kernel-3.10.0-1160.119.1.0.4.el7.AXS7
エラータID: AXSA:2024-8903:32
リリース日:
2024/10/17 Thursday - 09:09
題名:
kernel-3.10.0-1160.119.1.0.4.el7.AXS7
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- DVB コアデバイスドライバーの drivers/media/dvb-core/dvb_net.c
には、.disconnect() 関数と dvb_device_open() 関数間のレース
コンディションに起因するメモリ領域の解放後利用の問題がある
ため、ローカルの攻撃者により、特権昇格、およびサービス拒否
攻撃 (クラッシュの発生) を可能とする脆弱性が存在します。
(CVE-2022-45886)
- DVB コアデバイスドライバーの dvb_ca_en50221_release() 関数
には、wait_event() 関数の呼び出しの欠落に起因したメモリ領域の
解放後利用の問題があるため、ローカルの攻撃者により、特権昇格、
およびサービス拒否攻撃 (クラッシュの発生) を可能とする脆弱性が
存在します。(CVE-2022-45919)
- ネットワークスタックの __dst_negative_advice() 関数には、
特定のデータを初期化する際に RCU ルールを遵守していないこと
に起因したメモリ領域の解放後利用の問題があるため、ローカルの
攻撃者により、特定のネットワークコネクションの動作に対する
不正な変更を可能とする脆弱性が存在します。(CVE-2024-36971)
- drivers/net/bonding/bond_options.c の
bond_option_arp_ip_targets_set() 関数には、メモリ領域の範囲外
読み取りの問題があるため、ローカルの攻撃者により、サービス
拒否攻撃を可能とする脆弱性が存在します。(CVE-2024-39487)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2022-45886
An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free.
An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free.
CVE-2022-45919
An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur is there is a disconnect after an open, because of the lack of a wait_event.
An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur is there is a disconnect after an open, because of the lack of a wait_event.
CVE-2024-36971
In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets.
In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets.
CVE-2024-39487
In the Linux kernel, the following vulnerability has been resolved: bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() In function bond_option_arp_ip_targets_set(), if newval->string is an empty string, newval->string+1 will point to the byte after the string, causing an out-of-bound read. BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418 Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107 CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc1/0x5e0 mm/kasan/report.c:475 kasan_report+0xbe/0xf0 mm/kasan/report.c:588 strlen+0x7d/0xa0 lib/string.c:418 __fortify_strlen include/linux/fortify-string.h:210 [inline] in4_pton+0xa3/0x3f0 net/core/utils.c:130 bond_option_arp_ip_targets_set+0xc2/0x910 drivers/net/bonding/bond_options.c:1201 __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767 __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792 bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817 bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156 dev_attr_store+0x54/0x80 drivers/base/core.c:2366 sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136 kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334 call_write_iter include/linux/fs.h:2020 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x96a/0xd80 fs/read_write.c:584 ksys_write+0x122/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b ---[ end trace ]--- Fix it by adding a check of string length before using it.
In the Linux kernel, the following vulnerability has been resolved: bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() In function bond_option_arp_ip_targets_set(), if newval->string is an empty string, newval->string+1 will point to the byte after the string, causing an out-of-bound read. BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418 Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107 CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace:
追加情報:
N/A
ダウンロード:
Asianux Server 7 for x86_64
- bpftool-3.10.0-1160.119.1.0.4.el7.AXS7.x86_64.rpm
MD5: 9afb14de47fc16a45d1930d655e8fd72
SHA-256: 54ff1d93e7603501992988f35b5877c96dd2e7cf9855d74733c3b2e196084b33
Size: 8.53 MB - kernel-3.10.0-1160.119.1.0.4.el7.AXS7.x86_64.rpm
MD5: 5aad7fa81b37f3afe7968c8ca64393a7
SHA-256: 02664dd0fda222edd220c2f596248a28aa0fac533726e343cbc1e3f83c947f48
Size: 51.73 MB - kernel-abi-whitelists-3.10.0-1160.119.1.0.4.el7.AXS7.noarch.rpm
MD5: 843ad4be2446a98f9f305b439a062d8a
SHA-256: 633f6131323179113d9909f8cf56c2426bad7f67add80152eee86b826575f5df
Size: 8.10 MB - kernel-debug-3.10.0-1160.119.1.0.4.el7.AXS7.x86_64.rpm
MD5: 8e727537004a37eee40fd82dc0e549b0
SHA-256: 35d5e905db84718584d9103cf3a6390364c970e64a206f4c37f31818d071db96
Size: 54.04 MB - kernel-debug-devel-3.10.0-1160.119.1.0.4.el7.AXS7.x86_64.rpm
MD5: 653fbf4ac5fda88bc279fea41b4c8179
SHA-256: 1d084a8bb28688e402269776a4fb3da869897185a5f777277d32c08525fce3bf
Size: 18.13 MB - kernel-devel-3.10.0-1160.119.1.0.4.el7.AXS7.x86_64.rpm
MD5: faa135e8dccb7f0a96ec12801ee4dce0
SHA-256: f2b3f52c43212d781f5f5535949cdc5c99c929cd5f79cf78acac77b2d9269f8e
Size: 18.07 MB - kernel-doc-3.10.0-1160.119.1.0.4.el7.AXS7.noarch.rpm
MD5: 6f1b808ef1f898c605579d7009ddc616
SHA-256: 9f83088297bc5727dea2d1cb628e4cc8ac8f786098befb047987eef54a4acad3
Size: 19.57 MB - kernel-headers-3.10.0-1160.119.1.0.4.el7.AXS7.x86_64.rpm
MD5: 3b11562b528189a19b5a126b73aa2220
SHA-256: 4009a2361ecf3d7bc2d1e7cc75d380d2742bda94d6fabe741098b23e62ef652e
Size: 9.09 MB - kernel-tools-3.10.0-1160.119.1.0.4.el7.AXS7.x86_64.rpm
MD5: c57a6b7d55d865f5d3753c7df94b461d
SHA-256: c7c24a5983aee1a6dae218acc88e3fc4ef900827f32fb12ff68bbc1e54e35e89
Size: 8.20 MB - kernel-tools-libs-3.10.0-1160.119.1.0.4.el7.AXS7.x86_64.rpm
MD5: b2e4fa73d4bea10c8d72fd07c7388bb2
SHA-256: 43f30f7f4be3ea5e69b3581fab9fa012367520758952bf99511015d7df1c3933
Size: 8.10 MB - perf-3.10.0-1160.119.1.0.4.el7.AXS7.x86_64.rpm
MD5: 1bb4a7279254774bbeb30ee3f9f08c0a
SHA-256: f1993b70d62d252b035e2a2a1cb91b8cbad778454f4f9212ccb13b6bfcfdd0d8
Size: 9.74 MB - python-perf-3.10.0-1160.119.1.0.4.el7.AXS7.x86_64.rpm
MD5: 9b3e27df9d7d8f439680672064f8bc57
SHA-256: 013fba472a73fc8d9931f7bc71999fba4b0c3304b9918cb0c4b9810cb38fd281
Size: 8.19 MB
English