Whatsapp iOS 2.19.80 and prior and Android 2.19.222 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.

**CWE-451: User Interface (UI) Misrepresentation of Critical Information.**

> _The user interface does not properly represent critical information to the user, allowing the information to be spoofed. This is often a component in online scams, phishing and disinformation propagation._

When a message contains a valid URL, it is highlighted and marked as hyperlink. However, this is printed to screen before sanitizing Unicode Control Characters, which results in URI spoofing via specially crafted messages.

`Affects all recent distributions of iOS iMessage, WhatsApp, Instagram, and Facebook Messenger as of 2019.8.15`

WhatsApp

Instagram DM

![POCW](https://github.com/zadewg/RIUS/raw/master/whatsapp.gif)

![POCI](https://github.com/zadewg/RIUS/raw/master/instagram.gif)

**mapez** - telegram

CVE-2020-20096: GitHub - zadewg/RIUS: RTLO Injection URI Spoofing

wpsupdater.exe in Kingsoft WPS Office through 11.2.0.10382 allows remote code execution by modifying HKEY_CURRENT_USER in the registry.

**All in One, One for All**

![WPS Writer](https://website-prod.cache.wpscdn.com/img/writer_palette.42f3d2a.svg) ![WPS Writer](https://website-prod.cache.wpscdn.com/img/writer_tubularis.534bd31.svg)

![](https://website-prod.cache.wpscdn.com/img/writer_annotate.6af4b11.svg)

**All in One, One for All**

As an industry-leading office software provider, WPS Office brings convenience and professional support for people in business, education, and home scenarios.

Our office suite is also fully compatible with common products, such as Microsoft Office and Google Docs. The four components of WPS Office are Writer, Spreadsheet, Presentation, and PDF, which can meet your daily work and study requirements. You can use WPS Office exactly the same way you would use Microsoft Word, Excel, and PowerPoint.

![WPS Writer user reviews](https://website-prod.cache.wpscdn.com/img/p1.7d1a212.png)

Patricia Pavel

WPS meets my needs, because I use my mobile phone and iPad when I'm out and use a computer when I'm working. With WPS, I don't need to spend a lot of time transferring files between the computer and the mobile phone. Anyway, it is a free and amazing alternative to Microsoft Office, giving me better experience than MS Office. I like it very much.

CVE-2022-24934: WPS Office - Free Office Download for PC & Mobile, Alternative to MS Office

A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of service (DOS) due to a deadlock problem.

From

Date

Tue, 14 Sep 2021 10:28:09 +0800

Subject

WARNING: lock held when returning to user space in \_\_btrfs\_tree\_lock

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash  
was triggered.

HEAD commit: 6880fa6c5660 Linux 5.15-rc1  
git tree: upstream  
console output:  
https://drive.google.com/file/d/1BfaOcSWIkWUpQAgEj9p2zYVWsQxxacVl/view?usp=sharing  
kernel config: https://drive.google.com/file/d/1rUzyMbe5vcs6khA3tL9EHTLJvsUdWcgB/view?usp=sharing  
C reproducer: https://drive.google.com/file/d/1HOZwnXJ42eEmVFS7n85zRcpXCFRHTFxi/view?usp=sharing  
Syzlang reproducer:  
https://drive.google.com/file/d/1-OULR4sFWY4qF4KvdLpehrlsZn9mMO7V/view?usp=sharing

If you fix this issue, please add the following tag to the commit:  
Reported-by: Hao Sun <sunhao.th@gmail.com>

loop0: detected capacity change from 0 to 32768  
BTRFS info (device loop0): disk space caching is enabled  
BTRFS info (device loop0): has skinny extents  
BTRFS info (device loop0): enabling ssd optimizations  
FAULT\_INJECTION: forcing a failure.  
name failslab, interval 1, probability 0, space 0, times 0  
CPU: 0 PID: 7579 Comm: syz-executor Not tainted 5.15.0-rc1 #16  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
Call Trace:  
 \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]  
 dump\_stack\_lvl+0x8d/0xcf lib/dump\_stack.c:106  
 fail\_dump lib/fault-inject.c:52 \[inline\]  
 should\_fail+0x13c/0x160 lib/fault-inject.c:146  
 should\_failslab+0x5/0x10 mm/slab\_common.c:1328  
 slab\_pre\_alloc\_hook.constprop.99+0x4e/0xc0 mm/slab.h:494  
 slab\_alloc\_node mm/slub.c:3120 \[inline\]  
 slab\_alloc mm/slub.c:3214 \[inline\]  
 kmem\_cache\_alloc+0x44/0x280 mm/slub.c:3219  
 btrfs\_alloc\_delayed\_extent\_op fs/btrfs/delayed-ref.h:299 \[inline\]  
 btrfs\_alloc\_tree\_block+0x38c/0x670 fs/btrfs/extent-tree.c:4833  
 \_\_btrfs\_cow\_block+0x16f/0x7d0 fs/btrfs/ctree.c:415  
 btrfs\_cow\_block+0x12a/0x300 fs/btrfs/ctree.c:570  
 btrfs\_search\_slot+0x6b0/0xee0 fs/btrfs/ctree.c:1768  
 btrfs\_insert\_empty\_items+0x80/0xf0 fs/btrfs/ctree.c:3905  
 btrfs\_new\_inode+0x311/0xa60 fs/btrfs/inode.c:6530  
 btrfs\_create+0x12b/0x270 fs/btrfs/inode.c:6783  
 lookup\_open+0x660/0x780 fs/namei.c:3282  
 open\_last\_lookups fs/namei.c:3352 \[inline\]  
 path\_openat+0x465/0xe20 fs/namei.c:3557  
 do\_filp\_open+0xe3/0x170 fs/namei.c:3588  
 do\_sys\_openat2+0x357/0x4a0 fs/open.c:1200  
 do\_sys\_open+0x87/0xd0 fs/open.c:1216  
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
 do\_syscall\_64+0x34/0xb0 arch/x86/entry/common.c:80  
 entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae  
RIP: 0033:0x46ae99  
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007f46711b9c48 EFLAGS: 00000246 ORIG\_RAX: 0000000000000055  
RAX: ffffffffffffffda RBX: 000000000078c0a0 RCX: 000000000046ae99  
RDX: 0000000000000000 RSI: 00000000000000a1 RDI: 0000000020005800  
RBP: 00007f46711b9c80 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000017  
R13: 0000000000000000 R14: 000000000078c0a0 R15: 00007ffc129da6e0

\================================================  
WARNING: lock held when returning to user space!  
5.15.0-rc1 #16 Not tainted  
\------------------------------------------------  
syz-executor/7579 is leaving the kernel with locks still held!  
1 lock held by syz-executor/7579:  
 #0: ffff888104b73da8 (btrfs-tree-01/1){+.+.}-{3:3}, at:  
\_\_btrfs\_tree\_lock+0x2e/0x1a0 fs/btrfs/locking.c:112

CVE-2021-4149: lock held when returning to user space in __btrfs_tree_lock

A use-after-free flaw was found in the add_partition in block/partitions/core.c in the Linux kernel. A local attacker with user privileges could cause a denial of service on the system. The issue results from the lack of code cleanup when device_add call fails when adding a partition to the disk.

Messages in this thread

*   First message in thread
*   Hao Sun
    *   Hao Sun
        *   Zqiang
            *   Christoph Hellwig
                *   Zqiang

From

Date

Tue, 7 Sep 2021 09:22:03 +0800

Subject

WARNING in \_\_init\_work

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash  
was triggered.

HEAD commit: 27151f177827 Merge tag 'perf-tools-for-v5.15-2021-09-04'  
git tree: upstream  
console output:  
https://drive.google.com/file/d/1M5oyA\_IcWSDB2XpnoX8SDmKJA3JhKltz/view?usp=sharing  
kernel config: https://drive.google.com/file/d/1ZMVJ2vNe0EiIEeWNVyrGb7hBdOG5Uj3e/view?usp=sharing  
C reproducer: https://drive.google.com/file/d/1AtDNXl8XEBfglKXsKsAH2NuXBcrp8Zp9/view?usp=sharing  
Syzlang reproducer:  
https://drive.google.com/file/d/1R\_XD\_cyMNS0Q\_SGSqomRy\_LIClOrd-gI/view?usp=sharing

If you fix this issue, please add the following tag to the commit:  
Reported-by: Hao Sun <sunhao.th@gmail.com>

ODEBUG: object ffffc9000073cda0 is NOT on stack ffffc90005f34000, but annotated.  
\------------\[ cut here \]------------  
WARNING: CPU: 2 PID: 27648 at lib/debugobjects.c:548  
debug\_object\_is\_on\_stack lib/debugobjects.c:545 \[inline\]  
WARNING: CPU: 2 PID: 27648 at lib/debugobjects.c:548  
\_\_debug\_object\_init+0x224/0x520 lib/debugobjects.c:607  
Modules linked in:  
CPU: 2 PID: 27648 Comm: syz-executor Not tainted 5.14.0+ #13  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
RIP: 0010:debug\_object\_is\_on\_stack lib/debugobjects.c:545 \[inline\]  
RIP: 0010:\_\_debug\_object\_init+0x224/0x520 lib/debugobjects.c:607  
Code: 84 ca fe ff ff 83 c0 01 4c 89 f6 48 c7 c7 f8 b0 3c 85 89 05 7e  
c2 56 06 65 48 8b 04 25 40 70 01 00 48 8b 50 20 e8 05 9b f5 01 <0f> 0b  
e9 9e fe ff ff 89 05 87 4d e3 03 e9 c4 fe ff ff 48 c7 c7 e0  
RSP: 0018:ffffc9000073ccf0 EFLAGS: 00010282  
RAX: 0000000000000050 RBX: ffff88810cf2f398 RCX: 0000000000000100  
RDX: 0000000000000000 RSI: ffffffff812cf85c RDI: 00000000ffffffff  
RBP: ffffffff88868538 R08: 0000000000000000 R09: 0000000000000001  
R10: ffffc9000073cc80 R11: 0000000000000005 R12: 0000000000000203  
R13: 0000000000054450 R14: ffffc9000073cda0 R15: ffff88807dd264f0  
FS:  0000000002ad0940(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000  
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 00000000005061ec CR3: 0000000100da5000 CR4: 0000000000750ee0  
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  
PKRU: 55555554  
Call Trace:  
 <IRQ>  
 \_\_init\_work+0x3f/0x50 kernel/workqueue.c:519  
 synchronize\_rcu\_expedited+0x26a/0x460 kernel/rcu/tree\_exp.h:847  
 bdi\_remove\_from\_list mm/backing-dev.c:938 \[inline\]  
 bdi\_unregister+0x97/0x270 mm/backing-dev.c:946  
 release\_bdi+0x4a/0x70 mm/backing-dev.c:968  
 kref\_put include/linux/kref.h:65 \[inline\]  
 bdi\_put+0x47/0x70 mm/backing-dev.c:976  
 bdev\_free\_inode+0x59/0xc0 fs/block\_dev.c:819  
 i\_callback+0x24/0x50 fs/inode.c:224  
 rcu\_do\_batch kernel/rcu/tree.c:2508 \[inline\]  
 rcu\_core+0x2d6/0x9f0 kernel/rcu/tree.c:2743  
 \_\_do\_softirq+0xe9/0x561 kernel/softirq.c:558  
 invoke\_softirq kernel/softirq.c:432 \[inline\]  
 \_\_irq\_exit\_rcu kernel/softirq.c:636 \[inline\]  
 irq\_exit\_rcu+0xe2/0x100 kernel/softirq.c:648  
 sysvec\_apic\_timer\_interrupt+0x9e/0xc0 arch/x86/kernel/apic/apic.c:1097  
 </IRQ>  
 asm\_sysvec\_apic\_timer\_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638  
RIP: 0010:\_\_sanitizer\_cov\_trace\_pc+0x37/0x60 kernel/kcov.c:197  
Code: 65 48 8b 14 25 40 70 01 00 81 e1 00 01 00 00 a9 00 01 ff 00 74  
0e 85 c9 74 35 8b 82 34 15 00 00 85 c0 74 2b 8b 82 10 15 00 00 <83> f8  
02 75 20 48 8b 8a 18 15 00 00 8b 92 14 15 00 00 48 8b 01 48  
RSP: 0018:ffffc90005f37b78 EFLAGS: 00000246  
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000000000  
RDX: ffff888109448000 RSI: ffffffff8212a28c RDI: ffffc90005f37d30  
RBP: 0000000000000006 R08: 0000000000000d40 R09: ffff8880165fc5e0  
R10: ffffc90005f37cd0 R11: 0000000000000003 R12: 0000000000000375  
R13: ffff888107597b40 R14: ffffc90005f37d30 R15: ffff8880174b0ea0  
 tomoyo\_domain\_quota\_is\_ok+0xac/0x150 security/tomoyo/util.c:1092  
 tomoyo\_supervisor+0x228/0x7f0 security/tomoyo/common.c:2089  
 tomoyo\_audit\_path\_log security/tomoyo/file.c:168 \[inline\]  
 tomoyo\_path\_permission+0xa0/0xf0 security/tomoyo/file.c:587  
 tomoyo\_path\_perm+0x22f/0x2d0 security/tomoyo/file.c:838  
 tomoyo\_path\_symlink+0x43/0x70 security/tomoyo/tomoyo.c:199  
 security\_path\_symlink+0x48/0x80 security/security.c:1164  
 do\_symlinkat+0x75/0x120 fs/namei.c:4274  
 \_\_do\_sys\_symlink fs/namei.c:4301 \[inline\]  
 \_\_se\_sys\_symlink fs/namei.c:4299 \[inline\]  
 \_\_x64\_sys\_symlink+0x3a/0x40 fs/namei.c:4299  
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
 do\_syscall\_64+0x34/0xb0 arch/x86/entry/common.c:80  
 entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae  
RIP: 0033:0x46a597  
Code: 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66  
2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 58 00 00 00 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007ffd09085778 EFLAGS: 00000206 ORIG\_RAX: 0000000000000058  
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000046a597  
RDX: 0000000000000000 RSI: 00000000004e40f9 RDI: 00007ffd09085810  
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000014  
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000  
R13: 0000000000000000 R14: 00007ffd09085810 R15: 00007ffd090857cc  
\----------------  
Code disassembly (best guess):  
   0: 65 48 8b 14 25 40 70 mov    %gs:0x17040,%rdx  
   7: 01 00  
   9: 81 e1 00 01 00 00    and    $0x100,%ecx  
   f: a9 00 01 ff 00        test   $0xff0100,%eax  
  14: 74 0e                je     0x24  
  16: 85 c9                test   %ecx,%ecx  
  18: 74 35                je     0x4f  
  1a: 8b 82 34 15 00 00    mov    0x1534(%rdx),%eax  
  20: 85 c0                test   %eax,%eax  
  22: 74 2b                je     0x4f  
  24: 8b 82 10 15 00 00    mov    0x1510(%rdx),%eax  
\* 2a: 83 f8 02              cmp    $0x2,%eax <-- trapping instruction  
  2d: 75 20                jne    0x4f  
  2f: 48 8b 8a 18 15 00 00 mov    0x1518(%rdx),%rcx  
  36: 8b 92 14 15 00 00    mov    0x1514(%rdx),%edx  
  3c: 48 8b 01              mov    (%rcx),%rax  
  3f: 48                    rex.W%

CVE-2021-4150: LKML: Hao Sun: WARNING in __init_work

A vulnerability was found in the Linux kernel's block_invalidatepage in fs/buffer.c in the filesystem. A missing sanity check may allow a local attacker with user privilege to cause a denial of service (DOS) problem.

Messages in this thread

*   First message in thread
*   Hao Sun
    *   Christoph Hellwig
        *   Hao Sun
            *   Christoph Hellwig
                *   Yang Shi

![/](https://lkml.org/images/icornerl.gif)

From

Date

Mon, 13 Sep 2021 10:00:27 +0800

Subject

general protection fault in wb\_timer\_fn

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash  
was triggered.

HEAD commit:  4b93c544e90e-thunderbolt: test: split up test cases  
git tree: upstream  
console output:  
https://drive.google.com/file/d/1naN-5p-rFgKpHrshO\_kQr5f\_KlhvFGGU/view?usp=sharing  
kernel config: https://drive.google.com/file/d/1c0u2EeRDhRO-ZCxr9MP2VvAtJd6kfg-p/view?usp=sharing  
C reproducer: https://drive.google.com/file/d/19EDhssGw\_V1oO2vWOPrgQqve0TdFSgvh/view?usp=sharing  
Syzlang reproducer:  
https://drive.google.com/file/d/13EGCCoaMe9oitrQCfy44BkGVLbKKFP6X/view?usp=sharing  
Similar report:  
https://groups.google.com/g/syzkaller-bugs/c/H7fKH\_5GVSE/m/-1aj5-d1BAAJ

If you fix this issue, please add the following tag to the commit:  
Reported-by: Hao Sun <sunhao.th@gmail.com>

general protection fault, probably for non-canonical address  
0xdffffc0000000029: 0000 \[#1\] PREEMPT SMP KASAN  
KASAN: null-ptr-deref in range \[0x0000000000000148-0x000000000000014f\]  
CPU: 2 PID: 8539 Comm: syz-executor Not tainted 5.14.0+ #1  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
RIP: 0010:latency\_exceeded block/blk-wbt.c:237 \[inline\]  
RIP: 0010:wb\_timer\_fn+0x149/0x2080 block/blk-wbt.c:360  
Code: 03 80 3c 02 00 0f 85 08 1c 00 00 48 8b 9b b0 00 00 00 48 b8 00  
00 00 00 00 fc ff df 48 8d bb 48 01 00 00 48 89 fa 48 c1 ea 03 <80> 3c  
02 00 0f 85 d5 1b 00 00 48 8b 83 48 01 00 00 48 8d 7d 28 48  
RSP: 0018:ffffc90000848cd0 EFLAGS: 00010212  
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888014e79c80  
RDX: 0000000000000029 RSI: ffff888014e79c80 RDI: 0000000000000148  
RBP: ffff88801e2adc00 R08: ffffffff83de2dfd R09: 0000000000000003  
R10: 0000000000000005 R11: ffffed1003c55bb0 R12: 0000000000000003  
R13: 0000000000000000 R14: ffff8881053bc800 R15: ffff88801e2adcd0  
FS:  0000000003176940(0000) GS:ffff888063f00000(0000) knlGS:0000000000000000  
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 00000000014d53ad CR3: 000000002e5ff000 CR4: 0000000000350ee0  
Call Trace:  
 <IRQ>  
 call\_timer\_fn+0x1a5/0x6b0 kernel/time/timer.c:1421  
 expire\_timers kernel/time/timer.c:1466 \[inline\]  
 \_\_run\_timers.part.0+0x6b0/0xa90 kernel/time/timer.c:1734  
 \_\_run\_timers kernel/time/timer.c:1715 \[inline\]  
 run\_timer\_softirq+0xb6/0x1d0 kernel/time/timer.c:1747  
 \_\_do\_softirq+0x1d7/0x93b kernel/softirq.c:558  
 invoke\_softirq kernel/softirq.c:432 \[inline\]  
 \_\_irq\_exit\_rcu kernel/softirq.c:636 \[inline\]  
 irq\_exit\_rcu+0xf2/0x130 kernel/softirq.c:648  
 sysvec\_apic\_timer\_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097  
 </IRQ>  
 asm\_sysvec\_apic\_timer\_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638  
RIP: 0010:get\_current arch/x86/include/asm/current.h:15 \[inline\]  
RIP: 0010:write\_comp\_data+0xe/0x70 kernel/kcov.c:217  
Code: 00 8b 89 1c 15 00 00 48 8b 02 48 83 c0 01 48 39 c1 76 07 4c 89  
04 c2 48 89 02 c3 90 49 89 fa bf 03 00 00 00 49 89 f1 49 89 d0 <65> 48  
8b 34 25 40 f0 01 00 e8 34 ff ff ff 84 c0 74 44 48 8b 86 20  
RSP: 0018:ffffc9000106f7f8 EFLAGS: 00000246  
RAX: 000000000d0444bb RBX: 80000000fd589217 RCX: ffffffff81ac95bd  
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003  
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000007 R11: ffffed100247709c R12: 0000000000000000  
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff88802e806788  
 copy\_present\_pte mm/memory.c:976 \[inline\]  
 copy\_pte\_range mm/memory.c:1070 \[inline\]  
 copy\_pmd\_range mm/memory.c:1156 \[inline\]  
 copy\_pud\_range mm/memory.c:1193 \[inline\]  
 copy\_p4d\_range mm/memory.c:1217 \[inline\]  
 copy\_page\_range+0xf4d/0x4750 mm/memory.c:1290  
 dup\_mmap kernel/fork.c:610 \[inline\]  
 dup\_mm+0xa50/0x13d0 kernel/fork.c:1454  
 copy\_mm kernel/fork.c:1506 \[inline\]  
 copy\_process+0x6c23/0x73d0 kernel/fork.c:2195  
 kernel\_clone+0xe7/0x10d0 kernel/fork.c:2585  
 \_\_do\_sys\_clone+0xc8/0x110 kernel/fork.c:2702  
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
 do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80  
 entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae  
RIP: 0033:0x471f0f  
Code: ed 0f 85 64 01 00 00 64 4c 8b 0c 25 10 00 00 00 45 31 c0 4d 8d  
91 d0 02 00 00 31 d2 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d  
00 f0 ff ff 0f 87 f5 00 00 00 41 89 c5 85 c0 0f 85 fc 00 00  
RSP: 002b:00007ffc62d06000 EFLAGS: 00000246 ORIG\_RAX: 0000000000000038  
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000471f0f  
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011  
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000003176940  
R10: 0000000003176c10 R11: 0000000000000246 R12: 0000000000000001  
R13: 0000000000000005 R14: 00007ffc62d060b0 R15: 00007ffc62d0606c  
Modules linked in:  
Dumping ftrace buffer:  
   (ftrace buffer empty)  
\---\[ end trace ef2331b2238dd17a \]---  
RIP: 0010:latency\_exceeded block/blk-wbt.c:237 \[inline\]  
RIP: 0010:wb\_timer\_fn+0x149/0x2080 block/blk-wbt.c:360  
Code: 03 80 3c 02 00 0f 85 08 1c 00 00 48 8b 9b b0 00 00 00 48 b8 00  
00 00 00 00 fc ff df 48 8d bb 48 01 00 00 48 89 fa 48 c1 ea 03 <80> 3c  
02 00 0f 85 d5 1b 00 00 48 8b 83 48 01 00 00 48 8d 7d 28 48  
RSP: 0018:ffffc90000848cd0 EFLAGS: 00010212  
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888014e79c80  
RDX: 0000000000000029 RSI: ffff888014e79c80 RDI: 0000000000000148  
RBP: ffff88801e2adc00 R08: ffffffff83de2dfd R09: 0000000000000003  
R10: 0000000000000005 R11: ffffed1003c55bb0 R12: 0000000000000003  
R13: 0000000000000000 R14: ffff8881053bc800 R15: ffff88801e2adcd0  
FS:  0000000003176940(0000) GS:ffff888063f00000(0000) knlGS:0000000000000000  
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 00000000014d53ad CR3: 000000002e5ff000 CR4: 0000000000350ee0  
\----------------  
Code disassembly (best guess):  
   0: 03 80 3c 02 00 0f    add    0xf00023c(%rax),%eax  
   6: 85 08                test   %ecx,(%rax)  
   8: 1c 00                sbb    $0x0,%al  
   a: 00 48 8b              add    %cl,-0x75(%rax)  
   d: 9b                    fwait  
   e: b0 00                mov    $0x0,%al  
  10: 00 00                add    %al,(%rax)  
  12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax  
  19: fc ff df  
  1c: 48 8d bb 48 01 00 00 lea    0x148(%rbx),%rdi  
  23: 48 89 fa              mov    %rdi,%rdx  
  26: 48 c1 ea 03          shr    $0x3,%rdx  
\* 2a: 80 3c 02 00          cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction  
  2e: 0f 85 d5 1b 00 00    jne    0x1c09  
  34: 48 8b 83 48 01 00 00 mov    0x148(%rbx),%rax  
  3b: 48 8d 7d 28          lea    0x28(%rbp),%rdi  
  3f: 48                    rex.W%

![\](https://lkml.org/images/icornerr.gif)

CVE-2021-4148: general protection fault in wb_timer_fn

An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged process that are controlled by cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system.

**Note:** If your use of the APIs is failing with an error titled 'API access must use the Authorization header' then you need to read the API Authentication changes announcement

*   
*   
*   
*   
*   
*   

**Bug 2035652** (CVE-2021-4197) - CVE-2021-4197 kernel: cgroup: Use open-time creds and namespace for migration perm checks

Summary: CVE-2021-4197 kernel: cgroup: Use open-time creds and namespace for migration...

Keywords:

Status:

NEW

Alias:

CVE-2021-4197

Product:

Security Response

Classification:

Other

Component:

vulnerability

Sub Component:

Version:

unspecified

Hardware:

All

OS:

Linux

Priority:

medium

Severity:

medium

Target Milestone:

\---

Assignee:

Red Hat Product Security

QA Contact:

Docs Contact:

URL:

Whiteboard:

Depends On:

2035766 2035767 2035768 2035668

Blocks:

2030983 2036691

TreeView+

depends on / blocked

Reported:

2021-12-26 13:49 UTC by Alex

Modified:

2022-01-24 18:59 UTC (History)

CC List:

46 users (show)

Fixed In Version:

Linux kernel 5.17-rc1

Doc Type:

If docs needed, set a value

Doc Text:

An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged process that are controlled by cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system.

Clone Of:

Environment:

Last Closed:

  

Attachments

(Terms of Use)

Add an attachment (proposed patch, testcase, etc.)

  

Description Alex 2021-12-26 13:49:57 UTC

In cgroups (control groups) functionality of Linux Kernel found potential security weakness that may allow scenarios where a less privileged process tricks a more privileged one into writing into a fd that it created. This could lead to local escalation of privilege for the containers or other processes that uses cgroups in such a way. User interaction is not needed for exploitation.

Reference and upstream patch:
https://lore.kernel.org/lkml/20211209214707.805617-1-tj@kernel.org/T/

Comment 3 Alex 2021-12-26 16:48:08 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all \[bug 2035668\]

Note You need to log in before you can comment on or make changes to this bug.

*   
*   
*   
*   
*   
*

CVE-2021-4197: Use open-time creds and namespace for migration perm checks

Messages in this thread

*   First message in thread
*   Hao Sun
    *   Hao Sun
        *   Zqiang
            *   Christoph Hellwig
                *   Zqiang

![/](https://lkml.org/images/icornerl.gif)

From

Date

Tue, 7 Sep 2021 09:22:03 +0800

Subject

WARNING in \_\_init\_work

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash  
was triggered.

HEAD commit: 27151f177827 Merge tag 'perf-tools-for-v5.15-2021-09-04'  
git tree: upstream  
console output:  
https://drive.google.com/file/d/1M5oyA\_IcWSDB2XpnoX8SDmKJA3JhKltz/view?usp=sharing  
kernel config: https://drive.google.com/file/d/1ZMVJ2vNe0EiIEeWNVyrGb7hBdOG5Uj3e/view?usp=sharing  
C reproducer: https://drive.google.com/file/d/1AtDNXl8XEBfglKXsKsAH2NuXBcrp8Zp9/view?usp=sharing  
Syzlang reproducer:  
https://drive.google.com/file/d/1R\_XD\_cyMNS0Q\_SGSqomRy\_LIClOrd-gI/view?usp=sharing

If you fix this issue, please add the following tag to the commit:  
Reported-by: Hao Sun <sunhao.th@gmail.com>

ODEBUG: object ffffc9000073cda0 is NOT on stack ffffc90005f34000, but annotated.  
\------------\[ cut here \]------------  
WARNING: CPU: 2 PID: 27648 at lib/debugobjects.c:548  
debug\_object\_is\_on\_stack lib/debugobjects.c:545 \[inline\]  
WARNING: CPU: 2 PID: 27648 at lib/debugobjects.c:548  
\_\_debug\_object\_init+0x224/0x520 lib/debugobjects.c:607  
Modules linked in:  
CPU: 2 PID: 27648 Comm: syz-executor Not tainted 5.14.0+ #13  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
RIP: 0010:debug\_object\_is\_on\_stack lib/debugobjects.c:545 \[inline\]  
RIP: 0010:\_\_debug\_object\_init+0x224/0x520 lib/debugobjects.c:607  
Code: 84 ca fe ff ff 83 c0 01 4c 89 f6 48 c7 c7 f8 b0 3c 85 89 05 7e  
c2 56 06 65 48 8b 04 25 40 70 01 00 48 8b 50 20 e8 05 9b f5 01 <0f> 0b  
e9 9e fe ff ff 89 05 87 4d e3 03 e9 c4 fe ff ff 48 c7 c7 e0  
RSP: 0018:ffffc9000073ccf0 EFLAGS: 00010282  
RAX: 0000000000000050 RBX: ffff88810cf2f398 RCX: 0000000000000100  
RDX: 0000000000000000 RSI: ffffffff812cf85c RDI: 00000000ffffffff  
RBP: ffffffff88868538 R08: 0000000000000000 R09: 0000000000000001  
R10: ffffc9000073cc80 R11: 0000000000000005 R12: 0000000000000203  
R13: 0000000000054450 R14: ffffc9000073cda0 R15: ffff88807dd264f0  
FS:  0000000002ad0940(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000  
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 00000000005061ec CR3: 0000000100da5000 CR4: 0000000000750ee0  
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  
PKRU: 55555554  
Call Trace:  
 <IRQ>  
 \_\_init\_work+0x3f/0x50 kernel/workqueue.c:519  
 synchronize\_rcu\_expedited+0x26a/0x460 kernel/rcu/tree\_exp.h:847  
 bdi\_remove\_from\_list mm/backing-dev.c:938 \[inline\]  
 bdi\_unregister+0x97/0x270 mm/backing-dev.c:946  
 release\_bdi+0x4a/0x70 mm/backing-dev.c:968  
 kref\_put include/linux/kref.h:65 \[inline\]  
 bdi\_put+0x47/0x70 mm/backing-dev.c:976  
 bdev\_free\_inode+0x59/0xc0 fs/block\_dev.c:819  
 i\_callback+0x24/0x50 fs/inode.c:224  
 rcu\_do\_batch kernel/rcu/tree.c:2508 \[inline\]  
 rcu\_core+0x2d6/0x9f0 kernel/rcu/tree.c:2743  
 \_\_do\_softirq+0xe9/0x561 kernel/softirq.c:558  
 invoke\_softirq kernel/softirq.c:432 \[inline\]  
 \_\_irq\_exit\_rcu kernel/softirq.c:636 \[inline\]  
 irq\_exit\_rcu+0xe2/0x100 kernel/softirq.c:648  
 sysvec\_apic\_timer\_interrupt+0x9e/0xc0 arch/x86/kernel/apic/apic.c:1097  
 </IRQ>  
 asm\_sysvec\_apic\_timer\_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638  
RIP: 0010:\_\_sanitizer\_cov\_trace\_pc+0x37/0x60 kernel/kcov.c:197  
Code: 65 48 8b 14 25 40 70 01 00 81 e1 00 01 00 00 a9 00 01 ff 00 74  
0e 85 c9 74 35 8b 82 34 15 00 00 85 c0 74 2b 8b 82 10 15 00 00 <83> f8  
02 75 20 48 8b 8a 18 15 00 00 8b 92 14 15 00 00 48 8b 01 48  
RSP: 0018:ffffc90005f37b78 EFLAGS: 00000246  
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000000000  
RDX: ffff888109448000 RSI: ffffffff8212a28c RDI: ffffc90005f37d30  
RBP: 0000000000000006 R08: 0000000000000d40 R09: ffff8880165fc5e0  
R10: ffffc90005f37cd0 R11: 0000000000000003 R12: 0000000000000375  
R13: ffff888107597b40 R14: ffffc90005f37d30 R15: ffff8880174b0ea0  
 tomoyo\_domain\_quota\_is\_ok+0xac/0x150 security/tomoyo/util.c:1092  
 tomoyo\_supervisor+0x228/0x7f0 security/tomoyo/common.c:2089  
 tomoyo\_audit\_path\_log security/tomoyo/file.c:168 \[inline\]  
 tomoyo\_path\_permission+0xa0/0xf0 security/tomoyo/file.c:587  
 tomoyo\_path\_perm+0x22f/0x2d0 security/tomoyo/file.c:838  
 tomoyo\_path\_symlink+0x43/0x70 security/tomoyo/tomoyo.c:199  
 security\_path\_symlink+0x48/0x80 security/security.c:1164  
 do\_symlinkat+0x75/0x120 fs/namei.c:4274  
 \_\_do\_sys\_symlink fs/namei.c:4301 \[inline\]  
 \_\_se\_sys\_symlink fs/namei.c:4299 \[inline\]  
 \_\_x64\_sys\_symlink+0x3a/0x40 fs/namei.c:4299  
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
 do\_syscall\_64+0x34/0xb0 arch/x86/entry/common.c:80  
 entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae  
RIP: 0033:0x46a597  
Code: 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66  
2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 58 00 00 00 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007ffd09085778 EFLAGS: 00000206 ORIG\_RAX: 0000000000000058  
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000046a597  
RDX: 0000000000000000 RSI: 00000000004e40f9 RDI: 00007ffd09085810  
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000014  
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000  
R13: 0000000000000000 R14: 00007ffd09085810 R15: 00007ffd090857cc  
\----------------  
Code disassembly (best guess):  
   0: 65 48 8b 14 25 40 70 mov    %gs:0x17040,%rdx  
   7: 01 00  
   9: 81 e1 00 01 00 00    and    $0x100,%ecx  
   f: a9 00 01 ff 00        test   $0xff0100,%eax  
  14: 74 0e                je     0x24  
  16: 85 c9                test   %ecx,%ecx  
  18: 74 35                je     0x4f  
  1a: 8b 82 34 15 00 00    mov    0x1534(%rdx),%eax  
  20: 85 c0                test   %eax,%eax  
  22: 74 2b                je     0x4f  
  24: 8b 82 10 15 00 00    mov    0x1510(%rdx),%eax  
\* 2a: 83 f8 02              cmp    $0x2,%eax <-- trapping instruction  
  2d: 75 20                jne    0x4f  
  2f: 48 8b 8a 18 15 00 00 mov    0x1518(%rdx),%rcx  
  36: 8b 92 14 15 00 00    mov    0x1514(%rdx),%edx  
  3c: 48 8b 01              mov    (%rcx),%rax  
  3f: 48                    rex.W%

![\](https://lkml.org/images/icornerr.gif)

The security landscape is dynamic, changing often and as a result, attack surfaces evolve. MSRC receives a wide variety of cases spanning different products, bug types and exploit primitives. One particularly interesting primitive we see is an arbitrary kernel pointer read. These often happen when kernel mode code does not validate that pointers read from attacker-controlled input actually point to the user-mode portion of the Virtual Address Space (VAS).

Exploring a New Class of Kernel Exploit Primitive

BigAnt Software BigAnt Server v5.6.06 was discovered to contain a Cross-Site Request Forgery (CSRF).

**![logo](https://www.bigant.com/wp/wp-content/uploads/2014/03/logo.png)**

![](https://www.bigant.com/wp/wp-content/uploads/2015/07/l_ba.jpg)

**Support**

Comments? Queries? Having an issue? Contact Big Ant Support here.

![](https://www.bigant.com/wp/wp-content/uploads/2015/07/l_fb.jpg)

**Facebook**

Go to the Big Ant Facebook page for the latest news.

![](https://www.bigant.com/wp/wp-content/uploads/2015/07/l_t.jpg)

**Twitter**

Go to the Big Ant Twitter page for current updates.

**AO Tennis 2 is available now!**

BIGBEN and Big Ant Studios, Australia’s leading developer of sports titles, are delighted to announce their partnership for the publishing ...

**BIGANTFORUMS**

Join the Big Ant forums and keep up to date with the latest news and current hot topics.

Become part of the BigAnt community.

GO TO FORUMS

Tag

#ios