kernel-5.14.0-503.26.1.el9_5
エラータID: AXSA:2025-9727:15
リリース日:
2025/03/07 Friday - 16:29
題名:
kernel-5.14.0-503.26.1.el9_5
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- メモリ管理サブシステムの mm/migrate.c には、ページの
移行処理中に誤ったページマッピングをしてしまう問題が
あるため、ローカルの攻撃者により、サービス拒否攻撃を
可能とする脆弱性が存在します。(CVE-2023-52490)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2023-52490
In the Linux kernel, the following vulnerability has been resolved: mm: migrate: fix getting incorrect page mapping during page migration When running stress-ng testing, we found below kernel crash after a few hours: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 pc : dentry_name+0xd8/0x224 lr : pointer+0x22c/0x370 sp : ffff800025f134c0 ...... Call trace: dentry_name+0xd8/0x224 pointer+0x22c/0x370 vsnprintf+0x1ec/0x730 vscnprintf+0x2c/0x60 vprintk_store+0x70/0x234 vprintk_emit+0xe0/0x24c vprintk_default+0x3c/0x44 vprintk_func+0x84/0x2d0 printk+0x64/0x88 __dump_page+0x52c/0x530 dump_page+0x14/0x20 set_migratetype_isolate+0x110/0x224 start_isolate_page_range+0xc4/0x20c offline_pages+0x124/0x474 memory_block_offline+0x44/0xf4 memory_subsys_offline+0x3c/0x70 device_offline+0xf0/0x120 ...... After analyzing the vmcore, I found this issue is caused by page migration. The scenario is that, one thread is doing page migration, and we will use the target page's ->mapping field to save 'anon_vma' pointer between page unmap and page move, and now the target page is locked and refcount is 1. Currently, there is another stress-ng thread performing memory hotplug, attempting to offline the target page that is being migrated. It discovers that the refcount of this target page is 1, preventing the offline operation, thus proceeding to dump the page. However, page_mapping() of the target page may return an incorrect file mapping to crash the system in dump_mapping(), since the target page->mapping only saves 'anon_vma' pointer without setting PAGE_MAPPING_ANON flag. There are seveval ways to fix this issue: (1) Setting the PAGE_MAPPING_ANON flag for target page's ->mapping when saving 'anon_vma', but this can confuse PageAnon() for PFN walkers, since the target page has not built mappings yet. (2) Getting the page lock to call page_mapping() in __dump_page() to avoid crashing the system, however, there are still some PFN walkers that call page_mapping() without holding the page lock, such as compaction. (3) Using target page->private field to save the 'anon_vma' pointer and 2 bits page state, just as page->mapping records an anonymous page, which can remove the page_mapping() impact for PFN walkers and also seems a simple way. So I choose option 3 to fix this issue, and this can also fix other potential issues for PFN walkers, such as compaction.
In the Linux kernel, the following vulnerability has been resolved: mm: migrate: fix getting incorrect page mapping during page migration When running stress-ng testing, we found below kernel crash after a few hours: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 pc : dentry_name+0xd8/0x224 lr : pointer+0x22c/0x370 sp : ffff800025f134c0 ...... Call trace: dentry_name+0xd8/0x224 pointer+0x22c/0x370 vsnprintf+0x1ec/0x730 vscnprintf+0x2c/0x60 vprintk_store+0x70/0x234 vprintk_emit+0xe0/0x24c vprintk_default+0x3c/0x44 vprintk_func+0x84/0x2d0 printk+0x64/0x88 __dump_page+0x52c/0x530 dump_page+0x14/0x20 set_migratetype_isolate+0x110/0x224 start_isolate_page_range+0xc4/0x20c offline_pages+0x124/0x474 memory_block_offline+0x44/0xf4 memory_subsys_offline+0x3c/0x70 device_offline+0xf0/0x120 ...... After analyzing the vmcore, I found this issue is caused by page migration. The scenario is that, one thread is doing page migration, and we will use the target page's ->mapping field to save 'anon_vma' pointer between page unmap and page move, and now the target page is locked and refcount is 1. Currently, there is another stress-ng thread performing memory hotplug, attempting to offline the target page that is being migrated. It discovers that the refcount of this target page is 1, preventing the offline operation, thus proceeding to dump the page. However, page_mapping() of the target page may return an incorrect file mapping to crash the system in dump_mapping(), since the target page->mapping only saves 'anon_vma' pointer without setting PAGE_MAPPING_ANON flag. There are seveval ways to fix this issue: (1) Setting the PAGE_MAPPING_ANON flag for target page's ->mapping when saving 'anon_vma', but this can confuse PageAnon() for PFN walkers, since the target page has not built mappings yet. (2) Getting the page lock to call page_mapping() in __dump_page() to avoid crashing the system, however, there are still some PFN walkers that call page_mapping() without holding the page lock, such as compaction. (3) Using target page->private field to save the 'anon_vma' pointer and 2 bits page state, just as page->mapping records an anonymous page, which can remove the page_mapping() impact for PFN walkers and also seems a simple way. So I choose option 3 to fix this issue, and this can also fix other potential issues for PFN walkers, such as compaction.
追加情報:
N/A
ダウンロード:
SRPMS
- kernel-5.14.0-503.26.1.el9_5.src.rpm
MD5: 0001886889c04ac4d843a7bc89d8a3fc
SHA-256: 01adca196569888ac4ed5ff617f2dcfb406427a5f9ead1b7926a23fff8d26145
Size: 139.62 MB
Asianux Server 9 for x86_64
- bpftool-7.4.0-503.26.1.el9_5.x86_64.rpm
MD5: 6d1ab71511a6cf8fab6cb962d49805fe
SHA-256: ffd0c1dfb38415bfcfc20875e52feab506177c13520b2dd638407a70727537e3
Size: 2.80 MB - kernel-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 3ae70975ef1b8e9c40ed8e14af5a9407
SHA-256: b727a1c24c37a1f07be657eeb9390235499ec70d1aa8cccdb500efbc345ddd50
Size: 2.03 MB - kernel-abi-stablelists-5.14.0-503.26.1.el9_5.noarch.rpm
MD5: 99e752c62402855109e4562587f80361
SHA-256: be080c3d65d933783b841112024e4f86d4aa7fc93870ff0bf6281b46d7980d62
Size: 2.05 MB - kernel-core-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 5dec4feb0c655623a20ef6949a9be0b8
SHA-256: 1455b3234c238a82984066d5519a97b9a5da7372b4911409d0d6416a42352e14
Size: 17.64 MB - kernel-cross-headers-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 21b6b35891c5b1b495cc6abc281faa44
SHA-256: bf0250d0a12d251bdc7126c0deeecc0b8700a50b3250e4d7446215ff70872dd3
Size: 8.78 MB - kernel-debug-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: fcd3e3444e8d1c7130ff72b9fbcbb522
SHA-256: 0defc680997e71747aaca8562c22ff8d900694f4a989c35d533c77e8e198c0e3
Size: 2.03 MB - kernel-debug-core-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: e6feb6ffa56078ecf41060413d17a591
SHA-256: 6db3df6707963bcf1f5a93d91afa57c1733aea2de63b686c7b078d95b870e54c
Size: 30.71 MB - kernel-debug-devel-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 587d71317594f769f380f528e38e737d
SHA-256: 7f994dcc8c6a3a236da017e83edd2619646dfd40525979cb2513adf7cd8d955d
Size: 21.75 MB - kernel-debug-devel-matched-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: b42ad9a7a91822e5992c7cadf79a12cd
SHA-256: 5fe51016733dbbbbfa921fa76a25f56d4a978cfa680b389b5769b7f558ce80ca
Size: 2.03 MB - kernel-debug-modules-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: ee98031f9ee13515e292f56fb06651e8
SHA-256: f574a73757cff7fc03b6633e7c773b8ba9c673f7cc5483c72fa588cf1f91a9de
Size: 62.66 MB - kernel-debug-modules-core-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 8da473b9867999887c120a562d37d788
SHA-256: 1dbb8f2ca9ebcf541d24a1feeaf5d074945955807038703ccc94e5d9d53b625a
Size: 47.99 MB - kernel-debug-modules-extra-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 24f88d863add3c1024759d571e437162
SHA-256: e2a4adacd3817a8f40a83d613e7aebc5272b79f7f717f9c96904c20abf83031e
Size: 2.89 MB - kernel-debug-uki-virt-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: d1314dcbb0b2eb6d888b1fd98c8dba2b
SHA-256: 2896ce7a3ec95d72c73cdfad8d502199bb587bb852e1d1150e667689628ebc41
Size: 81.30 MB - kernel-devel-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 1af6640a0969545d70174421c5ca8f66
SHA-256: 990314a1902c8c5e158bf7dcc5b2cdccec8dcff315254922651c4f245379a261
Size: 21.56 MB - kernel-devel-matched-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: c5f4e70d94647885b9a252b1bc636fe1
SHA-256: 46ef84966f26751a9802ce51eec18db79c53a7c749a3ab864f7d4640bd6baf80
Size: 2.03 MB - kernel-doc-5.14.0-503.26.1.el9_5.noarch.rpm
MD5: a1751b129ac7b0dde8bd882511147204
SHA-256: 036a84a20315f8b3c36a270ac7e3173ba392b5cf74369d885a09a1b15a8d8c64
Size: 37.43 MB - kernel-headers-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 9e8ff5215b7ce85eb340b60a12492a99
SHA-256: e299e0ad22076a2c50b36bec01d7f693740cc77f886cbb380124d10f3afe91db
Size: 3.74 MB - kernel-modules-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: b92344beab1a33acb0b226a669cfdfcd
SHA-256: ef8dd72d5746e0684ab0f5cb39aa22bacc0a97ae4c2f111b80e3e45a0c10bc18
Size: 36.51 MB - kernel-modules-core-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 43aad472f1df5c694f9c474cb74c69a3
SHA-256: 3cd975704f7dbe733cf05fc758133690acc389de7c79269ab096bf88ab0c9414
Size: 30.46 MB - kernel-modules-extra-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 7783680c7df9e9659ceeb9f1593c0fdd
SHA-256: badfa84083d2ac51d29e3d00994a6d0a4c39e179505677a916c552c345b06b5c
Size: 2.50 MB - kernel-tools-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: cddf13b11857dbab92036215f84f545d
SHA-256: 8c84eb0e487dc15613f5f8716763bd7df7a1e11b4bf1c563c9c301d0d4e6a710
Size: 2.29 MB - kernel-tools-libs-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 4932e8008a6b4992d36730a7dd466878
SHA-256: bc1cee5d9906ffd59412625580152c0e956ece9ac390df0634303a5471287231
Size: 2.04 MB - kernel-tools-libs-devel-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: d396113a42e8d5ec413a7507f26e6fbb
SHA-256: e56b76e66a83eba244baa56fc462f54909fbbbc6a49c39f7ae9da184fe35eedc
Size: 2.03 MB - kernel-uki-virt-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 618fed6b19ae246baff9fce010e53f40
SHA-256: 8b0c125844a339dbaa5ec7246cd69043e3d2efe64240e47b71681a2dcd5ed38d
Size: 60.49 MB - kernel-uki-virt-addons-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: e1d78d1b594dcb9cac046bcf2a6eacf9
SHA-256: 137cd4decbf0a1a37032b1b135e61ebc15b6d55215d2f7e23ec616584a9a0119
Size: 2.05 MB - libperf-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: b808dbc3cb590a3be7b509ce5ebf5172
SHA-256: 982faa8a7b2da2ad949bd333da344182ef41638baf8e0482414634629b3f3fe4
Size: 2.05 MB - perf-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 99f8bdc5ba9fe955d897284235b77790
SHA-256: 83ccb7f49eef427657d377bb3d1b5885174498ed21bdd09522e1587538cec5a0
Size: 4.21 MB - python3-perf-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 0e7654e94e52375da3259587a1834755
SHA-256: 358f9ed1b5999b8962ec955975685f0e90405851d5b4236b18e647deed940012
Size: 2.13 MB - rtla-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 6cfff32eb040f821f5724dabca466031
SHA-256: 93728112b9e30446cc78a40ca0d6488b826a39b1c279f1c5a9e4ba9a43cb5306
Size: 2.08 MB - rv-5.14.0-503.26.1.el9_5.x86_64.rpm
MD5: 261254f23307b9e5eb4f6e08f142bc2c
SHA-256: dba7d723dcf1d178dc57305a5cee945a33d4ab5fcca882297eb6957cf31cc8b9
Size: 2.04 MB
English