kernel-3.10.0-1160.119.1.0.2.el7.AXS7

Errata ID: AXSA:2024-8820:28

Release date: 
Tuesday, September 24, 2024 - 10:55
Subject: 
kernel-3.10.0-1160.119.1.0.2.el7.AXS7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

The kernel package contains the Linux kernel (vmlinuz), the core of any Linux
operating system. The kernel handles the basic functions of the operating
system: memory allocation, process allocation, device input and output, etc.

Security Fix(es):

* net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()
{CVE-2024-26855}
* tty: Fix out-of-bound vmalloc access in imageblit {CVE-2021-47383}
* drm/vmwgfx: Fix invalid reads in fence signaled events {CVE-2024-36960}
* Revert: GFS2: Skip dlm_unlock calls during unmount {CVE-2024-38570}
* Revert: GFS2: ignore unlock failures after withdraw {CVE-2024-38570}
* Revert: GFS2: fix skip unlock condition {CVE-2024-38570}
* ima: Fix use-after-free on a dentry's dname.name {CVE-2024-39494}
* netfilter: nft_limit: reject configurations that cause integer overflow
{CVE-2024-26668}
* ipv6: remove max_size check inline with ipv4 {CVE-2023-52340}
* USB: core: Fix deadlock in usb_deauthorize_interface() {CVE-2024-26934}
* net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()
{CVE-2024-26882}
* ip: validate header length on virtual device xmit
* ext4: improve error recovery code paths in __ext4_remount() {CVE-2024-0775}
* drivers/amd/pm: fix a use-after-free in kv_parse_power_table {CVE-2023-52469}
* drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc
{CVE-2024-42228}
* netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
{CVE-2024-27020}
* af_unix: Fix garbage collector racing against connect() {CVE-2024-26923}
* md/raid5: fix atomicity violation in raid5_cache_count {CVE-2024-23307}

CVE(s):
CVE-2021-47383
In the Linux kernel, the following vulnerability has been resolved: tty: Fix out-of-bound vmalloc access in imageblit
This issue happens when a userspace program does an ioctl FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct containing only the fields xres, yres, and bits_per_pixel with values. If this struct is the same as the previous ioctl, the vc_resize() detects it and doesn't call the resize_screen(), leaving the fb_var_screeninfo incomplete. This leads updatescrollmode() to calculate a wrong value for fbcon_display->vrows, which makes real_y() return a wrong value of y, and that value eventually causes imageblit to access an out-of-bound address. To solve this issue I made the resize_screen() be called even if the screen does not need any resizing, so it will "fix and fill" the fb_var_screeninfo independently.
CVE-2024-0775
A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free.
CVE-2024-26855
In the Linux kernel, the following vulnerability has been resolved: net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()
The function ice_bridge_setlink() may encounter a NULL pointer dereference if nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently in nla_for_each_nested(). To address this issue, add a check to ensure that br_spec is not NULL before proceeding with the nested attribute iteration.
CVE-2024-26882
In the Linux kernel, the following vulnerability has been resolved: net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()
Apply the same fix as the ones found in:
8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
1ca1ba465e55 ("geneve: make sure to pull inner header in geneve_rx()")
We have to save skb->network_header in a temporary variable in order to be able to recompute the network_header pointer after a pskb_inet_may_pull() call. pskb_inet_may_pull() makes sure the needed headers are in skb->head.
syzbot reported: BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409
CVE-2024-27020
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
nft_unregister_expr() can run concurrently with __nft_expr_type_get(), and there is no protection when iterating over the nf_tables_expressions list in __nft_expr_type_get(). Therefore, there is a potential data-race on the nf_tables_expressions list entry. Use list_for_each_entry_rcu() to iterate over the nf_tables_expressions list in __nft_expr_type_get(), and use rcu_read_lock() in the caller nft_expr_type_get() to protect the entire type query process.
CVE-2024-38570
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount
When a DLM lockspace is released and there are still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.
CVE-2024-26923
In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect()
Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list.

    sockets are AF_UNIX/SOCK_STREAM
    S is an unconnected socket
    L is a listening in-flight socket bound to addr, not in fdtable
    V's fd will be passed via sendmsg(), gets inflight count bumped

connect(S, addr)          sendmsg(S, [V]); close(V)     __unix_gc()
----------------          -------------------------     -----------
NS = unix_create1()
skb1 = sock_wmalloc(NS)
L = unix_find_other(addr)
unix_state_lock(L)
unix_peer(S) = NS
                          // V count=1 inflight=0
                          NS = unix_peer(S)
                          skb2 = sock_alloc()
                          skb_queue_tail(NS, skb2[V])
                          // V became in-flight
                          // V count=2 inflight=1
                          close(V)
                          // V count=1 inflight=1
                          // GC candidate condition met
                                                        for u in gc_inflight_list:
                                                          if (total_refs == inflight_refs)
                                                            add u to gc_candidates
                                                        // gc_candidates={L, V}
                                                        for u in gc_candidates:
                                                          scan_children(u, dec_inflight)
                                                        // embryo (skb1) was not
                                                        // reachable from L yet, so V's
                                                        // inflight remains unchanged
__skb_queue_tail(L, skb1)
unix_state_unlock(L)
                                                        for u in gc_candidates:
                                                          if (u.inflight)
                                                            scan_children(u, inc_inflight_move_tail)
                                                        // V count=1 inflight=2 (!)

If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.
CVE-2023-52469
In the Linux kernel, the following vulnerability has been resolved: drivers/amd/pm: fix a use-after-free in kv_parse_power_table
When ps allocated by kzalloc equals NULL, kv_parse_power_table frees adev->pm.dpm.ps that was allocated before. However, after the control flow goes through the following call chain:

kv_parse_power_table
  |-> kv_dpm_init
        |-> kv_dpm_sw_init
              |-> kv_dpm_fini

The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its first free in kv_parse_power_table and causes a use-after-free bug.
CVE-2023-52340
The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/route.c max_size threshold that can be consumed easily, e.g., leading to a denial of service (network is unreachable errors) when IPv6 packets are sent in a loop via a raw socket.
CVE-2024-42228
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc
Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.
V2: To really improve the handling we would actually need to have a separate value of 0xffffffff. (Christian)
CVE-2024-26934
In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix deadlock in usb_deauthorize_interface()
Among the attribute file callback routines in drivers/usb/core/sysfs.c, the interface_authorized_store() function is the only one which acquires a device lock on an ancestor device: It calls usb_deauthorize_interface(), which locks the interface's parent USB device. This will lead to deadlock if another process already owns that lock and tries to remove the interface, whether through a configuration change or because the device has been disconnected. As part of the removal procedure, device_del() waits for all ongoing sysfs attribute callbacks to complete. But usb_deauthorize_interface() can't complete until the device lock has been released, and the lock won't be released until the removal has finished. The mechanism provided by sysfs to prevent this kind of deadlock is to use the sysfs_break_active_protection() function, which tells sysfs not to wait for the attribute callback.
Reported-and-tested by: Yue Sun
Reported by: xingwei lee
CVE-2024-23307
Integer Overflow or Wraparound vulnerability in the Linux kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.
CVE-2024-36960
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix invalid reads in fence signaled events
Correctly set the length of the drm_event to the size of the structure that's actually used. The length of the drm_event was set to the parent structure instead of to the drm_vmw_event_fence which is supposed to be read. drm_read uses the length parameter to copy the event to the user space, thus resulting in oob reads.
CVE-2024-26668
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow
Reject bogus configs where internal token counter wraps around. This only occurs with very very large requests, such as 17gbyte/s. It's better to reject this rather than having incorrect ratelimit.
CVE-2024-39494
In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name
->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.
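
For CVE-2024-26668 above, an added example (not code from the kernel or from this advisory): a userspace C model of a byte-rate token bucket that shows the counter wrapping and the reject-on-overflow check. It assumes the bucket size is computed as unit_ns * (rate + burst) / rate in unsigned 64-bit arithmetic; the function names and the sample rates are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000ULL

/* Unchecked model (assumed formula): tokens = unit_ns * (rate + burst) / rate.
 * Every intermediate is a u64, so a very large rate wraps silently. */
static uint64_t bucket_unchecked(uint64_t rate, uint64_t burst, uint64_t unit_s)
{
    uint64_t unit_ns = unit_s * NSEC_PER_SEC;
    return (unit_ns * (rate + burst)) / rate;
}

/* Checked model: refuse the configuration if any intermediate would wrap. */
static bool bucket_checked(uint64_t rate, uint64_t burst, uint64_t unit_s,
                           uint64_t *tokens)
{
    uint64_t unit_ns, rate_with_burst, product;

    if (rate == 0)
        return false;
    if (__builtin_mul_overflow(unit_s, (uint64_t)NSEC_PER_SEC, &unit_ns))
        return false;
    if (__builtin_add_overflow(rate, burst, &rate_with_burst))
        return false;
    if (__builtin_mul_overflow(unit_ns, rate_with_burst, &product))
        return false;
    *tokens = product / rate;
    return true;
}

int main(void)
{
    /* Constructed sample configurations: bytes per second, no burst. */
    const uint64_t rates[] = { 1000000ULL, 20000000000ULL };

    for (size_t i = 0; i < sizeof(rates) / sizeof(rates[0]); i++) {
        uint64_t tokens = 0;
        bool ok = bucket_checked(rates[i], 0, 1, &tokens);
        printf("rate=%llu unchecked=%llu checked=%s\n",
               (unsigned long long)rates[i],
               (unsigned long long)bucket_unchecked(rates[i], 0, 1),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

In this model the constructed 20,000,000,000 bytes/s sample wraps to a bucket of under 8% of the intended size, while the checked version rejects the configuration outright.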

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

Asianux Server 7 for x86_64
  1. bpftool-3.10.0-1160.119.1.0.2.el7.AXS7.x86_64.rpm
    MD5: ee48ce9b116723b06f8952c84cdb2326
    SHA-256: f47ede085c385e67e32b53e40ff1ecfffce9bf62431d6205f17f799a8c082c8a
    Size: 8.53 MB
  2. kernel-3.10.0-1160.119.1.0.2.el7.AXS7.x86_64.rpm
    MD5: 22cde79644d3f8b877df47c77cf686d9
    SHA-256: f09e863aac7735d40e38666c8d99cc576c2e83393602797cd3f2b41a4f5d7bea
    Size: 51.74 MB
  3. kernel-abi-whitelists-3.10.0-1160.119.1.0.2.el7.AXS7.noarch.rpm
    MD5: 91297a1fdcc3b66b129e8dd9fc614ac5
    SHA-256: 62069d1e605a35751dd57917a2a47e5404ab912347658cd467e42ed37165c154
    Size: 8.10 MB
  4. kernel-debug-3.10.0-1160.119.1.0.2.el7.AXS7.x86_64.rpm
    MD5: e89d3ea8ab18f8ccc3555a754e6da7f5
    SHA-256: 3fef5566b7537031222f99afa5d8d7e926e98b16a49e809a59168d401776e48a
    Size: 54.04 MB
  5. kernel-debug-devel-3.10.0-1160.119.1.0.2.el7.AXS7.x86_64.rpm
    MD5: 3d49788673597ed69eb481dd0e36ef5e
    SHA-256: 71ef7c8b88b324dbfb88562891dfbe3ef0b98f0b495b095e40857bb57be98b42
    Size: 18.13 MB
  6. kernel-devel-3.10.0-1160.119.1.0.2.el7.AXS7.x86_64.rpm
    MD5: 9213639727f2b3a9eee6ded9c4dd2d54
    SHA-256: 1da9a2d89e16638688de96c4323753344627dbeb5cfe3846f23e4491ae192739
    Size: 18.07 MB
  7. kernel-doc-3.10.0-1160.119.1.0.2.el7.AXS7.noarch.rpm
    MD5: 9cc412f1fe111402fe2967756892937e
    SHA-256: 306ddc7dc477eaedf1fab035504736800efe8795939eccf7dbaa3bc4cf606c33
    Size: 19.57 MB
  8. kernel-headers-3.10.0-1160.119.1.0.2.el7.AXS7.x86_64.rpm
    MD5: c223039964419829787f4adc6bcd9e26
    SHA-256: 4ab388ecd2dcf695f16704159da9fea64e7c878be4638f4884f7395e18a35110
    Size: 9.09 MB
  9. kernel-tools-3.10.0-1160.119.1.0.2.el7.AXS7.x86_64.rpm
    MD5: b3754462c3b8ff17c331081ff9dea259
    SHA-256: 702305f7cf678656dcc0852cb7ced9bc868739a0bd2f6d698f610184a90fbca4
    Size: 8.20 MB
  10. kernel-tools-libs-3.10.0-1160.119.1.0.2.el7.AXS7.x86_64.rpm
    MD5: 24bcd8a32487fce217291e852a71afc0
    SHA-256: 9e520b6525cc419275b1129de267d4c06c42eef3d302c100d5b1806d7e36060f
    Size: 8.10 MB
  11. perf-3.10.0-1160.119.1.0.2.el7.AXS7.x86_64.rpm
    MD5: 3d2473a06b4c2a08b000e22f4893aa14
    SHA-256: b7c9aa2b75fd07d87dcae76a0e4a4d8f475cb58d9664d6c53e66ffb8417870b3
    Size: 9.74 MB
  12. python-perf-3.10.0-1160.119.1.0.2.el7.AXS7.x86_64.rpm
    MD5: d0cc0271ead133c2f456321eb1efc82a
    SHA-256: 326295227f78d71213addbaa33f1b6983b73d542c62b074c7ec4ec0eab56a3f9
    Size: 8.19 MB