kernel-3.10.0-1160.119.1.0.6.el7.AXS7
エラータID: AXSA:2024-9046:38
リリース日:
2024/12/04 Wednesday - 15:23
題名:
kernel-3.10.0-1160.119.1.0.6.el7.AXS7
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- sound サブシステムには、hw_free の ioctl(2) または同様の
競合状態による解放後利用の問題があるため、ローカルの攻撃者
により、PCM の hw_params() の同時呼び出しを介して、システム
のクラッシュや特権昇格を可能とする脆弱性が存在します。
(CVE-2022-1048)
- networking サブシステムには、境界外アクセスの問題がある
ため、CAP_NET_RAW ケーパビリティを持つローカルの攻撃者に
より、PACKET_COPY_THRESH オプションを指定した RAW パケット
ソケット (AF_PACKET) による mmap オペレーションを介して、
バッファオーバーフローをトリガーにシステムのクラッシュや
特権昇格を可能とする脆弱性が存在します。(CVE-2022-20368)
- KVM: nVMX には、投機的実行機能を持つ CPU に対するサイド
チャネル攻撃を可能とするリグレッションの問題があるため、
ネストされたゲスト OS 上の攻撃者により、ゲスト OS に対する
Spectre v2 攻撃を可能とする脆弱性が存在します。
(CVE-2022-2196)
- drivers/net/ethernet/mellanox/mlx5/core/cmd.c の
cmd_comp_notifier() 関数には、デバイスが内部エラーの状態下
で処理の完了通知を受信した際にデータ領域の解放後利用の問題
があるため、ローカルの攻撃者により、サービス拒否攻撃を可能
とする脆弱性が存在します。(CVE-2024-38555)
- drivers/net/ethernet/mellanox/mlx5/core/en_rx.c の
mlx5e_handle_rx_cqe_mpwrq_shampo() 関数には、特定のケース
において内部のリンクリストを破損させてしまう問題があるため、
ローカルの攻撃者により、サービス拒否攻撃を可能とする脆弱性
が存在します。(CVE-2024-44970)
- drivers/pci/pci.c には、ブリッジのロック処理が欠落して
いるため、ローカルの攻撃者により、サービス拒否攻撃を可能と
する脆弱性が存在します。(CVE-2024-46750)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2022-1048
A use-after-free flaw was found in the Linux kernel’s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system.
A use-after-free flaw was found in the Linux kernel’s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVE-2022-20368
Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel
Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel
CVE-2022-2196
A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a
A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a
CVE-2024-38555
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Discard command completions in internal error Fix use after free when FW completion arrives while device is in internal error state. Avoid calling completion handler in this case, since the device will flush the command interface and trigger all completions manually. Kernel log: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. ... RIP: 0010:refcount_warn_saturate+0xd8/0xe0 ... Call Trace: ? __warn+0x79/0x120 ? refcount_warn_saturate+0xd8/0xe0 ? report_bug+0x17c/0x190 ? handle_bug+0x3c/0x60 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0xd8/0xe0 cmd_ent_put+0x13b/0x160 [mlx5_core] mlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core] cmd_comp_notifier+0x1f/0x30 [mlx5_core] notifier_call_chain+0x35/0xb0 atomic_notifier_call_chain+0x16/0x20 mlx5_eq_async_int+0xf6/0x290 [mlx5_core] notifier_call_chain+0x35/0xb0 atomic_notifier_call_chain+0x16/0x20 irq_int_handler+0x19/0x30 [mlx5_core] __handle_irq_event_percpu+0x4b/0x160 handle_irq_event+0x2e/0x80 handle_edge_irq+0x98/0x230 __common_interrupt+0x3b/0xa0 common_interrupt+0x7b/0xa0 asm_common_interrupt+0x22/0x40
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Discard command completions in internal error Fix use after free when FW completion arrives while device is in internal error state. Avoid calling completion handler in this case, since the device will flush the command interface and trigger all completions manually. Kernel log: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. ... RIP: 0010:refcount_warn_saturate+0xd8/0xe0 ... Call Trace:
CVE-2024-44970
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink When all the strides in a WQE have been consumed, the WQE is unlinked from the WQ linked list (mlx5_wq_ll_pop()). For SHAMPO, it is possible to receive CQEs with 0 consumed strides for the same WQE even after the WQE is fully consumed and unlinked. This triggers an additional unlink for the same wqe which corrupts the linked list. Fix this scenario by accepting 0 sized consumed strides without unlinking the WQE again.
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink When all the strides in a WQE have been consumed, the WQE is unlinked from the WQ linked list (mlx5_wq_ll_pop()). For SHAMPO, it is possible to receive CQEs with 0 consumed strides for the same WQE even after the WQE is fully consumed and unlinked. This triggers an additional unlink for the same wqe which corrupts the linked list. Fix this scenario by accepting 0 sized consumed strides without unlinking the WQE again.
CVE-2024-46750
In the Linux kernel, the following vulnerability has been resolved: PCI: Add missing bridge lock to pci_bus_lock() One of the true positives that the cfg_access_lock lockdep effort identified is this sequence: WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70 RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70 Call Trace: ? __warn+0x8c/0x190 ? pci_bridge_secondary_bus_reset+0x5d/0x70 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? pci_bridge_secondary_bus_reset+0x5d/0x70 pci_reset_bus+0x1d8/0x270 vmd_probe+0x778/0xa10 pci_device_probe+0x95/0x120 Where pci_reset_bus() users are triggering unlocked secondary bus resets. Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses pci_bus_lock() before issuing the reset which locks everything *but* the bridge itself. For the same motivation as adding: bridge = pci_upstream_bridge(dev); if (bridge) pci_dev_lock(bridge); to pci_reset_function() for the "bus" and "cxl_bus" reset cases, add pci_dev_lock() for @bus->self to pci_bus_lock(). [bhelgaas: squash in recursive locking deadlock fix from Keith Busch: https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]
In the Linux kernel, the following vulnerability has been resolved: PCI: Add missing bridge lock to pci_bus_lock() One of the true positives that the cfg_access_lock lockdep effort identified is this sequence: WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70 RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70 Call Trace:
追加情報:
N/A
ダウンロード:
Asianux Server 7 for x86_64
- bpftool-3.10.0-1160.119.1.0.6.el7.AXS7.x86_64.rpm
MD5: a33335b9d40acd3e69a4f9d48c283e8c
SHA-256: 705e77026c4c39b81a4753384a2690b5224fe31a604d8b31f367d9a1b7875244
Size: 8.54 MB - kernel-3.10.0-1160.119.1.0.6.el7.AXS7.x86_64.rpm
MD5: 9f2b8b025cd68f08f597c3ad469e186a
SHA-256: 6fe726904d24b92204193a6fcbe954c9377ff3fa78e12842380c140a6e72d944
Size: 51.75 MB - kernel-abi-whitelists-3.10.0-1160.119.1.0.6.el7.AXS7.noarch.rpm
MD5: a6c02d8dc7e1f747ac37e9bc641a96f1
SHA-256: ca80314c2ac0d7205ce913951b0c72b3ce7d3d61a17a2e3b68da90434576c737
Size: 8.11 MB - kernel-debug-3.10.0-1160.119.1.0.6.el7.AXS7.x86_64.rpm
MD5: deff1ee406232c0f2d2a4f832f76b7ef
SHA-256: 8bdf12a7b16c15851edeca12374dd0e0b56b75e049fd99c2ada296ca2167b17a
Size: 54.05 MB - kernel-debug-devel-3.10.0-1160.119.1.0.6.el7.AXS7.x86_64.rpm
MD5: 2ab12649784bed4e8ba4897cf15290a4
SHA-256: a82be5ab10cdf974a53eaeffdead3a7a86e2b0747e50187e6a026219b7d1e867
Size: 18.14 MB - kernel-devel-3.10.0-1160.119.1.0.6.el7.AXS7.x86_64.rpm
MD5: 5f0e25052fb6e766cdef417586cb623d
SHA-256: 66177f0b8b4dd6cf31a063d906b5862c50cd1c40ca2cc793b84b1577f7cd2446
Size: 18.07 MB - kernel-doc-3.10.0-1160.119.1.0.6.el7.AXS7.noarch.rpm
MD5: 24eb742d1310175c55aa8453d4451742
SHA-256: 8a31d755d530d4b5210c20dcfce0b362a7b4efe48f114ba0327369580b299e9f
Size: 19.57 MB - kernel-headers-3.10.0-1160.119.1.0.6.el7.AXS7.x86_64.rpm
MD5: ee35fed4f6647fc49e716628197d0866
SHA-256: 3fe9916640dd241c49f09063a92cecca06f2811744d6331e1812fc782daabed8
Size: 9.10 MB - kernel-tools-3.10.0-1160.119.1.0.6.el7.AXS7.x86_64.rpm
MD5: a12d0499cc470f449d89321b223cbb2d
SHA-256: 01e14bf7a756c3d7f6a7b219c0f0e7a724311855a70775aefe6b392950ae8c6a
Size: 8.21 MB - kernel-tools-libs-3.10.0-1160.119.1.0.6.el7.AXS7.x86_64.rpm
MD5: d2895fbe93ea1fcbb2b32a093283bc34
SHA-256: 588c4dae1863a2ab35c72c4940729a8c3ba2d7539c02276e4a1eedc1bc656afd
Size: 8.10 MB - perf-3.10.0-1160.119.1.0.6.el7.AXS7.x86_64.rpm
MD5: ac289b376e449c4f1924a682cc0c0294
SHA-256: 9f2ab162a3b60d56186dc9ba04987fbdfbbf65be9f406b7d418ce86cfe212997
Size: 9.75 MB - python-perf-3.10.0-1160.119.1.0.6.el7.AXS7.x86_64.rpm
MD5: eac1789ea15dd239613d4dcf8392c2ca
SHA-256: c3b38d19ecab94415882a1e440fe02f24959a494850d6ef74eb920aaf15119b7
Size: 8.19 MB
English