kernel-4.18.0-553.30.1.el8_10
Errata ID: AXSA:2024-9050:39
Release date:
2024/12/06 Friday - 17:41
Title:
kernel-4.18.0-553.30.1.el8_10
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- The dvb_register_device() function in drivers/media/dvb-core/dvbdev.c has a use-after-free flaw that allows a local attacker to cause a denial of service. (CVE-2024-27043)
- The l2cap_chan_timeout() function in net/bluetooth/l2cap_core.c has a NULL pointer dereference caused by a missing check, which allows a local attacker to cause a denial of service. (CVE-2024-27399)
- The bpf_prog_attach_check_attach_type() function in kernel/bpf/syscall.c lacks a check of the attach type obtained via attach_type_to_prog_type(), which allows a local attacker to cause a denial of service. (CVE-2024-38564)
- net/mptcp/pm_netlink.c has a use-after-free caused by a race condition, which allows a local attacker to cause a denial of service. (CVE-2024-46858)
Solution:
Please update the packages.
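As an added example that is not part of the errata, the following POSIX shell check compares an installed kernel's version-release against the fixed build named in this advisory (4.18.0-553.30.1.el8_10 comes from this page; the helper names and the field-comparison logic are my own, modelled on rpm's dotted version ordering):

```shell
#!/bin/sh
# Added example, not part of the errata: report whether an EL8 kernel
# version-release string is at or above the fixed build from this advisory.
# Assumes "VERSION-RELEASE[.ARCH]" strings such as 4.18.0-553.30.1.el8_10.
FIXED_KERNEL="4.18.0-553.30.1.el8_10"

# Strip a trailing architecture and turn every separator into a space so the
# fields (4 18 0 553 30 1 el8 10) can be walked with a for loop.
split_fields() {
    v=$1
    for arch in x86_64 aarch64 noarch; do
        v=${v%.$arch}
    done
    printf '%s\n' "$v" | sed 's/[-._]/ /g'
}

# Print -1, 0 or 1: integers compare numerically, other fields (e.g. "el8") lexically.
cmp_field() {
    case "$1$2" in
        *[!0-9]*)
            if [ "$1" = "$2" ]; then printf '0\n'
            elif [ "$(expr "$1" \< "$2")" = 1 ]; then printf '%s\n' -1
            else printf '1\n'; fi ;;
        *)
            if [ "$1" -lt "$2" ]; then printf '%s\n' -1
            elif [ "$1" -gt "$2" ]; then printf '1\n'
            else printf '0\n'; fi ;;
    esac
}

# kernel_is_fixed INSTALLED [FIXED]: exit 0 when INSTALLED >= FIXED.
kernel_is_fixed() {
    inst=$(split_fields "$1")
    fixed=$(split_fields "${2:-$FIXED_KERNEL}")
    set -- $inst
    for f in $fixed; do
        if [ $# -gt 0 ]; then i=$1; shift; else i=0; fi  # shorter string: pad with 0
        case $(cmp_field "$i" "$f") in
            -1) return 1 ;;   # installed field is older: not fixed
             1) return 0 ;;   # installed field is newer: fixed
        esac
    done
    return 0                  # every field equal: exactly the fixed build
}

# Stand-alone use: check the running kernel, or a string passed as $1.
running=${1:-$(uname -r)}
if kernel_is_fixed "$running"; then
    echo "$running: at or above $FIXED_KERNEL (fixes present)"
else
    echo "$running: older than $FIXED_KERNEL, update required"
fi
```

To audit installed rather than running kernels, feed each line of `rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n'` to kernel_is_fixed.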
CVE:
CVE-2024-27043
In the Linux kernel, the following vulnerability has been resolved: media: dvbdev: fix a use-after-free
In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed in several error-handling paths. However, *pdvbdev is not set to NULL after dvbdev's deallocation, causing use-after-frees in many places, for example, in the following call chain:
budget_register
  |-> dvb_dmxdev_init
        |-> dvb_register_device
  |-> dvb_dmxdev_release
        |-> dvb_unregister_device
              |-> dvb_remove_device
                    |-> dvb_device_put
                          |-> kref_put
When calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in dvb_register_device) could point to memory that had been freed in dvb_register_device. Thereafter, this pointer is transferred to kref_put, triggering a use-after-free.
CVE-2024-27399
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
There is a race condition between l2cap_chan_timeout() and l2cap_chan_del(). When we use l2cap_chan_del() to delete the channel, the chan->conn will be set to null. But the conn could be dereferenced again in the mutex_lock() of l2cap_chan_timeout(). As a result the null pointer dereference bug will happen.
(The KASAN report triggered by the PoC, a null-ptr-deref in mutex_lock+0x68/0xc0 reached from the l2cap_chan_timeout workqueue item, is reproduced in the upstream commit message and omitted here.)
CVE-2024-38564
In the Linux kernel, the following vulnerability has been resolved: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE
bpf_prog_attach uses attach_type_to_prog_type to enforce proper attach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses bpf_prog_get and relies on bpf_prog_attach_check_attach_type to properly verify prog_type <> attach_type association. Add missing attach_type enforcement for the link_create case. Otherwise, it's currently possible to attach cgroup_skb prog types to other cgroup hooks.
CVE-2024-46858
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: Fix uaf in __timer_delete_sync
There are two paths to access mptcp_pm_del_add_timer, resulting in a race condition:
CPU1                               CPU2
====                               ====
net_rx_action
napi_poll                          netlink_sendmsg
__napi_poll                        netlink_unicast
process_backlog                    netlink_unicast_kernel
__netif_receive_skb                genl_rcv
__netif_receive_skb_one_core       netlink_rcv_skb
NF_HOOK                            genl_rcv_msg
ip_local_deliver_finish            genl_family_rcv_msg
ip_protocol_deliver_rcu            genl_family_rcv_msg_doit
tcp_v4_rcv                         mptcp_pm_nl_flush_addrs_doit
tcp_v4_do_rcv                      mptcp_nl_remove_addrs_list
tcp_rcv_established                mptcp_pm_remove_addrs_and_subflows
tcp_data_queue                     remove_anno_list_by_saddr
mptcp_incoming_options             mptcp_pm_del_add_timer
mptcp_pm_del_add_timer             kfree(entry)
In remove_anno_list_by_saddr (running on CPU2), after leaving the critical zone protected by "pm.lock", the entry will be released, which leads to the occurrence of a uaf in mptcp_pm_del_add_timer (running on CPU1). Keep a reference to add_timer inside the lock, and call sk_stop_timer_sync() with this reference instead of "entry->add_timer". Move list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock; do not directly access any members of the entry outside the pm lock, which avoids similar "entry->x" uaf.
Additional information:
N/A
Download:
SRPMS
- kernel-4.18.0-553.30.1.el8_10.src.rpm
MD5: ba37e853882ac26f2b2ce4f65b23b732
SHA-256: 79d2cf0354057bca6f08b264142b02998a5b7dac69fbca916e05a88d0ea368f4
Size: 132.20 MB
Asianux Server 8 for x86_64
- bpftool-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: 361283157e84e852277f560f04526288
SHA-256: 5d5979a525f1873bdf06ac961a39ee8108c5bdb9b8060c7a0988c10729027473
Size: 11.19 MB
- kernel-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: 91b2811e4f87520277e2f8afa48c6864
SHA-256: d32c78fbc58854aa65ea1d836ea447021fa849802400f6be1c209f7cbf490633
Size: 10.47 MB
- kernel-abi-stablelists-4.18.0-553.30.1.el8_10.noarch.rpm
MD5: c23857d159303738a135f439c61d8b27
SHA-256: d5a412910a7d3fc8b35bde4570c7fbe505d86c6831f2b3b82de9954691eb3bb1
Size: 10.48 MB
- kernel-core-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: 0a307a88c5379c2869768b3c6a030dc8
SHA-256: 350672059962ea931e2faf8bdf51e0cdb7c6c140913e6073575360b2df2821c8
Size: 43.49 MB
- kernel-cross-headers-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: 7e83c7496a93e7c9baf01f8e0380efd1
SHA-256: da2b64b80e1e177587fa8b8928013800e525b4d1a74b57857bd667e443914f61
Size: 15.81 MB
- kernel-debug-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: 713141bf5058fb4622b5e5160a5518df
SHA-256: 530dcfd60a32fa6127780b7fc36676e3b9da355b44a4997b0cb3f4ec179fdd7d
Size: 10.47 MB
- kernel-debug-core-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: ca793dcadd612d37a5971767606bc1bd
SHA-256: 8b4b5bc16bb088f0d9a809382e4f408a134f520713e5cf8072e1fa39e25e5609
Size: 72.77 MB
- kernel-debug-devel-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: a32bd274044fe481776793e8bbf94cc1
SHA-256: a51c989a386158e818b8363464b065f7c9104407465faedb4a1b75e4474015e8
Size: 24.30 MB
- kernel-debug-modules-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: e18d72753f11c60773df226794f66baa
SHA-256: 6e56bc011ce9b92966f1b29faafbf9645046567ca26fe1c7aa54a40c1530867e
Size: 65.89 MB
- kernel-debug-modules-extra-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: 5c738aca8f0bde5dcba699203c9c5e08
SHA-256: 81739e95dd3680a4d227bca224b4c8f5d21f3cbf0290d794a2749287f58d1c78
Size: 11.84 MB
- kernel-devel-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: 92d0f935266c45b54eb1f049b5567e9d
SHA-256: 75ba0dea3e86f05fe0b9954d03be9c0283f652f13dc6568099b414fc58475a20
Size: 24.09 MB
- kernel-doc-4.18.0-553.30.1.el8_10.noarch.rpm
MD5: 3943181d856ca53d5a7f68cfb4dd96bb
SHA-256: 38b28ddded0dd98406528effd40e91d8e1e5b6155f0678a0e427984ef07bbd92
Size: 28.33 MB
- kernel-headers-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: bbee14e5ff67106d28d9ab47609dfd62
SHA-256: c413c6f9637dcbf3d2a41221933ebf83029c8f3ed8572cf8fa59929fbbe8279d
Size: 11.82 MB
- kernel-modules-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: f2f06e0fd44c9058cfff11485c685bbd
SHA-256: 21a7c21f08127ca38f08ba6843564758d82d34018a19e9b1f9b6ea8a4c8e1da9
Size: 36.27 MB
- kernel-modules-extra-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: 4eef0d9d8cf608fa26bdaa05dc5e002a
SHA-256: 42178a25eefaea0a32a947e542fed7107c35ea4d61e7dfc030eeb398d1d16415
Size: 11.16 MB
- kernel-tools-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: 97bcb1550ff9ab1da532870b0aeccf9f
SHA-256: d4b6d8e7ed832cf94638d9863e24cc1cea750f67711c68fcfe11a36d75c6e1d6
Size: 10.69 MB
- kernel-tools-libs-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: 45019782dd173edc8a60adabec44a19b
SHA-256: 5d99d00c1f61ae57a2f6b5befdbe2f8724e4bdfcb8ead2af82e6c639cf91970b
Size: 10.48 MB
- kernel-tools-libs-devel-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: 471f73c0be521480fd81dc7c9fa96a61
SHA-256: af74f1e7111495fc67455a831441ecadd0655b0ac012b2f5523f44dbed265365
Size: 10.47 MB
- perf-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: c5ac50e6936b3d1b74a461f505bb040d
SHA-256: 81a6e95bdf7355d276444eb71d0a6f44a6f6df4a82a7ac5944f99ff7b460e872
Size: 12.79 MB
- python3-perf-4.18.0-553.30.1.el8_10.x86_64.rpm
MD5: 5f76793b963ed70533219e39c7d5e796
SHA-256: 26a881db63ece5da82f61a8c7817a598ad0fd1255d278ea8239a17f88b66bba6
Size: 10.59 MB