kernel-5.14.0-503.22.1.el9_5

エラータID: AXSA:2025-9586:08

リリース日: 
2025/01/29 Wednesday - 09:47
題名: 
kernel-5.14.0-503.22.1.el9_5
影響のあるチャネル: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

以下項目について対処しました。

[Security Fix]
- net/ipv4/inet_connection_sock.c には、レースコンディション
に起因するメモリ領域の解放後利用の問題があるため、ローカル
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在
します。(CVE-2024-50154)

- i40e ネットワークデバイスドライバーには、レース
コンディションに起因した MAC/VLAN フィルターデータの
破損およびリークの問題があるため、ローカルの攻撃者により、
サービス拒否攻撃可能とする脆弱性が存在します。
(CVE-2024-53088)

解決策: 

パッケージをアップデートしてください。

CVE: 
CVE-2024-50154
In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). """ We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it. """ The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not to call del_timer_sync() from reqsk_timer_handler(), but it introduced a small race window. Before the timer is called, expire_timers() calls detach_timer(timer, true) to clear timer->entry.pprev and marks it as not pending. If reqsk_queue_unlink() checks timer_pending() just after expire_timers() calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will continue running and send multiple SYN+ACKs until it expires. The reported UAF could happen if req->sk is close()d earlier than the timer expiration, which is 63s by default. The scenario would be 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed 2. reqsk timer is executed and scheduled again 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but reqsk timer still has another one, and inet_csk_accept() does not clear req->sk for non-TFO sockets 4. sk is close()d 5. reqsk timer is executed again, and BPF touches req->sk Let's not use timer_pending() by passing the caller context to __inet_csk_reqsk_queue_drop(). Note that reqsk timer is pinned, so the issue does not happen in most use cases. [1] [0] BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 Use-after-free read at 0x00000000a891fb3a (in kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 allocated by task 0 on cpu 9 at 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb freed by task 0 on cpu 9 at 260507.927527s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb
CVE-2024-50275
In the Linux kernel, the following vulnerability has been resolved: arm64/sve: Discard stale CPU state when handling SVE traps The logic for handling SVE traps manipulates saved FPSIMD/SVE state incorrectly, and a race with preemption can result in a task having TIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SVE traps enabled). This has been observed to result in warnings from do_sve_acc() where SVE traps are not expected while TIF_SVE is set: | if (test_and_set_thread_flag(TIF_SVE)) | WARN_ON(1); /* SVE access shouldn't have trapped */ Warnings of this form have been reported intermittently, e.g. https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgqpdBj+QwDLeSg=JhGg@mail.gmail.com/ https://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@google.com/ The race can occur when the SVE trap handler is preempted before and after manipulating the saved FPSIMD/SVE state, starting and ending on the same CPU, e.g. | void do_sve_acc(unsigned long esr, struct pt_regs *regs) | { | // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled | // task->fpsimd_cpu is 0. | // per_cpu_ptr(&fpsimd_last_state, 0) is task. | | ... | | // Preempted; migrated from CPU 0 to CPU 1. | // TIF_FOREIGN_FPSTATE is set. | | get_cpu_fpsimd_context(); | | if (test_and_set_thread_flag(TIF_SVE)) | WARN_ON(1); /* SVE access shouldn't have trapped */ | | sve_init_regs() { | if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { | ... | } else { | fpsimd_to_sve(current); | current->thread.fp_type = FP_STATE_SVE; | } | } | | put_cpu_fpsimd_context(); | | // Preempted; migrated from CPU 1 to CPU 0. | // task->fpsimd_cpu is still 0 | // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: | // - Stale HW state is reused (with SVE traps enabled) | // - TIF_FOREIGN_FPSTATE is cleared | // - A return to userspace skips HW state restore | } Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace.
CVE-2024-53088
In the Linux kernel, the following vulnerability has been resolved: i40e: fix race condition by adding filter's intermediate sync state Fix a race condition in the i40e driver that leads to MAC/VLAN filters becoming corrupted and leaking. Address the issue that occurs under heavy load when multiple threads are concurrently modifying MAC/VLAN filters by setting mac and port VLAN. 1. Thread T0 allocates a filter in i40e_add_filter() within i40e_ndo_set_vf_port_vlan(). 2. Thread T1 concurrently frees the filter in __i40e_del_filter() within i40e_ndo_set_vf_mac(). 3. Subsequently, i40e_service_task() calls i40e_sync_vsi_filters(), which refers to the already freed filter memory, causing corruption. Reproduction steps: 1. Spawn multiple VFs. 2. Apply a concurrent heavy load by running parallel operations to change MAC addresses on the VFs and change port VLANs on the host. 3. Observe errors in dmesg: "Error I40E_AQ_RC_ENOSPC adding RX filters on VF XX, please set promiscuous on manually for VF XX". Exact code for stable reproduction Intel can't open-source now. The fix involves implementing a new intermediate filter state, I40E_FILTER_NEW_SYNC, for the time when a filter is on a tmp_add_list. These filters cannot be deleted from the hash list directly but must be removed using the full process.
追加情報: 

N/A

ダウンロード: 

SRPMS
  1. kernel-5.14.0-503.22.1.el9_5.src.rpm
    MD5: 250fbaa0eb6572faad56504de156c9f0
    SHA-256: 5e92d9e0b0228909cd284ae7d8e70004c1dd948da6dc6fc4d55ff6f296216a2f
    Size: 139.61 MB

Asianux Server 9 for x86_64
  1. bpftool-7.4.0-503.22.1.el9_5.x86_64.rpm
    MD5: 6efb60a93567cd30e6a37ec0dd334b74
    SHA-256: b36c87dd60fa64984cc4ebe71d0a45e8ef458c3a664d52535154388bbca619cd
    Size: 2.79 MB
  2. kernel-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 70ab7bf49b197ab21fdf73db9bce4826
    SHA-256: 7ee664bc2c0d252bd72eefd3f74f87bc21808db3f3ad200224948ab6f05df8d5
    Size: 2.03 MB
  3. kernel-abi-stablelists-5.14.0-503.22.1.el9_5.noarch.rpm
    MD5: c1d87ef2241e4721f93fb88558eb43f8
    SHA-256: deb4abc2d80aeb285d5a5047d34571e1c46ef3e25e66625f019c962e9f576475
    Size: 2.05 MB
  4. kernel-core-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 6572b03a5076da9406a54975724a56e0
    SHA-256: 6ea3be89ea416bd4f935503be653a0c90c83c26d57519a434831fc05971a2456
    Size: 17.64 MB
  5. kernel-cross-headers-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 7f5b87bf0a7dde1e859071b01a5eabe2
    SHA-256: 14438f43670ade1bea8a7de5bf7949fd223aff52ec07e11b25b603bccb4435f0
    Size: 8.78 MB
  6. kernel-debug-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 33ef4c0d9073977115e6b3c01629ec35
    SHA-256: 9ac1f3993f29a2d53704cba30ff0c95d0be9a8d72ab5093be03b93c9b60aaee8
    Size: 2.03 MB
  7. kernel-debug-core-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 6dca8f3f9e0d0f2852da30aa1ee71fee
    SHA-256: 6d748925062e2cdd376ea9fbfca4ddb14ee4410aac3a87001c6933b95986afee
    Size: 30.71 MB
  8. kernel-debug-devel-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: bf3303e3b72eb644faeee40603469183
    SHA-256: 5f099ce866a3c92c59717df4ad86e0eacdba0c8201f0cb91167b9f6fe06557bc
    Size: 21.75 MB
  9. kernel-debug-devel-matched-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 0a5ac32dbbe082016d94b8aaf1355ee6
    SHA-256: 6423c26acb71b9d04f535487dbf084c9460a83c75991ec3ea01bf2f572b40539
    Size: 2.03 MB
  10. kernel-debug-modules-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 16bc45625d7d3dabbe5d42b3d303361a
    SHA-256: 3bc56dca8c8568ce2204c61be00a132c5f5d614076603bc6980bba2ebb6f6251
    Size: 62.65 MB
  11. kernel-debug-modules-core-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 75fbde3100585a724e3f4c029ab5189c
    SHA-256: 51790287e8b481a0d4f399ceacb5c00677c0f53a99aebad0f07269d8714232bf
    Size: 47.99 MB
  12. kernel-debug-modules-extra-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 29f3d95464bca12fd7eac7a55f7e1bf3
    SHA-256: 073d417a86d6f8ae5a10ea4f4ec11f2c7c279f26d8d22f0c963471fbd70dc981
    Size: 2.88 MB
  13. kernel-debug-uki-virt-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 5cee8e9b466d47699d2b147592408613
    SHA-256: f119c7bb644df6fa16f4e8d0eca9e89a7341bf53d1ecda2d4ef09faf82a44486
    Size: 81.30 MB
  14. kernel-devel-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: b209ead9a7f346dab597be654063b172
    SHA-256: 3ac99804f134c7d5f2f1e057dc1296e85b61e45fd599de914788923724728c3b
    Size: 21.56 MB
  15. kernel-devel-matched-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: e2efa3a0ae8acdf2d206dd7175ee93f9
    SHA-256: 25ee45cacfb42872a0c669c73a7ea80e74259cbe540bafe13f049baaf2f8daa3
    Size: 2.03 MB
  16. kernel-doc-5.14.0-503.22.1.el9_5.noarch.rpm
    MD5: 470d1e0edbe1726ef1a5c9b3918ebab4
    SHA-256: c3f80b9bf9dace364729c5fdb3e6d4ec714ee2201b9a38c8b8f7ba79093cfee8
    Size: 37.42 MB
  17. kernel-headers-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 7200e83700da1da49caefd6b0ddf755f
    SHA-256: 16f6011d01fb384baef61fdb9b1a1d8f5ec3e4926a3009f53e325d94e76b3e03
    Size: 3.74 MB
  18. kernel-modules-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: e1630492f3527938ad0e6d23f4f9d912
    SHA-256: 50f00decdd0b92656cd64c4e29c795f111e158128b6dbd53d6a458bb81404789
    Size: 36.55 MB
  19. kernel-modules-core-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 7bceb7803bcca2bb8ea3551faacbc7ee
    SHA-256: 5019fe4a39a4b8149ed14bf70d3862dcdcc2e02586814a2c484450308502092d
    Size: 30.44 MB
  20. kernel-modules-extra-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 49fd96bec44f0115f236c43471d58101
    SHA-256: 2dfcdacfe39c69a811f68bc7b4348628ca75246035ef0a2b899f378fa01e9128
    Size: 2.50 MB
  21. kernel-tools-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: c2462bf90cfa820bc67f201a46f5ea93
    SHA-256: 2a1560e71b73921498e17bf58a5f866a89b1b9341e833f8f1c978e8b91d0928b
    Size: 2.29 MB
  22. kernel-tools-libs-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: cff9262389fc91491394f8d71c019010
    SHA-256: 4adfbf327cd52f177af7bb40707ec3f2b0e2bebcf40f4024b1865dfb92087679
    Size: 2.04 MB
  23. kernel-tools-libs-devel-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: b1989c223d7d1cb10290de3b6ec53cf6
    SHA-256: c9482cbc6f13ae0ceb2cde49f3c41a49f4c9a7617396bbfc6ef1b96ef8af6f4f
    Size: 2.03 MB
  24. kernel-uki-virt-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 32c1897a60389906a3c8939898d969fe
    SHA-256: 75e181d5ec749f735629cc59da9a897b66c22eefc5bc30f53928737754d5b003
    Size: 60.50 MB
  25. kernel-uki-virt-addons-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: a5d9851dbac6bf03b2386effe26c2c73
    SHA-256: fd4d350957990aa68c2d7318a626b5a80dae8d9630c7e91f9b08b65fc54ed14e
    Size: 2.04 MB
  26. libperf-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 8c42200d3275cac0d9c331606b8d7116
    SHA-256: 7f176ddc3ec690b0752c0140834e8413c355fe0dc66f38209607492602ea0204
    Size: 2.05 MB
  27. perf-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 6f3278dacb26e4ddfffb65bea0072f0c
    SHA-256: 2ef77ec2153e1b2ff13619bc6bf5e02bea83f4f750e38b2521a58c8485b6ff6e
    Size: 4.20 MB
  28. python3-perf-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 97ffe77442dcf5848074cc6a699c9693
    SHA-256: fbd2551172707c194ccfb13053488160840c7daf0701c8b0ff7dd9ff7bb06ff5
    Size: 2.13 MB
  29. rtla-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: 7d2e36815c057ea34c8656b943723de4
    SHA-256: c97bc3f20269711ce067d5b2809fc71827841438036af0e48c0cbd74bdb83a74
    Size: 2.08 MB
  30. rv-5.14.0-503.22.1.el9_5.x86_64.rpm
    MD5: f71435d64ce67b4fe9956f846dc22d03
    SHA-256: 23a15d01c15aec2c0a2071f8bbc4a522d061f0d1b69f6dacbca97027730934df
    Size: 2.04 MB