mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-05-06 18:52:58 +00:00
Auto-Update: 2024-05-12T02:00:30.069085+00:00
This commit is contained in:
cad-safe-bot
parent
639584b26d
commit
20629f304f
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability classified as critical has been found in CherishSin klattr. This affects an unknown part. The manipulation leads to sql injection. The patch is named f8e4ecfbb83aef577011b0b4aebe96fb6ec557f1. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217719."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha encontrado una vulnerabilidad en CherishSin klattr y ha sido clasificada como cr\u00edtica. Esto afecta a una parte desconocida. La manipulaci\u00f3n conduce a la inyecci\u00f3n de SQL. El parche se llama f8e4ecfbb83aef577011b0b4aebe96fb6ec557f1. Se recomienda aplicar un parche para solucionar este problema. El identificador asociado de esta vulnerabilidad es VDB-217719."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability, which was classified as critical, has been found in glidernet ogn-live. This issue affects some unknown processing. The manipulation leads to sql injection. The patch is named bc0f19965f760587645583b7624d66a260946e01. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217487."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha encontrado una vulnerabilidad en glidernet ogn-live y se ha clasificado como cr\u00edtica. Este problema afecta alg\u00fan procesamiento desconocido. La manipulaci\u00f3n conduce a la inyecci\u00f3n SQL. El parche se llama bc0f19965f760587645583b7624d66a260946e01. Se recomienda aplicar un parche para solucionar este problema. El identificador asociado de esta vulnerabilidad es VDB-217487."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability, which was classified as problematic, was found in galaxy-data-resource up to 14.10.0. This affects an unknown part of the component Command Line Template. The manipulation leads to injection. Upgrading to version 14.10.1 is able to address this issue. The patch is named 50d65f45d3f5be5d1fbff2e45ac5cec075f07d42. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-218451."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha encontrado una vulnerabilidad en galaxy-data-resource hasta 14.10.0 y se ha clasificado como problem\u00e1tica. Una parte desconocida del componente Command Line Template afecta a una parte desconocida. La manipulaci\u00f3n conduce a la inyecci\u00f3n. La actualizaci\u00f3n a la versi\u00f3n 14.10.1 puede solucionar este problema. El parche se llama 50d65f45d3f5be5d1fbff2e45ac5cec075f07d42. Se recomienda actualizar el componente afectado. El identificador asociado de esta vulnerabilidad es VDB-218451."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability was found in saemorris TheRadSystem and classified as critical. This issue affects the function redirect of the file _login.php. The manipulation of the argument user/pass leads to sql injection. The attack may be initiated remotely. The identifier of the patch is bfba26bd34af31648a11af35a0bb66f1948752a6. It is recommended to apply a patch to fix this issue. The identifier VDB-218453 was assigned to this vulnerability."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha encontrado una vulnerabilidad en saemorris TheRadSystem y se ha clasificado como cr\u00edtica. Este problema afecta la funci\u00f3n de redirecci\u00f3n del archivo _login.php. La manipulaci\u00f3n del argumento usuario/contrase\u00f1a conduce a la inyecci\u00f3n SQL. El ataque puede iniciarse de forma remota. El identificador del parche es bfba26bd34af31648a11af35a0bb66f1948752a6. Se recomienda aplicar un parche para solucionar este problema. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-218453."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability was found in VictorFerraresi pokemon-database-php. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to sql injection. The patch is named dd0e1e6cdf648d6a3deff441f515bcb1d7573d68. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218455."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se encontr\u00f3 una vulnerabilidad en VictorFerraresi pokemon-database-php. Ha sido declarada cr\u00edtica. Una funcionalidad desconocida es afectada por esta vulnerabilidad. La manipulaci\u00f3n conduce a la inyecci\u00f3n SQL. El parche se llama dd0e1e6cdf648d6a3deff441f515bcb1d7573d68. Se recomienda aplicar un parche para solucionar este problema. El identificador asociado de esta vulnerabilidad es VDB-218455."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se descubri\u00f3 una vulnerabilidad de fuga de informaci\u00f3n en el servidor LDAP de Samba. Debido a la falta de comprobaciones de control de acceso, un atacante autenticado pero sin privilegios podr\u00eda descubrir los nombres y atributos conservados de los objetos eliminados en el almac\u00e9n LDAP."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2018-03-06T20:29:00.563",
|
||||
"lastModified": "2023-11-07T02:58:49.357",
|
||||
"vulnStatus": "Modified",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2018-03-06T20:29:00.657",
|
||||
"lastModified": "2023-11-07T02:58:49.433",
|
||||
"vulnStatus": "Modified",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 190837."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "IBM Cognos Controller 10.4.1, 10.4.2 y 11.0.0 utiliza algoritmos criptogr\u00e1ficos m\u00e1s d\u00e9biles de lo esperado que podr\u00edan permitir a un atacante descifrar informaci\u00f3n altamente confidencial. ID de IBM X-Force: 190837."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 196640."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "IBM Cognos Controller 10.4.1, 10.4.2 y 11.0.0 no establece el atributo seguro en los tokens de autorizaci\u00f3n ni en las cookies de sesi\u00f3n. Los atacantes pueden obtener los valores de las cookies enviando un enlace http:// a un usuario o colocando este enlace en un sitio al que accede el usuario. La cookie se enviar\u00e1 al enlace inseguro y el atacante podr\u00e1 obtener el valor de la cookie espiando el tr\u00e1fico. ID de IBM X-Force: 196640."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 196643."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "IBM Cognos Controller 10.4.1, 10.4.2 y 11.0.0 es vulnerable a la inyecci\u00f3n SQL. Un atacante remoto podr\u00eda enviar declaraciones SQL especialmente dise\u00f1adas, que podr\u00edan permitirle ver, agregar, modificar o eliminar informaci\u00f3n en la base de datos back-end. ID de IBM X-Force: 196643."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 could allow a remote user to enumerate usernames due to differentiating error messages on existing usernames. IBM X-Force ID: 199181."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "IBM Cognos Controller 10.4.1, 10.4.2 y 11.0.0 podr\u00edan permitir que un usuario remoto enumere nombres de usuarios debido a mensajes de error diferenciadores en nombres de usuarios existentes. ID de IBM X-Force: 199181."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "HCL BigFix Mobile / Modern Client Management Admin and Config UI passwords can be brute-forced.\nUser should be locked out for multiple invalid attempts.\n\n"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Las contrase\u00f1as de interfaz de usuario de configuraci\u00f3n y administrador de HCL BigFix Mobile/Modern Client Management se pueden forzar por fuerza bruta. El usuario debe ser bloqueado por m\u00faltiples intentos no v\u00e1lidos."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "Cross Site Scripting (XSS) in Tasmota firmware 6.5.0 allows remote attackers to inject JavaScript code via a crafted string in the field \"Friendly Name 1\"."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Cross Site Scripting (XSS) en el firmware Tasmota 6.5.0 permite a atacantes remotos inyectar c\u00f3digo JavaScript a trav\u00e9s de una cadena manipulada en el campo \"Friendly Name 1\"."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to inject arbitrary commands on the underlying operating system.\r\n\r This vulnerability is due to improper validation of user input within requests as part of the web-based management interface. An attacker could exploit this vulnerability by manipulating requests to the web-based management interface to contain operating system commands. A successful exploit could allow the attacker to execute arbitrary operating system commands on the underlying operating system with the privileges of the web services user.\r\n\r Cisco has not yet released software updates that address this vulnerability. "
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Una vulnerabilidad en la interfaz de administraci\u00f3n basada en web de Cisco Identity Services Engine podr\u00eda permitir que un atacante remoto autenticado inyecte comandos arbitrarios en el sistema operativo subyacente. Esta vulnerabilidad se debe a una validaci\u00f3n inadecuada de la entrada del usuario dentro de las solicitudes como parte de la interfaz de administraci\u00f3n basada en web. Un atacante podr\u00eda aprovechar esta vulnerabilidad manipulando las solicitudes a la interfaz de administraci\u00f3n basada en web para que contenga comandos del sistema operativo. Un exploit exitoso podr\u00eda permitir al atacante ejecutar comandos arbitrarios del sistema operativo en el sistema operativo subyacente con los privilegios del usuario de servicios web. Cisco a\u00fan no ha publicado actualizaciones de software que aborden esta vulnerabilidad."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to take privileges actions within the web-based management interface.\r\n\r This vulnerability is due to improper access control on a feature within the web-based management interface of the affected system. An attacker could exploit this vulnerability by accessing features through direct requests, bypassing checks within the application. A successful exploit could allow the attacker to take privileged actions within the web-based management interface that should be otherwise restricted.\r\n\r \r\n\r {{value}} [\"%7b%7bvalue%7d%7d\"])}]]\r\n"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Una vulnerabilidad en la interfaz de administraci\u00f3n basada en web de Cisco Identity Services Engine podr\u00eda permitir que un atacante remoto autenticado realice acciones de privilegios dentro de la interfaz de administraci\u00f3n basada en web. Esta vulnerabilidad se debe a un control de acceso inadecuado a una funci\u00f3n dentro de la interfaz de administraci\u00f3n basada en web del sistema afectado. Un atacante podr\u00eda aprovechar esta vulnerabilidad accediendo a funciones a trav\u00e9s de solicitudes directas, evitando las comprobaciones dentro de la aplicaci\u00f3n. Un exploit exitoso podr\u00eda permitir al atacante realizar acciones privilegiadas dentro de la interfaz de administraci\u00f3n basada en web que de otro modo deber\u00edan estar restringidas. {{valor}} [\"%7b%7bvalor%7d%7d\"])}]]"
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to external service interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 220903."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "IBM Cognos Controller 10.4.1, 10.4.2 y 11.0.0 es vulnerable a ataques de interacci\u00f3n de servicios externos, causados por una validaci\u00f3n inadecuada de la entrada proporcionada por el usuario. Un atacante remoto podr\u00eda aprovechar esta vulnerabilidad para inducir a la aplicaci\u00f3n a realizar b\u00fasquedas de DNS en el lado del servidor o solicitudes HTTP a nombres de dominio arbitrarios. Al enviar cargas \u00fatiles adecuadas, un atacante puede hacer que el servidor de aplicaciones ataque otros sistemas con los que puede interactuar. ID de IBM X-Force: 220903."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This vulnerability allowed an app installed on an organization to gain access to and modify most organization-level resources that are not tied to a repository regardless of granted permissions, such as users and organization-wide projects. Resources associated with repositories were not impacted, such as repository file content, repository-specific projects, issues, or pull requests. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.1 and was fixed in versions 3.3.16, 3.4.11, 3.5.8, 3.6.4, 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se identific\u00f3 una vulnerabilidad de autorizaci\u00f3n incorrecta en GitHub Enterprise Server, lo que permite escalar privilegios en solicitudes de API GraphQL desde GitHub Apps. Esta vulnerabilidad permiti\u00f3 que una aplicaci\u00f3n instalada en una organizaci\u00f3n obtuviera acceso y modificara la mayor\u00eda de los recursos a nivel de la organizaci\u00f3n que no est\u00e1n vinculados a un repositorio, independientemente de los permisos otorgados, como usuarios y proyectos de toda la organizaci\u00f3n. Los recursos asociados con los repositorios no se vieron afectados, como el contenido de los archivos del repositorio, los proyectos espec\u00edficos del repositorio, los problemas o las solicitudes de extracci\u00f3n. Esta vulnerabilidad afect\u00f3 a todas las versiones de GitHub Enterprise Server anteriores a la 3.7.1 y se solucion\u00f3 en las versiones 3.3.16, 3.4.11, 3.5.8, 3.6.4, 3.7.1. Esta vulnerabilidad se inform\u00f3 a trav\u00e9s del programa GitHub Bug Bounty."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "Versions of the package servst before 2.0.3 are vulnerable to Directory Traversal due to improper sanitization of the filePath variable.\r\r"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Las versiones del paquete servst anteriores a la 2.0.3 son vulnerables a Directory Traversal debido a una sanitizaci\u00f3n inadecuada de la variable filePath."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API.\r\r**Note:** This is exploitable only for users who are rendering templates with user-defined data.\r\r"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Las versiones del paquete eta anteriores a la 2.0.0 son vulnerables a la ejecuci\u00f3n remota de c\u00f3digo (RCE) al sobrescribir las variables de configuraci\u00f3n del motor de plantilla con las opciones de visualizaci\u00f3n recibidas de la API de renderizado Express. **Nota:** Esto solo es explotable para usuarios que renderizan plantillas con datos definidos por el usuario."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code.\nWe have already fixed this vulnerability in the following versions of QuTS hero, QTS:\nQuTS hero h5.0.1.2248 build 20221215 and later\nQTS 5.0.1.2234 build 20221201 and later\n"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se ha informado que una vulnerabilidad afecta al dispositivo QNAP que ejecuta QuTS hero, QTS. Si se explota, esta vulnerabilidad permite a atacantes remotos inyectar c\u00f3digo malicioso. Ya hemos solucionado esta vulnerabilidad en las siguientes versiones de QuTS hero, QTS: QuTS hero h5.0.1.2248 compilaci\u00f3n 20221215 y posteriores QTS 5.0.1.2234 compilaci\u00f3n 20221201 y posteriores"
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The WPQA Builder WordPress plugin before 5.9.3 (which is a companion plugin used with Discy and Himer Discy WordPress themes) incorrectly tries to validate that a user already follows another in the wpqa_following_you_ajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento WPQA Builder de WordPress anterior a 5.9.3 (que es un complemento complementario utilizado con los temas de WordPress de Discy y Himer Discy) intenta validar incorrectamente que un usuario ya sigue a otro en la acci\u00f3n wpqa_following_you_ajax, lo que permite al usuario inflar su puntuaci\u00f3n en el sitio hacer que otro usuario les env\u00ede acciones de seguimiento repetidas."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The WPtouch WordPress plugin before 4.3.45 does not properly validate images to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento WPtouch de WordPress anterior a 4.3.45 no valida correctamente las im\u00e1genes que se van a cargar, lo que permite a usuarios con privilegios elevados, como el administrador, cargar archivos arbitrarios en el servidor incluso cuando no se les deber\u00eda permitir (por ejemplo, en una configuraci\u00f3n multisitio)."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The WPtouch WordPress plugin before 4.3.45 unserialises the content of an imported settings file, which could lead to PHP object injections issues when an user import (intentionally or not) a malicious settings file and a suitable gadget chain is present on the blog."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento WPtouch de WordPress anterior a 4.3.45 deserializa el contenido de un archivo de configuraci\u00f3n importado, lo que podr\u00eda provocar problemas de inyecciones de objetos PHP cuando un usuario importa (intencionalmente o no) un archivo de configuraci\u00f3n malicioso y una cadena de gadgets adecuada est\u00e1 presente en el blog."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se encontr\u00f3 una falla en el paquete bash, donde puede ocurrir un desbordamiento del b\u00fafer de almacenamiento din\u00e1mico en el par\u00e1metro_transform v\u00e1lido. Este problema puede provocar problemas de memoria."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se encontr\u00f3 una falla en el kernel de Linux. Puede ocurrir una desreferencia de puntero NULL mientras un controlador de deslizamiento est\u00e1 en progreso para desconectarse en sl_tx_timeout en drivers/net/slip/slip.c. Este problema podr\u00eda permitir que un atacante bloquee el sistema o filtre informaci\u00f3n interna del kernel."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En freeradius, la funci\u00f3n EAP-PWD Compute_password_element() filtra informaci\u00f3n sobre la contrase\u00f1a, lo que permite a un atacante reducir sustancialmente el tama\u00f1o de un ataque de diccionario fuera de l\u00ednea."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En freeradius, cuando un solicitante de EAP-SIM env\u00eda una opci\u00f3n SIM desconocida, el servidor intentar\u00e1 buscar esa opci\u00f3n en los diccionarios internos. Esta b\u00fasqueda fallar\u00e1, pero el c\u00f3digo SIM no verificar\u00e1 ese error. En su lugar, eliminar\u00e1 la referencia a un puntero NULL y provocar\u00e1 que el servidor falle."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A flaw was found in freeradius. A malicious RADIUS client or home server can send a malformed abinary attribute which can cause the server to crash."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se encontr\u00f3 un defecto en freeradius. Un cliente RADIUS o un servidor dom\u00e9stico malicioso puede enviar un atributo binario con formato incorrecto que puede provocar que el servidor falle."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In libetpan a null pointer dereference in mailimap_mailbox_data_status_free in low-level/imap/mailimap_types.c was found that could lead to a remote denial of service or other potential consequences."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En libetpan se encontr\u00f3 una desreferencia de puntero nulo en mailimap_mailbox_data_status_free en low-level/imap/mailimap_types.c que podr\u00eda provocar una denegaci\u00f3n remota de servicio u otras posibles consecuencias."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "NVIDIA BMC contains a vulnerability in IPMI handler, where an authorized attacker can cause a buffer overflow and cause a denial of service or gain code execution."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "NVIDIA BMC contiene una vulnerabilidad en el controlador IPMI, donde un atacante autorizado puede provocar un desbordamiento del b\u00fafer y provocar una denegaci\u00f3n de servicio u obtener la ejecuci\u00f3n de c\u00f3digo."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "NVIDIA BMC stores user passwords in an obfuscated form in a database accessible by the host. This may lead to a credentials exposure."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "NVIDIA BMC almacena las contrase\u00f1as de los usuarios de forma ofuscada en una base de datos a la que puede acceder el host. Esto puede provocar una exposici\u00f3n de las credenciales."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "DGX A100 SBIOS contains a vulnerability in the Pre-EFI Initialization (PEI)phase, where a privileged user can disable SPI flash protection, which may lead to denial of service, escalation of privileges, or data tampering."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "DGX A100 SBIOS contiene una vulnerabilidad en la fase de inicializaci\u00f3n previa a EFI (PEI), donde un usuario privilegiado puede desactivar la protecci\u00f3n flash SPI, lo que puede provocar denegaci\u00f3n de servicio, escalada de privilegios o manipulaci\u00f3n de datos."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "DGX A100 SBIOS contains a vulnerability in Bds, which may lead to code execution, denial of service, or escalation of privileges."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "DGX A100 SBIOS contiene una vulnerabilidad en Bds, que puede provocar la ejecuci\u00f3n de c\u00f3digo, denegaci\u00f3n de servicio o escalada de privilegios."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "NVIDIA BMC contains a vulnerability in IPMI handler, where an authorized attacker can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, information disclosure and data tampering."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "NVIDIA BMC contiene una vulnerabilidad en el controlador IPMI, donde un atacante autorizado puede cargar y descargar archivos arbitrarios bajo ciertas circunstancias, lo que puede provocar denegaci\u00f3n de servicio, escalada de privilegios, divulgaci\u00f3n de informaci\u00f3n y manipulaci\u00f3n de datos."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "NVIDIA BMC contains a vulnerability in IPMI handler, where an unauthorized attacker can use certain oracles to guess a valid BMC username, which may lead to an information disclosure."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "NVIDIA BMC contiene una vulnerabilidad en el controlador IPMI, donde un atacante no autorizado puede utilizar ciertos or\u00e1culos para adivinar un nombre de usuario de BMC v\u00e1lido, lo que puede dar lugar a una divulgaci\u00f3n de informaci\u00f3n."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "NVIDIA BMC contains a vulnerability in SPX REST API, where an authorized attacker can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure and data tampering."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "NVIDIA BMC contiene una vulnerabilidad en SPX REST API, donde un atacante autorizado puede inyectar comandos de shell arbitrarios, lo que puede provocar la ejecuci\u00f3n de c\u00f3digo, denegaci\u00f3n de servicio, divulgaci\u00f3n de informaci\u00f3n y manipulaci\u00f3n de datos."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "NVIDIA BMC contains a vulnerability in SPX REST API, where an authorized attacker can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure and data tampering."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "NVIDIA BMC contiene una vulnerabilidad en SPX REST API, donde un atacante autorizado puede inyectar comandos de shell arbitrarios, lo que puede provocar la ejecuci\u00f3n de c\u00f3digo, denegaci\u00f3n de servicio, divulgaci\u00f3n de informaci\u00f3n y manipulaci\u00f3n de datos."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. Crafted data in a U3D file can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-18344."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Esta vulnerabilidad permite a atacantes remotos revelar informaci\u00f3n confidencial sobre las instalaciones afectadas de PDF-XChange Editor. Se requiere la interacci\u00f3n del usuario para aprovechar esta vulnerabilidad, ya que el objetivo debe visitar una p\u00e1gina maliciosa o abrir un archivo malicioso. La falla espec\u00edfica existe en el an\u00e1lisis de archivos U3D. Los datos manipulados en un archivo U3D pueden desencadenar una lectura m\u00e1s all\u00e1 del final de un b\u00fafer asignado. Un atacante puede aprovechar esto junto con otras vulnerabilidades para ejecutar c\u00f3digo arbitrario en el contexto del proceso actual. Era ZDI-CAN-18344."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. Crafted data in a U3D file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18345."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Esta vulnerabilidad permite a atacantes remotos ejecutar c\u00f3digo arbitrario en instalaciones afectadas de PDF-XChange Editor. Se requiere la interacci\u00f3n del usuario para aprovechar esta vulnerabilidad, ya que el objetivo debe visitar una p\u00e1gina maliciosa o abrir un archivo malicioso. La falla espec\u00edfica existe en el an\u00e1lisis de archivos U3D. Los datos manipulados en un archivo U3D pueden desencadenar una escritura m\u00e1s all\u00e1 del final de un b\u00fafer asignado. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del proceso actual. Era ZDI-CAN-18345."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. Crafted data in a U3D file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18346."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Esta vulnerabilidad permite a atacantes remotos ejecutar c\u00f3digo arbitrario en instalaciones afectadas de PDF-XChange Editor. Se requiere la interacci\u00f3n del usuario para aprovechar esta vulnerabilidad, ya que el objetivo debe visitar una p\u00e1gina maliciosa o abrir un archivo malicioso. La falla espec\u00edfica existe en el an\u00e1lisis de archivos U3D. Los datos manipulados en un archivo U3D pueden desencadenar una escritura m\u00e1s all\u00e1 del final de un b\u00fafer asignado. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del proceso actual. Era ZDI-CAN-18346."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. Crafted data in a U3D file can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18347."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Esta vulnerabilidad permite a atacantes remotos ejecutar c\u00f3digo arbitrario en instalaciones afectadas de PDF-XChange Editor. Se requiere la interacci\u00f3n del usuario para aprovechar esta vulnerabilidad, ya que el objetivo debe visitar una p\u00e1gina maliciosa o abrir un archivo malicioso. La falla espec\u00edfica existe en el an\u00e1lisis de archivos U3D. Los datos manipulados en un archivo U3D pueden desencadenar una lectura m\u00e1s all\u00e1 del final de un b\u00fafer asignado. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del proceso actual. Era ZDI-CAN-18347."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. Crafted data in a U3D file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18402."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Esta vulnerabilidad permite a atacantes remotos ejecutar c\u00f3digo arbitrario en instalaciones afectadas de PDF-XChange Editor. Se requiere la interacci\u00f3n del usuario para aprovechar esta vulnerabilidad, ya que el objetivo debe visitar una p\u00e1gina maliciosa o abrir un archivo malicioso. La falla espec\u00edfica existe en el an\u00e1lisis de archivos U3D. Los datos manipulados en un archivo U3D pueden desencadenar una escritura m\u00e1s all\u00e1 del final de un b\u00fafer asignado. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del proceso actual. Era ZDI-CAN-18402."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18403."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Esta vulnerabilidad permite a atacantes remotos ejecutar c\u00f3digo arbitrario en instalaciones afectadas de PDF-XChange Editor. Se requiere la interacci\u00f3n del usuario para aprovechar esta vulnerabilidad, ya que el objetivo debe visitar una p\u00e1gina maliciosa o abrir un archivo malicioso. La falla espec\u00edfica existe en el an\u00e1lisis de archivos U3D. El problema surge de la falta de validaci\u00f3n de la existencia de un objeto antes de realizar operaciones sobre \u00e9l. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del proceso actual. Era ZDI-CAN-18403."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. Crafted data in a U3D file can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-18404."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Esta vulnerabilidad permite a atacantes remotos revelar informaci\u00f3n confidencial sobre las instalaciones afectadas de PDF-XChange Editor. Se requiere la interacci\u00f3n del usuario para aprovechar esta vulnerabilidad, ya que el objetivo debe visitar una p\u00e1gina maliciosa o abrir un archivo malicioso. La falla espec\u00edfica existe en el an\u00e1lisis de archivos U3D. Los datos manipulados en un archivo U3D pueden desencadenar una lectura m\u00e1s all\u00e1 del final de un b\u00fafer asignado. Un atacante puede aprovechar esto junto con otras vulnerabilidades para ejecutar c\u00f3digo arbitrario en el contexto del proceso actual. Era ZDI-CAN-18404."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. Crafted data in a U3D file can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-18529."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Esta vulnerabilidad permite a atacantes remotos revelar informaci\u00f3n confidencial sobre las instalaciones afectadas de PDF-XChange Editor. Se requiere la interacci\u00f3n del usuario para aprovechar esta vulnerabilidad, ya que el objetivo debe visitar una p\u00e1gina maliciosa o abrir un archivo malicioso. La falla espec\u00edfica existe en el an\u00e1lisis de archivos U3D. Los datos manipulados en un archivo U3D pueden desencadenar una lectura m\u00e1s all\u00e1 del final de un b\u00fafer asignado. Un atacante puede aprovechar esto junto con otras vulnerabilidades para ejecutar c\u00f3digo arbitrario en el contexto del proceso actual. Era ZDI-CAN-18529."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18630."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Esta vulnerabilidad permite a atacantes remotos ejecutar c\u00f3digo arbitrario en instalaciones afectadas de PDF-XChange Editor. Se requiere la interacci\u00f3n del usuario para aprovechar esta vulnerabilidad, ya que el objetivo debe visitar una p\u00e1gina maliciosa o abrir un archivo malicioso. La falla espec\u00edfica existe en el an\u00e1lisis de archivos U3D. El problema se debe a la falta de validaci\u00f3n adecuada de los datos proporcionados por el usuario, lo que puede provocar una condici\u00f3n de corrupci\u00f3n de la memoria. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del proceso actual. Era ZDI-CAN-18630."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. Crafted data in a U3D file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18631."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Esta vulnerabilidad permite a atacantes remotos ejecutar c\u00f3digo arbitrario en instalaciones afectadas de PDF-XChange Editor. Se requiere la interacci\u00f3n del usuario para aprovechar esta vulnerabilidad, ya que el objetivo debe visitar una p\u00e1gina maliciosa o abrir un archivo malicioso. La falla espec\u00edfica existe en el an\u00e1lisis de archivos U3D. Los datos manipulados en un archivo U3D pueden desencadenar una escritura m\u00e1s all\u00e1 del final de un b\u00fafer asignado. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del proceso actual. Era ZDI-CAN-18631."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. Crafted data in a U3D file can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18648."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Esta vulnerabilidad permite a atacantes remotos ejecutar c\u00f3digo arbitrario en instalaciones afectadas de PDF-XChange Editor. Se requiere la interacci\u00f3n del usuario para aprovechar esta vulnerabilidad, ya que el objetivo debe visitar una p\u00e1gina maliciosa o abrir un archivo malicioso. La falla espec\u00edfica existe en el an\u00e1lisis de archivos U3D. Los datos manipulados en un archivo U3D pueden desencadenar una lectura m\u00e1s all\u00e1 del final de un b\u00fafer asignado. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del proceso actual. Era ZDI-CAN-18648."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The All-in-One Addons for Elementor WordPress plugin before 2.4.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento All-in-One Addons for Elementor de WordPress anterior a 2.4.4 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar cross-site scripting almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida ( por ejemplo en configuraci\u00f3n multisitio)"
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The WP-Ban WordPress plugin before 1.69.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento WP-Ban de WordPress anterior a 1.69.1 no sanitiza ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar cross-site scripting almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en la configuraci\u00f3n de m\u00faltiples sitios)."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento WP AutoComplete Search de WordPress hasta la versi\u00f3n 1.0.4 no sanitiza ni escapa un par\u00e1metro antes de usarlo en una declaraci\u00f3n SQL a trav\u00e9s de un AJAX disponible para usuarios no autenticados, lo que lleva a una inyecci\u00f3n SQL no autenticado."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The Wholesale Market WordPress plugin before 2.2.1 does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento Wholesale Market de WordPress anterior a 2.2.1 no tiene verificaci\u00f3n de autorizaci\u00f3n y tampoco valida la entrada del usuario utilizada para generar la ruta del sistema, lo que permite a atacantes no autenticados descargar archivos arbitrarios desde el servidor."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A buffer overflow vulnerability exists in Linksys WRT54GL Wireless-G Broadband Router with firmware <= 4.30.18.006. A stack-based buffer overflow in the Start_EPI function within the httpd binary allows an authenticated attacker with administrator privileges to execute arbitrary commands on the underlying Linux operating system as root. This vulnerablity can be triggered over the network via a malicious POST request to /apply.cgi."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Existe una vulnerabilidad de desbordamiento del b\u00fafer en el router Linksys WRT54GL Wireless-G Broadband con firmware <= 4.30.18.006. Un desbordamiento de b\u00fafer en la regi\u00f3n stack de la memoria en la funci\u00f3n Start_EPI dentro del binario httpd permite a un atacante autenticado con privilegios de administrador ejecutar comandos arbitrarios en el sistema operativo Linux subyacente como root. Esta vulnerabilidad se puede activar a trav\u00e9s de la red mediante una solicitud POST maliciosa a /apply.cgi."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "An arbitrary code exection vulnerability exists in Linksys WUMC710 Wireless-AC Universal Media Connector with firmware <= 1.0.02 (build3). The do_setNTP function within the httpd binary uses unvalidated user input in the construction of a system command. An authenticated attacker with administrator privileges can leverage this vulnerability over the network via a malicious GET or POST request to /setNTP.cgi to execute arbitrary commands on the underlying Linux operating system as root."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Existe una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo arbitrario en Linksys WUMC710 Wireless-AC Universal Media Connector con firmware <= 1.0.02 (build3). La funci\u00f3n do_setNTP dentro del binario httpd utiliza entradas de usuario no validadas en la construcci\u00f3n de un comando del sistema. Un atacante autenticado con privilegios de administrador puede aprovechar esta vulnerabilidad en la red mediante una solicitud GET o POST maliciosa a /setNTP.cgi para ejecutar comandos arbitrarios en el sistema operativo Linux subyacente como root."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A null pointer dereference vulnerability exists in Linksys WRT54GL Wireless-G Broadband Router with firmware <= 4.30.18.006. A null pointer dereference in the soap_action function within the upnp binary can be triggered by an unauthenticated attacker via a malicious POST request invoking the AddPortMapping action."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Existe una vulnerabilidad de desreferencia de puntero nulo en el router Linksys WRT54GL Wireless-G Broadband con firmware <= 4.30.18.006. Un atacante no autenticado puede desencadenar una desreferencia de puntero nulo en la funci\u00f3n SOAP_action dentro del binario upnp a trav\u00e9s de una solicitud POST maliciosa que invoca la acci\u00f3n AddPortMapping."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "An arbitrary code execution vulnerability exisits in Linksys WRT54GL Wireless-G Broadband Router with firmware <= 4.30.18.006. The Check_TSSI function within the httpd binary uses unvalidated user input in the construction of a system command. An authenticated attacker with administrator privileges can leverage this vulnerability over the network via a malicious POST request to /apply.cgi to execute arbitrary commands on the underlying Linux operating system as root."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Existe una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo arbitrario en el router Linksys WRT54GL Wireless-G Broadband con firmware <= 4.30.18.006. La funci\u00f3n Check_TSSI dentro del binario httpd utiliza entradas de usuario no validadas en la construcci\u00f3n de un comando del sistema. Un atacante autenticado con privilegios de administrador puede aprovechar esta vulnerabilidad en la red mediante una solicitud POST maliciosa a /apply.cgi para ejecutar comandos arbitrarios en el sistema operativo Linux subyacente como root."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The White Label CMS WordPress plugin before 2.5 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento White Label CMS de WordPress anterior a 2.5 deserializa la entrada del usuario proporcionada a trav\u00e9s de la configuraci\u00f3n, lo que podr\u00eda permitir a los usuarios con altos privilegios, como el administrador, realizar la inyecci\u00f3n de objetos PHP cuando hay un dispositivo adecuado presente."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The Custom Field Template WordPress plugin before 2.5.8 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento Custom Field Template de WordPress anterior a 2.5.8 deserializa el contenido de un archivo importado, lo que podr\u00eda provocar problemas de inyecciones de objetos PHP cuando un usuario con privilegios elevados importa (intencionalmente o no) un archivo de estilo de personalizador malicioso y una cadena de gadgets adecuada est\u00e1 presente en el blog."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The Product list Widget for Woocommerce WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users (such as high privilege one like admin)."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento Product list Widget for Woocommerce de WordPress hasta la versi\u00f3n 1.0 no sanitiza ni escapa un par\u00e1metro antes de devolverlo a la p\u00e1gina, lo que genera un cross-site scripting reflejado que podr\u00eda usarse contra usuarios autenticados y no autenticados (como uno con privilegios altos como administraci\u00f3n)."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The BookingPress WordPress plugin before 1.0.31 suffers from an Insecure Direct Object Reference (IDOR) vulnerability in it's thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointment_id query parameter."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento BookingPress de WordPress anterior a la versi\u00f3n 1.0.31 sufre una vulnerabilidad de Insecure Direct Object Reference (IDOR) en su p\u00e1gina de agradecimiento, lo que permite a cualquier visitante mostrar informaci\u00f3n sobre cualquier reserva, incluido el nombre completo, la fecha, la hora y el servicio reservado, manipulando el id de cita. par\u00e1metro de consulta."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The Qe SEO Handyman WordPress plugin through 1.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento Qe SEO Handyman de WordPress hasta la versi\u00f3n 1.0 no sanitiza ni escapa adecuadamente un par\u00e1metro antes de usarlo en una declaraci\u00f3n SQL, lo que genera una inyecci\u00f3n SQL explotable por usuarios con privilegios elevados, como el administrador."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The Qe SEO Handyman WordPress plugin through 1.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El complemento Qe SEO Handyman de WordPress hasta la versi\u00f3n 1.0 no sanitiza ni escapa adecuadamente un par\u00e1metro antes de usarlo en una declaraci\u00f3n SQL, lo que genera una inyecci\u00f3n SQL explotable por usuarios con privilegios elevados, como el administrador."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "D-Link DIR-859 A1 1.05 was discovered to contain a command injection vulnerability via the service= variable in the soapcgi_main function."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se descubri\u00f3 que D-Link DIR-859 A1 1.05 contiene una vulnerabilidad de inyecci\u00f3n de comandos a trav\u00e9s de la variable service= en la funci\u00f3n Soapcgi_main."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the gf_isom_box_parse_ex function at box_funcs.c."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se descubri\u00f3 que la versi\u00f3n 2.1-DEV-rev505-gb9577e6ad-master de GPAC conten\u00eda una p\u00e9rdida de memoria a trav\u00e9s de la funci\u00f3n gf_isom_box_parse_ex en box_funcs.c."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the afrt_box_read function at box_code_adobe.c."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se descubri\u00f3 que la versi\u00f3n 2.1-DEV-rev505-gb9577e6ad-master de GPAC conten\u00eda una p\u00e9rdida de memoria a trav\u00e9s de la funci\u00f3n afrt_box_read en box_code_adobe.c."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "Online Student Enrollment System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at /student_enrollment/admin/login.php."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se descubri\u00f3 que Online Student Enrollment System v1.0 contiene una vulnerabilidad de inyecci\u00f3n SQL a trav\u00e9s del par\u00e1metro de nombre de usuario en /student_enrollment/admin/login.php."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "GPAC MP4Box v2.1-DEV-rev574-g9d5bb184b contains a segmentation violation via the function gf_sm_load_init_swf at scene_manager/swf_parse.c"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "GPAC MP4Box v2.1-DEV-rev574-g9d5bb184b contiene una infracci\u00f3n de segmentaci\u00f3n a trav\u00e9s de la funci\u00f3n gf_sm_load_init_swf en scene_manager/swf_parse.c"
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "GPAC MP4box 2.1-DEV-rev574-g9d5bb184b has a Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "GPAC MP4box 2.1-DEV-rev574-g9d5bb184b tiene un desbordamiento de b\u00fafer en la funci\u00f3n gf_vvc_read_pps_bs_internal de media_tools/av_parsers.c"
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "GPAC MP4box 2.1-DEV-rev574-g9d5bb184b es vulnerable al desbordamiento del b\u00fafer."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow via gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "GPAC MP4box 2.1-DEV-rev574-g9d5bb184b es vulnerable al desbordamiento del b\u00fafer a trav\u00e9s de la funci\u00f3n gf_vvc_read_sps_bs_internal de media_tools/av_parsers.c"
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow in gf_text_process_sub function of filters/load_text.c"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "GPAC MP4box 2.1-DEV-rev574-g9d5bb184b es vulnerable al desbordamiento del b\u00fafer en la funci\u00f3n gf_text_process_sub de filters/load_text.c"
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is contains an Integer overflow vulnerability in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8316"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "GPAC MP4box 2.1-DEV-rev574-g9d5bb184b contiene una vulnerabilidad de desbordamiento de enteros en la funci\u00f3n gf_hevc_read_sps_bs_internal de media_tools/av_parsers.c:8316"
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "GNU Tar hasta 1.34 tiene una lectura fuera de los l\u00edmites de un byte que resulta en el uso de memoria no inicializada para un salto condicional. No se ha demostrado explotaci\u00f3n para cambiar el flujo de control. El problema ocurre en from_header en list.c a trav\u00e9s de un archivo V7 en el que mtime tiene aproximadamente 11 caracteres de espacio en blanco."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
||||
@ -3,11 +3,15 @@
|
||||
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"published": "2024-05-03T15:15:07.377",
|
||||
"lastModified": "2024-05-03T15:32:19.637",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npeci: cpu: Fix use-after-free in adev_release()\n\nWhen auxiliary_device_add() returns an error, auxiliary_device_uninit()\nis called, which causes refcount for device to be decremented and\n.release callback will be triggered.\n\nBecause adev_release() re-calls auxiliary_device_uninit(), it will cause\nuse-after-free:\n[ 1269.455172] WARNING: CPU: 0 PID: 14267 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15\n[ 1269.464007] refcount_t: underflow; use-after-free."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: peci: cpu: corrige use-after-free en adev_release() Cuando auxiliar_device_add() devuelve un error, se llama a auxiliar_device_uninit(), lo que hace que se disminuya el recuento del dispositivo y . Se activar\u00e1 la devoluci\u00f3n de llamada de liberaci\u00f3n. Debido a que adev_release() vuelve a llamar a auxiliar_device_uninit(), provocar\u00e1 use-after-free: [1269.455172] ADVERTENCIA: CPU: 0 PID: 14267 en lib/refcount.c:28 refcount_warn_saturate+0x110/0x15 [1269.464007] refcount_t: underflow ; use-after-free."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -3,11 +3,15 @@
|
||||
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"published": "2024-05-03T15:15:07.433",
|
||||
"lastModified": "2024-05-03T15:32:19.637",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()\n\nsyzbot is hitting percpu_rwsem_assert_held(&cpu_hotplug_lock) warning at\ncpuset_attach() [1], for commit 4f7e7236435ca0ab (\"cgroup: Fix\nthreadgroup_rwsem <-> cpus_read_lock() deadlock\") missed that\ncpuset_attach() is also called from cgroup_attach_task_all().\nAdd cpus_read_lock() like what cgroup_procs_write_start() does."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: cgroup: agregue cpus_read_lock() faltante a cgroup_attach_task_all() syzbot est\u00e1 presionando la advertencia percpu_rwsem_assert_held(&cpu_hotplug_lock) en cpuset_attach() [1], para el commit 4f7e7236435ca0ab (\"cgroup: Fix threadgroup_rwsem <- > cpus_read_lock() deadlock\") se perdi\u00f3 que cpuset_attach() tambi\u00e9n se llama desde cgroup_attach_task_all(). Agregue cpus_read_lock() como lo hace cgroup_procs_write_start()."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -3,11 +3,15 @@
|
||||
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"published": "2024-05-03T15:15:07.480",
|
||||
"lastModified": "2024-05-03T15:32:19.637",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: fdt: fix off-by-one error in unflatten_dt_nodes()\n\nCommit 78c44d910d3e (\"drivers/of: Fix depth when unflattening devicetree\")\nforgot to fix up the depth check in the loop body in unflatten_dt_nodes()\nwhich makes it possible to overflow the nps[] buffer...\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: de: fdt: corrige el error uno por uno en unflatten_dt_nodes() Commit 78c44d910d3e (\"drivers/of: corrige la profundidad al desacoplar el \u00e1rbol de dispositivos\") olvid\u00f3 arreglar la comprobaci\u00f3n de profundidad el cuerpo del bucle en unflatten_dt_nodes() que permite desbordar el b\u00fafer nps[]... Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org) con la herramienta de an\u00e1lisis est\u00e1tico SVACE."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -3,11 +3,15 @@
|
||||
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"published": "2024-05-03T15:15:07.530",
|
||||
"lastModified": "2024-05-03T15:32:19.637",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Fix possible access to freed memory in link clear\n\nAfter modifying the QP to the Error state, all RX WR would be completed\nwith WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not\nwait for it is done, but destroy the QP and free the link group directly.\nSo there is a risk that accessing the freed memory in tasklet context.\n\nHere is a crash example:\n\n BUG: unable to handle page fault for address: ffffffff8f220860\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060\n Oops: 0002 [#1] SMP PTI\n CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23\n Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018\n RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0\n Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32\n RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086\n RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000\n RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00\n RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b\n R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010\n R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040\n FS: 0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n <IRQ>\n _raw_spin_lock_irqsave+0x30/0x40\n mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]\n smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]\n tasklet_action_common.isra.21+0x66/0x100\n __do_softirq+0xd5/0x29c\n asm_call_irq_on_stack+0x12/0x20\n </IRQ>\n do_softirq_own_stack+0x37/0x40\n irq_exit_rcu+0x9d/0xa0\n sysvec_call_function_single+0x34/0x80\n asm_sysvec_call_function_single+0x12/0x20"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/smc: corrige el posible acceso a la memoria liberada al borrar el enlace. Despu\u00e9s de modificar el QP al estado de Error, todos los RX WR se completar\u00edan con WC en estado IB_WC_WR_FLUSH_ERR. La implementaci\u00f3n actual no espera a que est\u00e9 terminada, sino que destruye el QP y libera el grupo de enlaces directamente. Por lo tanto, existe el riesgo de acceder a la memoria liberada en el contexto del tasklet. Aqu\u00ed hay un ejemplo de falla: ERROR: no se puede manejar el error de p\u00e1gina para la direcci\u00f3n: ffffffff8f220860 #PF: acceso de escritura del supervisor en modo kernel #PF: error_code(0x0002) - p\u00e1gina no presente PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060 operaciones: 0002 [#1] SMP PTI CPU: 1 PID: 0 Comunicaciones: intercambiador/1 Kdump: cargado Contaminado: GS OE 5.10.0-0607+ #23 Nombre de hardware: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07 /09/2018 RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0 C\u00f3digo: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 5 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32 RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086 RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000 RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00 RBP: ffff91db62bacc00 R08: 00000000000000000 R09: c00000010000028b R10: 0000000000055 198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010 R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040 FS: 0000000000000000(0 000) GS:ffff91db1f840000(0000) knlGS:0000000000000000 CS : 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Seguimiento de llamadas: _raw_spin_lock_irqsave+0x30/0x40 _encuesta_cq +0x4c/0xc50 [mlx5_ib] smc_wr_rx_tasklet_fn+0x56/0xa0 [smc] tasklet_action_common.isra.21+0x66/0x100 __do_softirq+0xd5/0x29c asm_call_irq_on_stack+0x12/0x20 n_stack+0x37/0x40 irq_exit_rcu+0x9d/0xa0 sysvec_call_function_single+ 0x34/0x80 asm_sysvec_call_function_single+0x12/0x20"
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -3,11 +3,15 @@
|
||||
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"published": "2024-05-03T15:15:07.580",
|
||||
"lastModified": "2024-05-03T15:32:19.637",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix pcluster use-after-free on UP platforms\n\nDuring stress testing with CONFIG_SMP disabled, KASAN reports as below:\n\n==================================================================\nBUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30\nRead of size 8 at addr ffff8881094223f8 by task stress/7789\n\nCPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nCall Trace:\n <TASK>\n..\n __mutex_lock+0xe5/0xc30\n..\n z_erofs_do_read_page+0x8ce/0x1560\n..\n z_erofs_readahead+0x31c/0x580\n..\nFreed by task 7787\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x20/0x30\n kasan_set_free_info+0x20/0x40\n __kasan_slab_free+0x10c/0x190\n kmem_cache_free+0xed/0x380\n rcu_core+0x3d5/0xc90\n __do_softirq+0x12d/0x389\n\nLast potentially related work creation:\n kasan_save_stack+0x1e/0x40\n __kasan_record_aux_stack+0x97/0xb0\n call_rcu+0x3d/0x3f0\n erofs_shrink_workstation+0x11f/0x210\n erofs_shrink_scan+0xdc/0x170\n shrink_slab.constprop.0+0x296/0x530\n drop_slab+0x1c/0x70\n drop_caches_sysctl_handler+0x70/0x80\n proc_sys_call_handler+0x20a/0x2f0\n vfs_write+0x555/0x6c0\n ksys_write+0xbe/0x160\n do_syscall_64+0x3b/0x90\n\nThe root cause is that erofs_workgroup_unfreeze() doesn't reset to\norig_val thus it causes a race that the pcluster reuses unexpectedly\nbefore freeing.\n\nSince UP platforms are quite rare now, such path becomes unnecessary.\nLet's drop such specific-designed path directly instead."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: erofs: corrige el use-after-free de pcluster en plataformas UP Durante las pruebas de estr\u00e9s con CONFIG_SMP deshabilitado, KASAN informa lo siguiente: ============== ==================================================== == ERROR: KASAN: use-after-free en __mutex_lock+0xe5/0xc30 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff8881094223f8 por tarea estr\u00e9s/7789 CPU: 0 PID: 7789 Comm: estr\u00e9s No contaminado 6.0.0-rc1-00002-g0d53d2e882f9 # 3 Nombre del hardware: Red Hat KVM, BIOS 0.5.1 01/01/2011 Seguimiento de llamadas: .. __mutex_lock+0xe5/0xc30 .. z_erofs_do_read_page+0x8ce/0x1560 .. z_erofs_readahead+0x31c/0x580 .. Liberado por la tarea 7787 kasan_save_stack+0x1e/0x40 kasan_set_track+0x20/0x30 kasan_set_free_info+0x20/0x40 __kasan_slab_free+0x10c/0x190 kmem_cache_free+0xed/0x380 rcu_core+0x3d5/0xc90 __do_softirq+0x12d/0x 389 \u00daltima creaci\u00f3n de trabajo potencialmente relacionado: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x97/ 0xb0 call_rcu+0x3d/0x3f0 erofs_shrink_workstation+0x11f/0x210 erofs_shrink_scan+0xdc/0x170 retract_slab.constprop.0+0x296/0x530 drop_slab+0x1c/0x70 drop_caches_sysctl_handler+0x70/0x80 proc_sys_call_handler+0x20a/0x2f0 vfs_write+0x555/0x6c0 ksys_write+0xbe/0x160 do_syscall_64+0x3b/0x90 La causa principal es que erofs_workgroup_unfreeze() no se restablece a orig_val, por lo que provoca una carrera que el pcluster reutiliza inesperadamente antes de liberarse. Dado que las plataformas UP son bastante raras ahora, ese camino se vuelve innecesario. En su lugar, eliminemos directamente esa ruta manipulada espec\u00edficamente."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -3,11 +3,15 @@
|
||||
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"published": "2024-05-03T15:15:07.627",
|
||||
"lastModified": "2024-05-03T15:32:19.637",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/core: Fix a nested dead lock as part of ODP flow\n\nFix a nested dead lock as part of ODP flow by using mmput_async().\n\nFrom the below call trace [1] can see that calling mmput() once we have\nthe umem_odp->umem_mutex locked as required by\nib_umem_odp_map_dma_and_lock() might trigger in the same task the\nexit_mmap()->__mmu_notifier_release()->mlx5_ib_invalidate_range() which\nmay dead lock when trying to lock the same mutex.\n\nMoving to use mmput_async() will solve the problem as the above\nexit_mmap() flow will be called in other task and will be executed once\nthe lock will be available.\n\n[1]\n[64843.077665] task:kworker/u133:2 state:D stack: 0 pid:80906 ppid:\n2 flags:0x00004000\n[64843.077672] Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib]\n[64843.077719] Call Trace:\n[64843.077722] <TASK>\n[64843.077724] __schedule+0x23d/0x590\n[64843.077729] schedule+0x4e/0xb0\n[64843.077735] schedule_preempt_disabled+0xe/0x10\n[64843.077740] __mutex_lock.constprop.0+0x263/0x490\n[64843.077747] __mutex_lock_slowpath+0x13/0x20\n[64843.077752] mutex_lock+0x34/0x40\n[64843.077758] mlx5_ib_invalidate_range+0x48/0x270 [mlx5_ib]\n[64843.077808] __mmu_notifier_release+0x1a4/0x200\n[64843.077816] exit_mmap+0x1bc/0x200\n[64843.077822] ? walk_page_range+0x9c/0x120\n[64843.077828] ? __cond_resched+0x1a/0x50\n[64843.077833] ? mutex_lock+0x13/0x40\n[64843.077839] ? uprobe_clear_state+0xac/0x120\n[64843.077860] mmput+0x5f/0x140\n[64843.077867] ib_umem_odp_map_dma_and_lock+0x21b/0x580 [ib_core]\n[64843.077931] pagefault_real_mr+0x9a/0x140 [mlx5_ib]\n[64843.077962] pagefault_mr+0xb4/0x550 [mlx5_ib]\n[64843.077992] pagefault_single_data_segment.constprop.0+0x2ac/0x560\n[mlx5_ib]\n[64843.078022] mlx5_ib_eqe_pf_action+0x528/0x780 [mlx5_ib]\n[64843.078051] process_one_work+0x22b/0x3d0\n[64843.078059] worker_thread+0x53/0x410\n[64843.078065] ? process_one_work+0x3d0/0x3d0\n[64843.078073] kthread+0x12a/0x150\n[64843.078079] ? set_kthread_struct+0x50/0x50\n[64843.078085] ret_from_fork+0x22/0x30\n[64843.078093] </TASK>"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: IB/core: corrija un bloqueo anidado como parte del flujo ODP. Corrija un bloqueo anidado como parte del flujo ODP usando mmput_async(). En el siguiente seguimiento de llamadas [1] se puede ver que llamar a mmput() una vez que tenemos umem_odp->umem_mutex bloqueado como lo requiere ib_umem_odp_map_dma_and_lock() podr\u00eda desencadenar en la misma tarea exit_mmap()->__mmu_notifier_release()->mlx5_ib_invalidate_range() lo que puede bloquearse al intentar bloquear el mismo mutex. Pasar a utilizar mmput_async() resolver\u00e1 el problema ya que el flujo exit_mmap() anterior se llamar\u00e1 en otra tarea y se ejecutar\u00e1 una vez que el bloqueo est\u00e9 disponible. [1] [64843.077665] tarea:kworker/u133:2 estado:D pila: 0 pid:80906 ppid: 2 banderas:0x00004000 [64843.077672] Cola de trabajo: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib] 9] Seguimiento de llamadas: [64843.077722] [64843.077724] __schedule+0x23d/0x590 [64843.077729] Schedule+0x4e/0xb0 [64843.077735] Schedule_preempt_disabled+0xe/0x10 [64843.077740] __mutex_lock.constprop.0+0x263/0x 490 [64843.077747] __mutex_lock_slowpath+0x13/0x20 [64843.077752] mutex_lock+0x34 /0x40 [64843.077758] mlx5_ib_invalidate_range+0x48/0x270 [mlx5_ib] [64843.077808] __mmu_notifier_release+0x1a4/0x200 [64843.077816] exit_mmap+0x1bc/0x200 822] ? walk_page_range+0x9c/0x120 [64843.077828] ? __cond_resched+0x1a/0x50 [64843.077833] ? mutex_lock+0x13/0x40 [64843.077839] ? uprobe_clear_state+0xac/0x120 [64843.077860] mmput+0x5f/0x140 [64843.077867] ib_umem_odp_map_dma_and_lock+0x21b/0x580 [ib_core] [64843.077931] pagefault_real_mr+0x9a/0x 140 [mlx5_ib] [64843.077962] pagefault_mr+0xb4/0x550 [mlx5_ib] [64843.077992] pagefault_single_data_segment .constprop.0+0x2ac/0x560 [mlx5_ib] [64843.078022] mlx5_ib_eqe_pf_action+0x528/0x780 [mlx5_ib] [64843.078051] Process_one_work+0x22b/0x3d0 [64843.078059] x53/0x410 [64843.078065] ? proceso_one_work+0x3d0/0x3d0 [64843.078073] kthread+0x12a/0x150 [64843.078079] ? set_kthread_struct+0x50/0x50 [64843.078085] ret_from_fork+0x22/0x30 [64843.078093] "
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -3,11 +3,15 @@
|
||||
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"published": "2024-05-03T15:15:07.673",
|
||||
"lastModified": "2024-05-03T15:32:19.637",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix UAF when detecting digest errors\n\nWe should also bail from the io_work loop when we set rd_enabled to true,\nso we don't attempt to read data from the socket when the TCP stream is\nalready out-of-sync or corrupted."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nvme-tcp: corrige UAF al detectar errores de resumen. Tambi\u00e9n debemos salir del bucle io_work cuando configuramos rd_enabled en verdadero, para no intentar leer datos del socket cuando el flujo TCP ya no est\u00e1 sincronizado o est\u00e1 da\u00f1ado."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -3,11 +3,15 @@
|
||||
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"published": "2024-05-03T15:15:07.723",
|
||||
"lastModified": "2024-05-03T15:32:19.637",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix out-of-bounds read when setting HMAC data.\n\nThe SRv6 layer allows defining HMAC data that can later be used to sign IPv6\nSegment Routing Headers. This configuration is realised via netlink through\nfour attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and\nSEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual\nlength of the SECRET attribute, it is possible to provide invalid combinations\n(e.g., secret = \"\", secretlen = 64). This case is not checked in the code and\nwith an appropriately crafted netlink message, an out-of-bounds read of up\nto 64 bytes (max secret length) can occur past the skb end pointer and into\nskb_shared_info:\n\nBreakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208\n208\t\tmemcpy(hinfo->secret, secret, slen);\n(gdb) bt\n #0 seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208\n #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,\n extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>,\n family=<optimized out>) at net/netlink/genetlink.c:731\n #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,\n family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775\n #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792\n #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>)\n at net/netlink/af_netlink.c:2501\n #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803\n #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)\n at net/netlink/af_netlink.c:1319\n #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>)\n at net/netlink/af_netlink.c:1345\n #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921\n...\n(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end\n$1 = 0xffff88800b1b76c0\n(gdb) p/x secret\n$2 = 0xffff88800b1b76c0\n(gdb) p slen\n$3 = 64 '@'\n\nThe OOB data can then be read back from userspace by dumping HMAC state. This\ncommit fixes this by ensuring SECRETLEN cannot exceed the actual length of\nSECRET."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ipv6: sr: corrige lectura fuera de los l\u00edmites al configurar datos HMAC. La capa SRv6 permite definir datos HMAC que luego pueden usarse para firmar encabezados de enrutamiento de segmentos IPv6. Esta configuraci\u00f3n se realiza v\u00eda netlink a trav\u00e9s de cuatro atributos: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN y SEG6_ATTR_ALGID. Debido a que el atributo SECRETLEN est\u00e1 desacoplado de la longitud real del atributo SECRET, es posible proporcionar combinaciones no v\u00e1lidas (por ejemplo, secret = \"\", secretlen = 64). Este caso no est\u00e1 marcado en el c\u00f3digo y con un mensaje netlink manipulado apropiadamente, puede ocurrir una lectura fuera de los l\u00edmites de hasta 64 bytes (longitud m\u00e1xima del secreto) m\u00e1s all\u00e1 del puntero final de skb y en skb_shared_info: Punto de interrupci\u00f3n 1, seg6_genl_sethmac (skb =, info=) en net/ipv6/seg6.c:208 208 memcpy(hinfo->secret, secret, slen); (gdb) bt #0 seg6_genl_sethmac (skb=, info=) en net/ipv6/seg6.c:208 #1 0xffffffff81e012e9 en genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@ entrada=0xffff88800b1b7600, extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 , family=, familia=) en net/netlink/ genetlink.c:731 #2 0xffffffff81e01435 en genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, family=0xffffffff82fef6c0 ) en net/netlink/genetlink.c:775 #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh= 0xffff88800b1b7600, extack=0xffffc90000ba7af0) en net/netlink/genetlink.c:792 #4 0xffffffff81dfffc3 en netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e013 50 ) en net/netlink/af_netlink.c: 2501 #5 0xffffffff81e00919 en genl_rcv (skb=0xffff88800b1f9f00) en net/netlink/genetlink.c:803 #6 0xffffffff81dff6ae en netlink_unicast_kernel (ssk=0xffff888010eec800, f9f00, sk=0xffff888004aed000) en net/netlink/af_netlink.c:1319 # 7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=) en net/netlink/af_netlink.c:1345 #8 0xffffffff81dff9a4 en ( sock=, msg=0xffffc90000ba7e48, len=) en net/netlink/af_netlink.c:1921 ... (gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ( (struct sk_buff *)0xffff88800b1f9f00)->end $1 = 0xffff88800b1b76c0 (gdb) p/x secret $2 = 0xffff88800b1b76c0 (gdb) p slen $3 = 64 '@' Los datos OOB se pueden volver a leer desde el espacio de usuario volcando el estado HMAC. Esta confirmaci\u00f3n soluciona este problema garantizando que SECRETLEN no pueda exceder la longitud real de SECRET."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -3,11 +3,15 @@
|
||||
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"published": "2024-05-03T15:15:07.783",
|
||||
"lastModified": "2024-05-03T15:32:19.637",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix kernel crash during module removal\n\nThe driver incorrectly frees client instance and subsequent\ni40e module removal leads to kernel crash.\n\nReproducer:\n1. Do ethtool offline test followed immediately by another one\nhost# ethtool -t eth0 offline; ethtool -t eth0 offline\n2. Remove recursively irdma module that also removes i40e module\nhost# modprobe -r irdma\n\nResult:\n[ 8675.035651] i40e 0000:3d:00.0 eno1: offline testing starting\n[ 8675.193774] i40e 0000:3d:00.0 eno1: testing finished\n[ 8675.201316] i40e 0000:3d:00.0 eno1: offline testing starting\n[ 8675.358921] i40e 0000:3d:00.0 eno1: testing finished\n[ 8675.496921] i40e 0000:3d:00.0: IRDMA hardware initialization FAILED init_state=2 status=-110\n[ 8686.188955] i40e 0000:3d:00.1: i40e_ptp_stop: removed PHC on eno2\n[ 8686.943890] i40e 0000:3d:00.1: Deleted LAN device PF1 bus=0x3d dev=0x00 func=0x01\n[ 8686.952669] i40e 0000:3d:00.0: i40e_ptp_stop: removed PHC on eno1\n[ 8687.761787] BUG: kernel NULL pointer dereference, address: 0000000000000030\n[ 8687.768755] #PF: supervisor read access in kernel mode\n[ 8687.773895] #PF: error_code(0x0000) - not-present page\n[ 8687.779034] PGD 0 P4D 0\n[ 8687.781575] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 8687.785935] CPU: 51 PID: 172891 Comm: rmmod Kdump: loaded Tainted: G W I 5.19.0+ #2\n[ 8687.794800] Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.0X.02.0001.051420190324 05/14/2019\n[ 8687.805222] RIP: 0010:i40e_lan_del_device+0x13/0xb0 [i40e]\n[ 8687.810719] Code: d4 84 c0 0f 84 b8 25 01 00 e9 9c 25 01 00 41 bc f4 ff ff ff eb 91 90 0f 1f 44 00 00 41 54 55 53 48 8b 87 58 08 00 00 48 89 fb <48> 8b 68 30 48 89 ef e8 21 8a 0f d5 48 89 ef e8 a9 78 0f d5 48 8b\n[ 8687.829462] RSP: 0018:ffffa604072efce0 EFLAGS: 00010202\n[ 8687.834689] RAX: 0000000000000000 RBX: ffff8f43833b2000 RCX: 0000000000000000\n[ 8687.841821] RDX: 0000000000000000 RSI: ffff8f4b0545b298 RDI: ffff8f43833b2000\n[ 8687.848955] RBP: ffff8f43833b2000 R08: 0000000000000001 R09: 0000000000000000\n[ 8687.856086] R10: 0000000000000000 R11: 000ffffffffff000 R12: ffff8f43833b2ef0\n[ 8687.863218] R13: ffff8f43833b2ef0 R14: ffff915103966000 R15: ffff8f43833b2008\n[ 8687.870342] FS: 00007f79501c3740(0000) GS:ffff8f4adffc0000(0000) knlGS:0000000000000000\n[ 8687.878427] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8687.884174] CR2: 0000000000000030 CR3: 000000014276e004 CR4: 00000000007706e0\n[ 8687.891306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8687.898441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8687.905572] PKRU: 55555554\n[ 8687.908286] Call Trace:\n[ 8687.910737] <TASK>\n[ 8687.912843] i40e_remove+0x2c0/0x330 [i40e]\n[ 8687.917040] pci_device_remove+0x33/0xa0\n[ 8687.920962] device_release_driver_internal+0x1aa/0x230\n[ 8687.926188] driver_detach+0x44/0x90\n[ 8687.929770] bus_remove_driver+0x55/0xe0\n[ 8687.933693] pci_unregister_driver+0x2a/0xb0\n[ 8687.937967] i40e_exit_module+0xc/0xf48 [i40e]\n\nTwo offline tests cause IRDMA driver failure (ETIMEDOUT) and this\nfailure is indicated back to i40e_client_subtask() that calls\ni40e_client_del_instance() to free client instance referenced\nby pf->cinst and sets this pointer to NULL. During the module\nremoval i40e_remove() calls i40e_lan_del_device() that dereferences\npf->cinst that is NULL -> crash.\nDo not remove client instance when client open callbacks fails and\njust clear __I40E_CLIENT_INSTANCE_OPENED bit. The driver also needs\nto take care about this situation (when netdev is up and client\nis NOT opened) in i40e_notify_client_of_netdev_close() and\ncalls client close callback only when __I40E_CLIENT_INSTANCE_OPENED\nis set."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: i40e: soluciona el fallo del kernel durante la eliminaci\u00f3n del m\u00f3dulo. El controlador libera incorrectamente la instancia del cliente y la posterior eliminaci\u00f3n del m\u00f3dulo i40e provoca un fallo del kernel. Reproductor: 1. Realice la prueba fuera de l\u00ednea de ethtool seguida inmediatamente por otro host# ethtool -t eth0 fuera de l\u00ednea; ethtool -t eth0 offline 2. Elimine recursivamente el m\u00f3dulo irdma que tambi\u00e9n elimina el m\u00f3dulo i40e host# modprobe -r irdma Resultado: [8675.035651] i40e 0000:3d:00.0 eno1: pruebas fuera de l\u00ednea iniciando [8675.193774] i40e 0000:3d:00.0 eno1: pruebas terminado [ 8675.201316] i40e 0000:3d:00.0 eno1: prueba fuera de l\u00ednea iniciando [ 8675.358921] i40e 0000:3d:00.0 eno1: prueba finalizada [ 8675.496921] i40e 0000:3d:00.0: inicializaci\u00f3n de hardware IRDMA FALLADA init_state=2 estado = -110 [ 8686.188955] i40e 0000:3d:00.1: i40e_ptp_stop: PHC eliminado en eno2 [ 8686.943890] i40e 0000:3d:00.1: Dispositivo LAN eliminado PF1 bus=0x3d dev=0x00 func=0x01 [ 8686.952669] 0e 0000:3d:00.0: i40e_ptp_stop: se elimin\u00f3 PHC en eno1 [8687.761787] ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000030 [8687.768755] #PF: acceso de lectura de supervisor en modo kernel [8687.773895] #PF: error_code(0x0000) - p\u00e1gina no presente [8687.779034] P GD 0 P4D 0 [ 8687.781575] Ups: 0000 [#1] PREEMPT SMP NOPTI [ 8687.785935] CPU: 51 PID: 172891 Comm: rmmod Kdump: cargado Contaminado: GWI 5.19.0+ #2 [ 8687.794800] Nombre de hardware: Intel Corporation S2600WFD/S26 00WFD, BIOS SE5C620.86B.0X.02.0001.051420190324 14/05/2019 [8687.805222] RIP: 0010:i40e_lan_del_device+0x13/0xb0 [i40e] [8687.810719] C\u00f3digo: d4 84 c0 0f 84 b8 25 01 00 e9 9c 25 01 00 41 bc f4 ff ff ff eb 91 90 0f 1f 44 00 00 41 54 55 53 48 8b 87 58 08 00 00 48 89 fb <48> 8b 68 30 48 89 ef e8 21 8a 0f d5 48 89 ef e8 a9 0f d5 48 8b [8687.829462] RSP: 0018:ffffa604072efce0 EFLAGS: 00010202 [8687.834689] RAX: 00000000000000000 RBX: ffff8f43833b2000 RCX: 00000000000000 00 [ 8687.841821] RDX: 00000000000000000 RSI: ffff8f4b0545b298 RDI: ffff8f43833b2000 [ 8687.848955] RBP: ffff8f43833b2000 R08: 000000000000000 01 R09: 0000000000000000 [ 8687.856086 ] R10: 0000000000000000 R11: 000ffffffffff000 R12: ffff8f43833b2ef0 [ 8687.863218] R13: ffff8f43833b2ef0 R14: ffff915103966000 R15: 2008 [ 8687.870342] FS: 00007f79501c3740(0000) GS:ffff8f4adffc0000(0000) knlGS:000000000000000000 [ 8687.878427] CS: 0010 DS: 0000 ES : 0000 CR0: 0000000080050033 [ 8687.884174] CR2: 0000000000000030 CR3: 000000014276e004 CR4: 00000000007706e0 [ 8687.891306] DR0: 00000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 8687.898441] DR3: 00000000000000000 DR6: 00000000ffe0ff0 DR7: 0000000000000400 [ 8687.905572] PKRU: 55555554 [ 8687.908286] Seguimiento de llamadas: [8687.910737] [8687.912843] i40e_remove+0x2c0/0x330 [i40e] [8687.917040] pci_device_remove+0x33/0xa0 [8687.920962] device_release_driver_internal+0x1aa/ 0x230 [8687.926188] driver_detach+0x44/0x90 [8687.929770] bus_remove_driver+0x55 /0xe0 [ 8687.933693] pci_unregister_driver+0x2a/0xb0 [ 8687.937967] i40e_exit_module+0xc/0xf48 [i40e] Dos pruebas fuera de l\u00ednea causan una falla del controlador IRDMA (ETIMEDOUT) y esta falla se indica a i40e_client_subtask() que llama a i40e_client_del _instance() para liberar la instancia del cliente referenciado por pf->cinst y establece este puntero en NULL. Durante la eliminaci\u00f3n del m\u00f3dulo, i40e_remove() llama a i40e_lan_del_device() que desreferencia pf->cinst que es NULL -> crash. No elimine la instancia del cliente cuando las devoluciones de llamada abiertas del cliente fallan y simplemente borre el bit __I40E_CLIENT_INSTANCE_OPENED. El controlador tambi\u00e9n debe tener cuidado con esta situaci\u00f3n (cuando netdev est\u00e1 activo y el cliente NO est\u00e1 abierto) en i40e_notify_client_of_netdev_close() y llama a la devoluci\u00f3n de llamada de cierre del cliente solo cuando __I40E_CLIENT_INSTANCE_OPENED est\u00e1 configurado."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -3,11 +3,15 @@
|
||||
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"published": "2024-05-03T15:15:07.833",
|
||||
"lastModified": "2024-05-03T15:32:19.637",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: TX zerocopy should not sense pfmemalloc status\n\nWe got a recent syzbot report [1] showing a possible misuse\nof pfmemalloc page status in TCP zerocopy paths.\n\nIndeed, for pages coming from user space or other layers,\nusing page_is_pfmemalloc() is moot, and possibly could give\nfalse positives.\n\nThere has been attempts to make page_is_pfmemalloc() more robust,\nbut not using it in the first place in this context is probably better,\nremoving cpu cycles.\n\nNote to stable teams :\n\nYou need to backport 84ce071e38a6 (\"net: introduce\n__skb_fill_page_desc_noacc\") as a prereq.\n\nRace is more probable after commit c07aea3ef4d4\n(\"mm: add a signature in struct page\") because page_is_pfmemalloc()\nis now using low order bit from page->lru.next, which can change\nmore often than page->index.\n\nLow order bit should never be set for lru.next (when used as an anchor\nin LRU list), so KCSAN report is mostly a false positive.\n\nBackporting to older kernel versions seems not necessary.\n\n[1]\nBUG: KCSAN: data-race in lru_add_fn / tcp_build_frag\n\nwrite to 0xffffea0004a1d2c8 of 8 bytes by task 18600 on cpu 0:\n__list_add include/linux/list.h:73 [inline]\nlist_add include/linux/list.h:88 [inline]\nlruvec_add_folio include/linux/mm_inline.h:105 [inline]\nlru_add_fn+0x440/0x520 mm/swap.c:228\nfolio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246\nfolio_batch_add_and_move mm/swap.c:263 [inline]\nfolio_add_lru+0xf1/0x140 mm/swap.c:490\nfilemap_add_folio+0xf8/0x150 mm/filemap.c:948\n__filemap_get_folio+0x510/0x6d0 mm/filemap.c:1981\npagecache_get_page+0x26/0x190 mm/folio-compat.c:104\ngrab_cache_page_write_begin+0x2a/0x30 mm/folio-compat.c:116\next4_da_write_begin+0x2dd/0x5f0 fs/ext4/inode.c:2988\ngeneric_perform_write+0x1d4/0x3f0 mm/filemap.c:3738\next4_buffered_write_iter+0x235/0x3e0 fs/ext4/file.c:270\next4_file_write_iter+0x2e3/0x1210\ncall_write_iter include/linux/fs.h:2187 [inline]\nnew_sync_write fs/read_write.c:491 [inline]\nvfs_write+0x468/0x760 fs/read_write.c:578\nksys_write+0xe8/0x1a0 fs/read_write.c:631\n__do_sys_write fs/read_write.c:643 [inline]\n__se_sys_write fs/read_write.c:640 [inline]\n__x64_sys_write+0x3e/0x50 fs/read_write.c:640\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffffea0004a1d2c8 of 8 bytes by task 18611 on cpu 1:\npage_is_pfmemalloc include/linux/mm.h:1740 [inline]\n__skb_fill_page_desc include/linux/skbuff.h:2422 [inline]\nskb_fill_page_desc include/linux/skbuff.h:2443 [inline]\ntcp_build_frag+0x613/0xb20 net/ipv4/tcp.c:1018\ndo_tcp_sendpages+0x3e8/0xaf0 net/ipv4/tcp.c:1075\ntcp_sendpage_locked net/ipv4/tcp.c:1140 [inline]\ntcp_sendpage+0x89/0xb0 net/ipv4/tcp.c:1150\ninet_sendpage+0x7f/0xc0 net/ipv4/af_inet.c:833\nkernel_sendpage+0x184/0x300 net/socket.c:3561\nsock_sendpage+0x5a/0x70 net/socket.c:1054\npipe_to_sendpage+0x128/0x160 fs/splice.c:361\nsplice_from_pipe_feed fs/splice.c:415 [inline]\n__splice_from_pipe+0x222/0x4d0 fs/splice.c:559\nsplice_from_pipe fs/splice.c:594 [inline]\ngeneric_splice_sendpage+0x89/0xc0 fs/splice.c:743\ndo_splice_from fs/splice.c:764 [inline]\ndirect_splice_actor+0x80/0xa0 fs/splice.c:931\nsplice_direct_to_actor+0x305/0x620 fs/splice.c:886\ndo_splice_direct+0xfb/0x180 fs/splice.c:974\ndo_sendfile+0x3bf/0x910 fs/read_write.c:1249\n__do_sys_sendfile64 fs/read_write.c:1317 [inline]\n__se_sys_sendfile64 fs/read_write.c:1303 [inline]\n__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1303\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x0000000000000000 -> 0xffffea0004a1d288\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 18611 Comm: syz-executor.4 Not tainted 6.0.0-rc2-syzkaller-00248-ge022620b5d05-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: tcp: TX zerocopy no deber\u00eda detectar el estado de pfmemalloc Recibimos un informe reciente de syzbot [1] que muestra un posible uso indebido del estado de la p\u00e1gina pfmemalloc en rutas de TCP zerocopy. De hecho, para p\u00e1ginas provenientes del espacio de usuario u otras capas, usar page_is_pfmemalloc() es discutible y posiblemente podr\u00eda dar falsos positivos. Ha habido intentos de hacer que page_is_pfmemalloc() sea m\u00e1s robusto, pero probablemente sea mejor no usarlo en primer lugar en este contexto, ya que elimina los ciclos de la CPU. Nota para los equipos estables: deben respaldar 84ce071e38a6 (\"net: introduzca __skb_fill_page_desc_noacc\") como requisito previo. La carrera es m\u00e1s probable despu\u00e9s de confirmar c07aea3ef4d4 (\"mm: agregar una firma en la p\u00e1gina de estructura\") porque page_is_pfmemalloc() ahora usa un bit de orden bajo de p\u00e1gina->lru.next, que puede cambiar con m\u00e1s frecuencia que p\u00e1gina->\u00edndice. El bit de orden bajo nunca debe configurarse para lru.next (cuando se usa como ancla en la lista LRU), por lo que el informe de KCSAN es en su mayor\u00eda un falso positivo. No parece necesario realizar backports a versiones anteriores del kernel. [1] ERROR: KCSAN: data-race en lru_add_fn/tcp_build_frag escribe en 0xffffea0004a1d2c8 de 8 bytes por tarea 18600 en la CPU 0: __list_add include/linux/list.h:73 [en l\u00ednea] list_add include/linux/list.h:88 [en l\u00ednea] lruvec_add_folio include/linux/mm_inline.h:105 [en l\u00ednea] lru_add_fn+0x440/0x520 mm/swap.c:228 folio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246 folio_batch_add_and_move mm/swap.c:263 linea ] folio_add_lru+0xf1/0x140 mm/swap.c:490 filemap_add_folio+0xf8/0x150 mm/filemap.c:948 __filemap_get_folio+0x510/0x6d0 mm/filemap.c:1981 pagecache_get_page+0x26/0x190 mm/folio-compat.c: 104 grab_cache_page_write_begin+0x2a/0x30 mm/folio-compat.c:116 ext4_da_write_begin+0x2dd/0x5f0 fs/ext4/inode.c:2988 generic_perform_write+0x1d4/0x3f0 mm/filemap.c:3738 ext4_buffered_write_iter+0x235/0x 3e0 fs/ext4/ file.c:270 ext4_file_write_iter+0x2e3/0x1210 call_write_iter include/linux/fs.h:2187 [en l\u00ednea] new_sync_write fs/read_write.c:491 [en l\u00ednea] vfs_write+0x468/0x760 fs/read_write.c:578 ksys_write+0xe8/ 0x1a0 fs/read_write.c:631 __do_sys_write fs/read_write.c:643 [en l\u00ednea] __se_sys_write fs/read_write.c:640 [en l\u00ednea] __x64_sys_write+0x3e/0x50 fs/read_write.c:640 do_syscall_x64 arch/x86/entry/common .c: 50 [en l\u00ednea] do_syscall_64+0x2b/0x70 arch/x86/entry/comunes.c: 80 entry_syscall_64_after_hwframe+0x63/0xcd lee a 0xffffea0004a1d2c8 de 8 bytes por tarea 18611 en la CPU 1: Page_is_pfmememememem 1740 [Inline] __skb_fill_page_desc incluyen/linux/skbuff.h: 2422 [en l\u00ednea] skb_fill_page_desc incluyen/linux/skbuff.h: 2443 [en l\u00ednea] 0 neto /ipv4/tcp.c:1075 tcp_sendpage_locked net/ipv4/tcp.c:1140 [en l\u00ednea] tcp_sendpage+0x89/0xb0 net/ipv4/tcp.c:1150 inet_sendpage+0x7f/0xc0 net/ipv4/af_inet.c:833 kernel_sendpage +0x184/0x300 net/socket.c:3561 sock_sendpage+0x5a/0x70 net/socket.c:1054 pipe_to_sendpage+0x128/0x160 fs/splice.c:361 splice_from_pipe_feed fs/splice.c:415 __splice_from_pipe+0x222 / 0x4d0 fs/splice.c:559 splice_from_pipe fs/splice.c:594 [en l\u00ednea] generic_splice_sendpage+0x89/0xc0 fs/splice.c:743 do_splice_from fs/splice.c:764 [en l\u00ednea] direct_splice_actor+0x80/0xa0 fs/splice .c:931 splice_direct_to_actor+0x305/0x620 fs/splice.c:886 do_splice_direct+0xfb/0x180 fs/splice.c:974 do_sendfile+0x3bf/0x910 fs/read_write.c:1249 __do_sys_sendfile64 fs/read_write.c:13 17 [en l\u00ednea ] __se_sys_sendfile64 fs/read_write.c:1303 [en l\u00ednea] __x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1303 do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] do_syscall_64+0x2b/0x70 arch/ x86/entrada/ common.c:80 Entry_SYSCALL_64_after_hwframe+0x63/0xcd valor cambiado: 0x0000000000000000 -> 0xffffea0004a1d288 ----truncado----"
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix DMA mappings leak\n\nFix leak, when user changes ring parameters.\nDuring reallocation of RX buffers, new DMA mappings are created for\nthose buffers. New buffers with different RX ring count should\nsubstitute older ones, but those buffers were freed in ice_vsi_cfg_rxq\nand reallocated again with ice_alloc_rx_buf. kfree on rx_buf caused\nleak of already mapped DMA.\nReallocate ZC with xdp_buf struct, when BPF program loads. Reallocate\nback to rx_buf, when BPF program unloads.\nIf BPF program is loaded/unloaded and XSK pools are created, reallocate\nRX queues accordingly in XDP_SETUP_XSK_POOL handler.\n\nSteps for reproduction:\nwhile :\ndo\n\tfor ((i=0; i<=8160; i=i+32))\n\tdo\n\t\tethtool -G enp130s0f0 rx $i tx $i\n\t\tsleep 0.5\n\t\tethtool -g enp130s0f0\n\tdone\ndone"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ice: Reparar fuga de asignaciones DMA. Reparar fuga cuando el usuario cambia los par\u00e1metros del anillo. Durante la reasignaci\u00f3n de b\u00faferes RX, se crean nuevas asignaciones DMA para esos b\u00faferes. Los nuevos b\u00faferes con diferente n\u00famero de anillos RX deber\u00edan sustituir a los m\u00e1s antiguos, pero esos b\u00faferes se liberaron en ice_vsi_cfg_rxq y se reasignaron nuevamente con ice_alloc_rx_buf. kfree en rx_buf provoc\u00f3 una fuga de DMA ya mapeado. Reasigne ZC con la estructura xdp_buf, cuando se cargue el programa BPF. Reasigne nuevamente a rx_buf, cuando se descargue el programa BPF. Si se carga/descarga el programa BPF y se crean grupos XSK, reasigne las colas RX en consecuencia en el controlador XDP_SETUP_XSK_POOL. Pasos para la reproducci\u00f3n: while: do for ((i=0; i<=8160; i=i+32)) do ethtool -G enp130s0f0 rx $i tx $i sleep 0.5 ethtool -g enp130s0f0 done done"
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -3,11 +3,15 @@
|
||||
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"published": "2024-05-03T15:15:07.887",
|
||||
"lastModified": "2024-05-03T15:32:19.637",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: clean up hook list when offload flags check fails\n\nsplice back the hook list so nft_chain_release_hook() has a chance to\nrelease the hooks.\n\nBUG: memory leak\nunreferenced object 0xffff88810180b100 (size 96):\n comm \"syz-executor133\", pid 3619, jiffies 4294945714 (age 12.690s)\n hex dump (first 32 bytes):\n 28 64 23 02 81 88 ff ff 28 64 23 02 81 88 ff ff (d#.....(d#.....\n 90 a8 aa 83 ff ff ff ff 00 00 b5 0f 81 88 ff ff ................\n backtrace:\n [<ffffffff83a8c59b>] kmalloc include/linux/slab.h:600 [inline]\n [<ffffffff83a8c59b>] nft_netdev_hook_alloc+0x3b/0xc0 net/netfilter/nf_tables_api.c:1901\n [<ffffffff83a9239a>] nft_chain_parse_netdev net/netfilter/nf_tables_api.c:1998 [inline]\n [<ffffffff83a9239a>] nft_chain_parse_hook+0x33a/0x530 net/netfilter/nf_tables_api.c:2073\n [<ffffffff83a9b14b>] nf_tables_addchain.constprop.0+0x10b/0x950 net/netfilter/nf_tables_api.c:2218\n [<ffffffff83a9c41b>] nf_tables_newchain+0xa8b/0xc60 net/netfilter/nf_tables_api.c:2593\n [<ffffffff83a3d6a6>] nfnetlink_rcv_batch+0xa46/0xd20 net/netfilter/nfnetlink.c:517\n [<ffffffff83a3db79>] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:638 [inline]\n [<ffffffff83a3db79>] nfnetlink_rcv+0x1f9/0x220 net/netfilter/nfnetlink.c:656\n [<ffffffff83a13b17>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n [<ffffffff83a13b17>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n [<ffffffff83a13fd6>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n [<ffffffff83865ab6>] sock_sendmsg_nosec net/socket.c:714 [inline]\n [<ffffffff83865ab6>] sock_sendmsg+0x56/0x80 net/socket.c:734\n [<ffffffff8386601c>] ____sys_sendmsg+0x36c/0x390 net/socket.c:2482\n [<ffffffff8386a918>] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536\n [<ffffffff8386aaa8>] __sys_sendmsg+0x88/0x100 net/socket.c:2565\n [<ffffffff845e5955>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [<ffffffff845e5955>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nf_tables: limpia la lista de ganchos cuando falla la verificaci\u00f3n de indicadores de descarga, vuelve a unir la lista de ganchos para que nft_chain_release_hook() tenga la oportunidad de liberar los ganchos. ERROR: p\u00e9rdida de memoria objeto sin referencia 0xffff88810180b100 (tama\u00f1o 96): comunicaci\u00f3n \"syz-executor133\", pid 3619, jiffies 4294945714 (edad 12.690 s) volcado hexadecimal (primeros 32 bytes): 28 64 23 02 81 88 ff ff 28 64 02 81 88 ff ff (d#.....(d#..... 90 a8 aa 83 ff ff ff ff 00 00 b5 0f 81 88 ff ff ................ retroceso : [] kmalloc include/linux/slab.h:600 [en l\u00ednea] [] nft_netdev_hook_alloc+0x3b/0xc0 net/netfilter/nf_tables_api.c:1901 [] netdev net/netfilter/nf_tables_api. c:1998 [en l\u00ednea] [] nft_chain_parse_hook+0x33a/0x530 net/netfilter/nf_tables_api.c:2073 [] nf_tables_addchain.constprop.0+0x10b/0x950 f_tables_api.c:2218 [< ffffffff83a9c41b>] nf_tables_newchain+0xa8b/0xc60 net/netfilter/nf_tables_api.c:2593 [] nfnetlink_rcv_batch+0xa46/0xd20 net/netfilter/nfnetlink.c:517 [] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c: 638 [en l\u00ednea] [] nfnetlink_rcv+0x1f9/0x220 net/netfilter/nfnetlink.c:656 [] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [en l\u00ednea] [] emitir+0x397/ 0x4c0 net/netlink/af_netlink.c:1345 [] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921 [] sock_sendmsg_nosec net/socket.c:714 [en l\u00ednea] 65ab6>] sock_sendmsg+0x56/0x80 net/socket.c:734 [] ____sys_sendmsg+0x36c/0x390 net/socket.c:2482 [] ___sys_sendmsg+0xa8/0x110 36 [ ] __sys_sendmsg+0x88/0x100 net/socket.c:2565 [] do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] [] do_syscall_64+0x35/0xb0 arch/x86/ent ry/com\u00fan .c:80 [] entrada_SYSCALL_64_after_hwframe+0x63/0xcd"
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -3,11 +3,15 @@
|
||||
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"published": "2024-05-03T15:15:07.943",
|
||||
"lastModified": "2024-05-03T15:32:19.637",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srp: Set scmnd->result only when scmnd is not NULL\n\nThis change fixes the following kernel NULL pointer dereference\nwhich is reproduced by blktests srp/007 occasionally.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000170\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014\nWorkqueue: 0x0 (kblockd)\nRIP: 0010:srp_recv_done+0x176/0x500 [ib_srp]\nCode: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6 42 13 <41> 89 87 70 01 00 00 41 0f b6 52 12 f6 c2 02 74 44 41 8b 42 1c b9\nRSP: 0018:ffffaef7c0003e28 EFLAGS: 00000282\nRAX: 0000000000000000 RBX: ffff9bc9486dea60 RCX: 0000000000000000\nRDX: 0000000000000102 RSI: ffffffffb76bbd0e RDI: 00000000ffffffff\nRBP: ffff9bc980099a00 R08: 0000000000000001 R09: 0000000000000001\nR10: ffff9bca53ef0000 R11: ffff9bc980099a10 R12: ffff9bc956e14000\nR13: ffff9bc9836b9cb0 R14: ffff9bc9557b4480 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff9bc97ec00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000170 CR3: 0000000007e04000 CR4: 00000000000006f0\nCall Trace:\n <IRQ>\n __ib_process_cq+0xb7/0x280 [ib_core]\n ib_poll_handler+0x2b/0x130 [ib_core]\n irq_poll_softirq+0x93/0x150\n __do_softirq+0xee/0x4b8\n irq_exit_rcu+0xf7/0x130\n sysvec_apic_timer_interrupt+0x8e/0xc0\n </IRQ>"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: RDMA/srp: establezca scmnd->result solo cuando scmnd no sea NULL. Este cambio corrige la siguiente desreferencia del puntero NULL del kernel que blktests srp/007 reproduce ocasionalmente. ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 00000000000000170 PGD 0 P4D 0 Ups: 0002 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 9 Comm: kworker/0:1H Kdump: cargado No contaminado 6.0.0-rc1+ #37 Hardware nombre: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 01/04/2014 Cola de trabajo: 0x0 (kblockd) RIP: 0010:srp_recv_done+0x176/0x500 [ ib_srp] C\u00f3digo: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6 2 13 <41> 89 87 70 01 00 00 41 0f b6 52 12 f6 c2 02 74 44 41 8b 42 1c b9 RSP: 0018:ffffaef7c0003e28 EFLAGS: 00000282 RAX: 0000000000000000 RBX: ffff9bc94 86dea60 RCX: 0000000000000000 RDX: 00000000000000102 RSI: ffffffffb76bbd0e RDI: 00000000ffffffff RBP: ffff9bc980099a00 R08 : 0000000000000001 R09: 0000000000000001 R10: ffff9bca53ef0000 R11: ffff9bc980099a10 R12: ffff9bc956e14000 R13: ffff9bc9836b9cb0 R14: 4480 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff9bc97ec00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 080050033 CR2: 0000000000000170 CR3: 0000000007e04000 CR4: 00000000000006f0 Seguimiento de llamadas: __ib_process_cq+0xb7/0x280 [ib_core] ib_poll_handler+0x2b/0x130 [ib_core] q+0x93/0x150 __do_softirq+0xee/0x4b8 irq_exit_rcu+0xf7/0x130 sysvec_apic_timer_interrupt+0x8e/ 0xc0"
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -3,11 +3,15 @@
|
||||
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"published": "2024-05-03T15:15:07.990",
|
||||
"lastModified": "2024-05-03T15:32:19.637",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs\n\nIn brcmstb_pm_probe(), there are two kinds of leak bugs:\n\n(1) we need to add of_node_put() when for_each__matching_node() breaks\n(2) we need to add iounmap() for each iomap in fail path"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: soc: brcmstb: pm-arm: corrige los errores de fuga de refcount y __iomem En brcmstb_pm_probe(), hay dos tipos de errores de fuga: (1) necesitamos agregar of_node_put() cuando for_each__matching_node() se rompe (2) necesitamos agregar iounmap() para cada iomap en la ruta de error"
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -3,11 +3,15 @@
|
||||
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"published": "2024-05-03T15:15:08.040",
|
||||
"lastModified": "2024-05-03T15:32:19.637",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix drain SQ hang with no completion\n\nSW generated completions for outstanding WRs posted on SQ\nafter QP is in error target the wrong CQ. This causes the\nib_drain_sq to hang with no completion.\n\nFix this to generate completions on the right CQ.\n\n[ 863.969340] INFO: task kworker/u52:2:671 blocked for more than 122 seconds.\n[ 863.979224] Not tainted 5.14.0-130.el9.x86_64 #1\n[ 863.986588] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 863.996997] task:kworker/u52:2 state:D stack: 0 pid: 671 ppid: 2 flags:0x00004000\n[ 864.007272] Workqueue: xprtiod xprt_autoclose [sunrpc]\n[ 864.014056] Call Trace:\n[ 864.017575] __schedule+0x206/0x580\n[ 864.022296] schedule+0x43/0xa0\n[ 864.026736] schedule_timeout+0x115/0x150\n[ 864.032185] __wait_for_common+0x93/0x1d0\n[ 864.037717] ? usleep_range_state+0x90/0x90\n[ 864.043368] __ib_drain_sq+0xf6/0x170 [ib_core]\n[ 864.049371] ? __rdma_block_iter_next+0x80/0x80 [ib_core]\n[ 864.056240] ib_drain_sq+0x66/0x70 [ib_core]\n[ 864.062003] rpcrdma_xprt_disconnect+0x82/0x3b0 [rpcrdma]\n[ 864.069365] ? xprt_prepare_transmit+0x5d/0xc0 [sunrpc]\n[ 864.076386] xprt_rdma_close+0xe/0x30 [rpcrdma]\n[ 864.082593] xprt_autoclose+0x52/0x100 [sunrpc]\n[ 864.088718] process_one_work+0x1e8/0x3c0\n[ 864.094170] worker_thread+0x50/0x3b0\n[ 864.099109] ? rescuer_thread+0x370/0x370\n[ 864.104473] kthread+0x149/0x170\n[ 864.109022] ? set_kthread_struct+0x40/0x40\n[ 864.114713] ret_from_fork+0x22/0x30"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: RDMA/irdma: corrige el drenaje de SQ que se bloquea sin completarse. Las finalizaciones generadas por SW para los WR pendientes publicados en SQ despu\u00e9s de que QP tiene un error apuntan al CQ incorrecto. Esto hace que ib_drain_sq se cuelgue sin completarse. Solucione este problema para generar terminaciones en el CQ derecho. [863.969340] INFORMACI\u00d3N: tarea kworker/u52:2:671 bloqueada durante m\u00e1s de 122 segundos. [863.979224] No contaminado 5.14.0-130.el9.x86_64 #1 [863.986588] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" desactiva este mensaje. [863.996997] tarea:kworker/u52:2 estado:D pila: 0 pid: 671 ppid: 2 banderas:0x00004000 [864.007272] Cola de trabajo: xprtiod xprt_autoclose [sunrpc] [864.014056] Seguimiento de llamadas: [864.017575] regla+0x206/0x580 [ 864.022296] programaci\u00f3n+0x43/0xa0 [ 864.026736] programaci\u00f3n_timeout+0x115/0x150 [ 864.032185] __wait_for_common+0x93/0x1d0 [ 864.037717] ? usleep_range_state+0x90/0x90 [864.043368] __ib_drain_sq+0xf6/0x170 [ib_core] [864.049371] ? __rdma_block_iter_next+0x80/0x80 [ib_core] [ 864.056240] ib_drain_sq+0x66/0x70 [ib_core] [ 864.062003] rpcrdma_xprt_disconnect+0x82/0x3b0 [rpcrdma] [ 864.069365] ? xprt_prepare_transmit+0x5d/0xc0 [sunrpc] [ 864.076386] xprt_rdma_close+0xe/0x30 [rpcrdma] [ 864.082593] xprt_autoclose+0x52/0x100 [sunrpc] [ 864.088718] x3c0 [864.094170] hilo_trabajador+0x50/0x3b0 [864.099109]? hilo_rescate+0x370/0x370 [ 864.104473] kthread+0x149/0x170 [ 864.109022] ? set_kthread_struct+0x40/0x40 [864.114713] ret_from_fork+0x22/0x30"
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix use-after-free warning\n\nFix the following use-after-free warning which is observed during\ncontroller reset:\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: mpt3sas: Corrija la advertencia de use-after-free. Corrija la siguiente advertencia de use-after-free que se observa durante el reinicio del controlador: refcount_t: underflow; use-after-free. ADVERTENCIA: CPU: 23 PID: 5399 en lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0"
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: spi: Reserve space for register address/padding\n\nCurrently the max_raw_read and max_raw_write limits in regmap_spi struct\ndo not take into account the additional size of the transmitted register\naddress and padding. This may result in exceeding the maximum permitted\nSPI message size, which could cause undefined behaviour, e.g. data\ncorruption.\n\nFix regmap_get_spi_bus() to properly adjust the above mentioned limits\nby reserving space for the register address/padding as set in the regmap\nconfiguration."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: regmap: spi: reserva de espacio para direcci\u00f3n/relleno de registro Actualmente, los l\u00edmites max_raw_read y max_raw_write en la estructura regmap_spi no tienen en cuenta el tama\u00f1o adicional de la direcci\u00f3n de registro transmitida y el relleno. Esto puede dar como resultado que se exceda el tama\u00f1o de mensaje SPI m\u00e1ximo permitido, lo que podr\u00eda causar un comportamiento indefinido, por ejemplo, corrupci\u00f3n de datos. Corrija regmap_get_spi_bus() para ajustar adecuadamente los l\u00edmites mencionados anteriormente reservando espacio para la direcci\u00f3n/relleno del registro como se establece en la configuraci\u00f3n de regmap."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a use-after-free\n\nFix the following use-after-free complaint triggered by blktests nvme/004:\n\nBUG: KASAN: user-memory-access in blk_mq_complete_request_remote+0xac/0x350\nRead of size 4 at addr 0000607bd1835943 by task kworker/13:1/460\nWorkqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]\nCall Trace:\n show_stack+0x52/0x58\n dump_stack_lvl+0x49/0x5e\n print_report.cold+0x36/0x1e2\n kasan_report+0xb9/0xf0\n __asan_load4+0x6b/0x80\n blk_mq_complete_request_remote+0xac/0x350\n nvme_loop_queue_response+0x1df/0x275 [nvme_loop]\n __nvmet_req_complete+0x132/0x4f0 [nvmet]\n nvmet_req_complete+0x15/0x40 [nvmet]\n nvmet_execute_io_connect+0x18a/0x1f0 [nvmet]\n nvme_loop_execute_work+0x20/0x30 [nvme_loop]\n process_one_work+0x56e/0xa70\n worker_thread+0x2d1/0x640\n kthread+0x183/0x1c0\n ret_from_fork+0x1f/0x30"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nvmet: corrige un use-after-free. Solucione la siguiente queja de use-after-free activada por blktests nvme/004: ERROR: KASAN: acceso a la memoria del usuario en blk_mq_complete_request_remote+0xac /0x350 Lectura de tama\u00f1o 4 en la direcci\u00f3n 0000607bd1835943 por tarea kworker/13:1/460 Cola de trabajo: nvmet-wq nvme_loop_execute_work [nvme_loop] Seguimiento de llamadas: show_stack+0x52/0x58 dump_stack_lvl+0x49/0x5e /0x1e2 informe_kasan+0xb9 /0xf0 __asan_load4+0x6b/0x80 blk_mq_complete_request_remote+0xac/0x350 nvme_loop_queue_response+0x1df/0x275 [nvme_loop] __nvmet_req_complete+0x132/0x4f0 [nvmet_req_complete+0x15/0x 40 [nvmet] nvmet_execute_io_connect+0x18a/0x1f0 [nvmet] nvme_loop_execute_work+0x20/0x30 [ nvme_loop] proceso_one_work+0x56e/0xa70 trabajador_thread+0x2d1/0x640 kthread+0x183/0x1c0 ret_from_fork+0x1f/0x30"
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix memory leak when using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. Fix this up by properly\ncalling dput()."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: soluciona la p\u00e9rdida de memoria al usar debugfs_lookup() Al llamar a debugfs_lookup(), el resultado debe tener llamado dput(); de lo contrario, la memoria se perder\u00e1 con el tiempo. Solucione este problema llamando correctamente a dput()."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/debug: fix dentry leak in update_sched_domain_debugfs\n\nKuyo reports that the pattern of using debugfs_remove(debugfs_lookup())\nleaks a dentry and with a hotplug stress test, the machine eventually\nruns out of memory.\n\nFix this up by using the newly created debugfs_lookup_and_remove() call\ninstead which properly handles the dentry reference counting logic."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sched/debug: corrige la fuga de dentry en update_sched_domain_debugfs Kuyo informa que el patr\u00f3n de uso de debugfs_remove(debugfs_lookup()) pierde un dentry y con una prueba de estr\u00e9s de conexi\u00f3n en caliente, la m\u00e1quina eventualmente se queda sin memoria. Solucione este problema utilizando la llamada debugfs_lookup_and_remove() reci\u00e9n creada, que maneja adecuadamente la l\u00f3gica de conteo de referencias de dentry."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/type1: Unpin zero pages\n\nThere's currently a reference count leak on the zero page. We increment\nthe reference via pin_user_pages_remote(), but the page is later handled\nas an invalid/reserved page, therefore it's not accounted against the\nuser and not unpinned by our put_pfn().\n\nIntroducing special zero page handling in put_pfn() would resolve the\nleak, but without accounting of the zero page, a single user could\nstill create enough mappings to generate a reference count overflow.\n\nThe zero page is always resident, so for our purposes there's no reason\nto keep it pinned. Therefore, add a loop to walk pages returned from\npin_user_pages_remote() and unpin any zero pages."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: vfio/type1: Desanclar p\u00e1ginas cero Actualmente hay una p\u00e9rdida de recuento de referencias en la p\u00e1gina cero. Incrementamos la referencia a trav\u00e9s de pin_user_pages_remote(), pero la p\u00e1gina luego se maneja como una p\u00e1gina no v\u00e1lida/reservada, por lo tanto, no se contabiliza contra el usuario y nuestro put_pfn() no la desancla. Introducir un manejo especial de la p\u00e1gina cero en put_pfn() resolver\u00eda la fuga, pero sin tener en cuenta la p\u00e1gina cero, un solo usuario a\u00fan podr\u00eda crear suficientes asignaciones para generar un desbordamiento del recuento de referencias. La p\u00e1gina cero siempre es residente, por lo que para nuestros prop\u00f3sitos no hay motivo para mantenerla fijada. Por lo tanto, agregue un bucle para recorrer las p\u00e1ginas devueltas desde pin_user_pages_remote() y desanclar las p\u00e1ginas cero."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()\n\nThere may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and\nthe number of it's interfaces less than 4, an out-of-bounds read bug occurs\nwhen parsing the interface descriptor for this device.\n\nFix this by checking the number of interfaces."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: usb-audio: corrige un error fuera de los l\u00edmites en __snd_usb_parse_audio_interface() Puede haber un dispositivo de audio USB defectuoso con una ID de USB de (0x04fa, 0x4201) y el Si el n\u00famero de interfaces es inferior a 4, se produce un error de lectura fuera de l\u00edmites al analizar el descriptor de interfaz para este dispositivo. Solucione este problema verificando la cantidad de interfaces."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()\n\nThe voice allocator sometimes begins allocating from near the end of the\narray and then wraps around, however snd_emu10k1_pcm_channel_alloc()\naccesses the newly allocated voices as if it never wrapped around.\n\nThis results in out of bounds access if the first voice has a high enough\nindex so that first_voice + requested_voice_count > NUM_G (64).\nThe more voices are requested, the more likely it is for this to occur.\n\nThis was initially discovered using PipeWire, however it can be reproduced\nby calling aplay multiple times with 16 channels:\naplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero\n\nUBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40\nindex 65 is out of range for type 'snd_emu10k1_voice [64]'\nCPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7\nHardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010\nCall Trace:\n<TASK>\ndump_stack_lvl+0x49/0x63\ndump_stack+0x10/0x16\nubsan_epilogue+0x9/0x3f\n__ubsan_handle_out_of_bounds.cold+0x44/0x49\nsnd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]\nsnd_pcm_hw_params+0x29f/0x600 [snd_pcm]\nsnd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]\n? exit_to_user_mode_prepare+0x35/0x170\n? do_syscall_64+0x69/0x90\n? syscall_exit_to_user_mode+0x26/0x50\n? do_syscall_64+0x69/0x90\n? exit_to_user_mode_prepare+0x35/0x170\nsnd_pcm_ioctl+0x27/0x40 [snd_pcm]\n__x64_sys_ioctl+0x95/0xd0\ndo_syscall_64+0x5c/0x90\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ALSA: emu10k1: corrige el acceso fuera de los l\u00edmites en snd_emu10k1_pcm_channel_alloc() El asignador de voz a veces comienza a asignar desde cerca del final de la matriz y luego regresa, sin embargo, snd_emu10k1_pcm_channel_alloc() accede al nuevo asign\u00f3 voces como si nunca hubiera terminado. Esto da como resultado un acceso fuera de los l\u00edmites si la primera voz tiene un \u00edndice lo suficientemente alto como para que primera_voz + recuento_de_voces_solicitadas > NUM_G (64). Cuantas m\u00e1s voces se soliciten, m\u00e1s probabilidades habr\u00e1 de que esto ocurra. Esto se descubri\u00f3 inicialmente usando PipeWire, sin embargo, se puede reproducir llamando a aplay varias veces con 16 canales: aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero UBSAN: array-index-out -of-bounds en sound/pci/emu10k1/emupcm.c:127:40 el \u00edndice 65 est\u00e1 fuera de rango para el tipo 'snd_emu10k1_voice [64]' CPU: 1 PID: 31977 Comm: aplay Contaminado: GW IOE 6.0.0-rc2 -emu10k1+ #7 Nombre del hardware: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 22/07/2010 Seguimiento de llamadas: dump_stack_lvl+0x49/0x63 dump_stack+0x10/0x16 ubsan_epilogue+0x9/0x3f __ubsan_handle_out_of_bounds.cold + 0x44/0x49 snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1] snd_pcm_hw_params+0x29f/0x600 [snd_pcm] snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm] ? exit_to_user_mode_prepare+0x35/0x170? do_syscall_64+0x69/0x90? syscall_exit_to_user_mode+0x26/0x50? do_syscall_64+0x69/0x90? exit_to_user_mode_prepare+0x35/0x170 snd_pcm_ioctl+0x27/0x40 [snd_pcm] __x64_sys_ioctl+0x95/0xd0 do_syscall_64+0x5c/0x90 ? do_syscall_64+0x69/0x90? do_syscall_64+0x69/0x90 entrada_SYSCALL_64_after_hwframe+0x63/0xcd"
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR\n\nIn some case, the GDDV returns a package with a buffer which has\nzero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10).\n\nThen the data_vault_read() got NULL point dereference problem when\naccessing the 0x10 value in data_vault.\n\n[ 71.024560] BUG: kernel NULL pointer dereference, address:\n0000000000000010\n\nThis patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or\nNULL value in data_vault."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Thermal/int340x_thermal: maneja data_vault cuando el valor es ZERO_SIZE_PTR. En algunos casos, el GDDV devuelve un paquete con un buffer que tiene longitud cero. Provoca que kmemdup() devuelva ZERO_SIZE_PTR (0x10). Luego, data_vault_read() tuvo un problema de desreferencia de punto NULL al acceder al valor 0x10 en data_vault. [71.024560] ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 00000000000000010 Este parche usa ZERO_OR_NULL_PTR() para verificar ZERO_SIZE_PTR o el valor NULL en data_vault."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: add a force flush to delay work when radeon\n\nAlthough radeon card fence and wait for gpu to finish processing current batch rings,\nthere is still a corner case that radeon lockup work queue may not be fully flushed,\nand meanwhile the radeon_suspend_kms() function has called pci_set_power_state() to\nput device in D3hot state.\nPer PCI spec rev 4.0 on 5.3.1.4.1 D3hot State.\n> Configuration and Message requests are the only TLPs accepted by a Function in\n> the D3hot state. All other received Requests must be handled as Unsupported Requests,\n> and all received Completions may optionally be handled as Unexpected Completions.\nThis issue will happen in following logs:\nUnable to handle kernel paging request at virtual address 00008800e0008010\nCPU 0 kworker/0:3(131): Oops 0\npc = [<ffffffff811bea5c>] ra = [<ffffffff81240844>] ps = 0000 Tainted: G W\npc is at si_gpu_check_soft_reset+0x3c/0x240\nra is at si_dma_is_lockup+0x34/0xd0\nv0 = 0000000000000000 t0 = fff08800e0008010 t1 = 0000000000010000\nt2 = 0000000000008010 t3 = fff00007e3c00000 t4 = fff00007e3c00258\nt5 = 000000000000ffff t6 = 0000000000000001 t7 = fff00007ef078000\ns0 = fff00007e3c016e8 s1 = fff00007e3c00000 s2 = fff00007e3c00018\ns3 = fff00007e3c00000 s4 = fff00007fff59d80 s5 = 0000000000000000\ns6 = fff00007ef07bd98\na0 = fff00007e3c00000 a1 = fff00007e3c016e8 a2 = 0000000000000008\na3 = 0000000000000001 a4 = 8f5c28f5c28f5c29 a5 = ffffffff810f4338\nt8 = 0000000000000275 t9 = ffffffff809b66f8 t10 = ff6769c5d964b800\nt11= 000000000000b886 pv = ffffffff811bea20 at = 0000000000000000\ngp = ffffffff81d89690 sp = 00000000aa814126\nDisabling lock debugging due to kernel taint\nTrace:\n[<ffffffff81240844>] si_dma_is_lockup+0x34/0xd0\n[<ffffffff81119610>] radeon_fence_check_lockup+0xd0/0x290\n[<ffffffff80977010>] process_one_work+0x280/0x550\n[<ffffffff80977350>] worker_thread+0x70/0x7c0\n[<ffffffff80977410>] worker_thread+0x130/0x7c0\n[<ffffffff80982040>] kthread+0x200/0x210\n[<ffffffff809772e0>] worker_thread+0x0/0x7c0\n[<ffffffff80981f8c>] kthread+0x14c/0x210\n[<ffffffff80911658>] ret_from_kernel_thread+0x18/0x20\n[<ffffffff80981e40>] kthread+0x0/0x210\n Code: ad3e0008 43f0074a ad7e0018 ad9e0020 8c3001e8 40230101\n <88210000> 4821ed21\nSo force lockup work queue flush to fix this problem."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/radeon: agregue un vaciado forzado para retrasar el trabajo cuando radeon. Aunque la tarjeta radeon protege y espera a que la gpu termine de procesar los anillos de lotes actuales, todav\u00eda existe un caso de esquina en el que el bloqueo de radeon funciona. Es posible que la cola no se haya vaciado por completo y, mientras tanto, la funci\u00f3n radeon_suspend_kms() ha llamado a pci_set_power_state() para poner el dispositivo en estado D3hot. Seg\u00fan la especificaci\u00f3n PCI rev 4.0 en 5.3.1.4.1 D3hot State. > Las solicitudes de configuraci\u00f3n y mensajes son los \u00fanicos TLP aceptados por una funci\u00f3n en > el estado D3hot. Todas las dem\u00e1s Solicitudes recibidas deben manejarse como Solicitudes no admitidas y todas las Finalizaciones recibidas pueden, opcionalmente, manejarse como Finalizaciones inesperadas. Este problema ocurrir\u00e1 en los siguientes registros: No se puede manejar la solicitud de paginaci\u00f3n del kernel en la direcci\u00f3n virtual 00008800e0008010 CPU 0 kworker/0:3(131): Ups 0 pc = [] ra = [] ps = 0000 Contaminado: GW pc est\u00e1 en si_gpu_check_soft_reset+0x3c/0x240 ra est\u00e1 en si_dma_is_lockup+0x34/0xd0 v0 = 0000000000000000 t0 = fff08800e0008010 t1 = 000000000010000 t2 = 000000000000 8010 t3 = fff00007e3c00000 t4 = fff00007e3c00258 t5 = 000000000000ffff t6 = 0000000000000001 t7 = fff00007ef078000 s0 = fff00007e3c016e8 s1 = fff0000 7e3c00000 s2 = fff00007e3c00018 s3 = fff00007e3c00000 s4 = fff00007fff59d80 s5 = 0000000000000000 s6 = fff00007ef07bd98 a0 = fff00007e3c00000 a1 = fff00007 e3c016e8 a2 = 0000000000000008 a3 = 0000000000000001 a4 = 8f5c28f5c28f5c29 a5 = ffffffff810f4338 t8 = 0000000000000275 t9 = ffffffff809b66f8 ff6769c5d964b800 t11= 000000000000b886 pv = ffffffff811bea20 en = 0000000000000000 gp = ffffffff81d89690 sp = 00000000aa814126 Deshabilitando la depuraci\u00f3n de bloqueo debido a corrupci\u00f3n del kernel Seguimiento: [] si_dma_is_lockup+0x34/0xd0 [] _check_lockup+0xd0/0x290 [] proceso_one_work+0x280/0x550 [ ] hilo_trabajador+0x70/0x7c0 [] hilo_trabajador+0x130/0x7c0 [] kthread+0x200/0x210 [] hilo_trabajador+0x0/0x7c0 [] kthread+0x14c/0x210 [ ] ret_from_kernel_thread+0x18/0x20 [] kthread+0x0/0x210 C\u00f3digo: ad3e0008 43f0074a ad7e0018 ad9e0020 8c3001e8 40230101 <88210000> 4821ed21 Entonces forzar el bloqueo vaciar la cola de trabajo para solucionar este problema."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
@ -8,6 +8,10 @@
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921e: fix crash in chip reset fail\n\nIn case of drv own fail in reset, we may need to run mac_reset several\ntimes. The sequence would trigger system crash as the log below.\n\nBecause we do not re-enable/schedule \"tx_napi\" before disable it again,\nthe process would keep waiting for state change in napi_diable(). To\navoid the problem and keep status synchronize for each run, goto final\nresource handling if drv own failed.\n\n[ 5857.353423] mt7921e 0000:3b:00.0: driver own failed\n[ 5858.433427] mt7921e 0000:3b:00.0: Timeout for driver own\n[ 5859.633430] mt7921e 0000:3b:00.0: driver own failed\n[ 5859.633444] ------------[ cut here ]------------\n[ 5859.633446] WARNING: CPU: 6 at kernel/kthread.c:659 kthread_park+0x11d\n[ 5859.633717] Workqueue: mt76 mt7921_mac_reset_work [mt7921_common]\n[ 5859.633728] RIP: 0010:kthread_park+0x11d/0x150\n[ 5859.633736] RSP: 0018:ffff8881b676fc68 EFLAGS: 00010202\n......\n[ 5859.633766] Call Trace:\n[ 5859.633768] <TASK>\n[ 5859.633771] mt7921e_mac_reset+0x176/0x6f0 [mt7921e]\n[ 5859.633778] mt7921_mac_reset_work+0x184/0x3a0 [mt7921_common]\n[ 5859.633785] ? mt7921_mac_set_timing+0x520/0x520 [mt7921_common]\n[ 5859.633794] ? __kasan_check_read+0x11/0x20\n[ 5859.633802] process_one_work+0x7ee/0x1320\n[ 5859.633810] worker_thread+0x53c/0x1240\n[ 5859.633818] kthread+0x2b8/0x370\n[ 5859.633824] ? process_one_work+0x1320/0x1320\n[ 5859.633828] ? kthread_complete_and_exit+0x30/0x30\n[ 5859.633834] ret_from_fork+0x1f/0x30\n[ 5859.633842] </TASK>"
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: mt76: mt7921e: reparaci\u00f3n del fallo en el reinicio del chip. En caso de que el propio drv falle en el reinicio, es posible que necesitemos ejecutar mac_reset varias veces. La secuencia provocar\u00eda un fallo del sistema como se muestra en el siguiente registro. Debido a que no volvemos a habilitar/programar \"tx_napi\" antes de deshabilitarlo nuevamente, el proceso seguir\u00e1 esperando el cambio de estado en napi_diable(). Para evitar el problema y mantener el estado sincronizado para cada ejecuci\u00f3n, vaya al manejo de recursos finales si el propio drv falla. [ 5857.353423] mt7921e 0000:3b:00.0: el controlador propio fall\u00f3 [ 5858.433427] mt7921e 0000:3b:00.0: Tiempo de espera para el controlador propio [ 5859.633430] mt7921e 0000:3b:00.0: el controlador propio fall\u00f3 [ 5859. 633444] ------- -----[ cortar aqu\u00ed ]------------ [ 5859.633446] ADVERTENCIA: CPU: 6 en kernel/kthread.c:659 kthread_park+0x11d [ 5859.633717] Cola de trabajo: mt76 mt7921_mac_reset_work [mt7921_common] [ 5859.633728] RIP: 0010:kthread_park+0x11d/0x150 [ 5859.633736] RSP: 0018:ffff8881b676fc68 EFLAGS: 00010202 ...... [ 5859.633766] Seguimiento de llamadas: [ 5859.633768 ] [ 5859.633771] mt7921e_mac_reset+0x176/0x6f0 [ mt7921e] [5859.633778] mt7921_mac_reset_work+0x184/0x3a0 [mt7921_common] [5859.633785]? mt7921_mac_set_timing+0x520/0x520 [mt7921_common] [5859.633794]? __kasan_check_read+0x11/0x20 [ 5859.633802] proceso_one_work+0x7ee/0x1320 [ 5859.633810] trabajador_thread+0x53c/0x1240 [ 5859.633818] kthread+0x2b8/0x370 [ 5859.633824] ? proceso_one_work+0x1320/0x1320 [5859.633828]? kthread_complete_and_exit+0x30/0x30 [ 5859.633834] ret_from_fork+0x1f/0x30 [ 5859.633842] "
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
x
Reference in New Issue
Block a user