kernel-4.18.0-553.60.1.el8_10
Errata ID: AXSA:2025-10492:41
Release date:
2025/07/16 Wednesday - 15:00
Title:
kernel-4.18.0-553.60.1.el8_10
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
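The following issues have been addressed.
[Security Fix]
- The Bluetooth HCI driver in the kernel has a use-after-free issue,
which allows a local attacker to cause information disclosure, data
corruption, and denial of service. (CVE-2022-49111)
- The Bluetooth HCI driver in the kernel has a use-after-free issue,
which allows a local attacker to cause information disclosure, data
corruption, and denial of service. (CVE-2022-49136)
- The UDF file system in the kernel has an out-of-bounds memory write
issue, which allows a local attacker to cause data corruption and
denial of service. (CVE-2022-49846)
Solution:
Update the packages.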
CVE:
CVE-2022-49111
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix use after free in hci_send_acl
This fixes the following trace caused by receiving HCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without first checking if conn->type is in fact AMP_LINK and in case it is do properly cleanup upper layers with hci_disconn_cfm:
BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50
Read of size 8 at addr ffff88800e404818 by task bluetoothd/142
CPU: 0 PID: 142 Comm: bluetoothd Not tainted 5.17.0-rc5-00006-gda4022eeac1a #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
CVE-2022-49136
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set
hci_cmd_sync_queue shall return an error if HCI_UNREGISTER flag has been set as that means hci_unregister_dev has been called so it will likely cause a uaf after the timeout as the hdev will be freed.
CVE-2022-49846
In the Linux kernel, the following vulnerability has been resolved:
udf: Fix a slab-out-of-bounds write bug in udf_find_entry()
Syzbot reported a slab-out-of-bounds Write bug:
loop0: detected capacity change from 0 to 2048
BUG: KASAN: slab-out-of-bounds in udf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253
Write of size 105 at addr ffff8880123ff896 by task syz-executor323/3610
CPU: 0 PID: 3610 Comm: syz-executor323 Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
Additional information:
N/A
Download:
SRPMS
- kernel-4.18.0-553.60.1.el8_10.src.rpm
MD5: 39814bf1657e2cdece70c7810f2a49f9
SHA-256: 30f61e512d2ee51c63118c2e7fbdbbda945fa1006d2939a5d30c5274bdfb5e8d
Size: 132.23 MB
Asianux Server 8 for x86_64
- bpftool-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: ef40c929bfd8fece17ae19906e1027fa
SHA-256: 1cdfdee8d8344cc822110dfc9f0d60b20899eead454aea0f940cfa51874f1116
Size: 11.22 MB
- kernel-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: 23374b3a98064bc560a194400b3af68f
SHA-256: 261cfd75d4677d86d5d6abc64d3a63ee9009313ec96256aa0f73662b2bab33d9
Size: 10.49 MB
- kernel-abi-stablelists-4.18.0-553.60.1.el8_10.noarch.rpm
MD5: 4cc4ee233896f792a8708612261d7332
SHA-256: 5a3efde1aa656e91eb0af4916b6edc5c9c57bb98d1f67e64efdb92ff516d4492
Size: 10.51 MB
- kernel-core-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: a61f24b5e7b2d3baecd1f7f9f0a54527
SHA-256: 9bd770672649f11091138329bd546565b77ccaa8f3115a7975949fdb25aaf76b
Size: 43.51 MB
- kernel-cross-headers-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: 21e927dba103f3847ce0e81fbcde8efe
SHA-256: 01843de9a44dd083b3b6ee1c686d4ce94f7b239930187b212e22fb3fea6c6b96
Size: 15.84 MB
- kernel-debug-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: 29d3d95fa69351a5c9e538df4276053b
SHA-256: 7ce413cdf15cb4f2b2a5bd7ebd70ecb011b695030d4ea1901b60dc42b3f1056b
Size: 10.49 MB
- kernel-debug-core-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: 75d107c9fd829c98313a1f5d8f445086
SHA-256: 17de3fce1372c28e3878111cc6736cca4dbc6ebfd9b97c4688a39697c707e110
Size: 72.80 MB
- kernel-debug-devel-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: 2adac5bbf06f5cc41607676478fbabe2
SHA-256: f885af852b869145e6c802b1856b872a66c0dae1a54ede11debd53fc611da528
Size: 24.32 MB
- kernel-debug-modules-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: d106a4325c377f69c718abfeaeff7c72
SHA-256: 30d421faadb50b02248028273a0e1d4a5e42150da89623059a075e04fe08f567
Size: 65.91 MB
- kernel-debug-modules-extra-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: 2efe3904534232fd881faf6d3d07715f
SHA-256: edefd93dc549a82d4ce420d22ed36c075b10d23efade504079a0e3d8274505d4
Size: 11.87 MB
- kernel-devel-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: 132b717f87202af1583ae4649a17f4c6
SHA-256: ef68a3335846c35254ab0b0020a5a2e33ee2b9078aa77b070797159c00a38f1a
Size: 24.12 MB
- kernel-doc-4.18.0-553.60.1.el8_10.noarch.rpm
MD5: 9fcc89c790a1e2039633cd3dbe2b7712
SHA-256: f641e6738c605237d9b7509496db8461e51c16983fd1201c4b28fa7e1305e4e9
Size: 28.35 MB
- kernel-headers-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: 4f5c2fcdcf5d517528b918f4a284df03
SHA-256: b9e7e6a15074470aca74403cb588f369423ad200bc602bb159cf39a0c4c8eac1
Size: 11.84 MB
- kernel-modules-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: 9d2c4c8ceb25ce32b4d9bc974644872d
SHA-256: 48fce06489e9e76306df8e289ff3298d2dfcad2edb17b93c8a2e38364d7c6856
Size: 36.30 MB
- kernel-modules-extra-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: c6b771b18c5de07c3b4e1941f6389450
SHA-256: a9f3a4b49e2568b670cf56e7400f8a645e5fda375bb5aff79fc0772326e26f8e
Size: 11.18 MB
- kernel-tools-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: 85879b343fb70d218170fa12f119bc94
SHA-256: 537f2537690f2489c93f28779e7c1efe1f1f497e306af62d014a59cb15f6aba2
Size: 10.71 MB
- kernel-tools-libs-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: a2720f11bda572d6b3546c5fa00aedc9
SHA-256: c816fea2ce62fd25f67dfdda9d585da54afef83b88ce1d69a1333776705d7b4a
Size: 10.50 MB
- kernel-tools-libs-devel-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: eff8f9b66dfe90f8d4f5d0f44ec9d4d2
SHA-256: 47b1c42d843b28ae3366ab3d96a22f1e8794f6c5f5871f02bf8c5c5453ded9a4
Size: 10.49 MB
- perf-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: 0ba9962ba39f3c17b03ddec6ea24112c
SHA-256: 3e9dc1866beb48a9f2c02950cf7f2703afccdc72ab744262e25616d8da0b2f5a
Size: 12.81 MB
- python3-perf-4.18.0-553.60.1.el8_10.x86_64.rpm
MD5: 250679bc8e005acfb479dfa2e1452d42
SHA-256: 8fc9628cfb43d0bd193d4ca551874832fbe55be2872537924881f6040648da61
Size: 10.62 MB