kernel-4.18.0-553.62.1.el8_10

エラータID: AXSA:2025-10540:44

リリース日: 
2025/07/22 Tuesday - 16:55
題名: 
kernel-4.18.0-553.62.1.el8_10
影響のあるチャネル: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: cifs: potential buffer overflow in handling symlinks (CVE-2022-49058)
* kernel: media: uvcvideo: Remove dangling pointers (CVE-2024-58002)
* kernel: media: uvcvideo: Fix double free in error path (CVE-2024-57980)
* kernel: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes (CVE-2025-21991)
* kernel: net: atm: fix use after free in lec_send() (CVE-2025-22004)
* kernel: ext4: fix off-by-one error in do_split (CVE-2025-23150)
* kernel: ext4: ignore xattrs past end (CVE-2025-37738)
* kernel: misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram() (CVE-2022-49788)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-49058
In the Linux kernel, the following vulnerability has been resolved: cifs: potential buffer overflow in handling symlinks Smatch printed a warning: arch/x86/crypto/poly1305_glue.c:198 poly1305_update_arch() error: __memcpy() 'dctx->buf' too small (16 vs u32max) It's caused because Smatch marks 'link_len' as untrusted since it comes from sscanf(). Add a check to ensure that 'link_len' is not larger than the size of the 'link_str' buffer.
CVE-2022-49788
In the Linux kernel, the following vulnerability has been resolved: misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram() `struct vmci_event_qp` allocated by qp_notify_peer() contains padding, which may carry uninitialized data to the userspace, as observed by KMSAN: BUG: KMSAN: kernel-infoleak in instrument_copy_to_user ./include/linux/instrumented.h:121 instrument_copy_to_user ./include/linux/instrumented.h:121 _copy_to_user+0x5f/0xb0 lib/usercopy.c:33 copy_to_user ./include/linux/uaccess.h:169 vmci_host_do_receive_datagram drivers/misc/vmw_vmci/vmci_host.c:431 vmci_host_unlocked_ioctl+0x33d/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:925 vfs_ioctl fs/ioctl.c:51 ... Uninit was stored to memory at: kmemdup+0x74/0xb0 mm/util.c:131 dg_dispatch_as_host drivers/misc/vmw_vmci/vmci_datagram.c:271 vmci_datagram_dispatch+0x4f8/0xfc0 drivers/misc/vmw_vmci/vmci_datagram.c:339 qp_notify_peer+0x19a/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1479 qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662 qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750 vmci_qp_broker_alloc+0x96/0xd0 drivers/misc/vmw_vmci/vmci_queue_pair.c:1940 vmci_host_do_alloc_queuepair drivers/misc/vmw_vmci/vmci_host.c:488 vmci_host_unlocked_ioctl+0x24fd/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:927 ... Local variable ev created at: qp_notify_peer+0x54/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1456 qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662 qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750 Bytes 28-31 of 48 are uninitialized Memory access of size 48 starts at ffff888035155e00 Data copied to user address 0000000020000100 Use memset() to prevent the infoleaks. Also speculatively fix qp_notify_peer_local(), which may suffer from the same problem.
CVE-2024-57980
In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix double free in error path If the uvc_status_init() function fails to allocate the int_urb, it will free the dev->status pointer but doesn't reset the pointer to NULL. This results in the kfree() call in uvc_status_cleanup() trying to double-free the memory. Fix it by resetting the dev->status pointer to NULL after freeing it. Reviewed by: Ricardo Ribalda
CVE-2024-58002
In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Remove dangling pointers When an async control is written, we copy a pointer to the file handle that started the operation. That pointer will be used when the device is done. Which could be anytime in the future. If the user closes that file descriptor, its structure will be freed, and there will be one dangling pointer per pending async control, that the driver will try to use. Clean all the dangling pointers during release(). To avoid adding a performance penalty in the most common case (no async operation), a counter has been introduced with some logic to make sure that it is properly handled.
CVE-2025-21991
In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't have a "first CPU". On a machine with far memory (and therefore CPU-less NUMA nodes): - cpumask_of_node(nid) is 0 - cpumask_first(0) is CONFIG_NR_CPUS - cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds This does not have any security implications since flashing microcode is a privileged operation but I believe this has reliability implications by potentially corrupting memory while flashing a microcode update. When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes a microcode update. I get the following splat: UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y index 512 is out of range for type 'unsigned long[512]' [...] Call Trace: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Change the loop to go over only NUMA nodes which have CPUs before determining whether the first CPU on the respective node needs microcode update. [ bp: Massage commit message, fix typo. ]
CVE-2025-22004
In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free.
CVE-2025-23150
In the Linux kernel, the following vulnerability has been resolved: ext4: fix off-by-one error in do_split Syzkaller detected a use-after-free issue in ext4_insert_dentry that was caused by out-of-bounds access due to incorrect splitting in do_split. BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847 CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154 make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455 ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796 ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431 vfs_symlink+0x137/0x2e0 fs/namei.c:4615 do_symlinkat+0x222/0x3a0 fs/namei.c:4641 __do_sys_symlink fs/namei.c:4662 [inline] __se_sys_symlink fs/namei.c:4660 [inline] __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The following loop is located right above 'if' statement. for (i = count-1; i >= 0; i--) { /* is more than half of this entry in 2nd half of the block? */ if (size + map[i].size/2 > blocksize/2) break; size += map[i].size; move++; } 'i' in this case could go down to -1, in which case sum of active entries wouldn't exceed half the block size, but previous behaviour would also do split in half if sum would exceed at the very last block, which in case of having too many long name files in a single block could lead to out-of-bounds access and following use-after-free. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
CVE-2025-37738
In the Linux kernel, the following vulnerability has been resolved: ext4: ignore xattrs past end Once inside 'ext4_xattr_inode_dec_ref_all' we should ignore xattrs entries past the 'end' entry. This fixes the following KASAN reported issue: ================================================================== BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 Read of size 4 at addr ffff888012c120c4 by task repro/2065 CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x1fd/0x300 ? tcp_gro_dev_warn+0x260/0x260 ? _printk+0xc0/0x100 ? read_lock_is_recursive+0x10/0x10 ? irq_work_queue+0x72/0xf0 ? __virt_addr_valid+0x17b/0x4b0 print_address_description+0x78/0x390 print_report+0x107/0x1f0 ? __virt_addr_valid+0x17b/0x4b0 ? __virt_addr_valid+0x3ff/0x4b0 ? __phys_addr+0xb5/0x160 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 kasan_report+0xcc/0x100 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 ? ext4_xattr_delete_inode+0xd30/0xd30 ? __ext4_journal_ensure_credits+0x5f0/0x5f0 ? __ext4_journal_ensure_credits+0x2b/0x5f0 ? inode_update_timestamps+0x410/0x410 ext4_xattr_delete_inode+0xb64/0xd30 ? ext4_truncate+0xb70/0xdc0 ? ext4_expand_extra_isize_ea+0x1d20/0x1d20 ? __ext4_mark_inode_dirty+0x670/0x670 ? ext4_journal_check_start+0x16f/0x240 ? ext4_inode_is_fast_symlink+0x2f2/0x3a0 ext4_evict_inode+0xc8c/0xff0 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0 ? do_raw_spin_unlock+0x53/0x8a0 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0 evict+0x4ac/0x950 ? proc_nr_inodes+0x310/0x310 ? trace_ext4_drop_inode+0xa2/0x220 ? _raw_spin_unlock+0x1a/0x30 ? iput+0x4cb/0x7e0 do_unlinkat+0x495/0x7c0 ? try_break_deleg+0x120/0x120 ? 0xffffffff81000000 ? __check_object_size+0x15a/0x210 ? strncpy_from_user+0x13e/0x250 ? getname_flags+0x1dc/0x530 __x64_sys_unlinkat+0xc8/0xf0 do_syscall_64+0x65/0x110 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x434ffd Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8 RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107 RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005 RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001 The buggy address belongs to the object at ffff888012c12000 which belongs to the cache filp of size 360 The buggy address is located 196 bytes inside of freed 360-byte region [ffff888012c12000, ffff888012c12168) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x40(head|node=0|zone=0) page_type: f5(slab) raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004 raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004 head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000 head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ffff888012c12180: fc fc fc fc fc fc fc fc fc ---truncated---

解決策: 

Update packages.

追加情報: 

N/A

ダウンロード: 

SRPMS
  1. kernel-4.18.0-553.62.1.el8_10.src.rpm
    MD5: b08904711bdd840e16d3823333dabeed
    SHA-256: a598c461fbb4788fa0c6b50c48a5ae2a8532dddc63231068dabc4b1d13bdde02
    Size: 132.24 MB

Asianux Server 8 for x86_64
  1. bpftool-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: 660146f3d812beec40aed310123de6d5
    SHA-256: f697111a476af97527e83d7818bc93173b6938dde50a62965dea05b34a89ea87
    Size: 11.22 MB
  2. kernel-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: 9c3a2520150339915a6ac2a1a6acd763
    SHA-256: c202dc88285e24a577ef6eb9534426696e1a8225d18ebd21b7885f02eae7b5fb
    Size: 10.50 MB
  3. kernel-abi-stablelists-4.18.0-553.62.1.el8_10.noarch.rpm
    MD5: 8daf0fc8d12a8421062585c8b365e149
    SHA-256: 539846ba672f0403ee8c19556946aefe5722293ddae79c6edd67baf67385454e
    Size: 10.51 MB
  4. kernel-core-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: c367b86a945cfe7a64b7a582b4c31369
    SHA-256: ddc07bf02f01ea096ec90f167f5356c8864ec88a0ba0250a6b60c511e38c707b
    Size: 43.52 MB
  5. kernel-cross-headers-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: c542891806efd9363b0c7cfba04e6340
    SHA-256: 547d5fc5c4ba9c6a280cbb37db2fa46efab29f49250dcc1f66598c4e46ca80d3
    Size: 15.84 MB
  6. kernel-debug-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: 12d7947fdb504017e0b338bd1c1a51e4
    SHA-256: 22270997305134bbbb37a7e9dec78600c5d273099623d6a4ef4afbf17412751c
    Size: 10.49 MB
  7. kernel-debug-core-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: b88f4b8c36273557ee2bda961f7fa448
    SHA-256: 48152ae652242a080f47eab08dc976fce36bc8231ff89fb39a70cdf11b7fa555
    Size: 72.81 MB
  8. kernel-debug-devel-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: 62e7a504c0f59573c6dd18c977cd5f30
    SHA-256: 808656128a8b63325a9256bc235a001110facaa3dbce5fae8bd6b4c099919e7a
    Size: 24.33 MB
  9. kernel-debug-modules-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: 628983353ae5aa910dc446792e2436a9
    SHA-256: 69f1ea1f10974f383ceeb74b0ce10360155a6cb1360975843f0a1b5ee22a2f98
    Size: 65.92 MB
  10. kernel-debug-modules-extra-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: 50a5609b1755dd1a1cfeba1449546c92
    SHA-256: 8547b6ad595d6e72e312091909c21b40bd0014c84f2a0bbcafa92eaf50360e5d
    Size: 11.87 MB
  11. kernel-devel-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: 75d7e84e2656adf1c42aa6f766c82bde
    SHA-256: 0a6297b5c1d7495fcb5591c229204f4a70d0ae1361e4a0ed86c8073517a95f9d
    Size: 24.13 MB
  12. kernel-doc-4.18.0-553.62.1.el8_10.noarch.rpm
    MD5: 17a95d0d26b3c0c9f2417d0c29275002
    SHA-256: fc617c7ae67348ef8107f092f38bf880ff08cb3eb44e93e2137655ef1dfbe545
    Size: 28.36 MB
  13. kernel-headers-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: e3048ac34915d89898389f8ed93c1556
    SHA-256: b1ad4e77c37428dd323fe73a126bd0226f957235eb6cf8e79c0992b83781be2e
    Size: 11.85 MB
  14. kernel-modules-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: 13c5008f98929c446dd189555db834df
    SHA-256: 8b91087a4cd06dca4636427ba190699a4de3dae9fbcbad9077694aa56547b688
    Size: 36.32 MB
  15. kernel-modules-extra-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: 2b3f946dce6e7fd7a14d7f222356c8ca
    SHA-256: 810916c8d8c2adc2e867f2fd8e4705c18409bb9647d0201644484fc6bad99bcb
    Size: 11.18 MB
  16. kernel-tools-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: 577846a204707b13ddb762c7a56d69ad
    SHA-256: 529e11f366741ff50530739ea31db9e362934cc4ceb9d8c9be80c034cf777fae
    Size: 10.71 MB
  17. kernel-tools-libs-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: 8c0208219a2adbd3997e4cacde7d0443
    SHA-256: f380fcb7f4e0aa8ffaae8422df911e5cfd051bce67731fd9ae362963abd763b1
    Size: 10.50 MB
  18. kernel-tools-libs-devel-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: cf70bb00daf7c0e8224cd96a85f869cd
    SHA-256: 2425c17f30401c4cac964e838a441961be770b80283f3075fd06012e80259732
    Size: 10.50 MB
  19. perf-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: a695cd2bced1f037cead3d7c08a6d25e
    SHA-256: 24d4252d8e4a28f683574df6b6ea7c2f4a13755acb3d0c05755daea131f542c5
    Size: 12.81 MB
  20. python3-perf-4.18.0-553.62.1.el8_10.x86_64.rpm
    MD5: c80eac6cb0acf9e3ce674ba2ad7c800d
    SHA-256: 91cb939e7ca51b83e5d31979dec52c981cb19121ed0cd4e1c5eb0530e2177a7b
    Size: 10.62 MB