Preface: Race conditions are most commonly associated with computer science and programming. They occur when two computer program processes, or threads, attempt to access the same resource at the same time and cause problems in the system. Race conditions are considered a common issue for multithreaded applications.

Background: The kernel uses virtual memory areas to keep track of the process’s memory mappings; for example, a process has one VMA for its code, one VMA for each type of data, one VMA for each distinct memory mapping (if any), and so on. VMAs are processor-independent structures, with permissions and access control flags.

Vulnerability details: An issue was discovered in include/asm-generic/tlb[.]h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs.

Summary found by Google project zero – There are drivers (in particular GPU drivers) that create VM_PFNMAP VMAs containing PTEs that point to normal pages from the page allocator. VM_PFNMAP means that the core kernel won’t track this using the page mapcounts.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-39188

Preface: Don’t contempt this design weakness. Why? Red Hat Virtualization (RHV, previously known as Red Hat Enterprise Virtualization) is an enterprise virtualization product based on the KVM hypervisor.

Background: Avi Kivity began the development of KVM in mid-2006 at Qumranet, a technology startup company that was acquired by Red Hat in 2008. KVM surfaced in October, 2006 and was merged into the Linux kernel mainline in kernel version 2.6. 20, which was released on 5 February 2007. KVM is maintained by Paolo Bonzini.

• OpenShift Virtualization uses the Red Hat Enterprise Linux KVM hypervisor technology deployed using containers, allowing Kubernetes to deploy and manage VMs locally.
• KVM is a hypervisor, which is used to achieve full virtualization. Many of the cluster environments make use of KVM in order to achieve a cluster of virtual machines. In order to manage this type of cluster and the virtual machines therein, managing systems have been developed.

Vulnerability details: An issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.
As a consequence, KVM instruction emulation can access memory through stale translations when the guest kernel thinks it has flushed all
cached translations. This could potentially be used by unprivileged userspace inside a guest to compromise the guest kernel.

Refer to attached diagram. If a vCPU 0 is outside guest mode and is scheduled out, it might be in the process of making a memory access. A problem occurs if another vCPU (vcpu 1) uses the PV TLB flush feature during the period when the vCPU 0 is scheduled out. The problem is that a virtual address has already been translated but has not yet been accessed.
If such scenario occurs, the attacker can do attack not prevented by deployed defenses. Specifically, the attacks exploit the Return Stack Buffer (RSB) to cause speculative execution of the payload gadget that reads and exposes sensitive information.

Official announcement – Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-39189

Preface: What is the Slice() method in JavaScript? In any programming language, arrays play an important role in storing data and managing different types of data. Developers often need to filter out the array, merge multiple arrays, and push or pop elements from an array to fulfill the required tasks.The slice() method is used to get some specific elements of an array from a given starting index to the given ending index.

• slice() – The Blob interface’s slice() method creates and returns a new Blob object which contains data from a subset of the blob on which it’s called.

Background: Mojo is a collection of runtime libraries providing a platform-agnostic abstraction of common IPC primitives, a message IDL format, and a bindings library with code generation for multiple target languages to facilitate convenient message passing across arbitrary inter- and intra-process boundaries. By far the most commonly used API defined by Mojo, the C++ Bindings API exposes a robust set of features for interacting with message pipes via generated C++ bindings code.

Vulnerability details: Insufficient data validation in Mojo. Google has confirmed an exploit for the bug exists in the wild, making the vulnerability a zero-day security issue. Attacker can exploit the bug by feeding a malicious input.

Official announcement – Stable Channel Update for Desktop (Friday, September 2, 2022) – https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html

My observation: Refer to attached diagram. Is it possible to trigger the vulnerability in this situations?

Preface: The slogan in past stated that Linux is secure because vulnerability not often happen compare to Microsoft Windows OS. Perhaps the dream was broken. Linux like a free of charge Lego toys.
Since there are plenty of opensource driver and library around. As a result, it is hard to avoid the vulnerability happen.
Sometimes, when vulnerability occurs in Linux just do a minor modification in a C langauge written program file can fix.
Even through vulnerability occurs in Linux daily. But I still a Linux lover.

Background: XScale is a microarchitecture for central processing units initially designed by Intel implementing the ARM architecture (version 5) instruction set. XScale comprises several distinct families: IXP, IXC, IOP, PXA and CE (see more below), with some later models designed as SoCs. Intel sold the PXA family to Marvell Technology Group in June 2006.[1] Marvell then extended the brand to include processors with other microarchitectures, like ARM’s Cortex.
XScale processors are a range of reduced instruction set computer (RISC) CPUs. XScale is an advanced RISC machines (ARM) processor with a few extra features. Codenamed Monahan P, the PXA320 is the fastest processror in the PXA3xx familt and is designed to power high-end handheld devices like Smartphones, PDAs and even UMPCs.

Vulnerability details: An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu[.]c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur.
Ref 1: pxa3xx-gcu.c – Linux kernel module for PXA3xx graphics controllers. This driver needs a DirectFB counterpart in user space, communication is handled via mmap()ed memory areas and an ioctl.

Solution: video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write – https://github.com/torvalds/linux/commit/a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7

Preface: Qualcomm has been a major player in the technology space, especially since the company saw the potential of IoT and mobile processing early on, so it’s been growing.

Background: Qualcomm enables programming of the Adreno GPU in its Snapdragon application processors via the open standard OpenCL language and API. OpenCL support enables programmers to offload computer vision algorithm kernels to the GPU, which in turn provides speed and power-consumption advantages over a CPU implementation.

The major functionality includes execution of the graphics shaders (e.g., vertex shader, fragment shader and compute shader), as well as the OpenCL kernels.

Texture processor (TP) and level-1 (L1) cache. Texture processor is an important engine in Adreno that handles many texture related operations for graphics and compute. Its primary function for OpenCL is to serve the request of SP to do texture operations such as sampling on image objects. The sampling could be point sampling or bi-linear filtering, which can be useful for down- or up-sampling. The image object could be of 1D, 2D, or 3D, and in different channel order, such as RGBA, RG, R, etc. TP in Adreno has a dedicated L1 cache, which is read-only cache and stores data fetched from level-2 (L2) cache for texture operations.

Vulnerability details: Memory corruption due to out of bound read while parsing a video file in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile. The weakness was published 09/02/2022. The advisory is shared at qualcomm.com.

Vendor not disclosed the details, I suspected that an example will encountered out of bound vulnerability. (see attached diagram).
Convolution processes an image by weighting pixels in a neighborhood. The matrix of the weights is a filter.

• Since work group sizes are fixed, there may be more work items created than pixels to be computed.
• It need to ensure each work item is not reading out of bounds. Automatic bounds checking and handling cannot help in this regard.

The weakness was published 09/02/2022. The advisory is shared at https://www.qualcomm.com/company/product-security/bulletins/august-2022-bulletin

Preface: What is difference between underflow and overflow?
Buffer Overflow – When accessed memory is beyond the end of the buffer.
Buffer Underflow – When the accessed memory is before the beginning of a buffer.

Background: Zephyr is embedded RTOS, it compatible to support more than 350 CPU boards includes x86, ARM, ARC, MIPS, etc. The Zephyr Project has been one of the fastest growing RTOSes, with ambitious goals established in their charter for connected and constrained devices; but it is more than just an RTOS. It is an open-source and open-governance project with a full and growing ecosystem of drivers, communication stacks, hardware abstractions, low-power OS services, build system and application components that allow for the rapid creation of innovative applications.

About Control use of Explicit Congestion Notification (ECN) by TCP: ECN is used only when both ends of the TCP connection indicate support for it. This feature is useful in avoiding losses due to congestion by allowing supporting routers to signal congestion before having to drop packets.

Vulnerability details: In subsys/net/ip/tcp[.]c , function tcp_flags , when the incoming parameter flags is ECN or CWR , the buf will out-of-bounds write a byte zero.

When a malformed tcp packet is received, the tcp_flags function does not check the validity of the parameters, but directly parses the th_flags field in TCP header. When th_flags is ECN or CWR , in the tcp_flags function, len is always 0, and buf[0-1] will be
written ‘\0’ . This will modify other data on the stack.

On 20th May 2022, it was fix possible buffer underflow. It do the remedy in file (tcp[.]c). Details can be found at this link – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-5c3j-p8cr-2pgh

Question: ECN is used only when both ends of the TCP connection indicate support for it. If it is not in use or ignore. Why do not disable it? Perhaps if it is disabled, it also avoid CVE-2022-1841 vulnerability.

Preface: Microsoft officials said a bug in Ubuntu 18/04 “will lead to DNS resolution errors”, and that “reports of this issue are confined to this single Ubuntu version.” 31st Aug 2022

Background: How to install Kubernetes on Ubuntu 18.04 Bionic Beaver Linux?

1. Install docker on every node (master and slave nodes). Execute the below linux command to install docker on all your Kubernetes nodes:
   $ sudo apt install docker[.]io
   Once the Docker is installed ensure that it is enabled to start after reboot:
   $ sudo systemctl enable docker
2. Install Kubernetes on all nodes (master & slave):
   Adding the Kubernetes signing key:
   $ curl -s https://packages[.]cloud[.]google.com/apt/doc/apt-key[].gpg | sudo apt-key add
3. Add the Kubernetes repository and install Kubernetes
   $ sudo apt-add-repository “deb http://apt[.]kubernetes[.]io/ kubernetes-xenial main”
   $ sudo apt install kubeadm
4. Disable swap memory on all your nodes (master & slave):
   $ sudo swapoff -a
5. Next, ensure that all your nodes have a unique host name. set the master node with the kubernetes-master hostname:
   $ sudo hostnamectl set-hostname kubernetes-master
   5.1 Set the slave node with the kubernetes-master hostname:
   $ sudo hostnamectl set-hostname kubernetes-slave
   6.Initialize the Kubernetes master node – Execute the following linux command on your master node:
   kubernetes-master:~$ sudo kubeadm init –pod-network-cidr=10[.]244[.]0[.]0/16
   6.1 Execute the bellow commands as a regular user to start using Kubernetes cluster:
   kubernetes-master:~$ mkdir -p $HOME/.kube
   kubernetes-master:~$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
   kubernetes-master:~$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
   7.Deploy a pod network
   kubernetes-master:~$ kubectl apply -f https://raw[.]githubusercontent[.]com/coreos/flannel/master/Documentation/kube-flannel[.]yml
6. Join Kubernetes Cluster
   kubernetes-slave:~$ sudo kubeadm join 10[.]1[.]1[.]9:6443 –token qdjnpd[.]5glu39uxr92xarsj –discovery-token-ca-cert-hash sha256:ed0684156c718caf425ceae6c85a56c05f7b49037cde3a2f1fd57430a4f58f89
   Remark: Refer Step 6, copy the token hash from the screen display.

Vulnerability details: A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in ‘resolved-dns-stream[.]c’ not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later.

For headline news details, please refer to the link – https://www.theregister.com/2022/08/30/ubuntu_systemd_dns_update/

Preface: The vendor who transforming Linux kernel not limit to Apple computer. Oracle, they are also has it own Linux Kernel so called UEK (Unbreakable Enterprise Kernel).
So, who maintains software updates for Oracle Linux? It will depend on Oracle Linux yum server.

Background: Oracle Linux commes with a choice of two kernels, the UEK, which is installed and enabled by default, and the Red Hat Compatible Kernel. The Unbreakable Enterprise Kernel (UEK) is a Linux kernel built by Oracle and supported through Oracle Linux support. Its focus is performance, stability, and minimal backports by tracking the mainline source code as closely as is practical. The UEK 4 Cryptographic Module is a software only cryptographic module that provides general-purpose cyrptographic services to the remainder of the Linux kernel.

Vulnerability details: On 15th Nov, 2021, CVE reserved not disclose to public. Till 30th Aug 2022, the details of vulnerability exposed. A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the machine.
Reliable Datagram Sockets (RDS) is a high-performance, low-latency, reliable connectionless protocol for delivery datagrams. It is development by Oracle Coporation. This new function come with Linux kernel 2.6.30. And released on 9th June 2009. The code was contributed by the openFabrics Alliance (OFA).

Official details: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ea010070d0a7497253d5a6f919f6dd107450b31a

Reference: So far by Oracle Linux design, RDS provides reliable, ordered datagram delivery by using a single reliable connection between two nodes in the cluster.
RDS supports a number of sysctls in/proc/sys/net/rds
Applications can ask the RDS kernel module to receive notifications via control message (for instance, there is a notification when a congestion update arrived, oe when a RDMA operation completes). These notifications are received through the msg[.]msg_control buffer of struct msghdr.

Suspect this is the start of the vulnerability story:
Perhaps such modifications potential driven this vulnerability occured (see below):
An enhancement improved memory usage in 2010. The enhancement is that copy rds_iovecs into kernel memory instead of rereading from userspace.
Implement stack-based storage for small numbers of iovecs, based on net/socket[.]c, to save an alloc in the extremely common case.
Although this time of enhancementis reduces iovec copies in cmsg_rdma_args to 1. However, it still require to do enhancement in rds_rdma_extra_size located in net/rds/rdma[.]c .
But this part will be difficult. So it need to implement in a separate patch.

Preface: The identification of this vulnerability is CVE-2022-1043 since 03/22/2022. On 21st Aug 2022 the problem was fixed (see below):
io_uring: fix xa_alloc_cycle() error return value check
We currently check for ret != 0 to indicate error, but ‘1’ is a valid return and just indicates that the allocation succeeded with a wrap. Correct the check to be for < 0, like it was before the xarray conversion.

Background: io_uring (previously known as aioring) is a Linux kernel system call interface for storage device asynchronous I/O operations addressing performance issues with similar interfaces provided by functions like read() / write() or aio_read() / aio_write() etc. for operations on data accessed by file descriptors.
On Linux, the set of file descriptors open in a process can be accessed under the path /proc/PID/fd/ , where PID is the process identifier. File descriptor /proc/PID/fd/0 is stdin , /proc/PID/fd/1 is stdout , and /proc/PID/fd/2 is stderr .
For example: In Fedora, the file descriptor is located at /dev

Vulnerability details: A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges.
In some operating systems, including Unix and Linux, a pseudoterminal, pseudotty, or PTY is a pair of pseudo-device endpoints (files) which establish asynchronous, bidirectional communication (IPC) channel (with two ports) between two or more processes. For example, before starting SAP® Sybase® Adaptive Server Enterprise, system engineer need to verify there are sufficient system resources for kernel asynchronous I/O.
Therefore, if CVE-2022-1043 occurs, the impact will be huge. Maybe that’s why the announcement was delayed until after the fix.

Details of the official fix are shown in the link below:
https://github.com/torvalds/linux/commit/a30f895ad3239f45012e860d4f94c1a388b36d14

Official details: https://nvd.nist.gov/vuln/detail/CVE-2022-1043

Preface: A similar vulnerability to Dlink (CVE-2022-36524).The device vulnerable to Static Default Credentials via /etc/init0.d/S80telnetd[.]sh.

Background: According to Trendnet’s official announcement, TEW-733GR (version v1.0R) has been discontinued. Because not sure if the vendor is talking about hardware or firmware. In fact, you go through their portal. The firmware (Trendnet TEW733GR v1.03B01) is still available for download.

Vulnerability details:Trendnet TEW733GR v1.03B01 contains a Static Default Credential vulnerability in /etc/init0.d/S80telnetd[.]sh.
Coincidentally, DLink (CVE-2022-36524) encountered similar of design weakness.The device vulnerable to Static Default Credentials via /etc/init.d/S80 Telnetd[.]sh.

Observation: Once the attacker does small reverse engineering. This design weakness (the valid credentials stored by default) similarly helps them run scripts that download and install XorDdos on the target device with root privileges. Similar to the 2.4 Tbps DDoS attack Microsoft encountered in August 2021 will be happened again.

Due to the attack method of XorDdos, botnet attacks will be formed on victims in different regions. It’s hard to say that it can be avoided through a GRE tunnel. Or stop an ongoing attack by identifying patterns in traffic. If the remedy or mitation can do it quickly. It can avoid the unknown cyber attack. As we know, IoT and computing devices flaw happen hourly or daily. But it’s easy to forget. In fact, even if the fix is ready, the end user may not take immediate action. That’s what security experts feared a decade ago. When the Internet of Things was born, cybersecurity would make the digital world crazy.

Official announcement – Please refer to the link for details:

Trendnet CVE-2022-38556 – https://nvd.nist.gov/vuln/detail/CVE-2022-38556

DLink CVE-2022-36524 – https://nvd.nist.gov/vuln/detail/CVE-2022-36524