kernel-5.14.0-427.42.1.el9_4
エラータID: AXSA:2024-8960:35
以下項目について対処しました。
[Security Fix]
- drivers/tty/vt/vt.c の vc_do_resize() 関数には メモリ
の領域外アクセスの問題があるため、ローカルの攻撃者により、
ioctl() を介して、サービス拒否攻撃を可能とする脆弱性が存在
します。(CVE-2021-47383)
- 一部のインテル社製プロセッサには、Spectre V2 サイド
チャネル攻撃への緩和処置の実装が不完全である問題があるため、
ローカルの攻撃者により、情報の漏洩を可能とする脆弱性が存在
します。(CVE-2024-2201)
- net/ipv4/tcp.c の can_map_frag() 関数には、入力された
引数のチェック処理が欠落しているため、ローカルの攻撃者に
より、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2024-26640)
- net/mptcp/protocol.c の
__mptcp_retransmit_pending_data() 関数には、サブフロー
が古い場合のリカバリ処理時のチェックに問題があるため、
ローカルの攻撃者により、サービス拒否攻撃を可能とする脆弱性
が存在します。(CVE-2024-26826)
- net/unix/garbage.c の unix_gc() 関数には、connect(2)
システムコールとのレースコンディションに起因してリスト構造
の破壊に至る問題があるため、ローカルの攻撃者により、メモリ
破壊、およびサービス拒否攻撃などを可能とする脆弱性が存在
します。(CVE-2024-26923)
- drivers/scsi/hosts.c の scsi_host_dev_release() 関数
には、hostdir_rm() 関数を重複して呼び出してしまうことに
起因して意図しない警告メッセージが出力されてしまう問題が
あるため、ローカルの攻撃者により、サービス拒否攻撃を可能
とする脆弱性が存在します。(CVE-2024-26935)
- net/mac802154/llsec.c の mac802154_llsec_key_del()
関数には、RCU ルールを遵守せず直接キーのリソースを解放して
しまうことに起因した、当該リソースの解放後利用の問題がある
ため、ローカルの攻撃者により、サービス拒否攻撃を可能とする
脆弱性が存在します。(CVE-2024-26961)
- net/sched/sch_taprio.c の parse_taprio_schedule() 関数
には、最小の処理間隔のチェック条件に問題があるため、ローカル
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在
します。(CVE-2024-36244)
- fs/xfs/xfs_log_recover.c の xlog_do_recovery_pass()
関数には、古いバージョンの xfsprogs や一部のサードパーティー
製のツールから参照される h_size の値の不備に起因したメモリ
領域の範囲外アクセスの問題があるため、ローカルの攻撃者に
より、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2024-39472)
- Netfilter サブシステムには、ペイロードとメタデータ内の
ネットリンク属性値のチェック処理の欠落に起因した NULL
ポインタデリファレンスの問題があるため、ローカルの攻撃者に
より、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2024-39504)
- drivers/usb/class/cdc-wdm.c の wdm_int_callback() 関数
には、処理方式の不備に起因して大量のログメッセージが出力
されてしまう問題があるため、ローカルの攻撃者により、サービス
拒否攻撃 (CPU ロックアップの発生) を可能とする脆弱性が存在
します。(CVE-2024-40904)
- net/mptcp/protocol.c の mptcp_stream_connect() 関数には、
メモリ領域の初期化処理の欠落に起因して意図しないパケットの
再送信を許容してしまう問題があるため、ローカルの攻撃者に
より、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2024-40931)
- net/ipv6/route.c の rt6_probe() 関数には、NULL ポインタ
デリファレンスを起こす問題があるため、ローカルの攻撃者に
よりサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2024-40960)
- ext4 ファイルシステムには、EA ノードの作成処理の不備に
起因してデッドロックの発生に至る問題があるため、ローカルの
攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2024-40972)
- MediaTek 社製 mt76 無線 LAN デバイスドライバーの MT7921s
チップ向けの処理には、複数のカーネルスレッド間のロックおよび
待機処理の不備に起因したデッドロックの発生に至る問題がある
ため、ローカルの攻撃者により、サービス拒否攻撃を可能とする
脆弱性が存在します。(CVE-2024-40977)
- net/sched/act_api.c の tcf_idr_check_alloc() 関数には、
無限ループの発生に至る問題があるため、ローカルの攻撃者により、
同じインデックスを持つ複数のアクションを追加するリクエストの
送信を介して、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2024-40995)
- fs/ext4/super.c の __ext4_fill_super() 関数には、リソース
のロックを正しく初期化していない問題があるため、ローカルの
攻撃者により、巧妙に細工されたファイルシステムを介して、
サービス妨害を可能とする脆弱性が存在します。(CVE-2024-40998)
- net/core/netpoll.c の netpoll_owner_active() 関数には、
レースコンディションの問題があるため、ローカルの攻撃者により、
巧妙に細工されたデバイスを介して、サービス妨害を可能とする
脆弱性が存在します。(CVE-2024-41005)
- xfs には、サニティチェックの欠落によるメモリの境界外
アクセスの問題があるため、ローカルの攻撃者により、巧妙に
細工されたファイルシステムを介して、サービス妨害を可能と
する脆弱性が存在します。(CVE-2024-41013)
- xfs には、境界のチェックの欠落によるメモリの境界外アクセス
の問題があるため、ローカルの攻撃者により、ファイルシステムの
操作を介して、サービス妨害を可能とする脆弱性が存在します。
(CVE-2024-41014)
- block/bio-integrity.c の bio_integrity_prep() 関数には、
整合性にチェックに用いるバッファー領域をゼロクリアせずに
確保していることに起因して、カーネル空間のメモリ領域の内容
がメディアに書き出されてしまう問題があるため、ローカルの
攻撃者により、情報の漏洩を可能とする脆弱性が存在します。
(CVE-2024-43854)
- net/netfilter/nf_flow_table_offload.c の
nf_flow_offload_tuple() 関数には、extack データの初期化処理
が欠落しているため、ローカルの攻撃者により、サービス拒否
攻撃を可能とする脆弱性が存在します。(CVE-2024-45018)
パッケージをアップデートしてください。
In the Linux kernel, the following vulnerability has been resolved: tty: Fix out-of-bound vmalloc access in imageblit This issue happens when a userspace program does an ioctl FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct containing only the fields xres, yres, and bits_per_pixel with values. If this struct is the same as the previous ioctl, the vc_resize() detects it and doesn't call the resize_screen(), leaving the fb_var_screeninfo incomplete. And this leads to the updatescrollmode() calculates a wrong value to fbcon_display->vrows, which makes the real_y() return a wrong value of y, and that value, eventually, causes the imageblit to access an out-of-bound address value. To solve this issue I made the resize_screen() be called even if the screen does not need any resizing, so it will "fix and fill" the fb_var_screeninfo independently.
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x181e42, 0x0)
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix data re-injection from stale subflow When the MPTCP PM detects that a subflow is stale, all the packet scheduler must re-inject all the mptcp-level unacked data. To avoid acquiring unneeded locks, it first try to check if any unacked data is present at all in the RTX queue, but such check is currently broken, as it uses TCP-specific helper on an MPTCP socket. Funnily enough fuzzers and static checkers are happy, as the accessed memory still belongs to the mptcp_sock struct, and even from a functional perspective the recovery completed successfully, as the short-cut test always failed. A recent unrelated TCP change - commit d5fed5addb2b ("tcp: reorganize tcp_sock fast path variables") - exposed the issue, as the tcp field reorganization makes the mptcp code always skip the re-inection. Fix the issue dropping the bogus call: we are on a slow path, the early optimization proved once again to be evil.
In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.
In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix unremoved procfs host directory regression Commit fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name} directory earlier") fixed a bug related to modules loading/unloading, by adding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led to a potential duplicate call to the hostdir_rm() routine, since it's also called from scsi_host_dev_release(). That triggered a regression report, which was then fixed by commit be03df3d4bfe ("scsi: core: Fix a procfs host directory removal regression"). The fix just dropped the hostdir_rm() call from dev_release(). But it happens that this proc directory is created on scsi_host_alloc(), and that function "pairs" with scsi_host_dev_release(), while scsi_remove_host() pairs with scsi_add_host(). In other words, it seems the reason for removing the proc directory on dev_release() was meant to cover cases in which a SCSI host structure was allocated, but the call to scsi_add_host() didn't happen. And that pattern happens to exist in some error paths, for example. Syzkaller causes that by using USB raw gadget device, error'ing on usb-storage driver, at usb_stor_probe2(). By checking that path, we can see that the BadDevice label leads to a scsi_host_put() after a SCSI host allocation, but there's no call to scsi_add_host() in such path. That leads to messages like this in dmesg (and a leak of the SCSI host proc structure): usb-storage 4-1:87.51: USB Mass Storage device detected proc_dir_entry 'scsi/usb-storage' already registered WARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376 The proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(), but guard that with the state check for SHOST_CREATED; there is even a comment in scsi_host_dev_release() detailing that: such conditional is meant for cases where the SCSI host was allocated but there was no calls to {add,remove}_host(), like the usb-storage case. This is what we propose here and with that, the error path of usb-storage does not trigger the warning anymore.
In the Linux kernel, the following vulnerability has been resolved: mac802154: fix llsec key resources release in mac802154_llsec_key_del mac802154_llsec_key_del() can free resources of a key directly without following the RCU rules for waiting before the end of a grace period. This may lead to use-after-free in case llsec_lookup_key() is traversing the list of keys in parallel with a key deletion: refcount_t: addition on 0; use-after-free. WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0 Modules linked in: CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:refcount_warn_saturate+0x162/0x2a0 Call Trace:
In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: extend minimum interval restriction to entire cycle too It is possible for syzbot to side-step the restriction imposed by the blamed commit in the Fixes: tag, because the taprio UAPI permits a cycle-time different from (and potentially shorter than) the sum of entry intervals. We need one more restriction, which is that the cycle time itself must be larger than N * ETH_ZLEN bit times, where N is the number of schedule entries. This restriction needs to apply regardless of whether the cycle time came from the user or was the implicit, auto-calculated value, so we move the existing "cycle == 0" check outside the "if "(!new->cycle_time)" branch. This way covers both conditions and scenarios. Add a selftest which illustrates the issue triggered by syzbot.
In the Linux kernel, the following vulnerability has been resolved: xfs: fix log recovery buffer allocation for the legacy h_size fixup Commit a70f9fe52daa ("xfs: detect and handle invalid iclog size set by mkfs") added a fixup for incorrect h_size values used for the initial umount record in old xfsprogs versions. Later commit 0c771b99d6c9 ("xfs: clean up calculation of LR header blocks") cleaned up the log reover buffer calculation, but stoped using the fixed up h_size value to size the log recovery buffer, which can lead to an out of bounds access when the incorrect h_size does not come from the old mkfs tool, but a fuzzer. Fix this by open coding xlog_logrec_hblks and taking the fixed h_size into account for this calculation.
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: validate mandatory meta and payload Check for mandatory netlink attributes in payload and meta expression when used embedded from the inner expression, otherwise NULL pointer dereference is possible from userspace.
In the Linux kernel, the following vulnerability has been resolved: USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages The syzbot fuzzer found that the interrupt-URB completion callback in the cdc-wdm driver was taking too long, and the driver's immediate resubmission of interrupt URBs with -EPROTO status combined with the dummy-hcd emulation to cause a CPU lockup: cdc_wdm 1-1:1.0: nonzero urb status received: -71 cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625] CPU#0 Utilization every 4s during lockup: #1: 98% system, 0% softirq, 3% hardirq, 0% idle #2: 98% system, 0% softirq, 3% hardirq, 0% idle #3: 98% system, 0% softirq, 3% hardirq, 0% idle #4: 98% system, 0% softirq, 3% hardirq, 0% idle #5: 98% system, 1% softirq, 3% hardirq, 0% idle Modules linked in: irq event stamp: 73096 hardirqs last enabled at (73095): [
In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure snd_una is properly initialized on connect This is strictly related to commit fb7a0d334894 ("mptcp: ensure snd_nxt is properly initialized on connect"). It turns out that syzkaller can trigger the retransmit after fallback and before processing any other incoming packet - so that snd_una is still left uninitialized. Address the issue explicitly initializing snd_una together with snd_nxt and write_seq.
In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible NULL dereference in rt6_probe() syzbot caught a NULL dereference in rt6_probe() [1] Bail out if __in6_dev_get() returns NULL. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f] CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline] RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758 Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19 RSP: 0018:ffffc900034af070 EFLAGS: 00010203 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000 RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000 FS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:
In the Linux kernel, the following vulnerability has been resolved: ext4: do not create EA inode under buffer lock ext4_xattr_set_entry() creates new EA inodes while holding buffer lock on the external xattr block. This is problematic as it nests all the allocation locking (which acquires locks on other buffers) under the buffer lock. This can even deadlock when the filesystem is corrupted and e.g. quota file is setup to contain xattr block as data block. Move the allocation of EA inode out of ext4_xattr_set_entry() into the callers.
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921s: fix potential hung tasks during chip recovery During chip recovery (e.g. chip reset), there is a possible situation that kernel worker reset_work is holding the lock and waiting for kernel thread stat_worker to be parked, while stat_worker is waiting for the release of the same lock. It causes a deadlock resulting in the dumping of hung tasks messages and possible rebooting of the device. This patch prevents the execution of stat_worker during the chip recovery.
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() syzbot found hanging tasks waiting on rtnl_lock [1] A reproducer is available in the syzbot bug. When a request to add multiple actions with the same index is sent, the second request will block forever on the first request. This holds rtnl_lock, and causes tasks to hang. Return -EAGAIN to prevent infinite looping, while keeping documented behavior. [1] INFO: task kworker/1:0:5088 blocked for more than 143 seconds. Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000 Workqueue: events_power_efficient reg_check_chans_work Call Trace:
In the Linux kernel, the following vulnerability has been resolved: ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() In the following concurrency we will access the uninitialized rs->lock: ext4_fill_super ext4_register_sysfs // sysfs registered msg_ratelimit_interval_ms // Other processes modify rs->interval to // non-zero via msg_ratelimit_interval_ms ext4_orphan_cleanup ext4_msg(sb, KERN_INFO, "Errors on filesystem, " __ext4_msg ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state) if (!rs->interval) // do nothing if interval is 0 return 1; raw_spin_trylock_irqsave(&rs->lock, flags) raw_spin_trylock(lock) _raw_spin_trylock __raw_spin_trylock spin_acquire(&lock->dep_map, 0, 1, _RET_IP_) lock_acquire __lock_acquire register_lock_class assign_lock_key dump_stack(); ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10); raw_spin_lock_init(&rs->lock); // init rs->lock here and get the following dump_stack: ========================================================= INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504 [...] Call Trace: dump_stack_lvl+0xc5/0x170 dump_stack+0x18/0x30 register_lock_class+0x740/0x7c0 __lock_acquire+0x69/0x13a0 lock_acquire+0x120/0x450 _raw_spin_trylock+0x98/0xd0 ___ratelimit+0xf6/0x220 __ext4_msg+0x7f/0x160 [ext4] ext4_orphan_cleanup+0x665/0x740 [ext4] __ext4_fill_super+0x21ea/0x2b10 [ext4] ext4_fill_super+0x14d/0x360 [ext4] [...] ========================================================= Normally interval is 0 until s_msg_ratelimit_state is initialized, so ___ratelimit() does nothing. But registering sysfs precedes initializing rs->lock, so it is possible to change rs->interval to a non-zero value via the msg_ratelimit_interval_ms interface of sysfs while rs->lock is uninitialized, and then a call to ext4_msg triggers the problem by accessing an uninitialized rs->lock. Therefore register sysfs after all initializations are complete to avoid such problems.
In the Linux kernel, the following vulnerability has been resolved: netpoll: Fix race condition in netpoll_owner_active KCSAN detected a race condition in netpoll: BUG: KCSAN: data-race in net_rx_action / netpoll_send_skb write (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10: net_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)
In the Linux kernel, the following vulnerability has been resolved: xfs: don't walk off the end of a directory data block This adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry to make sure don't stray beyond valid memory region. Before patching, the loop simply checks that the start offset of the dup and dep is within the range. So in a crafted image, if last entry is xfs_dir2_data_unused, we can change dup->length to dup->length-1 and leave 1 byte of space. In the next traversal, this space will be considered as dup or dep. We may encounter an out of bound read when accessing the fixed members. In the patch, we make sure that the remaining bytes large enough to hold an unused entry before accessing xfs_dir2_data_unused and xfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make sure that the remaining bytes large enough to hold a dirent with a single-byte name before accessing xfs_dir2_data_entry.
In the Linux kernel, the following vulnerability has been resolved: xfs: add bounds checking to xlog_recover_process_data There is a lack of verification of the space occupied by fixed members of xlog_op_header in the xlog_recover_process_data. We can create a crafted image to trigger an out of bounds read by following these steps: 1) Mount an image of xfs, and do some file operations to leave records 2) Before umounting, copy the image for subsequent steps to simulate abnormal exit. Because umount will ensure that tail_blk and head_blk are the same, which will result in the inability to enter xlog_recover_process_data 3) Write a tool to parse and modify the copied image in step 2 4) Make the end of the xlog_op_header entries only 1 byte away from xlog_rec_header->h_size 5) xlog_rec_header->h_num_logops++ 6) Modify xlog_rec_header->h_crc Fix: Add a check to make sure there is sufficient space to access fixed members of xlog_op_header.
In the Linux kernel, the following vulnerability has been resolved: block: initialize integrity buffer to zero before writing it to media Metadata added by bio_integrity_prep is using plain kmalloc, which leads to random kernel memory being written media. For PI metadata this is limited to the app tag that isn't used by kernel generated metadata, but for non-PI metadata the entire buffer leaks kernel memory. Fix this by adding the __GFP_ZERO flag to allocations for writes.
In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: initialise extack before use Fix missing initialisation of extack in flow offload.
N/A
SRPMS
- kernel-5.14.0-427.42.1.el9_4.src.rpm
MD5: fecb7de9e230f1637fa6aef710eabf59
SHA-256: 9666a1b6eadc83c2c8017880f0834e8a0eebc4f961cc59b944d9624a329ec858
Size: 137.72 MB
Asianux Server 9 for x86_64
- bpftool-7.3.0-427.42.1.el9_4.x86_64.rpm
MD5: 0513bc46dd3b5bab1c3acaf270082ff9
SHA-256: b5915a8661e527365fadd9d9f9de57d0f1b67dfd5822e7a93182d55374ba8404
Size: 5.00 MB - kernel-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: f05288caf3615516b01e25c17fde2fc1
SHA-256: 16ae5abe13d31f7032e12d0da62ac407bf7b3eb308694f908bf8ee8f0c5a23df
Size: 4.23 MB - kernel-abi-stablelists-5.14.0-427.42.1.el9_4.noarch.rpm
MD5: 8429d9a118a5c5ccf0f4f5b74ca7776c
SHA-256: 6b9f784d89518d80115f7683030db3c74eb82228cf53ec2e273c4221dc438606
Size: 4.25 MB - kernel-core-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: 8ecdec7d99c14eddd0c15f88f425c4bf
SHA-256: 61e5e2cb809a8693e4783171f20892305c7f482466f886b70829ecd7bfa57b92
Size: 19.10 MB - kernel-cross-headers-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: bf1d4feb43ac10dbcfd4c9e339891610
SHA-256: 7e0a12d3d83316dac8d4be8055525b0a063044a292c4a213e931b9672ec298ef
Size: 10.83 MB - kernel-debug-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: 73232ec079d4dbf4bec75fc534bfdbaf
SHA-256: f46c2388baddf4f8019761be2f6b1f758446d957b83f423b3bbf521c124600ca
Size: 4.23 MB - kernel-debug-core-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: fc9a05820da92362b25594138bfcd481
SHA-256: fbe542d4970e7d651b85eb18be8787e5de683aad9626a81fa0fb124ead9bab45
Size: 31.77 MB - kernel-debug-devel-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: 3cde7debe19f72e724881a011378e5f0
SHA-256: 94136dfc466be1433a95f9f6ff6287139cd55ace145f4a24151de840413705ca
Size: 23.70 MB - kernel-debug-devel-matched-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: 0fdd3efb096d11964078ddd23e839c63
SHA-256: dd64a2c0c034ad6f273e34ed876ba1a0e3f740cebafde8ee24ca4d6d09c28b57
Size: 4.23 MB - kernel-debug-modules-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: 01a1f8e7d0a81cb66bb8c7c658a21a6a
SHA-256: a29375193b37cf4fb66b4217bf83cb79990170784b2d0b975c293f54dda6e162
Size: 63.26 MB - kernel-debug-modules-core-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: cdccd7bdac9787e203c4a06efddb5eee
SHA-256: 3bca1f954c1cb091796d3cbcf833fadf60bd11c0a88372465e6c6983dd9821fd
Size: 49.40 MB - kernel-debug-modules-extra-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: c5e1862274d92f459a48547cbd8e2aa6
SHA-256: bbb18484ec3d83f3097e13a481f1cfbf7cd99c100f942f56c4c040856aac1866
Size: 5.07 MB - kernel-debug-uki-virt-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: b8db760d484389c031fcdbe52815cc43
SHA-256: 72aad8ed7a2199edfcef63d0507d909b94d5057b334c1177340383796c038d90
Size: 81.09 MB - kernel-devel-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: d1cabc2c37741608f0604ceb0bf7e90e
SHA-256: 695b66d8d3a8c57661a399007b099d78c7e680ff0d2561ddb597e154f182df3e
Size: 23.53 MB - kernel-devel-matched-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: c5cae2cbcb7d6ec8634e74ac17f13a01
SHA-256: 275dcaf95a706363c26a91b99a70b2434ad4130214f1824712f5fc467b82d7d3
Size: 4.23 MB - kernel-doc-5.14.0-427.42.1.el9_4.noarch.rpm
MD5: 43ae33eb47fba7656e80345741d4285b
SHA-256: 0bde587df1644e7ef53a1993d53595e2ef414bb84b0bcb800a326892258f1dd1
Size: 37.68 MB - kernel-headers-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: d7939e07ddfbd3fa3b1da4d98918719e
SHA-256: 754eb6c897c459e786b20745531683134b296ff49a38e161bf294e9a0158df3e
Size: 5.91 MB - kernel-modules-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: 23100a028e993029af6593795de21985
SHA-256: 91c3e9f55b7b5184cc0cefa2833c44a12781263828dfb843d400ba3914bfc1fb
Size: 37.89 MB - kernel-modules-core-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: e6e9f49a8ed5d2a1c201fee55a5f59fd
SHA-256: df023f8290a82daae9a7e0a4d14c688762a8d82317b79a46bb9317ae8dc2f3d8
Size: 32.05 MB - kernel-modules-extra-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: 90fce320b9adb70dbece209a4621ce2e
SHA-256: ed9689f2889c0f49c0366d4739962c76fb552ce761ecbbbd05be7d3445b6b382
Size: 4.69 MB - kernel-tools-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: fe80b19c4baf8a82cc484e3a835983a5
SHA-256: ffe6ba8d2976955545e533dcc5cadafe42cc460a59e13ce5a029c6a6b17a5156
Size: 4.49 MB - kernel-tools-libs-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: 4714a2e967b10dfad2d9d8d560173b39
SHA-256: 36b4b06b16d468841dbd65d0a28032720fb5a06eabd7fcce787a77e1e7d4b975
Size: 4.24 MB - kernel-tools-libs-devel-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: 7f1d0def6ddd2f463a497630e488e259
SHA-256: a22618acb235efd8fb4e612165e2259d33db2abe0f91959f4c26be3ee30a1125
Size: 4.23 MB - kernel-uki-virt-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: 42a89af7e6e02b725512ce30132a4b2a
SHA-256: d75263e88d33fbf14550021f4261ab578fb09f5a638009593adbe941e177b745
Size: 60.97 MB - libperf-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: ad7e336be9a340561fb8cdf038d7497a
SHA-256: 9d3bb09d38d78127a35b54489b58722a136c5d793dfd4fc1a00a51a448e210a2
Size: 4.25 MB - perf-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: 06cf32651321eb138c84ce3b634e07cd
SHA-256: 7d0afedb336575951ddc2510ea597d8516e4e31ae45836e2c7d61c233cf4958b
Size: 6.26 MB - python3-perf-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: ebc35994f150fb47b052d1255fe8b15e
SHA-256: 995cfaf60d130d81d0d71ba37881e057c49679f09ab6bd1c3d8506aa26ae86ae
Size: 4.33 MB - rtla-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: 7a5d6431cee29aad2de648422908db52
SHA-256: ee4572ee6e7a60a6d909886a55e9987d494e48eec9286ead622c6d39c3418a81
Size: 4.28 MB - rv-5.14.0-427.42.1.el9_4.x86_64.rpm
MD5: 7f166603f2fb23e599a3cc90275c44dd
SHA-256: f2f41dca6643ffab333378ff59d42fc0a791d544d798c33115a6001bf258b831
Size: 4.24 MB