kernel-4.18.0-553.53.1.el8_10
Errata ID: AXSA:2025-9967:33
Release date:
2025/05/29 Thursday - 10:25
Title:
kernel-4.18.0-553.53.1.el8_10
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- The mlx5_function_teardown() function in drivers/net/ethernet/mellanox/mlx5/core/main.c has a use-after-free issue caused by the health timer not being stopped when teardown_hca() fails, which allows a local attacker to cause a denial of service (segmentation fault). (CVE-2024-40906)
- The mlx5e_handle_rx_cqe_mpwrq_shampo() function in drivers/net/ethernet/mellanox/mlx5/core/en_rx.c corrupts an internal linked list in certain cases, which allows a local attacker to cause a denial of service. (CVE-2024-44970)
- net/vmw_vsock/af_vsock.c has a SLAB use-after-free issue caused by mistakenly releasing a socket's binding during transport reassignment, which allows a local attacker to cause information disclosure, data corruption, and a denial of service. (CVE-2025-21756)
Solution:
Update the packages.
CVE:
CVE-2024-40906
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Always stop health timer during driver removal

Currently, if teardown_hca fails to execute during driver removal, mlx5 does not stop the health timer. Afterwards, mlx5 continues with driver teardown. This may lead to a UAF bug, which results in page fault Oops[1], since the health timer invokes after resources were freed.

Hence, stop the health monitor even if teardown_hca fails.

[1]
mlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
mlx5_core 0000:18:00.0: E-Switch: cleanup
mlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource
mlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup
BUG: unable to handle page fault for address: ffffa26487064230
PGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G OE ------- --- 6.7.0-68.fc38.x86_64 #1
Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020
RIP: 0010:ioread32be+0x34/0x60
RSP: 0018:ffffa26480003e58 EFLAGS: 00010292
RAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0
RDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230
RBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8
R10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0
R13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0
FS: 0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 ? __die+0x23/0x70
 ? page_fault_oops+0x171/0x4e0
 ? exc_page_fault+0x175/0x180
 ? asm_exc_page_fault+0x26/0x30
 ? __pfx_poll_health+0x10/0x10 [mlx5_core]
 ? __pfx_poll_health+0x10/0x10 [mlx5_core]
 ? ioread32be+0x34/0x60
 mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core]
 ? __pfx_poll_health+0x10/0x10 [mlx5_core]
 poll_health+0x42/0x230 [mlx5_core]
 ? __next_timer_interrupt+0xbc/0x110
 ? __pfx_poll_health+0x10/0x10 [mlx5_core]
 call_timer_fn+0x21/0x130
 ? __pfx_poll_health+0x10/0x10 [mlx5_core]
 __run_timers+0x222/0x2c0
 run_timer_softirq+0x1d/0x40
 __do_softirq+0xc9/0x2c8
 __irq_exit_rcu+0xa6/0xc0
 sysvec_apic_timer_interrupt+0x72/0x90
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:cpuidle_enter_state+0xcc/0x440
 ? cpuidle_enter_state+0xbd/0x440
 cpuidle_enter+0x2d/0x40
 do_idle+0x20d/0x270
 cpu_startup_entry+0x2a/0x30
 rest_init+0xd0/0xd0
 arch_call_rest_init+0xe/0x30
 start_kernel+0x709/0xa90
 x86_64_start_reservations+0x18/0x30
 x86_64_start_kernel+0x96/0xa0
 secondary_startup_64_no_verify+0x18f/0x19b
---[ end trace 0000000000000000 ]---
CVE-2024-44970
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink

When all the strides in a WQE have been consumed, the WQE is unlinked from the WQ linked list (mlx5_wq_ll_pop()). For SHAMPO, it is possible to receive CQEs with 0 consumed strides for the same WQE even after the WQE is fully consumed and unlinked. This triggers an additional unlink for the same wqe which corrupts the linked list.

Fix this scenario by accepting 0 sized consumed strides without unlinking the WQE again.
CVE-2025-21756
In the Linux kernel, the following vulnerability has been resolved:

vsock: Keep the binding until socket destruction

Preserve socket bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect().

Prevents socket unbinding during a transport reassignment, which fixes a use-after-free:

1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1)
3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does:
    list_del_init(&vsk->bound_table); // nop
    sock_put(&vsk->sk); // refcnt=0

BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730
Read of size 4 at addr ffff88816b46a74c by task a.out/2057
 dump_stack_lvl+0x68/0x90
 print_report+0x174/0x4f6
 kasan_report+0xb9/0x190
 __vsock_bind+0x62e/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Allocated by task 2057:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x10/0x30
 __kasan_slab_alloc+0x85/0x90
 kmem_cache_alloc_noprof+0x131/0x450
 sk_prot_alloc+0x5b/0x220
 sk_alloc+0x2c/0x870
 __vsock_create.constprop.0+0x2e/0xb60
 vsock_create+0xe4/0x420
 __sock_create+0x241/0x650
 __sys_socket+0xf2/0x1a0
 __x64_sys_socket+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 2057:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x10/0x30
 kasan_save_free_info+0x37/0x60
 __kasan_slab_free+0x4b/0x70
 kmem_cache_free+0x1a1/0x590
 __sk_destruct+0x388/0x5a0
 __vsock_bind+0x5e1/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
RIP: 0010:refcount_warn_saturate+0xce/0x150
 __vsock_bind+0x66d/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: underflow; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
RIP: 0010:refcount_warn_saturate+0xee/0x150
 vsock_remove_bound+0x187/0x1e0
 __vsock_release+0x383/0x4a0
 vsock_release+0x90/0x120
 __sock_release+0xa3/0x250
 sock_close+0x14/0x20
 __fput+0x359/0xa80
 task_work_run+0x107/0x1d0
 do_exit+0x847/0x2560
 do_group_exit+0xb8/0x250
 __x64_sys_exit_group+0x3a/0x50
 x64_sys_call+0xfec/0x14f0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
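The reference counting in steps 1 to 3 of the CVE-2025-21756 description, as a userspace model added here; it is not kernel code and not part of the advisory or the upstream patch. The struct, the helper names and the `keep_binding` flag are assumptions for illustration, with `keep_binding` standing in for the fix's rule that a transport reassignment must not drop the binding.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, not kernel code: names and fields are illustrative. */
struct model_sock {
    int  refcnt;   /* references held on the socket */
    bool on_list;  /* linked on the unbound list or a bound list */
    bool freed;    /* refcnt reached 0, object released */
    bool uaf;      /* object touched after release */
};

static void model_hold(struct model_sock *sk) {
    if (sk->freed) { sk->uaf = true; return; }  /* "addition on 0" */
    sk->refcnt++;
}

static void model_put(struct model_sock *sk) {
    if (sk->freed) { sk->uaf = true; return; }  /* "underflow" */
    if (--sk->refcnt == 0) sk->freed = true;
}

static void list_insert(struct model_sock *sk) { model_hold(sk); sk->on_list = true; }
/* Unlinking an already unlinked entry is a no-op, but the put still happens. */
static void remove_unchecked(struct model_sock *sk) { sk->on_list = false; model_put(sk); }

/* Step 2: transport release during reassignment; keep_binding models the fix. */
static void transport_release(struct model_sock *sk, bool keep_binding) {
    if (!keep_binding && sk->on_list) remove_unchecked(sk);
}

/* Step 3: bind assumes the socket is still on the unbound list. */
static void model_bind(struct model_sock *sk) { remove_unchecked(sk); list_insert(sk); }

/* Runs steps 1-3 of the advisory and returns the resulting state. */
struct model_sock run_sequence(bool keep_binding) {
    struct model_sock sk = { .refcnt = 1 };  /* step 1: create, refcnt=1 */
    list_insert(&sk);                        /* unbound list, refcnt=2 */
    transport_release(&sk, keep_binding);
    model_bind(&sk);
    return sk;
}

int main(void) {
    struct model_sock bad = run_sequence(false), good = run_sequence(true);
    printf("unfixed: refcnt=%d freed=%d uaf=%d\n", bad.refcnt, bad.freed, bad.uaf);
    printf("fixed:   refcnt=%d freed=%d uaf=%d\n", good.refcnt, good.freed, good.uaf);
    return 0;
}
```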
Additional information:
N/A
Downloads:
SRPMS
- kernel-4.18.0-553.53.1.el8_10.src.rpm
Size: 132.22 MB
Asianux Server 8 for x86_64
- bpftool-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 11.21 MB
- kernel-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 10.49 MB
- kernel-abi-stablelists-4.18.0-553.53.1.el8_10.noarch.rpm
Size: 10.50 MB
- kernel-core-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 43.52 MB
- kernel-cross-headers-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 15.83 MB
- kernel-debug-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 10.48 MB
- kernel-debug-core-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 72.80 MB
- kernel-debug-devel-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 24.31 MB
- kernel-debug-modules-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 65.91 MB
- kernel-debug-modules-extra-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 11.86 MB
- kernel-devel-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 24.11 MB
- kernel-doc-4.18.0-553.53.1.el8_10.noarch.rpm
Size: 28.35 MB
- kernel-headers-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 11.84 MB
- kernel-modules-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 36.30 MB
- kernel-modules-extra-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 11.17 MB
- kernel-tools-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 10.70 MB
- kernel-tools-libs-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 10.49 MB
- kernel-tools-libs-devel-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 10.49 MB
- perf-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 12.80 MB
- python3-perf-4.18.0-553.53.1.el8_10.x86_64.rpm
Size: 10.61 MB