| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
A bad USB device is able to construct a service connection response
message with target endpoint being ENDPOINT0 which is reserved for
HTC_CTRL_RSVD_SVC and should not be modified to be used for any other
services.
Reject such service connection responses.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller. |
| In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix amdgpu_irq_put call trace in gmc_v10_0_hw_fini
The gmc.ecc_irq is enabled by firmware per IFWI setting,
and the host driver is not privileged to enable/disable
the interrupt. So, it is meaningless to use the amdgpu_irq_put
function in gmc_v10_0_hw_fini, which also leads to the call
trace.
[ 82.340264] Call Trace:
[ 82.340265] <TASK>
[ 82.340269] gmc_v10_0_hw_fini+0x83/0xa0 [amdgpu]
[ 82.340447] gmc_v10_0_suspend+0xe/0x20 [amdgpu]
[ 82.340623] amdgpu_device_ip_suspend_phase2+0x127/0x1c0 [amdgpu]
[ 82.340789] amdgpu_device_ip_suspend+0x3d/0x80 [amdgpu]
[ 82.340955] amdgpu_device_pre_asic_reset+0xdd/0x2b0 [amdgpu]
[ 82.341122] amdgpu_device_gpu_recover.cold+0x4dd/0xbb2 [amdgpu]
[ 82.341359] amdgpu_debugfs_reset_work+0x4c/0x70 [amdgpu]
[ 82.341529] process_one_work+0x21d/0x3f0
[ 82.341535] worker_thread+0x1fa/0x3c0
[ 82.341538] ? process_one_work+0x3f0/0x3f0
[ 82.341540] kthread+0xff/0x130
[ 82.341544] ? kthread_complete_and_exit+0x20/0x20
[ 82.341547] ret_from_fork+0x22/0x30 |
| Permission control vulnerability in the file management module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| Identity authentication bypass vulnerability in the Gallery app.
Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| Permission control vulnerability in the file management module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| Permission control vulnerability in the Settings module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| Configuration defect vulnerability in the file management module.
Impact: Successful exploitation of this vulnerability may affect app data confidentiality and integrity. |
| Denial of service (DoS) vulnerability in the office service.
Impact: Successful exploitation of this vulnerability may affect availability. |
| Permission control vulnerability in the Notepad module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| DoS vulnerability in the video-related system service module.
Impact: Successful exploitation of this vulnerability may affect availability. |
| Permission control vulnerability in the Wi-Fi module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| Permission control vulnerability in the App Lock module.
Impact: Successful exploitation of this vulnerability may affect availability. |
| Permission control vulnerability in the startup recovery module.
Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. |
| Permission control vulnerability in the print module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed |
| Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. |
| Artemis Java Test Sandbox versions less than 1.7.6 are vulnerable to a sandbox escape when an attacker crafts a special subclass of InvocationTargetException. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code. |
| Artemis Java Test Sandbox versions before 1.8.0 are vulnerable to a sandbox escape when an attacker includes class files in a package that Ares trusts. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code. |
| The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an authenticated file disclosure vulnerability. A remote and authenticated attacker can read arbitrary system files using the svpn_html/loadfile.php endpoint. This issue is exploitable by a remote and unauthenticated attacker when paired with CVE-2023-30803. |
| In the Linux kernel, the following vulnerability has been resolved:
rcutorture: Fix ksoftirqd boosting timing and iteration
The RCU priority boosting can fail in two situations:
1) If (nr_cpus= > maxcpus=), which means if the total number of CPUs
is higher than those brought online at boot, then torture_onoff() may
later bring up CPUs that weren't online on boot. Now since rcutorture
initialization only boosts the ksoftirqds of the CPUs that have been
set online on boot, the CPUs later set online by torture_onoff won't
benefit from the boost, making RCU priority boosting fail.
2) The ksoftirqd kthreads are boosted after the creation of
rcu_torture_boost() kthreads, which opens a window large enough for these
rcu_torture_boost() kthreads to wait (despite running at FIFO priority)
for ksoftirqds that are still running at SCHED_NORMAL priority.
The issues can trigger for example with:
./kvm.sh --configs TREE01 --kconfig "CONFIG_RCU_BOOST=y"
[ 34.968561] rcu-torture: !!!
[ 34.968627] ------------[ cut here ]------------
[ 35.014054] WARNING: CPU: 4 PID: 114 at kernel/rcu/rcutorture.c:1979 rcu_torture_stats_print+0x5ad/0x610
[ 35.052043] Modules linked in:
[ 35.069138] CPU: 4 PID: 114 Comm: rcu_torture_sta Not tainted 5.18.0-rc1 #1
[ 35.096424] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
[ 35.154570] RIP: 0010:rcu_torture_stats_print+0x5ad/0x610
[ 35.198527] Code: 63 1b 02 00 74 02 0f 0b 48 83 3d 35 63 1b 02 00 74 02 0f 0b 48 83 3d 21 63 1b 02 00 74 02 0f 0b 48 83 3d 0d 63 1b 02 00 74 02 <0f> 0b 83 eb 01 0f 8e ba fc ff ff 0f 0b e9 b3 fc ff f82
[ 37.251049] RSP: 0000:ffffa92a0050bdf8 EFLAGS: 00010202
[ 37.277320] rcu: De-offloading 8
[ 37.290367] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000001
[ 37.290387] RDX: 0000000000000000 RSI: 00000000ffffbfff RDI: 00000000ffffffff
[ 37.290398] RBP: 000000000000007b R08: 0000000000000000 R09: c0000000ffffbfff
[ 37.290407] R10: 000000000000002a R11: ffffa92a0050bc18 R12: ffffa92a0050be20
[ 37.290417] R13: ffffa92a0050be78 R14: 0000000000000000 R15: 000000000001bea0
[ 37.290427] FS: 0000000000000000(0000) GS:ffff96045eb00000(0000) knlGS:0000000000000000
[ 37.290448] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.290460] CR2: 0000000000000000 CR3: 000000001dc0c000 CR4: 00000000000006e0
[ 37.290470] Call Trace:
[ 37.295049] <TASK>
[ 37.295065] ? preempt_count_add+0x63/0x90
[ 37.295095] ? _raw_spin_lock_irqsave+0x12/0x40
[ 37.295125] ? rcu_torture_stats_print+0x610/0x610
[ 37.295143] rcu_torture_stats+0x29/0x70
[ 37.295160] kthread+0xe3/0x110
[ 37.295176] ? kthread_complete_and_exit+0x20/0x20
[ 37.295193] ret_from_fork+0x22/0x30
[ 37.295218] </TASK>
Fix this with boosting the ksoftirqds kthreads from the boosting
hotplug callback itself and before the boosting kthreads are created. |
