A Denial of Service vulnerability exists in jhead 3.04 and 3.05 due to a wild address read in the Get16u function in exif.c in will cause segmentation fault via a crafted_file.

Description of problem:

Multiple Segmentation fault in jhead via a crafted jpg file

Version-Release number of selected component (if applicable):

I tested the following version:  
Jhead version: 3.05  
Jhead version: 3.04

How reproducible:

git clone --depth=1 https://github.com/Matthias-Wandel/jhead.git && cd jhead && make CC="clang" -e CFLAGS="-g -fsanitize=address" -e LDFLAGS="-g -fsanitize=address"

Steps to Reproduce:  
1.just run the following command

Segmentation fault in ProcessCanonMakerNoteDir

    ./jhead -v ./tests_61418.jpg
    

Segmentation fault in Get16u

    ./jhead -v ./tests_61761.jpg
    

Segmentation fault in Get32s

    ./jhead -v ./tests_61763.jpg
    

poc：  
jhead-multi-seg.zip

They are all because of wild-addr-read.

Actual results:

Segmentation fault in ProcessCanonMakerNoteDir

    $ ./jhead -v ./tests_61418.jpg
    Exif header 7166 bytes long
    Exif section in Intel order
    (dir has 9 entries)
        Make = "Canon"
        Model = "Canon DIGITAL IXUS?"
        Orientation = 1
        XResolution = 180/1
        YResolution = 180/1
        ResolutionUnit = 2
        DateTime = "2001:06:09 15:17:32"
        YCbCrPositioning = 1
        ExifOffset = 184
        Exif Dir:(dir has 27 entries)
            ExposureTime = 1/350
            FNumber = 40/10
            ExifVersion = "0210"
            DateTimeOriginal = "2001:06:09 15:17:32"
            DateTimeDigitized = "2001:06:09 15:17:32"
            ComponentsConfiguration = "?"
            CompressedBitsPerPixel = 3/1
            ShutterSpeedValue = 553859/65536
            ApertureValue = 262144/65536
            ExposureBiasValue = 0/3
            MaxApertureValue = 194698/65536
            SubjectDistance = 3750/1000
            MeteringMode = 2
            Flash = 0
            FocalLength = 346/32
            Maker note: (dir has 10 entries)
                Canon maker tag 0001 Value = 0, 1024, 6, 0, 9728, 512, 0, 768, 256, 0, 0, 256, 0, 256, 512, 256, ...
                Canon maker tag 0002 Value = 0, 0, 0, 256
                Canon maker tag 0003 Value = 512, 23040, 54017, 40448
                Canon maker tag 0004 Value = 0, 0, 0, 0, 7680, 0, 35840, 512, 32769, 3584, 1, 0, 0, 256, 1024
                Canon maker tag 0000 Value = 0, 0, 0, 512, 48, 0
                Canon maker tag 0006 Value = "IMG:JPEG file"
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==25461==ERROR: AddressSanitizer: SEGV on unknown address 0x624100002100 (pc 0x0000004dfa3c bp 0x7ffe87baf3b0 sp 0x7ffe87baf2d0 T0)
    ==25461==The signal is caused by a READ memory access.
        #0 0x4dfa3c in ProcessCanonMakerNoteDir /root/fuzz/jhead/makernote.c:105:29
        #1 0x4df3ea in ProcessMakerNote /root/fuzz/jhead/makernote.c:189:9
        #2 0x4d57e9 in ProcessExifDir /root/fuzz/jhead/exif.c:559:13
        #3 0x4d7adf in ProcessExifDir /root/fuzz/jhead/exif.c:851:25
        #4 0x4d494a in process_EXIF /root/fuzz/jhead/exif.c:1040:5
        #5 0x4cf08d in ReadJpegSections /root/fuzz/jhead/jpgfile.c:289:25
        #6 0x4cfd96 in ReadJpegFile /root/fuzz/jhead/jpgfile.c:381:11
        #7 0x4c8850 in ProcessFile /root/fuzz/jhead/jhead.c:908:10
        #8 0x4c74e5 in main /root/fuzz/jhead/jhead.c:1759:13
        #9 0x7fb2b1d2083f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
        #10 0x41b858 in _start (/root/fuzz/jhead/jhead+0x41b858)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/fuzz/jhead/makernote.c:105:29 in ProcessCanonMakerNoteDir
    ==25461==ABORTING
    

Segmentation fault in Get16u

    $ ./jhead -v ./tests_61761.jpg
    Exif header 7166 bytes long
    Exif section in Intel order
    (dir has 213 entries)
        Make = "Canon"
    
    Nonfatal Error : './tests_61761.jpg' Illegal value pointer for tag 0110 in Exif
        Unknown Tag 6112 Value = 1
    
    Nonfatal Error : './tests_61761.jpg' Illegal value pointer for tag e21a in Exif
    
    Nonfatal Error : './tests_61761.jpg' Illegal value pointer for tag 011b in Exif
        Unknown Tag 9e28 Value = 2
        DateTime = "2001:06:09 1>:17:32"
        YCbCrPositioning = 1
        ExifOffset = 184
    ............
    ............
    ............
    ............
    ............
    ............
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==25463==ERROR: AddressSanitizer: SEGV on unknown address 0x6241000011b7 (pc 0x0000004d399c bp 0x7ffc7716b130 sp 0x7ffc7716b0e0 T0)
    ==25463==The signal is caused by a READ memory access.
        #0 0x4d399c in Get16u /root/fuzz/jhead/exif.c:323:17
        #1 0x4d40e1 in PrintFormatNumber /root/fuzz/jhead/exif.c:378:45
        #2 0x4dfbdd in ProcessCanonMakerNoteDir /root/fuzz/jhead/makernote.c:123:21
        #3 0x4df3ea in ProcessMakerNote /root/fuzz/jhead/makernote.c:189:9
        #4 0x4d57e9 in ProcessExifDir /root/fuzz/jhead/exif.c:559:13
        #5 0x4d7adf in ProcessExifDir /root/fuzz/jhead/exif.c:851:25
        #6 0x4d7adf in ProcessExifDir /root/fuzz/jhead/exif.c:851:25
        #7 0x4d494a in process_EXIF /root/fuzz/jhead/exif.c:1040:5
        #8 0x4cf08d in ReadJpegSections /root/fuzz/jhead/jpgfile.c:289:25
        #9 0x4cfd96 in ReadJpegFile /root/fuzz/jhead/jpgfile.c:381:11
        #10 0x4c8850 in ProcessFile /root/fuzz/jhead/jhead.c:908:10
        #11 0x4c74e5 in main /root/fuzz/jhead/jhead.c:1759:13
        #12 0x7f45bf8ba83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
        #13 0x41b858 in _start (/root/fuzz/jhead/jhead+0x41b858)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/fuzz/jhead/exif.c:323:17 in Get16u
    ==25463==ABORTING
    

Segmentation fault in Get32s

    $ ./jhead -v ./tests_61763.jpg
    Exif header 7166 bytes long
    Exif section in Intel order
    (dir has 42 entries)
        Make = "Canon"
        Model = "?anon DIGITAL IXUS?"
        Orientation = 1
        XResolution = 180/1
        YResolution = 180/1
        ResolutionUnit = 2
        DateTime = "2001:06:09 15:17:32"
        YCbCrPositioning = 1
        ExifOffset = 184
        Exif Dir:(dir has 27 e
    ............
    ............
    ............
    ............
    ............
    ............
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==25465==ERROR: AddressSanitizer: SEGV on unknown address 0x62410000200b (pc 0x0000004d3bc8 bp 0x7ffe1275af10 sp 0x7ffe1275ae80 T0)
    ==25465==The signal is caused by a READ memory access.
        #0 0x4d3bc8 in Get32s /root/fuzz/jhead/exif.c:336:18
        #1 0x4d419b in PrintFormatNumber /root/fuzz/jhead/exif.c:388:32
        #2 0x4dfbdd in ProcessCanonMakerNoteDir /root/fuzz/jhead/makernote.c:123:21
        #3 0x4df3ea in ProcessMakerNote /root/fuzz/jhead/makernote.c:189:9
        #4 0x4d57e9 in ProcessExifDir /root/fuzz/jhead/exif.c:559:13
        #5 0x4d7adf in ProcessExifDir /root/fuzz/jhead/exif.c:851:25
        #6 0x4d494a in process_EXIF /root/fuzz/jhead/exif.c:1040:5
        #7 0x4cf08d in ReadJpegSections /root/fuzz/jhead/jpgfile.c:289:25
        #8 0x4cfd96 in ReadJpegFile /root/fuzz/jhead/jpgfile.c:381:11
        #9 0x4c8850 in ProcessFile /root/fuzz/jhead/jhead.c:908:10
        #10 0x4c74e5 in main /root/fuzz/jhead/jhead.c:1759:13
        #11 0x7f88040ac83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
        #12 0x41b858 in _start (/root/fuzz/jhead/jhead+0x41b858)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/fuzz/jhead/exif.c:336:18 in Get32s
    ==25465==ABORTING
    
    

Additional info:

Founder: giantbranch of NSFOCUS Security Team

CVE-2021-28275: Multiple Segmentation fault in jhead via a crafted jpg file · Issue #17 · Matthias-Wandel/jhead

A Denial of Service vulnerability exists in jhead 3.04 and 3.05 via a wild address read in the ProcessCanonMakerNoteDir function in makernote.c.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-28276: Update makefile by alexmyczko · Pull Request #1 · Matthias-Wandel/jhead

A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of service (DOS) due to a deadlock problem.

From

Date

Tue, 14 Sep 2021 10:28:09 +0800

Subject

WARNING: lock held when returning to user space in \_\_btrfs\_tree\_lock

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash  
was triggered.

HEAD commit: 6880fa6c5660 Linux 5.15-rc1  
git tree: upstream  
console output:  
https://drive.google.com/file/d/1BfaOcSWIkWUpQAgEj9p2zYVWsQxxacVl/view?usp=sharing  
kernel config: https://drive.google.com/file/d/1rUzyMbe5vcs6khA3tL9EHTLJvsUdWcgB/view?usp=sharing  
C reproducer: https://drive.google.com/file/d/1HOZwnXJ42eEmVFS7n85zRcpXCFRHTFxi/view?usp=sharing  
Syzlang reproducer:  
https://drive.google.com/file/d/1-OULR4sFWY4qF4KvdLpehrlsZn9mMO7V/view?usp=sharing

If you fix this issue, please add the following tag to the commit:  
Reported-by: Hao Sun <sunhao.th@gmail.com>

loop0: detected capacity change from 0 to 32768  
BTRFS info (device loop0): disk space caching is enabled  
BTRFS info (device loop0): has skinny extents  
BTRFS info (device loop0): enabling ssd optimizations  
FAULT\_INJECTION: forcing a failure.  
name failslab, interval 1, probability 0, space 0, times 0  
CPU: 0 PID: 7579 Comm: syz-executor Not tainted 5.15.0-rc1 #16  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
Call Trace:  
 \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]  
 dump\_stack\_lvl+0x8d/0xcf lib/dump\_stack.c:106  
 fail\_dump lib/fault-inject.c:52 \[inline\]  
 should\_fail+0x13c/0x160 lib/fault-inject.c:146  
 should\_failslab+0x5/0x10 mm/slab\_common.c:1328  
 slab\_pre\_alloc\_hook.constprop.99+0x4e/0xc0 mm/slab.h:494  
 slab\_alloc\_node mm/slub.c:3120 \[inline\]  
 slab\_alloc mm/slub.c:3214 \[inline\]  
 kmem\_cache\_alloc+0x44/0x280 mm/slub.c:3219  
 btrfs\_alloc\_delayed\_extent\_op fs/btrfs/delayed-ref.h:299 \[inline\]  
 btrfs\_alloc\_tree\_block+0x38c/0x670 fs/btrfs/extent-tree.c:4833  
 \_\_btrfs\_cow\_block+0x16f/0x7d0 fs/btrfs/ctree.c:415  
 btrfs\_cow\_block+0x12a/0x300 fs/btrfs/ctree.c:570  
 btrfs\_search\_slot+0x6b0/0xee0 fs/btrfs/ctree.c:1768  
 btrfs\_insert\_empty\_items+0x80/0xf0 fs/btrfs/ctree.c:3905  
 btrfs\_new\_inode+0x311/0xa60 fs/btrfs/inode.c:6530  
 btrfs\_create+0x12b/0x270 fs/btrfs/inode.c:6783  
 lookup\_open+0x660/0x780 fs/namei.c:3282  
 open\_last\_lookups fs/namei.c:3352 \[inline\]  
 path\_openat+0x465/0xe20 fs/namei.c:3557  
 do\_filp\_open+0xe3/0x170 fs/namei.c:3588  
 do\_sys\_openat2+0x357/0x4a0 fs/open.c:1200  
 do\_sys\_open+0x87/0xd0 fs/open.c:1216  
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
 do\_syscall\_64+0x34/0xb0 arch/x86/entry/common.c:80  
 entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae  
RIP: 0033:0x46ae99  
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007f46711b9c48 EFLAGS: 00000246 ORIG\_RAX: 0000000000000055  
RAX: ffffffffffffffda RBX: 000000000078c0a0 RCX: 000000000046ae99  
RDX: 0000000000000000 RSI: 00000000000000a1 RDI: 0000000020005800  
RBP: 00007f46711b9c80 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000017  
R13: 0000000000000000 R14: 000000000078c0a0 R15: 00007ffc129da6e0

\================================================  
WARNING: lock held when returning to user space!  
5.15.0-rc1 #16 Not tainted  
\------------------------------------------------  
syz-executor/7579 is leaving the kernel with locks still held!  
1 lock held by syz-executor/7579:  
 #0: ffff888104b73da8 (btrfs-tree-01/1){+.+.}-{3:3}, at:  
\_\_btrfs\_tree\_lock+0x2e/0x1a0 fs/btrfs/locking.c:112

CVE-2021-4149: lock held when returning to user space in __btrfs_tree_lock

A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.

Permalink

Browse files

virtio-net: fix use after unmap/free for sg

When mergeable buffer is enabled, we try to set the num\_buffers after
the virtqueue elem has been unmapped. This will lead several issues,
E.g a use after free when the descriptor has an address which belongs
to the non direct access region. In this case we use bounce buffer
that is allocated during address\_space\_map() and freed during
address\_space\_unmap().

Fixing this by storing the elems temporarily in an array and delay the
unmap after we set the the num\_buffers.

This addresses CVE-2021-3748.

Reported-by: Alexander Bulekov <alxndr@bu.edu>
Fixes: fbe78f4 ("virtio-net support")
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>

*   Loading branch information

CVE-2021-3748: virtio-net: fix use after unmap/free for sg · qemu/qemu@bedd7e9

A use-after-free flaw was found in the add_partition in block/partitions/core.c in the Linux kernel. A local attacker with user privileges could cause a denial of service on the system. The issue results from the lack of code cleanup when device_add call fails when adding a partition to the disk.

Messages in this thread

*   First message in thread
*   Hao Sun
    *   Hao Sun
        *   Zqiang
            *   Christoph Hellwig
                *   Zqiang

From

Date

Tue, 7 Sep 2021 09:22:03 +0800

Subject

WARNING in \_\_init\_work

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash  
was triggered.

HEAD commit: 27151f177827 Merge tag 'perf-tools-for-v5.15-2021-09-04'  
git tree: upstream  
console output:  
https://drive.google.com/file/d/1M5oyA\_IcWSDB2XpnoX8SDmKJA3JhKltz/view?usp=sharing  
kernel config: https://drive.google.com/file/d/1ZMVJ2vNe0EiIEeWNVyrGb7hBdOG5Uj3e/view?usp=sharing  
C reproducer: https://drive.google.com/file/d/1AtDNXl8XEBfglKXsKsAH2NuXBcrp8Zp9/view?usp=sharing  
Syzlang reproducer:  
https://drive.google.com/file/d/1R\_XD\_cyMNS0Q\_SGSqomRy\_LIClOrd-gI/view?usp=sharing

If you fix this issue, please add the following tag to the commit:  
Reported-by: Hao Sun <sunhao.th@gmail.com>

ODEBUG: object ffffc9000073cda0 is NOT on stack ffffc90005f34000, but annotated.  
\------------\[ cut here \]------------  
WARNING: CPU: 2 PID: 27648 at lib/debugobjects.c:548  
debug\_object\_is\_on\_stack lib/debugobjects.c:545 \[inline\]  
WARNING: CPU: 2 PID: 27648 at lib/debugobjects.c:548  
\_\_debug\_object\_init+0x224/0x520 lib/debugobjects.c:607  
Modules linked in:  
CPU: 2 PID: 27648 Comm: syz-executor Not tainted 5.14.0+ #13  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
RIP: 0010:debug\_object\_is\_on\_stack lib/debugobjects.c:545 \[inline\]  
RIP: 0010:\_\_debug\_object\_init+0x224/0x520 lib/debugobjects.c:607  
Code: 84 ca fe ff ff 83 c0 01 4c 89 f6 48 c7 c7 f8 b0 3c 85 89 05 7e  
c2 56 06 65 48 8b 04 25 40 70 01 00 48 8b 50 20 e8 05 9b f5 01 <0f> 0b  
e9 9e fe ff ff 89 05 87 4d e3 03 e9 c4 fe ff ff 48 c7 c7 e0  
RSP: 0018:ffffc9000073ccf0 EFLAGS: 00010282  
RAX: 0000000000000050 RBX: ffff88810cf2f398 RCX: 0000000000000100  
RDX: 0000000000000000 RSI: ffffffff812cf85c RDI: 00000000ffffffff  
RBP: ffffffff88868538 R08: 0000000000000000 R09: 0000000000000001  
R10: ffffc9000073cc80 R11: 0000000000000005 R12: 0000000000000203  
R13: 0000000000054450 R14: ffffc9000073cda0 R15: ffff88807dd264f0  
FS:  0000000002ad0940(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000  
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 00000000005061ec CR3: 0000000100da5000 CR4: 0000000000750ee0  
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  
PKRU: 55555554  
Call Trace:  
 <IRQ>  
 \_\_init\_work+0x3f/0x50 kernel/workqueue.c:519  
 synchronize\_rcu\_expedited+0x26a/0x460 kernel/rcu/tree\_exp.h:847  
 bdi\_remove\_from\_list mm/backing-dev.c:938 \[inline\]  
 bdi\_unregister+0x97/0x270 mm/backing-dev.c:946  
 release\_bdi+0x4a/0x70 mm/backing-dev.c:968  
 kref\_put include/linux/kref.h:65 \[inline\]  
 bdi\_put+0x47/0x70 mm/backing-dev.c:976  
 bdev\_free\_inode+0x59/0xc0 fs/block\_dev.c:819  
 i\_callback+0x24/0x50 fs/inode.c:224  
 rcu\_do\_batch kernel/rcu/tree.c:2508 \[inline\]  
 rcu\_core+0x2d6/0x9f0 kernel/rcu/tree.c:2743  
 \_\_do\_softirq+0xe9/0x561 kernel/softirq.c:558  
 invoke\_softirq kernel/softirq.c:432 \[inline\]  
 \_\_irq\_exit\_rcu kernel/softirq.c:636 \[inline\]  
 irq\_exit\_rcu+0xe2/0x100 kernel/softirq.c:648  
 sysvec\_apic\_timer\_interrupt+0x9e/0xc0 arch/x86/kernel/apic/apic.c:1097  
 </IRQ>  
 asm\_sysvec\_apic\_timer\_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638  
RIP: 0010:\_\_sanitizer\_cov\_trace\_pc+0x37/0x60 kernel/kcov.c:197  
Code: 65 48 8b 14 25 40 70 01 00 81 e1 00 01 00 00 a9 00 01 ff 00 74  
0e 85 c9 74 35 8b 82 34 15 00 00 85 c0 74 2b 8b 82 10 15 00 00 <83> f8  
02 75 20 48 8b 8a 18 15 00 00 8b 92 14 15 00 00 48 8b 01 48  
RSP: 0018:ffffc90005f37b78 EFLAGS: 00000246  
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000000000  
RDX: ffff888109448000 RSI: ffffffff8212a28c RDI: ffffc90005f37d30  
RBP: 0000000000000006 R08: 0000000000000d40 R09: ffff8880165fc5e0  
R10: ffffc90005f37cd0 R11: 0000000000000003 R12: 0000000000000375  
R13: ffff888107597b40 R14: ffffc90005f37d30 R15: ffff8880174b0ea0  
 tomoyo\_domain\_quota\_is\_ok+0xac/0x150 security/tomoyo/util.c:1092  
 tomoyo\_supervisor+0x228/0x7f0 security/tomoyo/common.c:2089  
 tomoyo\_audit\_path\_log security/tomoyo/file.c:168 \[inline\]  
 tomoyo\_path\_permission+0xa0/0xf0 security/tomoyo/file.c:587  
 tomoyo\_path\_perm+0x22f/0x2d0 security/tomoyo/file.c:838  
 tomoyo\_path\_symlink+0x43/0x70 security/tomoyo/tomoyo.c:199  
 security\_path\_symlink+0x48/0x80 security/security.c:1164  
 do\_symlinkat+0x75/0x120 fs/namei.c:4274  
 \_\_do\_sys\_symlink fs/namei.c:4301 \[inline\]  
 \_\_se\_sys\_symlink fs/namei.c:4299 \[inline\]  
 \_\_x64\_sys\_symlink+0x3a/0x40 fs/namei.c:4299  
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
 do\_syscall\_64+0x34/0xb0 arch/x86/entry/common.c:80  
 entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae  
RIP: 0033:0x46a597  
Code: 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66  
2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 58 00 00 00 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007ffd09085778 EFLAGS: 00000206 ORIG\_RAX: 0000000000000058  
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000046a597  
RDX: 0000000000000000 RSI: 00000000004e40f9 RDI: 00007ffd09085810  
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000014  
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000  
R13: 0000000000000000 R14: 00007ffd09085810 R15: 00007ffd090857cc  
\----------------  
Code disassembly (best guess):  
   0: 65 48 8b 14 25 40 70 mov    %gs:0x17040,%rdx  
   7: 01 00  
   9: 81 e1 00 01 00 00    and    $0x100,%ecx  
   f: a9 00 01 ff 00        test   $0xff0100,%eax  
  14: 74 0e                je     0x24  
  16: 85 c9                test   %ecx,%ecx  
  18: 74 35                je     0x4f  
  1a: 8b 82 34 15 00 00    mov    0x1534(%rdx),%eax  
  20: 85 c0                test   %eax,%eax  
  22: 74 2b                je     0x4f  
  24: 8b 82 10 15 00 00    mov    0x1510(%rdx),%eax  
\* 2a: 83 f8 02              cmp    $0x2,%eax <-- trapping instruction  
  2d: 75 20                jne    0x4f  
  2f: 48 8b 8a 18 15 00 00 mov    0x1518(%rdx),%rcx  
  36: 8b 92 14 15 00 00    mov    0x1514(%rdx),%edx  
  3c: 48 8b 01              mov    (%rcx),%rax  
  3f: 48                    rex.W%

CVE-2021-4150: LKML: Hao Sun: WARNING in __init_work

Certain HP Print devices may be vulnerable to potential information disclosure, denial of service, or remote code execution.

**hp-concentra-wrapper-portlet**

 ![](https://support.hp.com/wps/themeModules/themes/html/dynamicSpots/icons/blank.gif) Actions

Certain HP Print devices may be vulnerable to potential information disclosure, denial of service, or remote code execution.

Severity

Critical

HP Reference

HPSBPI03781 rev. 1

Release date

March 21, 2022

Last updated

March 21, 2022

Category

Print

Potential Security Impact

Information disclosure, denial of service, buffer overflow

**Relevant Common Vulnerabilities and Exposures (CVE) List**

Reported by: Trend Micro – Zero Day Initiative Team

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2022-24291

7.5

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-24292

9.8

Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-24293

9.8

Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2021-0179

**Resolution**

Update your printer firmware.

HP has provided firmware updates for potentially affected products listed in the table below. To obtain the updated firmware listed below, go to the HP Software and Driver Downloads, and then search for your printer model.

**Affected products**

Find the products affected and the firmware version that resolves the vulnerabilities.

**Affected products**

Identify the affected products in the tables below.

HP LaserJet Pro printers    

Product Name

Product Number

Updated Firmware Version

HP Color LaserJet Pro M453 - M454

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2208A or higher

HP Color LaserJet Pro MFP M2XX

Remediation pending

HP Color LaserJet Pro MFP M478, M479

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2208A or higher

HP LaserJet Pro M304, M305

W1A66A, W1A46A, W1A47A, W1A48A

002\_2208A or higher

HP LaserJet Pro M404, M405

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2208A or higher

HP LaserJet Pro MFP M428, M429

W1A28A, W1A31A, W1A33A

002\_2208A or higher

HP LaserJet Pro MFP M428, M429 F

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2208A or higher

HP PageWide Pro printers    

Product Name

Product Number

Updated Firmware Version

HP PageWide 352dw Printer

J6U57A

2205D or higher

HP PageWide 377dw Multifunction Printer

J9V80A

2205D or higher

HP PageWide Managed P55250dw Printer series

J6U55A, J6U51B, J6U55B

2205D or higher

HP PageWide Managed P57750dw Multifunction Printer

J9V82A

2205D or higher

HP PageWide Pro 452dn Printer series

D3Q15A

2205D or higher

HP PageWide Pro 452dw Printer series

D3Q16A

2205D or higher2205D or higher

HP PageWide Pro 477dn Multifunction Printer series

D3Q19A

2205D or higher

HP PageWide Pro 477dw Multifunction Printer series

D3Q20A

2205D or higher

HP PageWide Pro 552dw Printer series

D3Q17A

2205D or higher

HP PageWide Pro 577 Multifunction Printer series

D3Q21A, K9Z76A

2205D or higher

HP OfficeJet printers    

Product Name

Product Number

Updated Firmware Version

HP OfficeJet Pro 8210 Printer series

D9L63A, D9L64A, J3P65A, J3P66A, J3P67A, J3P68A

001.2210B or higher

HP OfficeJet Pro 8216 Printer series

T0G70A

001.2210B or higher

HP OfficeJet Pro 8730 All-in-One Printer

D9L20A, K7S32A

001.2207C or higher

HP OfficeJet Pro 8740 All-in-One Printer series

D9L21A, K7S42A, T0G65A, K7S39A, J6X83A, K7S43A, K7S40A, K7S41A

001.2207C or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

March 21, 2022

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2022 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2022-24293: Certain HP Print Products – Potential information disclosure, denial of service, remote code execution

@@ -1746,10 +1746,13 @@ static ssize\_t virtio\_net\_receive\_rcu(NetClientState \*nc, const uint8\_t \*buf, VirtIONet \*n = qemu\_get\_nic\_opaque(nc); VirtIONetQueue \*q = virtio\_net\_get\_subqueue(nc); VirtIODevice \*vdev = VIRTIO\_DEVICE(n); VirtQueueElement \*elems\[VIRTQUEUE\_MAX\_SIZE\]; size\_t lens\[VIRTQUEUE\_MAX\_SIZE\]; struct iovec mhdr\_sg\[VIRTQUEUE\_MAX\_SIZE\]; struct virtio\_net\_hdr\_mrg\_rxbuf mhdr; unsigned mhdr\_cnt = 0; size\_t offset, i, guest\_offset; size\_t offset, i, guest\_offset, j; ssize\_t err;  
if (!virtio\_net\_can\_receive(nc)) { return -1; @@ -1780,6 +1783,12 @@ static ssize\_t virtio\_net\_receive\_rcu(NetClientState \*nc, const uint8\_t \*buf,  
total = 0;  
if (i == VIRTQUEUE\_MAX\_SIZE) { virtio\_error(vdev, "virtio-net unexpected long buffer chain"); err = size; goto err; }  
elem = virtqueue\_pop(q->rx\_vq, sizeof(VirtQueueElement)); if (!elem) { if (i) { @@ -1791,15 +1800,17 @@ static ssize\_t virtio\_net\_receive\_rcu(NetClientState \*nc, const uint8\_t \*buf, n->guest\_hdr\_len, n->host\_hdr\_len, vdev->guest\_features); } return -1; err = -1; goto err; }  
if (elem->in\_num < 1) { virtio\_error(vdev, "virtio-net receive queue contains no in buffers"); virtqueue\_detach\_element(q->rx\_vq, elem, 0); g\_free(elem); return -1; err = -1; goto err; }  
sg = elem->in\_sg; @@ -1836,12 +1847,13 @@ static ssize\_t virtio\_net\_receive\_rcu(NetClientState \*nc, const uint8\_t \*buf, if (!n->mergeable\_rx\_bufs && offset < size) { virtqueue\_unpop(q->rx\_vq, elem, total); g\_free(elem); return size; err = size; goto err; }  
/\* signal other side \*/ virtqueue\_fill(q->rx\_vq, elem, total, i++); g\_free(elem); elems\[i\] = elem; lens\[i\] = total; i++; }  
if (mhdr\_cnt) { @@ -1851,10 +1863,23 @@ static ssize\_t virtio\_net\_receive\_rcu(NetClientState \*nc, const uint8\_t \*buf, &mhdr.num\_buffers, sizeof mhdr.num\_buffers); }  
for (j = 0; j < i; j++) { /\* signal other side \*/ virtqueue\_fill(q->rx\_vq, elems\[j\], lens\[j\], j); g\_free(elems\[j\]); }  
virtqueue\_flush(q->rx\_vq, i); virtio\_notify(vdev, q->rx\_vq);  
return size;  
err: for (j = 0; j < i; j++) { g\_free(elems\[j\]); }  
return err; }  
static ssize\_t virtio\_net\_do\_receive(NetClientState \*nc, const uint8\_t \*buf,

A vulnerability was found in the Linux kernel's block_invalidatepage in fs/buffer.c in the filesystem. A missing sanity check may allow a local attacker with user privilege to cause a denial of service (DOS) problem.

Messages in this thread

*   First message in thread
*   Hao Sun
    *   Christoph Hellwig
        *   Hao Sun
            *   Christoph Hellwig
                *   Yang Shi

![/](https://lkml.org/images/icornerl.gif)

From

Date

Mon, 13 Sep 2021 10:00:27 +0800

Subject

general protection fault in wb\_timer\_fn

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash  
was triggered.

HEAD commit:  4b93c544e90e-thunderbolt: test: split up test cases  
git tree: upstream  
console output:  
https://drive.google.com/file/d/1naN-5p-rFgKpHrshO\_kQr5f\_KlhvFGGU/view?usp=sharing  
kernel config: https://drive.google.com/file/d/1c0u2EeRDhRO-ZCxr9MP2VvAtJd6kfg-p/view?usp=sharing  
C reproducer: https://drive.google.com/file/d/19EDhssGw\_V1oO2vWOPrgQqve0TdFSgvh/view?usp=sharing  
Syzlang reproducer:  
https://drive.google.com/file/d/13EGCCoaMe9oitrQCfy44BkGVLbKKFP6X/view?usp=sharing  
Similar report:  
https://groups.google.com/g/syzkaller-bugs/c/H7fKH\_5GVSE/m/-1aj5-d1BAAJ

If you fix this issue, please add the following tag to the commit:  
Reported-by: Hao Sun <sunhao.th@gmail.com>

general protection fault, probably for non-canonical address  
0xdffffc0000000029: 0000 \[#1\] PREEMPT SMP KASAN  
KASAN: null-ptr-deref in range \[0x0000000000000148-0x000000000000014f\]  
CPU: 2 PID: 8539 Comm: syz-executor Not tainted 5.14.0+ #1  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
RIP: 0010:latency\_exceeded block/blk-wbt.c:237 \[inline\]  
RIP: 0010:wb\_timer\_fn+0x149/0x2080 block/blk-wbt.c:360  
Code: 03 80 3c 02 00 0f 85 08 1c 00 00 48 8b 9b b0 00 00 00 48 b8 00  
00 00 00 00 fc ff df 48 8d bb 48 01 00 00 48 89 fa 48 c1 ea 03 <80> 3c  
02 00 0f 85 d5 1b 00 00 48 8b 83 48 01 00 00 48 8d 7d 28 48  
RSP: 0018:ffffc90000848cd0 EFLAGS: 00010212  
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888014e79c80  
RDX: 0000000000000029 RSI: ffff888014e79c80 RDI: 0000000000000148  
RBP: ffff88801e2adc00 R08: ffffffff83de2dfd R09: 0000000000000003  
R10: 0000000000000005 R11: ffffed1003c55bb0 R12: 0000000000000003  
R13: 0000000000000000 R14: ffff8881053bc800 R15: ffff88801e2adcd0  
FS:  0000000003176940(0000) GS:ffff888063f00000(0000) knlGS:0000000000000000  
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 00000000014d53ad CR3: 000000002e5ff000 CR4: 0000000000350ee0  
Call Trace:  
 <IRQ>  
 call\_timer\_fn+0x1a5/0x6b0 kernel/time/timer.c:1421  
 expire\_timers kernel/time/timer.c:1466 \[inline\]  
 \_\_run\_timers.part.0+0x6b0/0xa90 kernel/time/timer.c:1734  
 \_\_run\_timers kernel/time/timer.c:1715 \[inline\]  
 run\_timer\_softirq+0xb6/0x1d0 kernel/time/timer.c:1747  
 \_\_do\_softirq+0x1d7/0x93b kernel/softirq.c:558  
 invoke\_softirq kernel/softirq.c:432 \[inline\]  
 \_\_irq\_exit\_rcu kernel/softirq.c:636 \[inline\]  
 irq\_exit\_rcu+0xf2/0x130 kernel/softirq.c:648  
 sysvec\_apic\_timer\_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097  
 </IRQ>  
 asm\_sysvec\_apic\_timer\_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638  
RIP: 0010:get\_current arch/x86/include/asm/current.h:15 \[inline\]  
RIP: 0010:write\_comp\_data+0xe/0x70 kernel/kcov.c:217  
Code: 00 8b 89 1c 15 00 00 48 8b 02 48 83 c0 01 48 39 c1 76 07 4c 89  
04 c2 48 89 02 c3 90 49 89 fa bf 03 00 00 00 49 89 f1 49 89 d0 <65> 48  
8b 34 25 40 f0 01 00 e8 34 ff ff ff 84 c0 74 44 48 8b 86 20  
RSP: 0018:ffffc9000106f7f8 EFLAGS: 00000246  
RAX: 000000000d0444bb RBX: 80000000fd589217 RCX: ffffffff81ac95bd  
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003  
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000007 R11: ffffed100247709c R12: 0000000000000000  
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff88802e806788  
 copy\_present\_pte mm/memory.c:976 \[inline\]  
 copy\_pte\_range mm/memory.c:1070 \[inline\]  
 copy\_pmd\_range mm/memory.c:1156 \[inline\]  
 copy\_pud\_range mm/memory.c:1193 \[inline\]  
 copy\_p4d\_range mm/memory.c:1217 \[inline\]  
 copy\_page\_range+0xf4d/0x4750 mm/memory.c:1290  
 dup\_mmap kernel/fork.c:610 \[inline\]  
 dup\_mm+0xa50/0x13d0 kernel/fork.c:1454  
 copy\_mm kernel/fork.c:1506 \[inline\]  
 copy\_process+0x6c23/0x73d0 kernel/fork.c:2195  
 kernel\_clone+0xe7/0x10d0 kernel/fork.c:2585  
 \_\_do\_sys\_clone+0xc8/0x110 kernel/fork.c:2702  
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
 do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80  
 entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae  
RIP: 0033:0x471f0f  
Code: ed 0f 85 64 01 00 00 64 4c 8b 0c 25 10 00 00 00 45 31 c0 4d 8d  
91 d0 02 00 00 31 d2 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d  
00 f0 ff ff 0f 87 f5 00 00 00 41 89 c5 85 c0 0f 85 fc 00 00  
RSP: 002b:00007ffc62d06000 EFLAGS: 00000246 ORIG\_RAX: 0000000000000038  
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000471f0f  
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011  
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000003176940  
R10: 0000000003176c10 R11: 0000000000000246 R12: 0000000000000001  
R13: 0000000000000005 R14: 00007ffc62d060b0 R15: 00007ffc62d0606c  
Modules linked in:  
Dumping ftrace buffer:  
   (ftrace buffer empty)  
\---\[ end trace ef2331b2238dd17a \]---  
RIP: 0010:latency\_exceeded block/blk-wbt.c:237 \[inline\]  
RIP: 0010:wb\_timer\_fn+0x149/0x2080 block/blk-wbt.c:360  
Code: 03 80 3c 02 00 0f 85 08 1c 00 00 48 8b 9b b0 00 00 00 48 b8 00  
00 00 00 00 fc ff df 48 8d bb 48 01 00 00 48 89 fa 48 c1 ea 03 <80> 3c  
02 00 0f 85 d5 1b 00 00 48 8b 83 48 01 00 00 48 8d 7d 28 48  
RSP: 0018:ffffc90000848cd0 EFLAGS: 00010212  
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888014e79c80  
RDX: 0000000000000029 RSI: ffff888014e79c80 RDI: 0000000000000148  
RBP: ffff88801e2adc00 R08: ffffffff83de2dfd R09: 0000000000000003  
R10: 0000000000000005 R11: ffffed1003c55bb0 R12: 0000000000000003  
R13: 0000000000000000 R14: ffff8881053bc800 R15: ffff88801e2adcd0  
FS:  0000000003176940(0000) GS:ffff888063f00000(0000) knlGS:0000000000000000  
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 00000000014d53ad CR3: 000000002e5ff000 CR4: 0000000000350ee0  
\----------------  
Code disassembly (best guess):  
   0: 03 80 3c 02 00 0f    add    0xf00023c(%rax),%eax  
   6: 85 08                test   %ecx,(%rax)  
   8: 1c 00                sbb    $0x0,%al  
   a: 00 48 8b              add    %cl,-0x75(%rax)  
   d: 9b                    fwait  
   e: b0 00                mov    $0x0,%al  
  10: 00 00                add    %al,(%rax)  
  12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax  
  19: fc ff df  
  1c: 48 8d bb 48 01 00 00 lea    0x148(%rbx),%rdi  
  23: 48 89 fa              mov    %rdi,%rdx  
  26: 48 c1 ea 03          shr    $0x3,%rdx  
\* 2a: 80 3c 02 00          cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction  
  2e: 0f 85 d5 1b 00 00    jne    0x1c09  
  34: 48 8b 83 48 01 00 00 mov    0x148(%rbx),%rax  
  3b: 48 8d 7d 28          lea    0x28(%rbp),%rdi  
  3f: 48                    rex.W%

![\](https://lkml.org/images/icornerr.gif)

Tag

#dos