Buffer Overflow vulnerability in DI-7003GV2.D1 v.23.08.25D1 and before, DI-7100G+V2.D1 v.23.08.23D1 and before, DI-7100GV2.D1 v.23.08.23D1, DI-7200G+V2.D1 v.23.08.23D1 and before, DI-7200GV2.E1 v.23.08.23E1 and before, DI-7300G+V2.D1 v.23.08.23D1, and DI-7400G+V2.D1 v.23.08.23D1 and before allows a remote attacker to execute arbitrary code via the fn parameter of the tgfile.htm function.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-45572: bug_submit/D-Link/DI-7xxxx/bug1.md at main · Archerber/bug_submit

Buffer Overflow vulnerability in DI-7003GV2.D1 v.23.08.25D1 and before, DI-7100G+V2.D1 v.23.08.23D1 and before, DI-7100GV2.D1 v.23.08.23D1, DI-7200G+V2.D1 v.23.08.23D1 and before, DI-7200GV2.E1 v.23.08.23E1 and before, DI-7300G+V2.D1 v.23.08.23D1, and DI-7400G+V2.D1 v.23.08.23D1 and before allows a remote attacker to execute arbitrary code via the ip parameter of the ip_position.asp function.

CVE-2023-45575: bug_submit/D-Link/DI-7xxxx/bug5.md at main · Archerber/bug_submit

TOTOLINK X5000R V9.1.0u.6118_B20201102 and TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the File parameter in the function UploadCustomModule.

CVE-2023-36947: bug_submit/TOTOLINK/UploadCustomModule.md at main · Archerber/bug_submit

TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a stack overflow via the http_host parameter in the function loginAuth.

CVE-2023-36340: bug_submit/TOTOLINK/TOTOLINK-NR1800X.md at main · Archerber/bug_submit

TOTOLINK CP300+ V5.2cu.7594_B20200910 was discovered to contain a stack overflow via the pingIp parameter in the function setDiagnosisCfg.

CVE-2023-36952: bug_submit/TOTOLINK/CP300+_1.md at main · Archerber/bug_submit

Threat actors have been observed serving malicious code by utilizing Binance's Smart Chain (BSC) contracts in what has been described as the "next level of bulletproof hosting."
The campaign, detected two months ago, has been codenamed EtherHiding by Guardio Labs.
The novel twist marks the latest iteration in an ongoing campaign that leverages compromised WordPress sites to serve unsuspecting

Threat actors have been observed serving malicious code by utilizing Binance's Smart Chain (BSC) contracts in what has been described as the "next level of bulletproof hosting."

The campaign, detected two months ago, has been codenamed **EtherHiding** by Guardio Labs.

The novel twist marks the latest iteration in an ongoing campaign that leverages compromised WordPress sites to serve unsuspecting visitors a fake warning to update their browsers before the sites can be accessed, ultimately leading to the deployment of information stealer malware such as Amadey, Lumma, or RedLine.

"While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they've quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain," security researchers Nati Tal and Oleg Zaytsev said.

"This campaign is up and harder than ever to detect and take down."

It's no surprise that threat actors have targeted WordPress sites via both malicious plugins, as well as take advantage of publicly disclosed security flaws in popular plugins to breach websites. This gives the ability to completely hijack infected websites at will.

In the latest set of attacks, the infected sites are injected with obfuscated Javascript designed to query the BNB Smart Chain by creating a smart contract with an attacker-controlled blockchain address.

The goal is to fetch a second-stage script that, in turn, retrieves a third-stage payload from a command-and-control (C2) server to serve the deceptive browser update notices.

Should a victim click the update button on the bogus overlay, they are redirected to download a malicious executable from Dropbox or other legitimate file hosting services.

While the address and the associated contract have been tagged as used in a phishing scheme, the consequence of hosting it on a decentralized service means that there is currently no way to intervene and disrupt the attack chain.

"As this is not an address used in any financial or other activity that victims can be lured to transfer funds or any other kind of Intellectual property to — visitors of compromised WordPress sites have no clue as to what is going on under the hood," the researchers explained.

"This contract, tagged as fake, malicious, or whatnot, is still online and delivers the malicious payload."

With plugins becoming a sizable attack surface for WordPress, it's recommended that users relying on the content management system (CMS) adhere to security best practices and keep their systems up-to-date with the latest patches, remove unwanted admin users, and enforce strong passwords.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Binance's Smart Chain Exploited in New 'EtherHiding' Malware Campaign

 SQL Injection in GitHub repository librenms/librenms prior to 23.10.0.

**SQL injection in librenms/librenms**

High severity GitHub Reviewed Published Oct 16, 2023 to the GitHub Advisory Database • Updated Oct 17, 2023

GHSA-mr6h-7x2m-rgmq: SQL injection in librenms/librenms

extract_user_to_sg in lib/scatterlist.c in the Linux kernel before 6.4.2 fails to unpin pages in a certain situation, as demonstrated by a WARNING for try_grab_page.

Hello,

When using Healer to fuzz the Linux kernel, the following crash  
was triggered on:

HEAD commit: fdf0eaf11452d72945af31804e2a1048ee1b574c (tag: v6.5-rc2)

git tree: upstream

I tried to reproduce this bug on v6.5-rc3(HEAD commit:  
6eaae198076080886b9e7d57f4ae06fa782f90ef), it still exists.

console output:  
https://drive.google.com/file/d/1Lq71bFwtEDix82PEf\_193CLG6uh1Pjj9/view?usp=drive\_link  
kernel config: https://drive.google.com/file/d/1dApy7OR4KDYdhF96ZUowZQ1r-uLYTd-0/view?usp=drive\_link  
C reproducer: https://drive.google.com/file/d/1Dkj31wwYP7p-AEJeemD3yrIUr7-VdBqF/view?usp=drive\_link  
Syzlang reproducer:  
https://drive.google.com/file/d/1ib6zTs4srKI1RnUcHG3mSZ5HeW7rZhnd/view?usp=drive\_link

If you fix this issue, please add the following tag to the commit:  
Reported-by: Yikebaer Aizezi <yikebaer61@gmail.com>

WARNING: CPU: 0 PID: 10232 at mm/gup.c:229 try\_grab\_page+0x2dd/0x3a0  
mm/gup.c:229  
Modules linked in:  
CPU: 0 PID: 10232 Comm: syz-executor Tainted: G B 6.5.0-rc2 #1  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
RIP: 0010:try\_grab\_page+0x2dd/0x3a0 mm/gup.c:229  
Code: ff be 04 00 00 00 4c 89 e7 e8 cf fa 13 00 f0 41 ff 04 24 e8 65  
96 cb ff 45 31 e4 5b 44 89 e0 5d 41 5c 41 5d c3 e8 53 96 cb ff <0f> 0b  
e8 4c 96 cb ff 41 bc f4 ff ff ff 5b 44 89 e0 5d 41 5c 41 5d  
RSP: 0018:ffffc9000e99f268 EFLAGS: 00010202  
RAX: 0000000000002f80 RBX: ffffea00003ae340 RCX: ffffc90002d79000  
RDX: 0000000000040000 RSI: ffffffff81ad81ed RDI: ffffea00003ae374  
RBP: ffffea00003ae340 R08: 0000000000000000 R09: fffff94000075c6e  
R10: ffffea00003ae377 R11: 0000000000000000 R12: ffffea00003ae374  
R13: 0000000000210052 R14: ffffea00003ae340 R15: 000000000eb8d225  
FS: 00007fc6339a4640(0000) GS:ffff888063e00000(0000) knlGS:0000000000000000  
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 0000000000000000 CR3: 000000002c3ea000 CR4: 0000000000752ef0  
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  
PKRU: 55555554  
Call Trace:  
<TASK>  
follow\_page\_pte+0x18c/0x1610 mm/gup.c:651  
follow\_pmd\_mask mm/gup.c:727 \[inline\]  
follow\_pud\_mask mm/gup.c:765 \[inline\]  
follow\_p4d\_mask mm/gup.c:782 \[inline\]  
follow\_page\_mask+0x2e4/0xbd0 mm/gup.c:839  
\_\_get\_user\_pages+0x3fa/0xcf0 mm/gup.c:1256  
\_\_get\_user\_pages\_locked mm/gup.c:1487 \[inline\]  
get\_user\_pages\_unlocked+0x183/0x580 mm/gup.c:2387  
hva\_to\_pfn\_slow arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2536 \[inline\]  
hva\_to\_pfn+0x198/0xbc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2674  
\_\_gfn\_to\_pfn\_memslot+0x202/0x3e0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2736  
\_\_kvm\_faultin\_pfn arch/x86/kvm/mmu/mmu.c:4329 \[inline\]  
kvm\_faultin\_pfn+0x21b/0x12d0 arch/x86/kvm/mmu/mmu.c:4365  
kvm\_tdp\_mmu\_page\_fault arch/x86/kvm/mmu/mmu.c:4503 \[inline\]  
kvm\_tdp\_page\_fault+0x167/0x4d0 arch/x86/kvm/mmu/mmu.c:4549  
kvm\_mmu\_do\_page\_fault arch/x86/kvm/mmu/mmu\_internal.h:320 \[inline\]  
kvm\_mmu\_page\_fault+0x2f4/0x1a40 arch/x86/kvm/mmu/mmu.c:5756  
handle\_ept\_violation+0x20a/0x620 arch/x86/kvm/vmx/vmx.c:5760  
\_\_vmx\_handle\_exit arch/x86/kvm/vmx/vmx.c:6539 \[inline\]  
vmx\_handle\_exit+0x4a1/0x18d0 arch/x86/kvm/vmx/vmx.c:6556  
vcpu\_enter\_guest arch/x86/kvm/x86.c:10848 \[inline\]  
vcpu\_run+0x24b6/0x44b0 arch/x86/kvm/x86.c:10951  
kvm\_arch\_vcpu\_ioctl\_run+0x416/0x1830 arch/x86/kvm/x86.c:11172  
kvm\_vcpu\_ioctl+0x4de/0xcc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:4112  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x173/0x1e0 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x47959d  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fc6339a4068 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 000000000047959d  
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006  
RBP: 000000000059c0a0 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c0ac  
R13: 000000000000000b R14: 0000000000437250 R15: 00007fc633984000  
</TASK>

Modules linked in:  
CPU: 0 PID: 10232 Comm: syz-executor Tainted: G B 6.5.0-rc2 #1  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
RIP: 0010:try\_grab\_page+0x2dd/0x3a0 mm/gup.c:229  
Code: ff be 04 00 00 00 4c 89 e7 e8 cf fa 13 00 f0 41 ff 04 24 e8 65  
96 cb ff 45 31 e4 5b 44 89 e0 5d 41 5c 41 5d c3 e8 53 96 cb ff <0f> 0b  
e8 4c 96 cb ff 41 bc f4 ff ff ff 5b 44 89 e0 5d 41 5c 41 5d  
RSP: 0018:ffffc9000e99f268 EFLAGS: 00010202  
RAX: 0000000000002f80 RBX: ffffea00003ae340 RCX: ffffc90002d79000  
RDX: 0000000000040000 RSI: ffffffff81ad81ed RDI: ffffea00003ae374  
RBP: ffffea00003ae340 R08: 0000000000000000 R09: fffff94000075c6e  
R10: ffffea00003ae377 R11: 0000000000000000 R12: ffffea00003ae374  
R13: 0000000000210052 R14: ffffea00003ae340 R15: 000000000eb8d225  
FS: 00007fc6339a4640(0000) GS:ffff888063e00000(0000) knlGS:0000000000000000  
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 0000000000000000 CR3: 000000002c3ea000 CR4: 0000000000752ef0  
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  
PKRU: 55555554  
Call Trace:  
<TASK>  
follow\_page\_pte+0x18c/0x1610 mm/gup.c:651  
follow\_pmd\_mask mm/gup.c:727 \[inline\]  
follow\_pud\_mask mm/gup.c:765 \[inline\]  
follow\_p4d\_mask mm/gup.c:782 \[inline\]  
follow\_page\_mask+0x2e4/0xbd0 mm/gup.c:839  
\_\_get\_user\_pages+0x3fa/0xcf0 mm/gup.c:1256  
\_\_get\_user\_pages\_locked mm/gup.c:1487 \[inline\]  
get\_user\_pages\_unlocked+0x183/0x580 mm/gup.c:2387  
hva\_to\_pfn\_slow arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2536 \[inline\]  
hva\_to\_pfn+0x198/0xbc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2674  
\_\_gfn\_to\_pfn\_memslot+0x202/0x3e0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2736  
\_\_kvm\_faultin\_pfn arch/x86/kvm/mmu/mmu.c:4329 \[inline\]  
kvm\_faultin\_pfn+0x21b/0x12d0 arch/x86/kvm/mmu/mmu.c:4365  
kvm\_tdp\_mmu\_page\_fault arch/x86/kvm/mmu/mmu.c:4503 \[inline\]  
kvm\_tdp\_page\_fault+0x167/0x4d0 arch/x86/kvm/mmu/mmu.c:4549  
kvm\_mmu\_do\_page\_fault arch/x86/kvm/mmu/mmu\_internal.h:320 \[inline\]  
kvm\_mmu\_page\_fault+0x2f4/0x1a40 arch/x86/kvm/mmu/mmu.c:5756  
handle\_ept\_violation+0x20a/0x620 arch/x86/kvm/vmx/vmx.c:5760  
\_\_vmx\_handle\_exit arch/x86/kvm/vmx/vmx.c:6539 \[inline\]  
vmx\_handle\_exit+0x4a1/0x18d0 arch/x86/kvm/vmx/vmx.c:6556  
vcpu\_enter\_guest arch/x86/kvm/x86.c:10848 \[inline\]  
vcpu\_run+0x24b6/0x44b0 arch/x86/kvm/x86.c:10951  
kvm\_arch\_vcpu\_ioctl\_run+0x416/0x1830 arch/x86/kvm/x86.c:11172  
kvm\_vcpu\_ioctl+0x4de/0xcc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:4112  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x173/0x1e0 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x47959d  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fc6339a4068 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 000000000047959d  
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006  
RBP: 000000000059c0a0 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c0ac  
R13: 000000000000000b R14: 0000000000437250 R15: 00007fc633984000  
</TASK>  
Kernel panic - not syncing: kernel: panic\_on\_warn set ...  
CPU: 0 PID: 10232 Comm: syz-executor Tainted: G B 6.5.0-rc2 #1  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
Call Trace:  
<TASK>  
\_\_dump\_stack lib/dump\_stack.c:88 \[inline\]  
dump\_stack\_lvl+0x92/0xf0 lib/dump\_stack.c:106  
panic+0x570/0x620 kernel/panic.c:340  
check\_panic\_on\_warn+0x8e/0x90 kernel/panic.c:236  
\_\_warn+0xee/0x340 kernel/panic.c:673  
\_\_report\_bug lib/bug.c:199 \[inline\]  
report\_bug+0x25d/0x460 lib/bug.c:219  
handle\_bug+0x3c/0x70 arch/x86/kernel/traps.c:324  
exc\_invalid\_op+0x14/0x40 arch/x86/kernel/traps.c:345  
asm\_exc\_invalid\_op+0x16/0x20 arch/x86/include/asm/idtentry.h:568  
RIP: 0010:try\_grab\_page+0x2dd/0x3a0 mm/gup.c:229  
Code: ff be 04 00 00 00 4c 89 e7 e8 cf fa 13 00 f0 41 ff 04 24 e8 65  
96 cb ff 45 31 e4 5b 44 89 e0 5d 41 5c 41 5d c3 e8 53 96 cb ff <0f> 0b  
e8 4c 96 cb ff 41 bc f4 ff ff ff 5b 44 89 e0 5d 41 5c 41 5d  
RSP: 0018:ffffc9000e99f268 EFLAGS: 00010202  
RAX: 0000000000002f80 RBX: ffffea00003ae340 RCX: ffffc90002d79000  
RDX: 0000000000040000 RSI: ffffffff81ad81ed RDI: ffffea00003ae374  
RBP: ffffea00003ae340 R08: 0000000000000000 R09: fffff94000075c6e  
R10: ffffea00003ae377 R11: 0000000000000000 R12: ffffea00003ae374  
R13: 0000000000210052 R14: ffffea00003ae340 R15: 000000000eb8d225  
follow\_page\_pte+0x18c/0x1610 mm/gup.c:651  
follow\_pmd\_mask mm/gup.c:727 \[inline\]  
follow\_pud\_mask mm/gup.c:765 \[inline\]  
follow\_p4d\_mask mm/gup.c:782 \[inline\]  
follow\_page\_mask+0x2e4/0xbd0 mm/gup.c:839  
\_\_get\_user\_pages+0x3fa/0xcf0 mm/gup.c:1256  
\_\_get\_user\_pages\_locked mm/gup.c:1487 \[inline\]  
get\_user\_pages\_unlocked+0x183/0x580 mm/gup.c:2387  
hva\_to\_pfn\_slow arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2536 \[inline\]  
hva\_to\_pfn+0x198/0xbc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2674  
\_\_gfn\_to\_pfn\_memslot+0x202/0x3e0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2736  
\_\_kvm\_faultin\_pfn arch/x86/kvm/mmu/mmu.c:4329 \[inline\]  
kvm\_faultin\_pfn+0x21b/0x12d0 arch/x86/kvm/mmu/mmu.c:4365  
kvm\_tdp\_mmu\_page\_fault arch/x86/kvm/mmu/mmu.c:4503 \[inline\]  
kvm\_tdp\_page\_fault+0x167/0x4d0 arch/x86/kvm/mmu/mmu.c:4549  
kvm\_mmu\_do\_page\_fault arch/x86/kvm/mmu/mmu\_internal.h:320 \[inline\]  
kvm\_mmu\_page\_fault+0x2f4/0x1a40 arch/x86/kvm/mmu/mmu.c:5756  
handle\_ept\_violation+0x20a/0x620 arch/x86/kvm/vmx/vmx.c:5760  
\_\_vmx\_handle\_exit arch/x86/kvm/vmx/vmx.c:6539 \[inline\]  
vmx\_handle\_exit+0x4a1/0x18d0 arch/x86/kvm/vmx/vmx.c:6556  
vcpu\_enter\_guest arch/x86/kvm/x86.c:10848 \[inline\]  
vcpu\_run+0x24b6/0x44b0 arch/x86/kvm/x86.c:10951  
kvm\_arch\_vcpu\_ioctl\_run+0x416/0x1830 arch/x86/kvm/x86.c:11172  
kvm\_vcpu\_ioctl+0x4de/0xcc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:4112  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x173/0x1e0 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x47959d  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fc6339a4068 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 000000000047959d  
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006  
RBP: 000000000059c0a0 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c0ac  
R13: 000000000000000b R14: 0000000000437250 R15: 00007fc633984000  
</TASK>  
Dumping ftrace buffer:  
(ftrace buffer empty)  
Kernel Offset: disabled  
Rebooting in 1 seconds..

CVE-2023-40791: LKML: Yikebaer Aizezi: WARNING in try_grab_page

** DISPUTED ** An issue was discovered in the Linux kernel through 6.5.7. kvm_arch_vcpu_ioctl_run in arch/x86/kvm/x86.c allows a WARN_ON_ONCE if userspace stuffs a nonsensical vCPU state.

Messages in this thread

*   First message in thread
*   Yikebaer Aizezi
    *   Sean Christopherson
        *   Yikebaer Aizezi

Patch in this message

*   Get diff 1

Date

Thu, 3 Aug 2023 20:46:35 +0000

Subject

Re: WARNING in kvm\_arch\_vcpu\_ioctl\_run

From

On Thu, Jul 27, 2023, Yikebaer Aizezi wrote:  
\> Hello, I'm sorry for the mistake in my previous email. I forgot to add  
\> a subject. This is my second attempt to send the message.  
\>   
\> When using Healer to fuzz the latest Linux kernel, the following crash  
\> was triggered.  
\>   
\> HEAD commit: fdf0eaf11452d72945af31804e2a1048ee1b574c (tag: v6.5-rc2)  
\>   
\> git tree: upstream  
\>   
\> console output:  
\> https://drive.google.com/file/d/1FiemC\_AWRT-6EGscpQJZNzYhXZty6BVr/view?usp=drive\_link  
\> kernel config: https://drive.google.com/file/d/1fgPLKOw7QbKzhK6ya5KUyKyFhumQgunw/view?usp=drive\_link  
\> C reproducer: https://drive.google.com/file/d/1SiLpYTZ7Du39ubgf1k1BIPlu9ZvMjiWZ/view?usp=drive\_link  
\> Syzlang reproducer:  
\> https://drive.google.com/file/d/1eWSmwvNGOlZNU-0-xsKhUgZ4WG2VLZL5/view?usp=drive\_link  
\> Similar report:  
\> https://groups.google.com/g/syzkaller-bugs/c/C2ud-S1Thh0/m/z4iI7l\_dAgAJ  
\>   
\> If you fix this issue, please add the following tag to the commit:  
\> Reported-by: Yikebaer Aizezi <yikebaer61@gmail.com>  
\>   
\> kvm: vcpu 129: requested lapic timer restore with starting count  
\> register 0x390=4241646265 (4241646265 ns) > initial count (296265111  
\> ns). Using initial count to start timer.  
\> ------------\[ cut here \]------------  
\> WARNING: CPU: 0 PID: 1977 at arch/x86/kvm/x86.c:11098  
\> kvm\_arch\_vcpu\_ioctl\_run+0x152f/0x1830 arch/x86/kvm/x86.c:11098

Well that's annoying.  The WARN is a sanity check that KVM doesn't somehow put  
the guest into an uninitialized state while emulating the guest's APIC timer, but  
I completely overlooked the fact that userspace can simply stuff the should-be-  
impossible guest state. \*sigh\*

Sadly, I think the most reasonable thing to do is to simply drop the sanity check :-(

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c  
index 0145d844283b..e9e262b244b8 100644  
\--- a/arch/x86/kvm/x86.c  
+++ b/arch/x86/kvm/x86.c  
@@ -11091,12 +11091,17 @@ int kvm\_arch\_vcpu\_ioctl\_run(struct kvm\_vcpu \*vcpu)  
                        r = -EINTR;  
                        goto out;  
                }  
+  
                /\*  
\-                \* It should be impossible for the hypervisor timer to be in  
\-                \* use before KVM has ever run the vCPU.  
\+                \* Don't bother switching APIC timer emulation from the  
\+                \* hypervisor timer to the software timer, the only way for the  
\+                \* APIC timer to be active is if userspace stuffed vCPU state,  
\+                \* i.e. put the vCPU and into a nonsensical state.  The only  
\+                \* transition out of UNINITIALIZED (without more state stuffing  
\+                \* from userspace) is an INIT, which will reset the local APIC  
\+                \* and thus smother the timer anyways, i.e. APIC timer IRQs  
\+                \* will be dropped no matter what.  
                 \*/  
\-               WARN\_ON\_ONCE(kvm\_lapic\_hv\_timer\_in\_use(vcpu));  
\-  
                kvm\_vcpu\_srcu\_read\_unlock(vcpu);  
                kvm\_vcpu\_block(vcpu);  
                kvm\_vcpu\_srcu\_read\_lock(vcpu);

CVE-2023-40790: LKML: Sean Christopherson: Re: WARNING in kvm_arch_vcpu_ioctl_run

Expand Up @@ -37,7 +37,8 @@ } } elseif ($vars\['search\_type'\] == 'mac') { $sql = ' FROM \`ports\` AS I, \`devices\` AS D'; $sql .= " WHERE I.device\_id = D.device\_id AND \`ifPhysAddress\` LIKE '%" . trim(str\_replace(\[':', ' ', '-', '.', '0x'\], '', $vars\['address'\])) . "%' $where "; $sql .= " WHERE I.device\_id = D.device\_id AND \`ifPhysAddress\` LIKE ? $where "; $param\[\] = '%' . trim(str\_replace(\[':', ' ', '-', '.', '0x'\], '', $vars\['address'\])) . '%'; }//end if if (is\_numeric($vars\['device\_id'\])) { $sql .= ' AND I.device\_id = ?'; Expand Down

Tag

#git