An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

**Django potential denial of service vulnerability in UsernameField on Windows**

Moderate severity GitHub Reviewed Published Nov 2, 2023 to the GitHub Advisory Database • Updated Nov 2, 2023

GHSA-qmf9-6jqf-j8fq: Django potential denial of service vulnerability in UsernameField on Windows

Cross Site Scripting vulnerability in BigTree CMS v.4.5.7 allows a remote attacker to execute arbitrary code via the ID parameter in the Developer Settings functions.

**What's Next?**

**Install**

Follow these simple instructions to install and configure BigTree on your server.

Installation Instructions

**Customize**

BigTree is not a microwave meal; it's a gourmet meal from scratch. If you know PHP, you should be comfortable here.

Developer Guide

**Get Help, Help Others**

Post issues to the forum or help others by answering their questions.

BigTree Forums

**Looking For Older Versions?**

**Versions 4.0 and 4.1 of BigTree have reached end of life status and no longer receive security updates. Please update to BigTree 4.4 as soon as possible.**

BigTree 4.3 has reached **security updates only** status and security related releases will end on **January 15, 2020**.  
Download BigTree 4.3.4 or checkout the 4.3.x branch on GitHub.   **Release Notes**

BigTree 4.2 has reached **security updates only** status and security related releases will end on **November 1, 2019**.  
Download BigTree 4.2.24 or checkout the 4.2.x branch on GitHub.   **Release Notes**

BigTree 4.1 has reached **end of life** status and security related releases ended **January 1, 2017**.  
Download BigTree 4.1.18 or checkout the 4.1.x branch on GitHub.   **Release Notes**

BigTree 4.0 has reached **end of life** status and security related releases ended **January 1, 2016**.  
Download BigTree 4.0.13 or checkout the 4.0.x branch on GitHub.   **Release Notes**

CVE-2023-44954: Download BigTree CMS · BigTree CMS

Reflected Cross-Site Scripting (XSS) vulnerability in dmpop Mejiro Commit Versions Prior To 3096393 allows attackers to run arbitrary code via crafted string in metadata of uploaded images.

Expand Up

@@ -97,8 +97,8 @@ function read\_gps\_location($file)

$GPSLongitudeRef == 'w' ? $lon \*= -1 : '';

  

return array(

'lat' => $lat,

'lon' => $lon

'lat' => htmlentities($lat),

'lon' => htmlentities($lon)

);

}

}

Expand Down Expand Up

@@ -364,25 +364,25 @@ function show\_pagination($current\_page, $last\_page, $and\_d, $sub\_photo\_dir)

$gps = read\_gps\_location($file);

  

// Get aperture, exposure, iso, and datetime from EXIF

$aperture = (is\_null($exif\['COMPUTED'\]\['ApertureFNumber'\]) ? null : $exif\['COMPUTED'\]\['ApertureFNumber'\]);

$exposure = (is\_null($exif\['EXIF'\]\['ExposureTime'\]) ? null : $exif\['EXIF'\]\['ExposureTime'\]);

$aperture = htmlentities((is\_null($exif\['COMPUTED'\]\['ApertureFNumber'\]) ? null : $exif\['COMPUTED'\]\['ApertureFNumber'\]));

$exposure = htmlentities((is\_null($exif\['EXIF'\]\['ExposureTime'\]) ? null : $exif\['EXIF'\]\['ExposureTime'\]));

// Normalize exposure

// https://stackoverflow.com/questions/3049998/parsing-exifs-exposuretime-using-php

if (!is\_null($exposure)) {

$parts = explode("/", $exposure);

if (($parts\[1\] % $parts\[0\]) == 0 || $parts\[1\] == 1000000) {

$exposure = ' &bull; 1/' . round($parts\[1\] / $parts\[0\], 0);

$exposure = htmlentities(' &bull; 1/' . round($parts\[1\] / $parts\[0\], 0));

} else {

if ($parts\[1\] == 1) {

$exposure = ' &bull; ' . $parts\[0\];

$exposure = htmlentities(' &bull; ' . $parts\[0\]);

} else {

$exposure = ' &bull; ' . $parts\[0\] . '/' . $parts\[1\];

$exposure = htmlentities(' &bull; ' . $parts\[0\] . '/' . $parts\[1\]);

}

}

}

$iso = (is\_null($exif\['EXIF'\]\['ISOSpeedRatings'\]) ? null : " &bull; " . $exif\['EXIF'\]\['ISOSpeedRatings'\]);

$datetime = $exif\['EXIF'\]\['DateTimeOriginal'\] ?? null;

$comment = $exif\['COMMENT'\]\['0'\] ?? null;

$iso = htmlentities((is\_null($exif\['EXIF'\]\['ISOSpeedRatings'\]) ? null : " &bull; " . $exif\['EXIF'\]\['ISOSpeedRatings'\]));

$datetime = htmlentities($exif\['EXIF'\]\['DateTimeOriginal'\]) ?? null;

$comment = htmlentities($exif\['COMMENT'\]\['0'\]) ?? null;

  

// Concatenate $exif\_info

if (!is\_null($aperture) || !is\_null($exposure) || !is\_null($iso) || !is\_null($datetime)) {

Expand Down

CVE-2023-46448: Fix reflected XSS vulnerability · dmpop/mejiro@3096393

By Waqas
Mandiant Investigates Zero-Day Exploitation in Citrix Vulnerability, CVE-2023-4966.
This is a post from HackRead.com Read the original post: Mandiant Tracks Four Uncategorized Groups Exploiting Citrix Vulnerability

According to Mandiant, the Citrix vulnerability which specifically impacts NetScaler ADC and Gateway appliances, has been detected in the wild since late August 2023.

Citrix, a provider of NetScaler ADC and Gateway appliances, released a security bulletin on October 10, 2023, detailing a vulnerability (CVE-2023-4966) exposing sensitive information. Mandiant, a **Google-owned** prominent cybersecurity firm, has identified instances of both zero-day exploitation and subsequent exploitation of this vulnerability following Citrix’s disclosure.

The vulnerability specifically affects NetScaler ADC and Gateway appliances and has been observed in the wild since late August 2023, continuing after the release of the security advisory by the company.

Mandiant’s investigations revealed successful exploitation incidents, allowing threat actors to take control of legitimate user sessions on these Citrix appliances, bypassing authentication measures, including passwords and multi-factor authentication.

Mandiant’s findings shed light on factors that help in identifying exploitation activities and highlight various post-exploitation techniques witnessed during their incident response investigations.

**Vulnerable Endpoints**

When Citrix released firmware updates addressing **CVE-2023-4966**, Mandiant employed similar methods as **Assetnote**, an external attack surface management firm, to identify vulnerable functions and create a proof of concept (PoC). Prior to Citrix’s publication, Mandiant was already investigating session takeovers, which they believed were the result of zero-day exploitation.

With differential firmware analysis, they pinpointed the vulnerable endpoint by crafting an HTTP GET request with an extended Host header, causing a vulnerable appliance to expose system memory contents, potentially revealing a valid NetScaler AAA session cookie.

**Investigation Challenges**

A significant challenge in investigating these vulnerable appliances lies in the absence of request logging for the vulnerable endpoint on the appliance’s web server. Mandiant recommends relying on **web application firewalls (WAF)** or similar network appliances recording HTTP/S requests directed towards these NetScaler devices to identify attempted exploitations.

**Techniques for Identifying Exploitation**

Mandiant outlined several techniques to identify potential exploitation and subsequent session hijacking. These include scrutinizing WAF logs, identifying suspicious login patterns in NetScaler logs, checking Windows Registry keys, and analyzing memory core dump files.

**Post-Exploitation Activities**

Following successful exploitation, Mandiant observed several post-exploitation tactics, such as surveillance, credential harvesting, and lateral movement through RDP. Threat actors used various tools and techniques to gain access, including **Mimikatz** for dumping process memory and deploying remote monitoring and management (RMM) tools like Atera, **AnyDesk**, and **SplashTop**.

**Victimology and Attribution**

Mandiant’s investigation spans multiple sectors, including legal, professional services, technology, and government organizations in the Americas, EMEA, and APJ regions. They are tracking four distinct uncategorized (UNC) groups involved in exploiting this vulnerability.

> _“Mandiant is currently tracking four distinct uncategorized (UNC) groups involved in exploiting this vulnerability. We have observed some lower degrees of confidence overlaps in post-exploitation stages among these UNC groups, like using the same recon commands and utilities available on Windows. The common tools observed across multiple intrusions were: csvde.exe certutil.exe local.exe nbtscan.exe.”_
> 
> Mandiant

**Timothy Morris**, Chief Security Advisor at Tanium also commented on the issue and wanted that the Netscaler exploitation is at large scale right now. “Session Hijacking” could be low risk, however, it could also be extremely high-risk, depending upon the session being hijacked,” Morris said.

“It is important that customers patch immediately and do the necessary incident response threat hunting. In other words, don’t assume that “If I patch, I’m good.” That might prevent the next exploitation attempt (i.e. repairing the broken window) but doesn’t resolve what might have already happened (i.e. who is already in the house due to the previously broken window),” added Morris.

**Remediation Efforts**

Mandiant published a **blog post** offering remediation recommendations and guidance to mitigate this vulnerability.

In conclusion, this revelation provides insights into the exploitation and post-exploitation activities resulting from the Citrix vulnerability CVE-2023-4966. Mandiant’s ongoing investigation aims to understand the intricacies of the exploit and provide comprehensive guidance for remediation.

****_Editor’s note:_****

_The article includes limited technical details about the vulnerability, exploitation techniques, and detection methods. Please note that this is a summarization of the extensive information provided in the original blog post by Mandiant._

****_RELATED ARTICLES_****

1.  Critical RCE Vulnerability Puts 330,000 Fortinet Firewalls at Risk
2.  Cisco Catalyst SD-WAN Manager Systems Exposed to DoS Attacks
3.  JetBrains Patches TeamCity Flaw Allowing RCE and Server Hijacking
4.  iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser
5.  Mozilla Rushes to Fix Critical Vulnerability in Firefox and Thunderbird

Mandiant Tracks Four Uncategorized Groups Exploiting Citrix Vulnerability

An arbitrary file upload vulnerability in HadSky v7.12.10 allows attackers to execute arbitrary code via a crafted file.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-46428: CVE/analyse.md at main · fenglon/CVE

The slow-motion implosion of Elon Musk’s X has given rise to a slew of competitors, where privacy invasions that ran rampant over the past decade still largely persist.

When Elon Musk took over Twitter in October 2022, experts warned that his proposed changes—including less content moderation and a subscription-based verification system—would lead to an exodus of users and advertisers. A year later, those predictions have largely borne out. Advertising revenue on the platform has declined 55 percent since Musk’s takeover, and the number of daily active users fell from 140 million to 121 million in the same time period, according to third-party analyses.

As users moved to other online spaces, the past year could have marked a moment for other social platforms to change the way they collect and protect user data. “Unfortunately, it just feels like no matter what their interest or cultural tone is from the outset of founding their company, it's just not enough to move an entire field further from a maximalist, voracious approach to our data,” says Jenna Ruddock, policy council at Free Press, a nonprofit media watchdog organization, and a lead author on a new report examining Bluesky, Mastodon, and Meta’s Threads, all of which have jockeyed to fill the void left by Twitter, which is now named X.

Companies like Google, X, and Meta collect vast amounts of user data, in part to better understand and improve their platforms but largely to be able to sell targeted advertising. But collection of sensitive information around users’ race, ethnicity, sexuality, or other identifiers can put people at risk. For instance, earlier this year, Meta and the US Department of Justice reached a settlement after it was found that the company’s algorithm allowed advertisers to exclude certain racial groups from seeing ads for things like housing, jobs, and financial services. In 2018, the company was slapped with a $5 billion fine—one of the largest in history—after a Federal Trade Commission probe found multiple instances of the company failing to protect user data, triggered by an investigation into data shared with British consulting firm Cambridge Analytica. (Meta has since made changes to some of these ad targeting options.)

“There’s a very strong corollary between the data that's collected about us and then the automated tools that platforms and other services use, which often produce discriminatory results,” says Nora Benavidez, director of digital justice and civil rights at Free Press. “And when that happens, there's really no recourse other than litigation.”

Even for users who want to opt out of ravenous data collection, privacy policies remain complicated and vague, and many users don’t have the time or knowledge of legalese to parse through them. At best, says Benavidez, users can figure out what data won’t be collected, “but either way, the onus is really on the users to sift through policies, trying to make sense of what's really happening with their data,” she says. “I worry these corporate practices and policies are nefarious enough and befuddling enough that people really don't understand the stakes.”

Mastodon, according to the report, offers users the most protection, because it doesn’t collect sensitive personal information or geo-location data and doesn’t track user activity off the platform, at least not on the platform’s default server. Other servers—or “instances,” in Mastodon parlance—can set their own privacy and moderation policies. Bluesky, founded by Twitter cofounder and former CEO Jack Dorsey, also doesn’t collect sensitive data but does track user behavior across other platforms. But there are no laws that require platforms like Bluesky and Mastodon to keep their privacy policies this way. “Folks can sign on with particular privacy expectations that they might feel satisfied by a privacy policy or disclosures,” says Ruddock. “And that can still change over time. And I think that's what we're going to see with some of these emerging platforms.”

Mastodon spokesperson Renaud Chaput told WIRED that the platform does not have any plans to change its privacy policies and noted that user data is only available on the server where a user’s account is hosted. Bluesky and Meta did not immediately respond to requests for comment. Meta spokesperson Emil Vazquez directed WIRED to a thread from the company’s deputy chief privacy officer, Rob Sherman, in which he said, “Meta’s privacy policy, and the Threads supplementary privacy policy, are the best resources to understand how Threads uses and collects data.”

Nazanin Andalibi, assistant professor of information at the University of Michigan, says that while privacy can be a competitive advantage for a newer platform, “people might still use a platform that they believe will not respect their privacy,” even if they have concerns. Mastodon has fewer than 3 million users, and Bluesky, which remains in beta, has just over 1 million. And greater privacy may not be enough to shift users’ behaviors away from bigger platforms like X and Meta’s Threads.

Unlike Bluesky and Mastodon, Threads largely abides by the same wide-reaching data collection policies as its parent company, which also owns Facebook and Instagram. Launched in July off the back of Instagram, the platform saw an initial spike in growth, followed by a plateau. But in its quarterly earnings call last week, Meta CEO Mark Zuckerberg said that Threads now has over 100 million monthly active users. “I’ve thought for a long time there should be a billion-person public conversations app that is a bit more positive,” Zuckerberg said. “I think that if we keep at this for a few more years, then I think we have a good chance of achieving our vision there.”

“Threads looks like they're collecting much more information than they actually need in order for the service to function. And some of the information they're collecting is pretty sensitive,” says Calli Schroeder, global privacy counsel at the Electronic Privacy Information Center, a nonprofit focused on privacy and free speech online. “I think this is just inextricably tied to the fact that behind Threads, Meta already holds just an absolutely obscene amount of information on individuals.”

Twitter, prior to Musk’s takeover, has had its own spotty history of protecting user data. In 2009, hackers compromised the platform twice, accessing users’ private information and, in some cases, taking over accounts. In 2011, the FTC issued a consent decree—a threat of legal action—against Twitter for failing to protect user data in relation to the 2009 hacks. As part of the settlement, “Twitter will be barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information,” according to the FTC, with each violation carrying a $16,000 penalty.

So far, attempts to curtail the collection of users’ data has been piecemeal, largely driven by state-level laws and individual enforcement actions. The American Data Privacy and Protection Act, proposed in 2022, remains in congressional limbo.

“Regulation continues to be extraordinarily behind,” says Ruddock. “The companies are not going to change on their own.”

The New Era of Social Media Looks as Bad for Privacy as the Last One

A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.

Syzkaller reported an error "slab-use-after-free Write in txEnd".

crash report：

==================================================================
BUG: KASAN: slab-use-after-free in instrument\_atomic\_write include/linux/instrumented.h:87 \[inline\]
BUG: KASAN: slab-use-after-free in clear\_bit include/asm-generic/bitops/instrumented-atomic.h:41 \[inline\]
BUG: KASAN: slab-use-after-free in txEnd+0x2a3/0x5a0 fs/jfs/jfs\_txnmgr.c:535
Write of size 8 at addr ffff888021bee840 by task jfsCommit/130

CPU: 3 PID: 130 Comm: jfsCommit Not tainted 6.3.0-rc7-pasta #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Call Trace:
 <TASK>
 \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
 dump\_stack\_lvl+0xd9/0x150 lib/dump\_stack.c:106
 print\_address\_description mm/kasan/report.c:319 \[inline\]
 print\_report+0xc1/0x5e0 mm/kasan/report.c:430
 kasan\_report+0xc0/0xf0 mm/kasan/report.c:536
 check\_region\_inline mm/kasan/generic.c:181 \[inline\]
 kasan\_check\_range+0x144/0x190 mm/kasan/generic.c:187
 instrument\_atomic\_write include/linux/instrumented.h:87 \[inline\]
 clear\_bit include/asm-generic/bitops/instrumented-atomic.h:41 \[inline\]
 txEnd+0x2a3/0x5a0 fs/jfs/jfs\_txnmgr.c:535
 txLazyCommit fs/jfs/jfs\_txnmgr.c:2679 \[inline\]
 jfs\_lazycommit+0x75f/0xb10 fs/jfs/jfs\_txnmgr.c:2727
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret\_from\_fork+0x1f/0x30 arch/x86/entry/entry\_64.S:308
 </TASK>

Allocated by task 86743:
 kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45
 kasan\_set\_track+0x25/0x30 mm/kasan/common.c:52
 \_\_\_\_kasan\_kmalloc mm/kasan/common.c:374 \[inline\]
 \_\_\_\_kasan\_kmalloc mm/kasan/common.c:333 \[inline\]
 \_\_kasan\_kmalloc+0xa3/0xb0 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:580 \[inline\]
 kzalloc include/linux/slab.h:720 \[inline\]
 open\_inline\_log fs/jfs/jfs\_logmgr.c:1159 \[inline\]
 lmLogOpen+0x562/0x1430 fs/jfs/jfs\_logmgr.c:1069
 jfs\_mount\_rw+0x2f6/0x6d0 fs/jfs/jfs\_mount.c:257
 jfs\_fill\_super+0xa00/0xd40 fs/jfs/super.c:565
 mount\_bdev+0x351/0x410 fs/super.c:1380
 legacy\_get\_tree+0x109/0x220 fs/fs\_context.c:610
 vfs\_get\_tree+0x8d/0x350 fs/super.c:1510
 do\_new\_mount fs/namespace.c:3042 \[inline\]
 path\_mount+0x675/0x1e30 fs/namespace.c:3372
 do\_mount fs/namespace.c:3385 \[inline\]
 \_\_do\_sys\_mount fs/namespace.c:3594 \[inline\]
 \_\_se\_sys\_mount fs/namespace.c:3571 \[inline\]
 \_\_x64\_sys\_mount+0x283/0x300 fs/namespace.c:3571
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
 do\_syscall\_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Freed by task 16288:
 kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45
 kasan\_set\_track+0x25/0x30 mm/kasan/common.c:52
 kasan\_save\_free\_info+0x2b/0x40 mm/kasan/generic.c:521
 \_\_\_\_kasan\_slab\_free mm/kasan/common.c:236 \[inline\]
 \_\_\_\_kasan\_slab\_free+0x13b/0x1a0 mm/kasan/common.c:200
 kasan\_slab\_free include/linux/kasan.h:162 \[inline\]
 \_\_cache\_free mm/slab.c:3390 \[inline\]
 \_\_do\_kmem\_cache\_free mm/slab.c:3577 \[inline\]
 \_\_kmem\_cache\_free+0xcd/0x2c0 mm/slab.c:3584
 lmLogClose+0x595/0x720 fs/jfs/jfs\_logmgr.c:1461
 jfs\_umount+0x2ef/0x430 fs/jfs/jfs\_umount.c:114
 jfs\_put\_super+0x85/0x1d0 fs/jfs/super.c:194
 generic\_shutdown\_super+0x158/0x480 fs/super.c:500
 kill\_block\_super+0x9b/0xf0 fs/super.c:1407
 deactivate\_locked\_super+0x98/0x160 fs/super.c:331
 deactivate\_super+0xb1/0xd0 fs/super.c:362
 cleanup\_mnt+0x2ae/0x3d0 fs/namespace.c:1177
 task\_work\_run+0x168/0x260 kernel/task\_work.c:179
 resume\_user\_mode\_work include/linux/resume\_user\_mode.h:49 \[inline\]
 exit\_to\_user\_mode\_loop kernel/entry/common.c:171 \[inline\]
 exit\_to\_user\_mode\_prepare+0x210/0x240 kernel/entry/common.c:204
 \_\_syscall\_exit\_to\_user\_mode\_work kernel/entry/common.c:286 \[inline\]
 syscall\_exit\_to\_user\_mode+0x1d/0x50 kernel/entry/common.c:297
 do\_syscall\_64+0x46/0xb0 arch/x86/entry/common.c:86
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Last potentially related work creation:
 kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45
 \_\_kasan\_record\_aux\_stack+0x7b/0x90 mm/kasan/generic.c:491
 kvfree\_call\_rcu+0x70/0xad0 kernel/rcu/tree.c:3327
 neigh\_destroy+0x431/0x660 net/core/neighbour.c:941
 neigh\_release include/net/neighbour.h:449 \[inline\]
 neigh\_cleanup\_and\_release+0x1f8/0x280 net/core/neighbour.c:103
 neigh\_periodic\_work+0x60c/0xac0 net/core/neighbour.c:1025
 process\_one\_work+0x98a/0x15c0 kernel/workqueue.c:2390
 worker\_thread+0x669/0x1090 kernel/workqueue.c:2537
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret\_from\_fork+0x1f/0x30 arch/x86/entry/entry\_64.S:308

The buggy address belongs to the object at ffff888021bee800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 64 bytes inside of
 freed 1024-byte region \[ffff888021bee800, ffff888021beec00)

The buggy address belongs to the physical page:
page:ffffea000086fb80 refcount:1 mapcount:0 mapping:0000000000000000
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff888012440700 ffffea0000583ed0 ffffea0000609790
raw: 0000000000000000 ffff888021bee000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected
page\_owner tracks the page as allocated
 prep\_new\_page mm/page\_alloc.c:2553 \[inline\]
 get\_page\_from\_freelist+0x119c/0x2d40 mm/page\_alloc.c:4326
 \_\_alloc\_pages+0x1cb/0x4a0 mm/page\_alloc.c:5592
 \_\_alloc\_pages\_node include/linux/gfp.h:237 \[inline\]
 kmem\_getpages mm/slab.c:1360 \[inline\]
 cache\_grow\_begin+0x9b/0x3b0 mm/slab.c:2570
 cache\_alloc\_refill+0x27e/0x380 mm/slab.c:2943
 \_\_\_\_cache\_alloc mm/slab.c:3019 \[inline\]
 \_\_\_\_cache\_alloc mm/slab.c:3002 \[inline\]
 \_\_do\_cache\_alloc mm/slab.c:3202 \[inline\]
 slab\_alloc\_node mm/slab.c:3250 \[inline\]
 \_\_kmem\_cache\_alloc\_node+0x360/0x3f0 mm/slab.c:3541
 \_\_do\_kmalloc\_node mm/slab\_common.c:966 \[inline\]
 \_\_kmalloc+0x4e/0x190 mm/slab\_common.c:980
 kmalloc include/linux/slab.h:584 \[inline\]
 kzalloc include/linux/slab.h:720 \[inline\]
 ieee802\_11\_parse\_elems\_full+0x106/0x1320 net/mac80211/util.c:1609
 ieee802\_11\_parse\_elems\_crc.constprop.0+0x99/0xd0
 net/mac80211/ieee80211\_i.h:2265
 ieee802\_11\_parse\_elems net/mac80211/ieee80211\_i.h:2272 \[inline\]
 ieee80211\_bss\_info\_update+0x410/0xb50 net/mac80211/scan.c:212
 ieee80211\_rx\_bss\_info net/mac80211/ibss.c:1120 \[inline\]
 ieee80211\_rx\_mgmt\_probe\_beacon net/mac80211/ibss.c:1609 \[inline\]
 ieee80211\_ibss\_rx\_queued\_mgmt+0x18b2/0x2d30 net/mac80211/ibss.c:1638
 ieee80211\_iface\_process\_skb net/mac80211/iface.c:1583 \[inline\]
 ieee80211\_iface\_work+0xa47/0xd60 net/mac80211/iface.c:1637
 process\_one\_work+0x98a/0x15c0 kernel/workqueue.c:2390
 worker\_thread+0x669/0x1090 kernel/workqueue.c:2537
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret\_from\_fork+0x1f/0x30 arch/x86/entry/entry\_64.S:308
page last free stack trace:
 reset\_page\_owner include/linux/page\_owner.h:24 \[inline\]
 free\_pages\_prepare mm/page\_alloc.c:1454 \[inline\]
 free\_pcp\_prepare+0x4e3/0x920 mm/page\_alloc.c:1504
 free\_unref\_page\_prepare mm/page\_alloc.c:3388 \[inline\]
 free\_unref\_page+0x1d/0x4e0 mm/page\_alloc.c:3483
 slab\_destroy mm/slab.c:1613 \[inline\]
 slabs\_destroy+0x85/0xc0 mm/slab.c:1633
 \_\_cache\_free\_alien mm/slab.c:773 \[inline\]
 cache\_free\_alien mm/slab.c:789 \[inline\]
 \_\_\_cache\_free+0x203/0x3e0 mm/slab.c:3417
 qlink\_free mm/kasan/quarantine.c:168 \[inline\]
 qlist\_free\_all+0x4f/0x1a0 mm/kasan/quarantine.c:187
 kasan\_quarantine\_reduce+0x188/0x1d0 mm/kasan/quarantine.c:294
 \_\_kasan\_slab\_alloc+0x63/0x90 mm/kasan/common.c:305
 kasan\_slab\_alloc include/linux/kasan.h:186 \[inline\]
 slab\_post\_alloc\_hook mm/slab.h:769 \[inline\]
 slab\_alloc\_node mm/slab.c:3257 \[inline\]
 slab\_alloc mm/slab.c:3266 \[inline\]
 \_\_kmem\_cache\_alloc\_lru mm/slab.c:3443 \[inline\]
 kmem\_cache\_alloc+0x1bd/0x3f0 mm/slab.c:3452
 vm\_area\_alloc+0x20/0x100 kernel/fork.c:458
 mmap\_region+0x389/0x2270 mm/mmap.c:2553
 do\_mmap+0x853/0xf20 mm/mmap.c:1364
 vm\_mmap\_pgoff+0x1af/0x280 mm/util.c:542
 ksys\_mmap\_pgoff+0x41f/0x5a0 mm/mmap.c:1410
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
 do\_syscall\_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff888021bee700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888021bee780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>_ffff888021bee800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb_
                                           ^
 ffff888021bee880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888021bee900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Through analysis, it was found that a race condition occurred between two
functions lmLogClose and txEnd, which were executed in different threads.
The possible sequence is as follows:

-------------------------------------------------------------------------
cpu1(free thread)        |        cpu2(use thread)
-------------------------------------------------------------------------
lmLogClose               |        txEnd
                         |        log = JFS\_SBI(tblk->sb)->log;
sbi->log = NULL;         |
kfree(log); \[1\] free log |
                         |        clear\_bit(log\_FLUSH, &log->flag); \[2\] UAF

Fix it by add a mutex lock between lmLogClose and txEnd:

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
---
 fs/jfs/jfs\_debug.c  | 1 +
 fs/jfs/jfs\_debug.h  | 1 +
 fs/jfs/jfs\_logmgr.c | 2 ++
 fs/jfs/jfs\_txnmgr.c | 8 ++++++++
 4 files changed, 12 insertions(+)

diff --git a/fs/jfs/jfs\_debug.c b/fs/jfs/jfs\_debug.c
index 44b62b3c322e..a9c9266b222b 100644
--- a/fs/jfs/jfs\_debug.c
+++ b/fs/jfs/jfs\_debug.c
@@ -78,3 +78,4 @@ void jfs\_proc\_clean(void)
 }
 
 #endif /\* PROC\_FS\_JFS \*/
+DEFINE\_MUTEX(txEnd\_lmLogClose\_mutex);
\\ No newline at end of file
diff --git a/fs/jfs/jfs\_debug.h b/fs/jfs/jfs\_debug.h
index 48e2150c092e..25da8ee71f5e 100644
--- a/fs/jfs/jfs\_debug.h
+++ b/fs/jfs/jfs\_debug.h
@@ -107,3 +107,4 @@ int jfs\_xtstat\_proc\_show(struct seq\_file \*m, void \*v);
 #endif				/\* CONFIG\_JFS\_STATISTICS \*/
 
 #endif				/\* \_H\_JFS\_DEBUG \*/
+extern struct mutex txEnd\_lmLogClose\_mutex;
\\ No newline at end of file
diff --git a/fs/jfs/jfs\_logmgr.c b/fs/jfs/jfs\_logmgr.c
index 695415cbfe98..05c5391075db 100644
--- a/fs/jfs/jfs\_logmgr.c
+++ b/fs/jfs/jfs\_logmgr.c
@@ -1442,6 +1442,7 @@ int lmLogClose(struct super\_block \*sb)
 	jfs\_info("lmLogClose: log:0x%p", log);
 
 	mutex\_lock(&jfs\_log\_mutex);
+	mutex\_lock(&txEnd\_lmLogClose\_mutex);
 	LOG\_LOCK(log);
 	list\_del(&sbi->log\_list);
 	LOG\_UNLOCK(log);
@@ -1490,6 +1491,7 @@ int lmLogClose(struct super\_block \*sb)
 	kfree(log);
 
       out:
+	mutex\_unlock(&txEnd\_lmLogClose\_mutex);
 	mutex\_unlock(&jfs\_log\_mutex);
 	jfs\_info("lmLogClose: exit(%d)", rc);
 	return rc;
diff --git a/fs/jfs/jfs\_txnmgr.c b/fs/jfs/jfs\_txnmgr.c
index ffd4feece078..5b4351e59535 100644
--- a/fs/jfs/jfs\_txnmgr.c
+++ b/fs/jfs/jfs\_txnmgr.c
@@ -490,6 +490,7 @@ void txEnd(tid\_t tid)
 	struct jfs\_log \*log;
 
 	jfs\_info("txEnd: tid = %d", tid);
+	mutex\_lock(&txEnd\_lmLogClose\_mutex);
 	TXN\_LOCK();
 
 	/\*
@@ -500,6 +501,11 @@ void txEnd(tid\_t tid)
 
 	log = JFS\_SBI(tblk->sb)->log;
 
+	if (!log) {
+		mutex\_unlock(&txEnd\_lmLogClose\_mutex);
+		return;
+	}
+
 	/\*
 	 \* Lazy commit thread can't free this guy until we mark it UNLOCKED,
 	 \* otherwise, we would be left with a transaction that may have been
@@ -515,6 +521,7 @@ void txEnd(tid\_t tid)
 		spin\_lock\_irq(&log->gclock);	// LOGGC\_LOCK
 		tblk->flag |= tblkGC\_UNLOCKED;
 		spin\_unlock\_irq(&log->gclock);	// LOGGC\_UNLOCK
+		mutex\_unlock(&txEnd\_lmLogClose\_mutex);
 		return;
 	}
 
@@ -561,6 +568,7 @@ void txEnd(tid\_t tid)
 	 \* wakeup all waitors for a free tblock
 	 \*/
 	TXN\_WAKEUP(&TxAnchor.freewait);
+	mutex\_unlock(&txEnd\_lmLogClose\_mutex);
 }
 
 /\*
-- 
2.25.1

CVE-2023-3397: Linux Kernel: [PATCH] fs/jfs: Add a mutex named txEnd_lmLogClose_mutex to prevent a race  condition between txEnd and lmLogClose functions

SQL injection vulnerability in wuzhicms v.4.1.0 allows a remote attacker to execute arbitrary code via the Database Backup Functionality in the coreframe/app/database/admin/index.php component.

CVE-2023-46482: PHP/wuzhicms/WUZHI CMS v4.1.0 SQL Injection Vulnerability in Database Backup Functionality.md at main · XTo-o1/PHP

There is a Cross Site Scripting (XSS) vulnerability in the choose_style_tree.do interface of Jspxcms v10.2.0 backend.

访问http://localhost:8080/cmscp/core/web_file/choose_style_tree.do?d=1698139703231&id=1";</ScRiPt><ImG id='oWDhSaEG' src=1 onerror='prompt(1)'><ScRiPt>"：

CVE-2023-46911: Jspxcms v10.2.0 后台存在xss漏洞 · Issue #I8AK2H · jspxcms/Jspxcms - Gitee.com

GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in gpac/MP4Box in gf_media_change_pl /afltest/gpac/src/media_tools/isom_tools.c:3293:42.

**SEGV in MP4Box****Description**

SEGV in gpac/MP4Box.

#0 0x7ffff6798224 in gf\_media\_change\_pl /afltest/gpac/src/media\_tools/isom\_tools.c:3293:42

**Version**

MP4Box - GPAC version 2.3-DEV-rev605-gfc9e29089-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SSL GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_JPEG GPAC\_HAS\_PNG GPAC\_HAS\_FFMPEG GPAC\_HAS\_VORBIS GPAC\_HAS\_LINUX\_DVB

**ASAN Log**

./MP4Box -add self:svcmode=splitbase:negctts:compat=15 poc3gpac

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3037861==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x7ffff6798224 bp 0x00000000000f sp 0x7ffffffec1c0 T0)
==3037861==The signal is caused by a WRITE memory access.
==3037861==Hint: address points to the zero page.
    #0 0x7ffff6798224 in gf\_media\_change\_pl /afltest/gpac/src/media\_tools/isom\_tools.c:3293:42
    #1 0x54edae in import\_file /afltest/gpac/applications/mp4box/fileimport.c:1767:8
    #2 0x4f7d1e in do\_add\_cat /afltest/gpac/applications/mp4box/mp4box.c
    #3 0x4f7d1e in mp4box\_main /afltest/gpac/applications/mp4box/mp4box.c:6196:13
    #4 0x7ffff58cc082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x42adad in \_start (/afltest/gpac/bin/gcc/MP4Box+0x42adad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /afltest/gpac/src/media\_tools/isom\_tools.c:3293:42 in gf\_media\_change\_pl
==3037861==ABORTING

**Reproduction**

git clone https://github.com/gpac/gpac.git
cd gpac
./configure --enable-sanitizer
make -j24

./bin/gcc/MP4Box -add self:svcmode=splitbase:negctts:compat=15 poc3gpac

**PoC**

poc3gpac: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc3gpac

****Impact****

This vulnerability is capable of causing crashes.

**Reference**

https://github.com/gpac/gpac

**Environment**

    ubuntu:20.04
    gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
    clang version 10.0.0-4ubuntu1
    afl-cc++4.09
    

**Credit**

Zeng Yunxiang

Song Jiaxuan

Tag

#git