kernel-5.14.0-570.30.1.el9_6
エラータID: AXSA:2025-10778:57
リリース日:
2025/08/25 Monday - 09:28
題名:
kernel-5.14.0-570.30.1.el9_6
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- kernel の UVC ドライバには、メモリ領域の二重解放の問題が
あるため、ローカルの攻撃者により、サービス拒否攻撃を可能とする
脆弱性が存在します。(CVE-2024-57980)
- kernel の iwlwifi ドライバには、メモリ領域の範囲外読み取りの
問題があるため、ローカルの攻撃者により、情報の漏洩、およびサービス
拒否攻撃を可能とする脆弱性が存在します。(CVE-2025-21905)
- kernel の RDMA の実装には、メモリ領域の解放後利用の問題が
あるため、ローカルの攻撃者により、情報の漏洩、データ破壊、および
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2025-22085)
- kernel の mlx5 ドライバには、整数オーバーフローの問題が
あるため、ローカルの攻撃者により、情報の漏洩、データ破壊、および
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2025-22091)
- kernel の ext4 ドライバには、ローカルの攻撃者により、情報の
漏洩、およびサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2025-22113)
- kernel の ext4 ドライバには、メモリ領域の範囲外読み取りの問題が
あるため、ローカルの攻撃者により、情報の漏洩、およびサービス拒否
攻撃を可能とする脆弱性が存在します。(CVE-2025-22121)
- kernel の HFSC スケジューラーの実装には、メモリ領域の解放後
利用の問題があるため、ローカルの攻撃者により、情報の漏洩、データ
破壊、およびサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2025-37797)
- kernel の Huge Pages 機能には、メモリ領域の解放後利用の問題が
あるため、ローカルの攻撃者により、情報の漏洩、データ破壊、および
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2025-37958)
- kernel の CH9200 USB Ethernet ドライバには、データの初期化処理が
欠落しているため、ローカルの攻撃者により、情報の漏洩、データ破壊、
およびサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2025-38086)
- kernel の mdio_bus ドライバ には、メモリ領域の範囲外アクセスの
問題があるため、ローカルの攻撃者により、情報の漏洩、データ破壊、
およびサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2025-38110)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2024-57980
In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix double free in error path If the uvc_status_init() function fails to allocate the int_urb, it will free the dev->status pointer but doesn't reset the pointer to NULL. This results in the kfree() call in uvc_status_cleanup() trying to double-free the memory. Fix it by resetting the dev->status pointer to NULL after freeing it. Reviewed by: Ricardo Ribalda
In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix double free in error path If the uvc_status_init() function fails to allocate the int_urb, it will free the dev->status pointer but doesn't reset the pointer to NULL. This results in the kfree() call in uvc_status_cleanup() trying to double-free the memory. Fix it by resetting the dev->status pointer to NULL after freeing it. Reviewed by: Ricardo Ribalda
CVE-2025-21905
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: limit printed string from FW file There's no guarantee here that the file is always with a NUL-termination, so reading the string may read beyond the end of the TLV. If that's the last TLV in the file, it can perhaps even read beyond the end of the file buffer. Fix that by limiting the print format to the size of the buffer we have.
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: limit printed string from FW file There's no guarantee here that the file is always with a NUL-termination, so reading the string may read beyond the end of the TLV. If that's the last TLV in the file, it can perhaps even read beyond the end of the file buffer. Fix that by limiting the print format to the size of the buffer we have.
CVE-2025-22085
In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Fix use-after-free when rename device name Syzbot reported a slab-use-after-free with the following call trace: ================================================================== BUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099 Read of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025 CPU: 0 UID: 0 PID: 10025 Comm: syz.0.988 Not tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0 Hardware name: Google Compute Engine, BIOS Google 02/12/2025 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0x16e/0x5b0 mm/kasan/report.c:521 kasan_report+0x143/0x180 mm/kasan/report.c:634 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 nla_put+0xd3/0x150 lib/nlattr.c:1099 nla_put_string include/net/netlink.h:1621 [inline] fill_nldev_handle+0x16e/0x200 drivers/infiniband/core/nldev.c:265 rdma_nl_notify_event+0x561/0xef0 drivers/infiniband/core/nldev.c:2857 ib_device_notify_register+0x22/0x230 drivers/infiniband/core/device.c:1344 ib_register_device+0x1292/0x1460 drivers/infiniband/core/device.c:1460 rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540 rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550 rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212 nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:709 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:724 ____sys_sendmsg+0x53a/0x860 net/socket.c:2564 ___sys_sendmsg net/socket.c:2618 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2650 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f42d1b8d169 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 ... RSP: 002b:00007f42d2960038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f42d1da6320 RCX: 00007f42d1b8d169 RDX: 0000000000000000 RSI: 00004000000002c0 RDI: 000000000000000c RBP: 00007f42d1c0e2a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f42d1da6320 R15: 00007ffe399344a8 Allocated by task 10025: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4294 [inline] __kmalloc_node_track_caller_noprof+0x28b/0x4c0 mm/slub.c:4313 __kmemdup_nul mm/util.c:61 [inline] kstrdup+0x42/0x100 mm/util.c:81 kobject_set_name_vargs+0x61/0x120 lib/kobject.c:274 dev_set_name+0xd5/0x120 drivers/base/core.c:3468 assign_name drivers/infiniband/core/device.c:1202 [inline] ib_register_device+0x178/0x1460 drivers/infiniband/core/device.c:1384 rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540 rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550 rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212 nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x8de/0xcb0 net ---truncated---
In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Fix use-after-free when rename device name Syzbot reported a slab-use-after-free with the following call trace: ================================================================== BUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099 Read of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025 CPU: 0 UID: 0 PID: 10025 Comm: syz.0.988 Not tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0 Hardware name: Google Compute Engine, BIOS Google 02/12/2025 Call Trace:
CVE-2025-22091
In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix page_size variable overflow Change all variables storing mlx5_umem_mkc_find_best_pgsz() result to unsigned long to support values larger than 31 and avoid overflow. For example: If we try to register 4GB of memory that is contiguous in physical memory, the driver will optimize the page_size and try to use an mkey with 4GB entity size. The 'unsigned int' page_size variable will overflow to '0' and we'll hit the WARN_ON() in alloc_cacheable_mr(). WARNING: CPU: 2 PID: 1203 at drivers/infiniband/hw/mlx5/mr.c:1124 alloc_cacheable_mr+0x22/0x580 [mlx5_ib] Modules linked in: mlx5_ib mlx5_core bonding ip6_gre ip6_tunnel tunnel6 ip_gre gre rdma_rxe rdma_ucm ib_uverbs ib_ipoib ib_umad rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm fuse ib_core [last unloaded: mlx5_core] CPU: 2 UID: 70878 PID: 1203 Comm: rdma_resource_l Tainted: G W 6.14.0-rc4-dirty #43 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:alloc_cacheable_mr+0x22/0x580 [mlx5_ib] Code: 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 41 52 53 48 83 ec 30 f6 46 28 04 4c 8b 77 08 75 21 <0f> 0b 49 c7 c2 ea ff ff ff 48 8d 65 d0 4c 89 d0 5b 41 5a 41 5c 41 RSP: 0018:ffffc900006ffac8 EFLAGS: 00010246 RAX: 0000000004c0d0d0 RBX: ffff888217a22000 RCX: 0000000000100001 RDX: 00007fb7ac480000 RSI: ffff8882037b1240 RDI: ffff8882046f0600 RBP: ffffc900006ffb28 R08: 0000000000000001 R09: 0000000000000000 R10: 00000000000007e0 R11: ffffea0008011d40 R12: ffff8882037b1240 R13: ffff8882046f0600 R14: ffff888217a22000 R15: ffffc900006ffe00 FS: 00007fb7ed013340(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb7ed1d8000 CR3: 00000001fd8f6006 CR4: 0000000000772eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? __warn+0x81/0x130 ? alloc_cacheable_mr+0x22/0x580 [mlx5_ib] ? report_bug+0xfc/0x1e0 ? handle_bug+0x55/0x90 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? alloc_cacheable_mr+0x22/0x580 [mlx5_ib] create_real_mr+0x54/0x150 [mlx5_ib] ib_uverbs_reg_mr+0x17f/0x2a0 [ib_uverbs] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xca/0x140 [ib_uverbs] ib_uverbs_run_method+0x6d0/0x780 [ib_uverbs] ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs] ib_uverbs_cmd_verbs+0x19b/0x360 [ib_uverbs] ? walk_system_ram_range+0x79/0xd0 ? ___pte_offset_map+0x1b/0x110 ? __pte_offset_map_lock+0x80/0x100 ib_uverbs_ioctl+0xac/0x110 [ib_uverbs] __x64_sys_ioctl+0x94/0xb0 do_syscall_64+0x50/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fb7ecf0737b Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 7d 2a 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007ffdbe03ecc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffdbe03edb8 RCX: 00007fb7ecf0737b RDX: 00007ffdbe03eda0 RSI: 00000000c0181b01 RDI: 0000000000000003 RBP: 00007ffdbe03ed80 R08: 00007fb7ecc84010 R09: 00007ffdbe03eed4 R10: 0000000000000009 R11: 0000000000000246 R12: 00007ffdbe03eed4 R13: 000000000000000c R14: 000000000000000c R15: 00007fb7ecc84150
In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix page_size variable overflow Change all variables storing mlx5_umem_mkc_find_best_pgsz() result to unsigned long to support values larger than 31 and avoid overflow. For example: If we try to register 4GB of memory that is contiguous in physical memory, the driver will optimize the page_size and try to use an mkey with 4GB entity size. The 'unsigned int' page_size variable will overflow to '0' and we'll hit the WARN_ON() in alloc_cacheable_mr(). WARNING: CPU: 2 PID: 1203 at drivers/infiniband/hw/mlx5/mr.c:1124 alloc_cacheable_mr+0x22/0x580 [mlx5_ib] Modules linked in: mlx5_ib mlx5_core bonding ip6_gre ip6_tunnel tunnel6 ip_gre gre rdma_rxe rdma_ucm ib_uverbs ib_ipoib ib_umad rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm fuse ib_core [last unloaded: mlx5_core] CPU: 2 UID: 70878 PID: 1203 Comm: rdma_resource_l Tainted: G W 6.14.0-rc4-dirty #43 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:alloc_cacheable_mr+0x22/0x580 [mlx5_ib] Code: 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 41 52 53 48 83 ec 30 f6 46 28 04 4c 8b 77 08 75 21 <0f> 0b 49 c7 c2 ea ff ff ff 48 8d 65 d0 4c 89 d0 5b 41 5a 41 5c 41 RSP: 0018:ffffc900006ffac8 EFLAGS: 00010246 RAX: 0000000004c0d0d0 RBX: ffff888217a22000 RCX: 0000000000100001 RDX: 00007fb7ac480000 RSI: ffff8882037b1240 RDI: ffff8882046f0600 RBP: ffffc900006ffb28 R08: 0000000000000001 R09: 0000000000000000 R10: 00000000000007e0 R11: ffffea0008011d40 R12: ffff8882037b1240 R13: ffff8882046f0600 R14: ffff888217a22000 R15: ffffc900006ffe00 FS: 00007fb7ed013340(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb7ed1d8000 CR3: 00000001fd8f6006 CR4: 0000000000772eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace:
CVE-2025-22113
In the Linux kernel, the following vulnerability has been resolved: ext4: avoid journaling sb update on error if journal is destroying Presently we always BUG_ON if trying to start a transaction on a journal marked with JBD2_UNMOUNT, since this should never happen. However, while ltp running stress tests, it was observed that in case of some error handling paths, it is possible for update_super_work to start a transaction after the journal is destroyed eg: (umount) ext4_kill_sb kill_block_super generic_shutdown_super sync_filesystem /* commits all txns */ evict_inodes /* might start a new txn */ ext4_put_super flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */ jbd2_journal_destroy journal_kill_thread journal->j_flags |= JBD2_UNMOUNT; jbd2_journal_commit_transaction jbd2_journal_get_descriptor_buffer jbd2_journal_bmap ext4_journal_bmap ext4_map_blocks ... ext4_inode_error ext4_handle_error schedule_work(&sbi->s_sb_upd_work) /* work queue kicks in */ update_super_work jbd2_journal_start start_this_handle BUG_ON(journal->j_flags & JBD2_UNMOUNT) Hence, introduce a new mount flag to indicate journal is destroying and only do a journaled (and deferred) update of sb if this flag is not set. Otherwise, just fallback to an un-journaled commit. Further, in the journal destroy path, we have the following sequence: 1. Set mount flag indicating journal is destroying 2. force a commit and wait for it 3. flush pending sb updates This sequence is important as it ensures that, after this point, there is no sb update that might be journaled so it is safe to update the sb outside the journal. (To avoid race discussed in 2d01ddc86606) Also, we don't need a similar check in ext4_grp_locked_error since it is only called from mballoc and AFAICT it would be always valid to schedule work here.
In the Linux kernel, the following vulnerability has been resolved: ext4: avoid journaling sb update on error if journal is destroying Presently we always BUG_ON if trying to start a transaction on a journal marked with JBD2_UNMOUNT, since this should never happen. However, while ltp running stress tests, it was observed that in case of some error handling paths, it is possible for update_super_work to start a transaction after the journal is destroyed eg: (umount) ext4_kill_sb kill_block_super generic_shutdown_super sync_filesystem /* commits all txns */ evict_inodes /* might start a new txn */ ext4_put_super flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */ jbd2_journal_destroy journal_kill_thread journal->j_flags |= JBD2_UNMOUNT; jbd2_journal_commit_transaction jbd2_journal_get_descriptor_buffer jbd2_journal_bmap ext4_journal_bmap ext4_map_blocks ... ext4_inode_error ext4_handle_error schedule_work(&sbi->s_sb_upd_work) /* work queue kicks in */ update_super_work jbd2_journal_start start_this_handle BUG_ON(journal->j_flags & JBD2_UNMOUNT) Hence, introduce a new mount flag to indicate journal is destroying and only do a journaled (and deferred) update of sb if this flag is not set. Otherwise, just fallback to an un-journaled commit. Further, in the journal destroy path, we have the following sequence: 1. Set mount flag indicating journal is destroying 2. force a commit and wait for it 3. flush pending sb updates This sequence is important as it ensures that, after this point, there is no sb update that might be journaled so it is safe to update the sb outside the journal. (To avoid race discussed in 2d01ddc86606) Also, we don't need a similar check in ext4_grp_locked_error since it is only called from mballoc and AFAICT it would be always valid to schedule work here.
CVE-2025-22121
In the Linux kernel, the following vulnerability has been resolved: ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() There's issue as follows: BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790 Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172 CPU: 3 PID: 15172 Comm: syz-executor.0 Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0xbe/0xfd lib/dump_stack.c:123 print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137 ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896 ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323 evict+0x39f/0x880 fs/inode.c:622 iput_final fs/inode.c:1746 [inline] iput fs/inode.c:1772 [inline] iput+0x525/0x6c0 fs/inode.c:1758 ext4_orphan_cleanup fs/ext4/super.c:3298 [inline] ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300 mount_bdev+0x355/0x410 fs/super.c:1446 legacy_get_tree+0xfe/0x220 fs/fs_context.c:611 vfs_get_tree+0x8d/0x2f0 fs/super.c:1576 do_new_mount fs/namespace.c:2983 [inline] path_mount+0x119a/0x1ad0 fs/namespace.c:3316 do_mount+0xfc/0x110 fs/namespace.c:3329 __do_sys_mount fs/namespace.c:3540 [inline] __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Memory state around the buggy address: ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Above issue happens as ext4_xattr_delete_inode() isn't check xattr is valid if xattr is in inode. To solve above issue call xattr_check_inode() check if xattr if valid in inode. In fact, we can directly verify in ext4_iget_extra_inode(), so that there is no divergent verification.
In the Linux kernel, the following vulnerability has been resolved: ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() There's issue as follows: BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790 Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172 CPU: 3 PID: 15172 Comm: syz-executor.0 Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0xbe/0xfd lib/dump_stack.c:123 print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137 ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896 ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323 evict+0x39f/0x880 fs/inode.c:622 iput_final fs/inode.c:1746 [inline] iput fs/inode.c:1772 [inline] iput+0x525/0x6c0 fs/inode.c:1758 ext4_orphan_cleanup fs/ext4/super.c:3298 [inline] ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300 mount_bdev+0x355/0x410 fs/super.c:1446 legacy_get_tree+0xfe/0x220 fs/fs_context.c:611 vfs_get_tree+0x8d/0x2f0 fs/super.c:1576 do_new_mount fs/namespace.c:2983 [inline] path_mount+0x119a/0x1ad0 fs/namespace.c:3316 do_mount+0xfc/0x110 fs/namespace.c:3329 __do_sys_mount fs/namespace.c:3540 [inline] __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Memory state around the buggy address: ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Above issue happens as ext4_xattr_delete_inode() isn't check xattr is valid if xattr is in inode. To solve above issue call xattr_check_inode() check if xattr if valid in inode. In fact, we can directly verify in ext4_iget_extra_inode(), so that there is no divergent verification.
CVE-2025-37797
In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class handling This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel. The vulnerability works as follows: 1. hfsc_change_class() checks if a class has packets (q.qlen != 0) 2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g., codel, netem) might drop packets and empty the queue 3. The code continues assuming the queue is still non-empty, adding the class to vttree 4. This breaks HFSC scheduler assumptions that only non-empty classes are in vttree 5. Later, when the class is destroyed, this can lead to a Use-After-Free The fix adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied.
In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class handling This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel. The vulnerability works as follows: 1. hfsc_change_class() checks if a class has packets (q.qlen != 0) 2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g., codel, netem) might drop packets and empty the queue 3. The code continues assuming the queue is still non-empty, adding the class to vttree 4. This breaks HFSC scheduler assumptions that only non-empty classes are in vttree 5. Later, when the class is destroyed, this can lead to a Use-After-Free The fix adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied.
CVE-2025-37958
In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: "An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for." BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream.
In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: "An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for." BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace:
CVE-2025-38086
In the Linux kernel, the following vulnerability has been resolved: net: ch9200: fix uninitialised access during mii_nway_restart In mii_nway_restart() the code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer called "buff", which is initialised with control_read(). However "buff" is conditionally initialised inside control_read(): if (err == size) { memcpy(data, buf, size); } If the condition of "err == size" is not met, then "buff" remains uninitialised. Once this happens the uninitialised "buff" is accessed and returned during ch9200_mdio_read(): return (buff[0] | buff[1] << 8); The problem stems from the fact that ch9200_mdio_read() ignores the return value of control_read(), leading to uinit-access of "buff". To fix this we should check the return value of control_read() and return early on error.
In the Linux kernel, the following vulnerability has been resolved: net: ch9200: fix uninitialised access during mii_nway_restart In mii_nway_restart() the code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer called "buff", which is initialised with control_read(). However "buff" is conditionally initialised inside control_read(): if (err == size) { memcpy(data, buf, size); } If the condition of "err == size" is not met, then "buff" remains uninitialised. Once this happens the uninitialised "buff" is accessed and returned during ch9200_mdio_read(): return (buff[0] | buff[1] << 8); The problem stems from the fact that ch9200_mdio_read() ignores the return value of control_read(), leading to uinit-access of "buff". To fix this we should check the return value of control_read() and return early on error.
CVE-2025-38110
In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds clause 45 read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via C45 (clause 45) mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write. Fix that by adding address verification before C45 read/write operation. While this excludes this access from any statistics, it improves security of read/write operation.
In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds clause 45 read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via C45 (clause 45) mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write. Fix that by adding address verification before C45 read/write operation. While this excludes this access from any statistics, it improves security of read/write operation.
追加情報:
N/A
ダウンロード:
SRPMS
- kernel-5.14.0-570.30.1.el9_6.src.rpm
MD5: 1401d4bebafc75eea57005becc1c7150
SHA-256: 1d4c051f85e34e247d6fcb972ff8042faad893f82a8782573cce9fb25a3a1268
Size: 142.49 MB
Asianux Server 9 for x86_64
- kernel-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: b5e29589bed4baff2b45b4af1fb0305a
SHA-256: aab60541b376e8444c7ac548b495a6f2664b593bc4eff7719d619bcd5f2b6c2d
Size: 1.78 MB - kernel-abi-stablelists-5.14.0-570.30.1.el9_6.noarch.rpm
MD5: da71a05f5f62e9ea2402691e2a73a35e
SHA-256: 77b6a1207b3c0994a0a1b0dd8a480915bbb131e8e667d8f12516f8a9dc01a6b8
Size: 1.81 MB - kernel-core-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 4b8ee754e6f7272dfc04282c5b31f14d
SHA-256: 91fd52f65d3da77d503968420a8175846d60b16faf5fb0e95e37f273b6878911
Size: 17.85 MB - kernel-cross-headers-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: b873320452c83bfa7ef910cdefe2bd81
SHA-256: 746ec9fd4ca5d18bd5ca97d324b63df413c6fa3f21c9eecb4c0b385d7bcadd59
Size: 8.65 MB - kernel-debug-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: d0b14dca6fded5b78053d8e5e98d08c0
SHA-256: 45d2401265f4712c44f8422c261a6df9230dddf373271c0c6ff6f191834d22da
Size: 1.78 MB - kernel-debug-core-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 4fa2c4e0c543ac5467f80016fc90afb0
SHA-256: 85cae593d73769b72aff7ab5cc41ac63b5e56e9bfcad6895ada8e9eb7606b5f8
Size: 31.29 MB - kernel-debug-devel-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 2da66a679a0f6fad656b6757ae7d9e8c
SHA-256: 0b9572e2ca0d03a1ccef9b7197d21658d6348d90c4e98be1ace221f16de484d0
Size: 21.78 MB - kernel-debug-devel-matched-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: e8d5a8fd7784719d91d372dd48d42e18
SHA-256: 0310d8b17879490eabcd17f00049f5e8f38d41ef289fa4012f9615034bc9ba08
Size: 1.78 MB - kernel-debug-modules-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 54fa71337e140bea61906cdf546bfcee
SHA-256: ca734c211a5718b0d5d58076ee1a2643668d7eb4f6e54fb17fb63308c30ed84e
Size: 67.45 MB - kernel-debug-modules-core-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: a0de62bd3e629a1faefed0315e59a14b
SHA-256: 27b1b0f6551074af948d5a5e13974f1a86433752f8637fd2697f4e0046affe64
Size: 48.92 MB - kernel-debug-modules-extra-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: aa027d4f663aa02b0ee9e28fd2e7646f
SHA-256: 30088bfba6daec0645e83ce14d65e84bc257a5a6e6e7b558935ca8d4edb3a44f
Size: 2.56 MB - kernel-debug-uki-virt-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 53c36e304bfdd016509d7acfccf84823
SHA-256: 2bcf4508f271dbf9eccb0f4ef901f479e85a0ffa326bac22ac2902e96bd83cc7
Size: 84.36 MB - kernel-devel-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: da817697664ba05a07144586c6935bce
SHA-256: 48735daa43b3844a51d82c4b0a614ba934c80827602db761ddfd56e2f492caae
Size: 21.60 MB - kernel-devel-matched-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 230eba95e4d0a85c08063b16f736d0ea
SHA-256: 269391a57f2e220ef866789040ad060803b2f62a88b4bfc2361a2944993ca296
Size: 1.78 MB - kernel-doc-5.14.0-570.30.1.el9_6.noarch.rpm
MD5: d57694a6fb995d63e2f3f14144b40fd3
SHA-256: 49b66a9bc58353749d8005b57f8b5959d718afb05a646406e4cd50de4db8cd81
Size: 37.92 MB - kernel-headers-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: b2602366206159ad8b5eb74d044089d1
SHA-256: 5519d239f880e4332d37fd2185d2fb6aa7cdcd859eb743bf18bc4ab080e379bc
Size: 3.52 MB - kernel-modules-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 24a6659f96a49d3073f52acfb6f86316
SHA-256: d2f8eb1bd04dff149ab3bcd3098eee88add3762efc6b53ae5d3bd92f4141c049
Size: 38.96 MB - kernel-modules-core-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 8e0301a5dbd6b97c71573a9f61fe3bbc
SHA-256: b0e5682aad7f62a5e8929b5c84beee8be30058cea6975686481c352769de167a
Size: 30.88 MB - kernel-modules-extra-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 3b4dccdfddad680d60b37fed111be0a5
SHA-256: 8d2088ea4ed4fa2f39e7795a362430658781ff30c2be1388ff18b908634fb84f
Size: 2.20 MB - kernel-rt-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: f20161ef77714f3f398334ae0ff0daba
SHA-256: a9bdb571996db737a904458180fd23157f6cfaa8a3afefd92e8465ef0ed5af37
Size: 1.78 MB - kernel-rt-core-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 1b099c21a131be2938da0064e23cb5fd
SHA-256: b82f98a71e39306bee7da66d36c68139c0a620fce39e8e39204bb8d5e668731c
Size: 17.75 MB - kernel-rt-debug-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: e66788e2d1df228bf91e8c0b9d436504
SHA-256: 433f3943da841c6065a9298720262d6758c148a4ea3036831bcdb27778b96d43
Size: 1.78 MB - kernel-rt-debug-core-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 4211b5068b709bc2cfa50f0183b988d1
SHA-256: 09d094fbd3671e3efa5e1978daae18f36e92a44aced73e3c2f9a62ddaa021173
Size: 19.15 MB - kernel-rt-debug-devel-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 05bcac4865671edabadc3c3d8f13b71d
SHA-256: 7e044fb39fe1e52bd0e8b233bd6c6cb40d7bbce16b598f7e9e387409e81e93f9
Size: 21.73 MB - kernel-rt-debug-modules-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: dbf520d367a9cd6dc59f53852e784d1a
SHA-256: 3f3d97a7be2b965cb972ce5589af6373f3c2ca2aaca6ea26390d253d5be8fb91
Size: 40.36 MB - kernel-rt-debug-modules-core-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: fcc27f62e7cbe500668e5a05aa99a435
SHA-256: 4013ad56a993505e204b4247b3c38e82e611805b929b093ea9433b3fac547d15
Size: 31.31 MB - kernel-rt-debug-modules-extra-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: b82951d2a68a3a241873da80e3523986
SHA-256: d1ae875f05250ca0e91efa9b505c3e4ea0292b09fba30b45d5d3fc2852ff651a
Size: 2.23 MB - kernel-rt-devel-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 9a0ed50b2674d21fb26626089db7a979
SHA-256: bb1d9eccb3558e1ace27ac309652a2bb196b8ed9726146c9b7a978b9cc83f88a
Size: 21.58 MB - kernel-rt-modules-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 055728930ceef08d54bcd43b3b91e93a
SHA-256: 23247a0fb9613b07ae1c988a18b9238d16ebf3fc4c2300b69b7043499b5712f7
Size: 38.98 MB - kernel-rt-modules-core-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 1bff94fa6529b699989b038a1041f23b
SHA-256: fd0f348c4ad48bfa7130a5a65090439ec3c9e4179e62108a11312110966e5e24
Size: 30.26 MB - kernel-rt-modules-extra-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 3cdbe3df9565d963fd1c7523baeb6436
SHA-256: 2cfc6ef4a29963d56c6e0b89c544f22fd662be939283789ca8807f22d3208f7d
Size: 2.21 MB - kernel-tools-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 2e11ecf703a76e6174e5d6176389b6c8
SHA-256: 7e199fe9f774bd284972f826f03b5c3df2b7a348b48b9e1c241a330c199d776e
Size: 2.06 MB - kernel-tools-libs-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: da22507790f0d46e7545cc5ecd0c44c3
SHA-256: e3bd0257c7d0a593d4051fe0c35a75dc2d8a340da66d6ff26b4aba27f001fc57
Size: 1.79 MB - kernel-tools-libs-devel-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 4883827c62b5b0508d7ae0db8ac9f3e8
SHA-256: 71fa5ab39917486737415ae07fdcb2f94f350a5e67ded6746fbce768e637108d
Size: 1.78 MB - kernel-uki-virt-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 9ffcde25f4f1a7fe1c2a56566e9bc747
SHA-256: 8beeb3284d082e7eac7b19d0987e9737895c3904f876ba674499b5df855a3a9c
Size: 62.99 MB - kernel-uki-virt-addons-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: bb0dc271ffbaef63fb96edfa887fe572
SHA-256: e98cd43c519d8a479257e4ed43f62810000b4dbba6b7c7ead8164583b33b3ec2
Size: 1.80 MB - libperf-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: ca760c9dcb878d9fe2d5e15b1982fef3
SHA-256: 2971bcfe793a748e68c376f16ec32dbf2781efc7c3bdb162618ce1430c70204c
Size: 1.80 MB - perf-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 174b0a453e75d41645ba5eee1e5c2c0c
SHA-256: fb66a517d7cb1e27ae900edf218ca9fb0bb8724b9e50a0aa20b499086f9f20a9
Size: 4.01 MB - python3-perf-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 90b571adbab7d5bbc86ba166b854efe9
SHA-256: 3a181d596b1c567f7d5c6582fa85525f56b22ba17a4939f8996a9a25575695e7
Size: 3.19 MB - rtla-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: 7b06130a1634e19b47759a7eea877581
SHA-256: c21a21ad05cb016451423490c3cccd894651ddfe1a58517b5fbf42959e4af23d
Size: 1.84 MB - rv-5.14.0-570.30.1.el9_6.x86_64.rpm
MD5: dccfb70852210beb1b46eb43fb07b36d
SHA-256: 0d62de49ab723064085ebda2229918ea4e6c392b7a6de10ace4c761bc4821676
Size: 1.80 MB
English