kernel-4.18.0-553.64.1.el8_10
Errata ID: AXSA:2025-10660:50
Release date:
2025/07/31 Thursday - 16:01
Title:
kernel-4.18.0-553.64.1.el8_10
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
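The following issues have been addressed.
[Security Fix]
- The kernel's ftrace implementation has a NULL pointer dereference issue, which creates a vulnerability allowing a local attacker to cause information disclosure, data corruption, and denial of service. (CVE-2022-49977)
- The kernel's iwlwifi driver has an out-of-bounds memory read issue, which creates a vulnerability allowing a local attacker to cause information disclosure and denial of service. (CVE-2025-21905)
- The kernel's scheduler implementation has an out-of-bounds memory write issue, which creates a vulnerability allowing a local attacker to cause information disclosure, data corruption, and denial of service. (CVE-2025-21919)
Solution:
Update the packages.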
CVE:
CVE-2022-49977
In the Linux kernel, the following vulnerability has been resolved:

ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead

ftrace_startup does not remove ops from ftrace_ops_list when ftrace_startup_enable fails:

    register_ftrace_function
      ftrace_startup
        __register_ftrace_function
          ...
          add_ftrace_ops(&ftrace_ops_list, ops)
          ...
        ...
        ftrace_startup_enable // if ftrace failed to modify, ftrace_disabled is set to 1
        ...
      return 0 // ops is in the ftrace_ops_list.

When ftrace_disabled = 1, unregister_ftrace_function simply returns without doing anything:

    unregister_ftrace_function
      ftrace_shutdown
        if (unlikely(ftrace_disabled))
                return -ENODEV; // return here, __unregister_ftrace_function is not executed,
                                // as a result, ops is still in the ftrace_ops_list
        __unregister_ftrace_function
        ...

If ops is dynamically allocated, it will be free later, in this case, is_ftrace_trampoline accesses NULL pointer:

    is_ftrace_trampoline
      ftrace_ops_trampoline
        do_for_each_ftrace_op(op, ftrace_ops_list) // OOPS! op may be NULL!

Syzkaller reports as follows:

    [ 1203.506103] BUG: kernel NULL pointer dereference, address: 000000000000010b
    [ 1203.508039] #PF: supervisor read access in kernel mode
    [ 1203.508798] #PF: error_code(0x0000) - not-present page
    [ 1203.509558] PGD 800000011660b067 P4D 800000011660b067 PUD 130fb8067 PMD 0
    [ 1203.510560] Oops: 0000 [#1] SMP KASAN PTI
    [ 1203.511189] CPU: 6 PID: 29532 Comm: syz-executor.2 Tainted: G B W 5.10.0 #8
    [ 1203.512324] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
    [ 1203.513895] RIP: 0010:is_ftrace_trampoline+0x26/0xb0
    [ 1203.514644] Code: ff eb d3 90 41 55 41 54 49 89 fc 55 53 e8 f2 00 fd ff 48 8b 1d 3b 35 5d 03 e8 e6 00 fd ff 48 8d bb 90 00 00 00 e8 2a 81 26 00 <48> 8b ab 90 00 00 00 48 85 ed 74 1d e8 c9 00 fd ff 48 8d bb 98 00
    [ 1203.518838] RSP: 0018:ffffc900012cf960 EFLAGS: 00010246
    [ 1203.520092] RAX: 0000000000000000 RBX: 000000000000007b RCX: ffffffff8a331866
    [ 1203.521469] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 000000000000010b
    [ 1203.522583] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8df18b07
    [ 1203.523550] R10: fffffbfff1be3160 R11: 0000000000000001 R12: 0000000000478399
    [ 1203.524596] R13: 0000000000000000 R14: ffff888145088000 R15: 0000000000000008
    [ 1203.525634] FS: 00007f429f5f4700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
    [ 1203.526801] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 1203.527626] CR2: 000000000000010b CR3: 0000000170e1e001 CR4: 00000000003706e0
    [ 1203.528611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [ 1203.529605] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Therefore, when ftrace_startup_enable fails, we need to rollback registration process and remove ops from ftrace_ops_list.
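
The register/unregister sequence from the CVE-2022-49977 description, reduced to a user-space C model. This is an added example, not kernel code and not part of the advisory; `register_ops`, `unregister_ops`, `tracer_disabled` and the `rollback` switch are hypothetical stand-ins for the kernel symbols named in the text.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* User-space model; names are stand-ins for the kernel symbols in the text. */
struct ops { struct ops *next; };
static struct ops *ops_list;      /* models ftrace_ops_list */
static bool tracer_disabled;      /* models ftrace_disabled */

static void list_remove(struct ops *o) {
    for (struct ops **pp = &ops_list; *pp; pp = &(*pp)->next)
        if (*pp == o) { *pp = o->next; return; }
}

static bool list_contains(const struct ops *o) {
    for (const struct ops *p = ops_list; p; p = p->next)
        if (p == o) return true;
    return false;
}

/* enable_ok models the outcome of ftrace_startup_enable. */
static int register_ops(struct ops *o, bool enable_ok, bool rollback) {
    o->next = ops_list;           /* add_ftrace_ops() */
    ops_list = o;
    if (!enable_ok)
        tracer_disabled = true;
    if (tracer_disabled && rollback) {
        list_remove(o);           /* fix: unlink before reporting failure */
        return -ENODEV;
    }
    return 0;                     /* pre-fix: success even though enable failed */
}

static int unregister_ops(struct ops *o) {
    if (tracer_disabled)
        return -ENODEV;           /* early return: o is never unlinked */
    list_remove(o);
    return 0;
}

int main(void) {
    struct ops a = { NULL }, b = { NULL };
    int rc_a = register_ops(&a, false, false);   /* pre-fix behaviour */
    unregister_ops(&a);
    int rc_b = register_ops(&b, false, true);    /* with the rollback */
    printf("a: rc=%d listed=%d  b: rc=%d listed=%d\n",
           rc_a, list_contains(&a), rc_b, list_contains(&b));
    return 0;
}
```

In the pre-fix path the caller sees success, later gets `-ENODEV` from unregister, and frees an object the list still references; with the rollback the entry is gone before the error is returned.
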
CVE-2025-21905
In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: limit printed string from FW file

There's no guarantee here that the file is always with a NUL-termination, so reading the string may read beyond the end of the TLV. If that's the last TLV in the file, it can perhaps even read beyond the end of the file buffer.

Fix that by limiting the print format to the size of the buffer we have.
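
The bounded-print idea from the CVE-2025-21905 description, shown on a small TLV parser in user-space C. This is an added example, not the iwlwifi driver's code; the TLV layout, `tlv_at` and `format_tlv_string` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed TLV layout for this example: 4-byte type and 4-byte length
 * (little-endian), then `len` payload bytes with no terminator required. */
struct tlv_view { uint32_t type, len; const uint8_t *data; };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Locate the TLV at offset `off`; -1 if header or payload overruns the file. */
static int tlv_at(const uint8_t *buf, size_t size, size_t off, struct tlv_view *out) {
    if (off > size || size - off < 8)
        return -1;
    out->type = rd_le32(buf + off);
    out->len = rd_le32(buf + off + 4);
    if (out->len > size - off - 8)
        return -1;
    out->data = buf + off + 8;
    return 0;
}

/* Bounded replacement for a bare "%s": the precision caps how many bytes
 * are read, so a missing NUL cannot pull in data from beyond the TLV. */
static int format_tlv_string(const struct tlv_view *t, char *dst, size_t dst_size) {
    size_t n = t->len < dst_size ? t->len : dst_size;
    return snprintf(dst, dst_size, "fw string: %.*s", (int)n, (const char *)t->data);
}

int main(void) {
    /* Constructed sample: "ABCD" without a NUL, followed directly by the
     * next TLV, which is what a bare "%s" would run into. */
    const uint8_t fw[] = { 1,0,0,0, 4,0,0,0, 'A','B','C','D',
                           2,0,0,0, 2,0,0,0, 'Z','Z' };
    struct tlv_view t;
    char line[64];
    if (tlv_at(fw, sizeof(fw), 0, &t) == 0 &&
        format_tlv_string(&t, line, sizeof(line)) > 0)
        puts(line);
    return 0;
}
```
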
CVE-2025-21919
In the Linux kernel, the following vulnerability has been resolved:

sched/fair: Fix potential memory corruption in child_cfs_rq_on_list

child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq. This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list, making the conversion invalid and potentially leading to memory corruption. Depending on the relative positions of leaf_cfs_rq_list and the task group (tg) pointer within the struct, this can cause a memory fault or access garbage data.

The issue arises in list_add_leaf_cfs_rq, where both cfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same leaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list.

This adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main conditional in child_cfs_rq_on_list. This ensures that the container_of operation will convert a correct cfs_rq struct.

This check is sufficient because only cfs_rqs on the same CPU are added to the list, so verifying the 'prev' pointer against the current rq's list head is enough.

Fixes a potential memory corruption issue that due to current struct layout might not be manifesting as a crash but could lead to unpredictable behavior when the layout changes.
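
The list-head check from the CVE-2025-21919 description, modelled in user-space C. This is an added example, not the kernel's scheduler code; the structs are cut down to the fields the text mentions, and their layout and the `rq` back-pointer are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space stand-ins for the kernel structures named above. */
struct list_head { struct list_head *next, *prev; };
struct task_group { struct task_group *parent; };
struct rq { struct list_head leaf_cfs_rq_list, *tmp_alone_branch; };
struct cfs_rq {
    struct task_group *tg;
    struct rq *rq;
    bool on_list;
    struct list_head leaf_cfs_rq_list;   /* node linked into rq's leaf list */
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void list_add_tail(struct list_head *node, struct list_head *head) {
    node->prev = head->prev;
    node->next = head;
    head->prev->next = node;
    head->prev = node;
}

/* Model of the check described in the advisory: compare `prev` with the
 * rq's list head before converting it with container_of(). */
static bool child_cfs_rq_on_list(struct cfs_rq *cfs_rq) {
    struct rq *rq = cfs_rq->rq;
    struct list_head *prev = cfs_rq->on_list ? cfs_rq->leaf_cfs_rq_list.prev
                                             : rq->tmp_alone_branch;
    if (prev == &rq->leaf_cfs_rq_list)
        return false;        /* head lives in struct rq: nothing to convert */
    struct cfs_rq *prev_cfs_rq = container_of(prev, struct cfs_rq, leaf_cfs_rq_list);
    return prev_cfs_rq->tg->parent == cfs_rq->tg;
}

int main(void) {
    struct task_group root = { NULL }, kid = { &root };
    struct rq rq = { { &rq.leaf_cfs_rq_list, &rq.leaf_cfs_rq_list }, &rq.leaf_cfs_rq_list };
    struct cfs_rq child = { &kid, &rq, true, { NULL, NULL } }, parent = { &root, &rq, true, { NULL, NULL } };
    list_add_tail(&child.leaf_cfs_rq_list, &rq.leaf_cfs_rq_list);    /* head, child */
    list_add_tail(&parent.leaf_cfs_rq_list, &rq.leaf_cfs_rq_list);   /* head, child, parent */
    printf("child: %d parent: %d\n", child_cfs_rq_on_list(&child), child_cfs_rq_on_list(&parent));
    return 0;
}
```

Without the comparison, the first list entry's `prev` (the head embedded in `struct rq`) would be treated as a `cfs_rq` and its `tg` read from unrelated memory.
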
Additional information:
N/A
Downloads:
SRPMS
- kernel-4.18.0-553.64.1.el8_10.src.rpm
MD5: 337c121546316fbe95a2318b0d17a74c
SHA-256: a67185be429c497882345a35b030d72da0176e9495e4d7ef2b2e008e9537d22a
Size: 132.25 MB
Asianux Server 8 for x86_64
- bpftool-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: 1ef30c45ee55b80db063bb50f9d04d1b
SHA-256: bb309717add4c822e9b6a52ff3e7c482020183126e4e29b54786fb47fdbc4a06
Size: 11.22 MB
- kernel-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: 3ea127d789c5075c27fb57538430038f
SHA-256: 33d29f4f2f29ad0b611438f5f3192f6641ed978434859f476dc20c078be7ec01
Size: 10.50 MB
- kernel-abi-stablelists-4.18.0-553.64.1.el8_10.noarch.rpm
MD5: 2b31a8a40df3f00f8bfc467f22a8fa82
SHA-256: d45542ca74c745cabf2a5b09c053ddd1fddfaafa51435cdb7917672c2b59e424
Size: 10.51 MB
- kernel-core-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: d3fa183c20a0591be4e2839e9b850753
SHA-256: 3a2475bce2899ec20f6e0346c2f528b546e7148e3e02499c789d21bf70c01911
Size: 43.53 MB
- kernel-cross-headers-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: 90317d8838df780991e776481db477c8
SHA-256: fa08afa8fbbc7effb717eb416309c199fb3b3414ec26a7db0f75d1a2536334b2
Size: 15.84 MB
- kernel-debug-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: 9ebe384fd895bca72ede1897fcd3e559
SHA-256: ea5a757bc7734708e024bd37fca065460247a4b4dc0d4b026d9c6020ca2252ad
Size: 10.50 MB
- kernel-debug-core-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: 5dac4b8f24ad2c7efa4cbd4414445781
SHA-256: 4fa693ce086276c1c221df51ee081e9db47a6d451c137a342cb49f0cc3fd3368
Size: 72.82 MB
- kernel-debug-devel-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: 7375ac35e2759945042cc7abf7881a21
SHA-256: 2af831d8017e5bc24ec4c07177cd581f87e6708b859d2e46e07ba3b5b4d190ea
Size: 24.33 MB
- kernel-debug-modules-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: 8bfca6521262ad0db31b15fc3c7fe3e8
SHA-256: 66a71f16bf0367ecaeed14e93961e8efdf4db3913b45672092ab4bde257010ac
Size: 65.94 MB
- kernel-debug-modules-extra-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: 7f86e9556d81ba449d5cbeeb16f1bcfd
SHA-256: 735abc8f5ec51a5b654ba900e5b7cfd6ec01c191fd9644f1ab48f3ecae5519a1
Size: 11.87 MB
- kernel-devel-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: 861a649dbb38395d691228394e088a00
SHA-256: 8f33f2533781cc10ce94286c900d204d272aa3a83d8057ff1ce0bee037e3d73d
Size: 24.13 MB
- kernel-doc-4.18.0-553.64.1.el8_10.noarch.rpm
MD5: 22f9f2236587548322023201b03e6de7
SHA-256: 415bf09820607c2b7b62773910d882435a12ff93be888e190e45c955efb3cb52
Size: 28.36 MB
- kernel-headers-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: 658cc19e8463e18a0c607db0e7d981a1
SHA-256: 19a530ac465d41cba07343719e9850777e34dd4c725c84d9cf99270cf7cade40
Size: 11.85 MB
- kernel-modules-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: 127eff77b80f7482dcaf8ec6b27ac6a1
SHA-256: 6bc7edea8a3cd9e7aebab0de38265b8758646cc9f93454616b1d2c508bdb22be
Size: 36.32 MB
- kernel-modules-extra-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: 3ed3a60f6c3a2b5ac9fe03103b0bf4c1
SHA-256: 752974db2ee213235fe4f082a2e703f9068623478c8d7a3801af1100a42d7f8c
Size: 11.19 MB
- kernel-tools-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: 71cd78f4951760a49113089dda8fe545
SHA-256: 6fd3d3d07c3db6a5b8d1ff3e103bfa1cf5a3928a9b6308b74ac095649a188c7e
Size: 10.72 MB
- kernel-tools-libs-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: a54b2a3b156e8e33bd8700cf829cf8b7
SHA-256: e880e6e7022895f445d87308002d98bc6ebdf7659856c03bcb8d58a0e3abd57a
Size: 10.51 MB
- kernel-tools-libs-devel-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: 72983e1a1773b14f230245ca465a4b73
SHA-256: 823a5aa542a3641ddb26dc1315de9b7026fb2f20cf023b4131d3de571c6c431c
Size: 10.50 MB
- perf-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: a98d82c48ce45ca75e35e9c194b6fd96
SHA-256: 5a92f1689617c5f1a5091a8ace2aee25bcce8c0bb51e98a45ccb92e667bcb467
Size: 12.82 MB
- python3-perf-4.18.0-553.64.1.el8_10.x86_64.rpm
MD5: 8f92b6d2e6876d0d598eb30724346a44
SHA-256: df5b2ade2acad70ea38ce12d48c2d97c29461bd9bc3cebbae0aba6713ddb6c34
Size: 10.62 MB