kernel-4.18.0-553.63.1.el8_10

エラータID: AXSA:2025-10602:47

リリース日: 
2025/07/25 Friday - 18:49
題名: 
kernel-4.18.0-553.63.1.el8_10
影響のあるチャネル: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

以下項目について対処しました。

[Security Fix]
- net/ipv4/inet_connection_sock.c には、レースコンディションに
起因するメモリ領域の解放後利用の問題があるため、ローカルの攻撃者
により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2024-50154)

- kernel の CH9200 USB Ethernet ドライバには、データの初期化処理
が欠落しているため、ローカルの攻撃者により、情報の漏洩、データ破壊、
およびサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2025-38086)

解決策: 

パッケージをアップデートしてください。

CVE: 
CVE-2024-50154
In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). """ We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it. """ The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not to call del_timer_sync() from reqsk_timer_handler(), but it introduced a small race window. Before the timer is called, expire_timers() calls detach_timer(timer, true) to clear timer->entry.pprev and marks it as not pending. If reqsk_queue_unlink() checks timer_pending() just after expire_timers() calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will continue running and send multiple SYN+ACKs until it expires. The reported UAF could happen if req->sk is close()d earlier than the timer expiration, which is 63s by default. The scenario would be 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed 2. reqsk timer is executed and scheduled again 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but reqsk timer still has another one, and inet_csk_accept() does not clear req->sk for non-TFO sockets 4. sk is close()d 5. reqsk timer is executed again, and BPF touches req->sk Let's not use timer_pending() by passing the caller context to __inet_csk_reqsk_queue_drop(). Note that reqsk timer is pinned, so the issue does not happen in most use cases. [1] [0] BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 Use-after-free read at 0x00000000a891fb3a (in kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 allocated by task 0 on cpu 9 at 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb freed by task 0 on cpu 9 at 260507.927527s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb
CVE-2025-38086
In the Linux kernel, the following vulnerability has been resolved: net: ch9200: fix uninitialised access during mii_nway_restart In mii_nway_restart() the code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer called "buff", which is initialised with control_read(). However "buff" is conditionally initialised inside control_read(): if (err == size) { memcpy(data, buf, size); } If the condition of "err == size" is not met, then "buff" remains uninitialised. Once this happens the uninitialised "buff" is accessed and returned during ch9200_mdio_read(): return (buff[0] | buff[1] << 8); The problem stems from the fact that ch9200_mdio_read() ignores the return value of control_read(), leading to uinit-access of "buff". To fix this we should check the return value of control_read() and return early on error.
追加情報: 

N/A

ダウンロード: 

SRPMS
  1. kernel-4.18.0-553.63.1.el8_10.src.rpm
    MD5: 39ec707014ba70572d4af73f9a54ac83
    SHA-256: b9ebc97e73f6c93104d17370dc3f21f1c9acf44d5d7fdf43b0915c671e1b4a0e
    Size: 132.25 MB

Asianux Server 8 for x86_64
  1. bpftool-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: 3d389e49d1c1fa4599b87ef67d671d82
    SHA-256: 7493524af76300018f54d08eb012177f09792ee54505754082da215e774930ce
    Size: 11.22 MB
  2. kernel-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: d1ceb95a4477616b511f07a021a86556
    SHA-256: aba76d57df4c13abf48fd360b7aae3e1abe4bf23ba6678c06ac5a0d0ca258ada
    Size: 10.50 MB
  3. kernel-abi-stablelists-4.18.0-553.63.1.el8_10.noarch.rpm
    MD5: f72b536e33384aa71152f76800d1e15a
    SHA-256: 50e696770546da51d290f4de4e179c30865ae69d9e6cbffaaa806590d8aac4ed
    Size: 10.51 MB
  4. kernel-core-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: 82f806850d289ebeb20577beda64df26
    SHA-256: 6ce3e8d12c72622a5ad4e74f5cf2f80c29a12ca5e77c2aaa21c923953ad4b8d2
    Size: 43.52 MB
  5. kernel-cross-headers-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: 8eac55a28725e6feddf431056828f043
    SHA-256: 34d29a356f642219f67a08eaea73018e56772899bdac4ffce25e121dd7a639dd
    Size: 15.84 MB
  6. kernel-debug-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: bae2f33bc3d48fde32900d6a7412f72e
    SHA-256: 5bada91aebef72741d0b9ceef3ed784883e2e27e9835549e4db8b4b817264f01
    Size: 10.50 MB
  7. kernel-debug-core-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: c8ee51a9ff4c1312e19f29ec3c12c9a1
    SHA-256: e80365482e631cf0d4073d211185afc7a26cf7f5b9eb9bcaf25d1d1d2c2d9e42
    Size: 72.80 MB
  8. kernel-debug-devel-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: 4bb7b11d215a06ee6ebbb62a2afd218a
    SHA-256: 2bf8a40cf3471acf95f00b7b9f7906579d9830736a5aa5dc3234cce0c4f8697d
    Size: 24.33 MB
  9. kernel-debug-modules-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: f238cac4791fa78f660cea43783769ca
    SHA-256: 8c86dfda6cb29dc2eb3a48572aaab880387ada927d2f9acaa9fd5f21056c39c0
    Size: 65.91 MB
  10. kernel-debug-modules-extra-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: c900f0d5ddb79195b078f75fbf9c8587
    SHA-256: 80038fc4233c02e900bef8a7c82bf6eb4ac8b0991663139c3def8dfee89abc86
    Size: 11.87 MB
  11. kernel-devel-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: cdb8352e30f1503368c7c6d797771f8e
    SHA-256: c19b49a39efff766947159f42031af633e27ca97e229c1c2c4b4d06722ba08e7
    Size: 24.13 MB
  12. kernel-doc-4.18.0-553.63.1.el8_10.noarch.rpm
    MD5: d3b21f20d6980bb32e1e6dcfbcbe8574
    SHA-256: 64cc3ceb978f1d53aaf16d573600276ce538b39ef5f6f606ede9e5335323c7a5
    Size: 28.36 MB
  13. kernel-headers-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: afae6a605e56a55824594b4fc1b09791
    SHA-256: d65ddec530bfac21bc512a77888963b86245ba8dddb3255e8278e6846b61f0fa
    Size: 11.85 MB
  14. kernel-modules-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: 24edb0e17f9f74305854412ceb25bcea
    SHA-256: 4d9fb927909bc6fe951fae994b61bdf71b02118e58b52d290fd155a34ce8cb2e
    Size: 36.32 MB
  15. kernel-modules-extra-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: bd64ced78e8db2896f3298caed94cde3
    SHA-256: d6962e0ce4eb5a85f76a28fb700f74400aa32897db16c9f2f3d4a8c3df32db8a
    Size: 11.18 MB
  16. kernel-tools-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: 018cbcaf9a1f2a01e9e64e98dcdabf56
    SHA-256: 6777189b6a1164490d7000ac7596515ab38f8816be9d86c3d828f5798450ab42
    Size: 10.72 MB
  17. kernel-tools-libs-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: f027a58d06305cdb722e185b6ba677da
    SHA-256: d1b9a85990edf504cda42d13eece807ace9689581aca0f1f409a6839772d3ed5
    Size: 10.51 MB
  18. kernel-tools-libs-devel-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: bbc6d972f76c0e00774d2364c083f782
    SHA-256: 67247c9d784c6978c4eb0a1576693b78bf9aba2c65f7d86873053cdc4d36262a
    Size: 10.50 MB
  19. perf-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: 54cd4cedc7165ba327198cc86be4ae43
    SHA-256: 141f8d22bda9b31d7f7d428a6fd67c51a60cfb9127569734a9af977bd04f6754
    Size: 12.82 MB
  20. python3-perf-4.18.0-553.63.1.el8_10.x86_64.rpm
    MD5: 69830b506aa104ae8c329452977c484e
    SHA-256: dc12dba07c8f6192126efdcb220e38d30a56f41b68643318c6e1730ad5763200
    Size: 10.62 MB