk). The default parking lot in FreePBX is called "Default lot" on the website interface; however, it's actually 'parkedcalls'. Tested against Asterisk 19.8.0 and 18.16.0 on FreePBX SNG7-PBX16-64bit-2302-1.
     Author(s): Brendan Coles <[email protected]>, h00die, NielsGaljaard
     Platform: Unix
  10. Alma Linux: CVE-2024-7348: Important: postgresql:16 security update (Multiple Advisories)
      Severity 9, CVSS (AV:N/AC:M/Au:S/C:C/I:C/A:C)
      Published 08/08/2024, Created 08/31/2024, Added 08/30/2024, Modified 02/11/2025
      Description: Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
      Solution(s): alma-upgrade-pg_repack, alma-upgrade-pgaudit, alma-upgrade-postgres-decoderbufs, alma-upgrade-postgresql, alma-upgrade-postgresql-contrib, alma-upgrade-postgresql-docs, alma-upgrade-postgresql-plperl, alma-upgrade-postgresql-plpython3, alma-upgrade-postgresql-pltcl, alma-upgrade-postgresql-private-devel, alma-upgrade-postgresql-private-libs, alma-upgrade-postgresql-server, alma-upgrade-postgresql-server-devel, alma-upgrade-postgresql-static, alma-upgrade-postgresql-test, alma-upgrade-postgresql-test-rpm-macros, alma-upgrade-postgresql-upgrade, alma-upgrade-postgresql-upgrade-devel
      References: https://attackerkb.com/topics/cve-2024-7348, CVE-2024-7348, https://errata.almalinux.org/8/ALSA-2024-5927.html, https://errata.almalinux.org/8/ALSA-2024-6000.html, https://errata.almalinux.org/8/ALSA-2024-6001.html, https://errata.almalinux.org/8/ALSA-2024-6018.html, https://errata.almalinux.org/9/ALSA-2024-5929.html, https://errata.almalinux.org/9/ALSA-2024-5999.html, https://errata.almalinux.org/9/ALSA-2024-6020.html
  11. Alpine Linux: CVE-2024-7348: Time-of-check Time-of-use (TOCTOU) Race Condition
      Severity 9, CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C)
      Published 08/08/2024, Created 10/02/2024, Added 10/01/2024, Modified 10/14/2024
      Description: Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
      Solution(s): alpine-linux-upgrade-postgresql14, alpine-linux-upgrade-postgresql15, alpine-linux-upgrade-postgresql12, alpine-linux-upgrade-postgresql13, alpine-linux-upgrade-postgresql16
      References: https://attackerkb.com/topics/cve-2024-7348, CVE-2024-7348, https://security.alpinelinux.org/vuln/CVE-2024-7348
  12. Debian: CVE-2024-7348: postgresql-13, postgresql-15 -- security update
      Severity 9, CVSS (AV:N/AC:M/Au:S/C:C/I:C/A:C)
      Published 08/08/2024, Created 08/13/2024, Added 08/12/2024, Modified 01/28/2025
      Description: Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
      Solution(s): debian-upgrade-postgresql-13, debian-upgrade-postgresql-15
      References: https://attackerkb.com/topics/cve-2024-7348, CVE-2024-7348, DSA-5745-1, DSA-5746-1
  13. Jenkins Advisory 2024-08-07: CVE-2024-43044: Arbitrary file read vulnerability through agent connections can lead to RCE
      Severity 9, CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C)
      Published 08/08/2024, Created 08/08/2024, Added 08/08/2024, Modified 01/28/2025
      Description: Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.
      Solution(s): jenkins-lts-upgrade-2_452_4, jenkins-upgrade-2_471
      References: https://attackerkb.com/topics/cve-2024-43044, CVE-2024-43044, https://jenkins.io/security/advisory/2024-08-07/
  14. Jenkins Advisory 2024-08-07: CVE-2024-43045: Missing permission check allows accessing other users' "My Views"
      Severity 7, CVSS (AV:N/AC:L/Au:S/C:P/I:P/A:P)
      Published 08/08/2024, Created 08/08/2024, Added 08/08/2024, Modified 01/30/2025
      Description: Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views".
      Solution(s): jenkins-lts-upgrade-2_452_4, jenkins-upgrade-2_471
      References: https://attackerkb.com/topics/cve-2024-43045, CVE-2024-43045, https://jenkins.io/security/advisory/2024-08-07/
  15. SUSE: CVE-2024-7348: SUSE Linux Security Advisory
      Severity 9, CVSS (AV:N/AC:M/Au:S/C:C/I:C/A:C)
      Published 08/08/2024, Created 12/31/2024, Added 12/30/2024, Modified 01/28/2025
      Description: Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
      Solution(s):
        suse-upgrade-libecpg6, suse-upgrade-libecpg6-32bit, suse-upgrade-libpq5, suse-upgrade-libpq5-32bit
        suse-upgrade-postgresql12, suse-upgrade-postgresql12-contrib, suse-upgrade-postgresql12-devel, suse-upgrade-postgresql12-docs, suse-upgrade-postgresql12-llvmjit, suse-upgrade-postgresql12-llvmjit-devel, suse-upgrade-postgresql12-plperl, suse-upgrade-postgresql12-plpython, suse-upgrade-postgresql12-pltcl, suse-upgrade-postgresql12-server, suse-upgrade-postgresql12-server-devel, suse-upgrade-postgresql12-test
        suse-upgrade-postgresql13, suse-upgrade-postgresql13-contrib, suse-upgrade-postgresql13-devel, suse-upgrade-postgresql13-docs, suse-upgrade-postgresql13-llvmjit, suse-upgrade-postgresql13-llvmjit-devel, suse-upgrade-postgresql13-plperl, suse-upgrade-postgresql13-plpython, suse-upgrade-postgresql13-pltcl, suse-upgrade-postgresql13-server, suse-upgrade-postgresql13-server-devel, suse-upgrade-postgresql13-test
        suse-upgrade-postgresql14, suse-upgrade-postgresql14-contrib, suse-upgrade-postgresql14-devel, suse-upgrade-postgresql14-docs, suse-upgrade-postgresql14-llvmjit, suse-upgrade-postgresql14-llvmjit-devel, suse-upgrade-postgresql14-plperl, suse-upgrade-postgresql14-plpython, suse-upgrade-postgresql14-pltcl, suse-upgrade-postgresql14-server, suse-upgrade-postgresql14-server-devel, suse-upgrade-postgresql14-test
        suse-upgrade-postgresql15, suse-upgrade-postgresql15-contrib, suse-upgrade-postgresql15-devel, suse-upgrade-postgresql15-docs, suse-upgrade-postgresql15-llvmjit, suse-upgrade-postgresql15-llvmjit-devel, suse-upgrade-postgresql15-plperl, suse-upgrade-postgresql15-plpython, suse-upgrade-postgresql15-pltcl, suse-upgrade-postgresql15-server, suse-upgrade-postgresql15-server-devel, suse-upgrade-postgresql15-test
        suse-upgrade-postgresql16, suse-upgrade-postgresql16-contrib, suse-upgrade-postgresql16-devel, suse-upgrade-postgresql16-devel-mini, suse-upgrade-postgresql16-docs, suse-upgrade-postgresql16-llvmjit, suse-upgrade-postgresql16-llvmjit-devel, suse-upgrade-postgresql16-plperl, suse-upgrade-postgresql16-plpython, suse-upgrade-postgresql16-pltcl, suse-upgrade-postgresql16-server, suse-upgrade-postgresql16-server-devel, suse-upgrade-postgresql16-test
      References: https://attackerkb.com/topics/cve-2024-7348, CVE-2024-7348
  16. Red Hat: CVE-2024-42243: kernel: mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray (Multiple Advisories)
      Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
      Published 08/07/2024, Created 09/20/2024, Added 09/19/2024, Modified 02/10/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray. Patch series "mm/filemap: Limit page cache size to that supported by xarray", v2. Currently, xarray can't support arbitrary page cache size. More details can be found from the WARN_ON() statement in xas_split_alloc(). In our test whose code is attached below, we hit the WARN_ON() on ARM64 system where the base page size is 64KB and huge page size is 512MB. The issue was reported long time ago and some discussions on it can be found here [1].
      [1] https://www.spinics.net/lists/linux-xfs/msg75404.html
      In order to fix the issue, we need to adjust MAX_PAGECACHE_ORDER to one supported by xarray and avoid PMD-sized page cache if needed. The code changes are suggested by David Hildenbrand.
        PATCH[1] adjusts MAX_PAGECACHE_ORDER to that supported by xarray
        PATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path
        PATCH[4] avoids PMD-sized page cache for shmem files if needed
      Test program
      ============
        # cat test.c
        #define _GNU_SOURCE
        #include <stdio.h>
        #include <stdlib.h>
        #include <unistd.h>
        #include <string.h>
        #include <fcntl.h>
        #include <errno.h>
        #include <sys/syscall.h>
        #include <sys/mman.h>

        #define TEST_XFS_FILENAME   "/tmp/data"
        #define TEST_SHMEM_FILENAME "/dev/shm/data"
        #define TEST_MEM_SIZE       0x20000000

        int main(int argc, char **argv)
        {
            const char *filename;
            int fd = 0;
            void *buf = (void *)-1, *p;
            int pgsize = getpagesize();
            int ret;

            if (pgsize != 0x10000) {
                fprintf(stderr, "64KB base page size is required\n");
                return -EPERM;
            }

            system("echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled");
            system("rm -fr /tmp/data");
            system("rm -fr /dev/shm/data");
            system("echo 1 > /proc/sys/vm/drop_caches");

            /* Open xfs or shmem file */
            filename = TEST_XFS_FILENAME;
            if (argc > 1 && !strcmp(argv[1], "shmem"))
                filename = TEST_SHMEM_FILENAME;

            fd = open(filename, O_CREAT | O_RDWR | O_TRUNC);
            if (fd < 0) {
                fprintf(stderr, "Unable to open <%s>\n", filename);
                return -EIO;
            }

            /* Extend file size */
            ret = ftruncate(fd, TEST_MEM_SIZE);
            if (ret) {
                fprintf(stderr, "Error %d to ftruncate()\n", ret);
                goto cleanup;
            }

            /* Create VMA */
            buf = mmap(NULL, TEST_MEM_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
            if (buf == (void *)-1) {
                fprintf(stderr, "Unable to mmap <%s>\n", filename);
                goto cleanup;
            }

            fprintf(stdout, "mapped buffer at 0x%p\n", buf);
            ret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);
            if (ret) {
                fprintf(stderr, "Unable to madvise(MADV_HUGEPAGE)\n");
                goto cleanup;
            }

            /* Populate VMA */
            ret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE);
            if (ret) {
                fprintf(stderr, "Error %d to madvise(MADV_POPULATE_WRITE)\n", ret);
                goto cleanup;
            }

            /* Punch the file to enforce xarray split */
            ret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,
                            TEST_MEM_SIZE - pgsize, pgsize);
            if (ret)
                fprintf(stderr, "Error %d to fallocate()\n", ret);

        cleanup:
            if (buf != (void *)-1)
                munmap(buf, TEST_MEM_SIZE);
            if (fd > 0)
                close(fd);

            return 0;
        }

        # gcc test.c -o test
        # cat /proc/1/smaps | grep KernelPageSize | head -n 1
        KernelPageSize: 64 kB
        # ./test shmem
        :
        ------------[ cut here ]------------
        WARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128
        Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink vfat fat virtio_balloon drm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 virtio_net sha1_ce net_failover failover virtio_console virtio_blk dimlib virtio_mmio
        CPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12
        Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024
        pstate: 83400005 (Nzcv daif +PAN -UAO +TC ---truncated---
      Solution(s): redhat-upgrade-kernel, redhat-upgrade-kernel-rt
      References: CVE-2024-42243, RHSA-2024:10771, RHSA-2024:6744, RHSA-2024:6745
  17. Red Hat: CVE-2024-42237: kernel: firmware: cs_dsp: Validate payload length before processing block (Multiple Advisories)
      Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
      Published 08/07/2024, Created 09/26/2024, Added 09/25/2024, Modified 02/10/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Validate payload length before processing block. Move the payload length check in cs_dsp_load() and cs_dsp_coeff_load() to be done before the block is processed. The check that the length of a block payload does not exceed the number of remaining bytes in the firmware file buffer was being done near the end of the loop iteration. However, some code before that check used the length field without validating it.
      Solution(s): redhat-upgrade-kernel, redhat-upgrade-kernel-rt
      References: CVE-2024-42237, RHSA-2024:10771, RHSA-2024:7000, RHSA-2024:7001, RHSA-2024:9315
  18. Red Hat: CVE-2024-42245: kernel: Revert "sched/fair: Make sure to try to detach at least one movable task" (Multiple Advisories)
      Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
      Published 08/07/2024, Created 12/06/2024, Added 12/05/2024, Modified 12/05/2024
      Description: In the Linux kernel, the following vulnerability has been resolved: Revert "sched/fair: Make sure to try to detach at least one movable task". This reverts commit b0defa7ae03ecf91b8bfd10ede430cff12fcbd06. b0defa7ae03ec changed the load balancing logic to ignore env.max_loop if all tasks examined to that point were pinned. The goal of the patch was to make it more likely to be able to detach a task buried in a long list of pinned tasks. However, this has the unfortunate side effect of creating an O(n) iteration in detach_tasks(), as we now must fully iterate every task on a cpu if all or most are pinned. Since this load balance code is done with rq lock held, and often in softirq context, it is very easy to trigger hard lockups. We observed such hard lockups with a user who affined O(10k) threads to a single cpu. When I discussed this with Vincent he initially suggested that we keep the limit on the number of tasks to detach, but increase the number of tasks we can search. However, after some back and forth on the mailing list, he recommended we instead revert the original patch, as it seems likely no one was actually getting hit by the original issue.
      Solution(s): redhat-upgrade-kernel, redhat-upgrade-kernel-rt
      References: CVE-2024-42245, RHSA-2024:9315
  19. Red Hat: CVE-2024-42244: kernel: USB: serial: mos7840: fix crash on resume (Multiple Advisories)
      Severity 4, CVSS (AV:L/AC:L/Au:M/C:N/I:N/A:C)
      Published 08/07/2024, Created 11/07/2024, Added 11/06/2024, Modified 02/10/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: USB: serial: mos7840: fix crash on resume. Since commit c49cfa917025 ("USB: serial: use generic method if no alternative is provided in usb serial layer"), USB serial core calls the generic resume implementation when the driver has not provided one. This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than mos7840 port structure. Fix this by implementing dedicated suspend and resume functions for mos7840. Tested with Delock 87414 USB 2.0 to 4x serial adapter. [ johan: analyse crash and rewrite commit message; set busy flag on resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]
      Solution(s): redhat-upgrade-kernel, redhat-upgrade-kernel-rt
      References: CVE-2024-42244, RHSA-2024:10274, RHSA-2024:10771, RHSA-2024:8856, RHSA-2024:8870
  20. Red Hat: CVE-2024-42241: kernel: mm/shmem: disable PMD-sized page cache if needed (Multiple Advisories)
      Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
      Published 08/07/2024, Created 09/20/2024, Added 09/19/2024, Modified 02/10/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: mm/shmem: disable PMD-sized page cache if needed. For shmem files, it's possible that PMD-sized page cache can't be supported by xarray. For example, 512MB page cache on ARM64 when the base page size is 64KB can't be supported by xarray. It leads to errors as the following messages indicate when this sort of xarray entry is split.
        WARNING: CPU: 34 PID: 7578 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128
        Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_net net_failover virtio_console virtio_blk failover dimlib virtio_mmio
        CPU: 34 PID: 7578 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9
        Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024
        pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
        pc : xas_split_alloc+0xf8/0x128
        lr : split_huge_page_to_list_to_order+0x1c4/0x720
        Call trace:
         xas_split_alloc+0xf8/0x128
         split_huge_page_to_list_to_order+0x1c4/0x720
         truncate_inode_partial_folio+0xdc/0x160
         shmem_undo_range+0x2bc/0x6a8
         shmem_fallocate+0x134/0x430
         vfs_fallocate+0x124/0x2e8
         ksys_fallocate+0x4c/0xa0
         __arm64_sys_fallocate+0x24/0x38
         invoke_syscall.constprop.0+0x7c/0xd8
         do_el0_svc+0xb4/0xd0
         el0_svc+0x44/0x1d8
         el0t_64_sync_handler+0x134/0x150
         el0t_64_sync+0x17c/0x180
      Fix it by disabling PMD-sized page cache when HPAGE_PMD_ORDER is larger than MAX_PAGECACHE_ORDER. As Matthew Wilcox pointed out, the page cache in a shmem file isn't represented by a multi-index entry and didn't have this limitation when the xarray entry is split until commit 6b24ca4a1a8d ("mm: Use multi-index entries in the page cache").
      Solution(s): redhat-upgrade-kernel, redhat-upgrade-kernel-rt
      References: CVE-2024-42241, RHSA-2024:10771, RHSA-2024:6744, RHSA-2024:6745
  21. VMware Photon OS: CVE-2024-42246
      Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
      Published 08/07/2024, Created 01/21/2025, Added 01/20/2025, Modified 02/04/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket. When using a BPF program on kernel_connect(), the call can return -EPERM. This causes xs_tcp_setup_socket() to loop forever, filling up the syslog and causing the kernel to potentially freeze up. Neil suggested: This will propagate -EPERM up into other layers which might not be ready to handle it. It might be safer to map EPERM to an error we would be more likely to expect from the network system - such as ECONNREFUSED or ENETDOWN. ECONNREFUSED as error seems reasonable. For programs setting a different error can be out of reach (see handling in 4fbac77d2d09) in particular on kernels which do not have f10d05966196 ("bpf: Make BPF_PROG_RUN_ARRAY return -err instead of allow boolean"), thus given that it is better to simply remap for consistent behavior. UDP does handle EPERM in xs_udp_send_request().
      Solution(s): vmware-photon_os_update_tdnf
      References: https://attackerkb.com/topics/cve-2024-42246, CVE-2024-42246
  22. Red Hat: CVE-2024-42238: kernel: firmware: cs_dsp: Return error if block header overflows file (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 08/07/2024 Created 09/26/2024 Added 09/25/2024 Modified 02/10/2025 Description In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Return error if block header overflows file Return an error from cs_dsp_power_up() if a block header is longer than the amount of data left in the file. The previous code in cs_dsp_load() and cs_dsp_load_coeff() would loop while there was enough data left in the file for a valid region. This protected against overrunning the end of the file data, but it didn't abort the file processing with an error. Solution(s) redhat-upgrade-kernel redhat-upgrade-kernel-rt References CVE-2024-42238 RHSA-2024:10771 RHSA-2024:7000 RHSA-2024:7001 RHSA-2024:9315
  23. Oracle Linux: CVE-2024-42240: ELSA-2024-7000:kernel security update (IMPORTANT) (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 08/07/2024 Created 10/24/2024 Added 10/16/2024 Modified 12/10/2024 Description In the Linux kernel, the following vulnerability has been resolved: x86/bhi: Avoid warning in #DB handler due to BHI mitigation When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the clear_bhb_loop() before the TF flag is cleared. This causes the #DB handler (exc_debug_kernel()) to issue a warning because single-step is used outside the entry_SYSENTER_compat() function. To address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY after making sure the TF flag is cleared. The problem can be reproduced with the following sequence: $ cat sysenter_step.c int main() { asm("pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter"); } $ gcc -o sysenter_step sysenter_step.c $ ./sysenter_step Segmentation fault (core dumped) The program is expected to crash, and the #DB handler will issue a warning. Kernel log: WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160 ... RIP: 0010:exc_debug_kernel+0xd2/0x160 ... Call Trace: <#DB> ? show_regs+0x68/0x80 ? __warn+0x8c/0x140 ? exc_debug_kernel+0xd2/0x160 ? report_bug+0x175/0x1a0 ? handle_bug+0x44/0x90 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? exc_debug_kernel+0xd2/0x160 exc_debug+0x43/0x50 asm_exc_debug+0x1e/0x40 RIP: 0010:clear_bhb_loop+0x0/0xb0 ... </#DB> <TASK> ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d </TASK> [ bp: Massage commit message. ] Solution(s) oracle-linux-upgrade-kernel References https://attackerkb.com/topics/cve-2024-42240 CVE - 2024-42240 ELSA-2024-7000
  24. Google Chrome Vulnerability: CVE-2024-7532 Out of bounds memory access in ANGLE Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 08/07/2024 Created 08/08/2024 Added 08/07/2024 Modified 01/28/2025 Description Out of bounds memory access in ANGLE in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2024-7532 CVE - 2024-7532
  25. Gentoo Linux: GLSA 202408-04: Levenshtein: Remote Code Execution Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 08/07/2024 Created 08/08/2024 Added 08/08/2024 Modified 08/08/2024 Description Fixed handling of numerous possible wraparounds in calculating the size of memory allocations; incorrect handling of these could cause denial of service or even possible remote code execution. Solution(s) gentoo-linux-upgrade-dev-python-levenshtein References 202408-04