kernel-5.14.0-570.39.1.el9_6
エラータID: AXSA:2025-10838:66
リリース日:
2025/09/10 Wednesday - 08:44
題名:
kernel-5.14.0-570.39.1.el9_6
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- kernel のネットワークスケジューラの実装には、メモリ領域の
解放後利用の問題があるため、ローカルの攻撃者により、情報の漏洩、
およびサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2025-37823)
- kernel の i40e ドライバには、整数アンダーフローの問題が
あるため、ローカルの攻撃者により、情報の漏洩、データ破壊、および
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2025-38200)
- kernel の iwcm ドライバには、メモリ領域の解放後利用の問題が
あるため、ローカルの攻撃者により、サービス拒否 (kernel panic)
攻撃を可能とする脆弱性が存在します。(CVE-2025-38211)
- kernel の qdisk の実装には、メモリ領域の解放後利用の問題が
あるため、ローカルの攻撃者により、情報の漏洩、データ破壊、および
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2025-38350)
- kernel の vsock の実装には、ローカルの攻撃者により、情報の漏洩、
データ破壊、およびサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2025-38461)
- kernel の TIPC の実装には、メモリ領域の解放後利用の問題が
あるため、ローカルの攻撃者により、情報の漏洩、データ破壊、および
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2025-38464)
- kernel の xfrm の実装には、メモリ領域の解放後利用の問題が
あるため、ローカルの攻撃者により、情報の漏洩、データ破壊、および
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2025-38500)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-37823
In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Similarly to the previous patch, we need to safe guard hfsc_dequeue() too. But for this one, we don't have a reliable reproducer.
In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Similarly to the previous patch, we need to safe guard hfsc_dequeue() too. But for this one, we don't have a reliable reproducer.
CVE-2025-38200
In the Linux kernel, the following vulnerability has been resolved: i40e: fix MMIO write access to an invalid page in i40e_clear_hw When the device sends a specific input, an integer underflow can occur, leading to MMIO write access to an invalid page. Prevent the integer underflow by changing the type of related variables.
In the Linux kernel, the following vulnerability has been resolved: i40e: fix MMIO write access to an invalid page in i40e_clear_hw When the device sends a specific input, an integer underflow can occur, leading to MMIO write access to an invalid page. Prevent the integer underflow by changing the type of related variables.
CVE-2025-38211
In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref") simplified cm_id resource management by freeing cm_id once all references to the cm_id were removed. The references are removed either upon completion of iw_cm event handlers or when the application destroys the cm_id. This commit introduced the use-after-free condition where cm_id_private object could still be in use by event handler works during the destruction of cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs") addressed this use-after- free by flushing all pending works at the cm_id destruction. However, still another use-after-free possibility remained. It happens with the work objects allocated for each cm_id_priv within alloc_work_entries() during cm_id creation, and subsequently freed in dealloc_work_entries() once all references to the cm_id are removed. If the cm_id's last reference is decremented in the event handler work, the work object for the work itself gets removed, and causes the use- after-free BUG below: BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250 Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091 CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Workqueue: 0x0 (iw_cm_wq) Call Trace: dump_stack_lvl+0x6a/0x90 print_report+0x174/0x554 ? __virt_addr_valid+0x208/0x430 ? __pwq_activate_work+0x1ff/0x250 kasan_report+0xae/0x170 ? __pwq_activate_work+0x1ff/0x250 __pwq_activate_work+0x1ff/0x250 pwq_dec_nr_in_flight+0x8c5/0xfb0 process_one_work+0xc11/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5ef/0xfd0 ? __pfx_worker_thread+0x10/0x10 kthread+0x3b0/0x770 ? __pfx_kthread+0x10/0x10 ? rcu_is_watching+0x11/0xb0 ? _raw_spin_unlock_irq+0x24/0x50 ? rcu_is_watching+0x11/0xb0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 Allocated by task 147416: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 alloc_work_entries+0xa9/0x260 [iw_cm] iw_cm_connect+0x23/0x4a0 [iw_cm] rdma_connect_locked+0xbfd/0x1920 [rdma_cm] nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma] cma_cm_event_handler+0xae/0x320 [rdma_cm] cma_work_handler+0x106/0x1b0 [rdma_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 147091: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kfree+0x13a/0x4b0 dealloc_work_entries+0x125/0x1f0 [iw_cm] iwcm_deref_id+0x6f/0xa0 [iw_cm] cm_work_handler+0x136/0x1ba0 [iw_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x2c/0x50 kasan_record_aux_stack+0xa3/0xb0 __queue_work+0x2ff/0x1390 queue_work_on+0x67/0xc0 cm_event_handler+0x46a/0x820 [iw_cm] siw_cm_upcall+0x330/0x650 [siw] siw_cm_work_handler+0x6b9/0x2b20 [siw] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 This BUG is reproducible by repeating the blktests test case nvme/061 for the rdma transport and the siw driver. To avoid the use-after-free of cm_id_private work objects, ensure that the last reference to the cm_id is decremented not in the event handler works, but in the cm_id destruction context. For that purpose, mo ---truncated---
In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref") simplified cm_id resource management by freeing cm_id once all references to the cm_id were removed. The references are removed either upon completion of iw_cm event handlers or when the application destroys the cm_id. This commit introduced the use-after-free condition where cm_id_private object could still be in use by event handler works during the destruction of cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs") addressed this use-after- free by flushing all pending works at the cm_id destruction. However, still another use-after-free possibility remained. It happens with the work objects allocated for each cm_id_priv within alloc_work_entries() during cm_id creation, and subsequently freed in dealloc_work_entries() once all references to the cm_id are removed. If the cm_id's last reference is decremented in the event handler work, the work object for the work itself gets removed, and causes the use- after-free BUG below: BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250 Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091 CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Workqueue: 0x0 (iw_cm_wq) Call Trace:
CVE-2025-38350
In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.
In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.
CVE-2025-38461
In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unable to handle page fault for address: fffffbfff8056000 Oops: Oops: 0000 [#1] SMP KASAN RIP: 0010:vsock_assign_transport+0x366/0x600 Call Trace: vsock_connect+0x59c/0xc40 __sys_connect+0xe8/0x100 __x64_sys_connect+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53
In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unable to handle page fault for address: fffffbfff8056000 Oops: Oops: 0000 [#1] SMP KASAN RIP: 0010:vsock_assign_transport+0x366/0x600 Call Trace: vsock_connect+0x59c/0xc40 __sys_connect+0xe8/0x100 __x64_sys_connect+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53
CVE-2025-38464
In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn. The problem is that tipc_conn_close() is called after releasing the IDR lock. At the same time, there might be tipc_conn_recv_work() running and it could call tipc_conn_close() for the same tipc_conn and release its last ->kref. Once we release the IDR lock in tipc_topsrv_stop(), there is no guarantee that the tipc_conn is alive. Let's hold the ref before releasing the lock and put the ref after tipc_conn_close() in tipc_topsrv_stop(). [0]: BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435 CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 tipc_topsrv_stop net/tipc/topsrv.c:701 [inline] tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 23: kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192 tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Freed by task 23: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 tipc_conn_kref_release net/tipc/topsrv.c:150 [inline] kref_put include/linux/kref.h:70 [inline] conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff888099305a00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of 512-byte region [ffff888099305a00, ffff888099305c00) The buggy address belongs to the page: page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940 raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn. The problem is that tipc_conn_close() is called after releasing the IDR lock. At the same time, there might be tipc_conn_recv_work() running and it could call tipc_conn_close() for the same tipc_conn and release its last ->kref. Once we release the IDR lock in tipc_topsrv_stop(), there is no guarantee that the tipc_conn is alive. Let's hold the ref before releasing the lock and put the ref after tipc_conn_close() in tipc_topsrv_stop(). [0]: BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435 CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 tipc_topsrv_stop net/tipc/topsrv.c:701 [inline] tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 23: kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192 tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Freed by task 23: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 tipc_conn_kref_release net/tipc/topsrv.c:150 [inline] kref_put include/linux/kref.h:70 [inline] conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff888099305a00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of 512-byte region [ffff888099305a00, ffff888099305c00) The buggy address belongs to the page: page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940 raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
CVE-2025-38500
In the Linux kernel, the following vulnerability has been resolved: xfrm: interface: fix use-after-free after changing collect_md xfrm interface collect_md property on xfrm interfaces can only be set on device creation, thus xfrmi_changelink() should fail when called on such interfaces. The check to enforce this was done only in the case where the xi was returned from xfrmi_locate() which doesn't look for the collect_md interface, and thus the validation was never reached. Calling changelink would thus errornously place the special interface xi in the xfrmi_net->xfrmi hash, but since it also exists in the xfrmi_net->collect_md_xfrmi pointer it would lead to a double free when the net namespace was taken down [1]. Change the check to use the xi from netdev_priv which is available earlier in the function to prevent changes in xfrm collect_md interfaces. [1] resulting oops: [ 8.516540] kernel BUG at net/core/dev.c:12029! [ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary) [ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 8.516569] Workqueue: netns cleanup_net [ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0 [ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24 [ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206 [ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60 [ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122 [ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100 [ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00 [ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00 [ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000 [ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0 [ 8.516625] PKRU: 55555554 [ 8.516627] Call Trace: [ 8.516632] [ 8.516635] ? rtnl_is_locked+0x15/0x20 [ 8.516641] ? unregister_netdevice_queue+0x29/0xf0 [ 8.516650] ops_undo_list+0x1f2/0x220 [ 8.516659] cleanup_net+0x1ad/0x2e0 [ 8.516664] process_one_work+0x160/0x380 [ 8.516673] worker_thread+0x2aa/0x3c0 [ 8.516679] ? __pfx_worker_thread+0x10/0x10 [ 8.516686] kthread+0xfb/0x200 [ 8.516690] ? __pfx_kthread+0x10/0x10 [ 8.516693] ? __pfx_kthread+0x10/0x10 [ 8.516697] ret_from_fork+0x82/0xf0 [ 8.516705] ? __pfx_kthread+0x10/0x10 [ 8.516709] ret_from_fork_asm+0x1a/0x30 [ 8.516718]
In the Linux kernel, the following vulnerability has been resolved: xfrm: interface: fix use-after-free after changing collect_md xfrm interface collect_md property on xfrm interfaces can only be set on device creation, thus xfrmi_changelink() should fail when called on such interfaces. The check to enforce this was done only in the case where the xi was returned from xfrmi_locate() which doesn't look for the collect_md interface, and thus the validation was never reached. Calling changelink would thus errornously place the special interface xi in the xfrmi_net->xfrmi hash, but since it also exists in the xfrmi_net->collect_md_xfrmi pointer it would lead to a double free when the net namespace was taken down [1]. Change the check to use the xi from netdev_priv which is available earlier in the function to prevent changes in xfrm collect_md interfaces. [1] resulting oops: [ 8.516540] kernel BUG at net/core/dev.c:12029! [ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary) [ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 8.516569] Workqueue: netns cleanup_net [ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0 [ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24 [ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206 [ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60 [ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122 [ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100 [ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00 [ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00 [ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000 [ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0 [ 8.516625] PKRU: 55555554 [ 8.516627] Call Trace: [ 8.516632]
追加情報:
N/A
ダウンロード:
SRPMS
- kernel-5.14.0-570.39.1.el9_6.src.rpm
MD5: 3f2e86e0f6bd773eaf182f5fd2e89d8c
SHA-256: 7fffa577ba84ca1239b3f318e5db6bec3ff2a66e4fc8060a1d211b5914317e79
Size: 142.52 MB
Asianux Server 9 for x86_64
- kernel-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: c3d8e517fee9a6e67222f4920660713c
SHA-256: ebff6fb5ff1210dfe7f90fbacad787046ef46e941891097ab36318a38e3e6b50
Size: 1.80 MB - kernel-abi-stablelists-5.14.0-570.39.1.el9_6.noarch.rpm
MD5: d78c1c61e36b48467c410f79c2dd5ece
SHA-256: 200bc3a0754a8adf4e1c694895c555a79d9d757143b541c86e42da8a52a25e66
Size: 1.82 MB - kernel-core-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 8acf2ddc919dfee2f95c5b18da0cb97f
SHA-256: 577677ee891c7f7055c064783ba2e85411fc3399a735a837aea62ad17a119fa5
Size: 17.87 MB - kernel-cross-headers-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 50b8cd9452b837b3a6f3b01e066a40b0
SHA-256: c9ffee4504acd5ca5480dbcecdf3b618d675362f0c30504d2e6ba0a361620b58
Size: 8.66 MB - kernel-debug-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 223956774e2a14a16e1c55143c077090
SHA-256: 8e7ecd4f608513a4d4a8a5495d881334ef962d7d5f35c5e2278bf00818c7a38f
Size: 1.80 MB - kernel-debug-core-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 5a712f574d231e05d236b7110868d56f
SHA-256: c3dae845d2bf33b857f2447ed5c00edc4f5a6ae9aa5f9b75b320e6d7c074fe65
Size: 31.31 MB - kernel-debug-devel-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 1be09663edb0c647ccaeb5873ae125d5
SHA-256: 943ec1883e441850a58b86daecba4c73e2094b521a014fb0f9e7ccb179a85ff8
Size: 21.79 MB - kernel-debug-devel-matched-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: ecd23921b96aa6b2fa910ef7db10ed9b
SHA-256: 68420ab167f16fbe765af8f861a64e9bb1d988b22edba96939a588a43e9be3d2
Size: 1.80 MB - kernel-debug-modules-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 2ae19cdba32ae2c89ceb2572fea23764
SHA-256: b1027ed449e19c142faeb1748e6052a35c016c8e67ea81c5db0cfc30c55af1d2
Size: 67.43 MB - kernel-debug-modules-core-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: f643b73d77dea66ed906fe5a1a48914d
SHA-256: 8d570a9ac2c5d846f4424eff61023b8d56399c987addae75a1483c1d15dd7abe
Size: 48.92 MB - kernel-debug-modules-extra-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: f680b8ed27ab3aea6851618160eb5d83
SHA-256: 4d948e766931a38b75fb2e0ea88bf58c046352ee17e202e5c1ad27a4224f9a7a
Size: 2.57 MB - kernel-debug-uki-virt-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 70fae71217982430e595ca6f75c6c7e0
SHA-256: dd79c4fc8b6208e91c01778371445044fe0b8c4645891c1a12fa665c95c9f33b
Size: 84.37 MB - kernel-devel-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: cab7fd5349234be45069bce2f709c2eb
SHA-256: 400b5cc6391773cad2170d3027416135deed8135f822d1f8a0c12a0078366eb9
Size: 21.62 MB - kernel-devel-matched-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 25aae1a692a16f4a9132b0ad661960bb
SHA-256: 2eb128dc74b755d7b3198c8ec76f915cdd85fc450b748b15272971dd416af1e2
Size: 1.80 MB - kernel-doc-5.14.0-570.39.1.el9_6.noarch.rpm
MD5: 6ef5f4c092b5e59ed86a6da8a7d97c87
SHA-256: 2db789a0922086bae98dcc4c3567707ae8316b676f18bc351446ae19d5d8131e
Size: 37.94 MB - kernel-headers-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 7eadc786d1f75f152c352df49a1d9fa1
SHA-256: 09daea36ce7bda4917038b5ee96d417ebc54fefe8e77c019fd3e72d90d1613a6
Size: 3.53 MB - kernel-modules-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 872e83f5a67c336a7ac8493cd5537e72
SHA-256: 2158c19630a8c013dbb048881189441e1ff91c2c88ea74c2400742eb9fe6a6b1
Size: 38.98 MB - kernel-modules-core-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 440fdea2cc261fa4cf33e7a1d6b88b27
SHA-256: 06554d0d10dbb952636de4e4cf3d1e52a03e916e22cac5404fa5a9f2b63d30a6
Size: 30.89 MB - kernel-modules-extra-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: e0d5404f44c8eaa119d5c345bf11402f
SHA-256: af2dc8946955caf2503c17d3569e626df02daa7e91ffc85f25f3e78bcec6af28
Size: 2.22 MB - kernel-rt-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 1c11359f3fbb01acb19b988f954ba0d5
SHA-256: 5a093a1598694e4ac5781691bf8ab066e21c547b8f923cbf4504090e9f111f21
Size: 1.80 MB - kernel-rt-core-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 1223b0058658bccb6bfe74bfd6df6723
SHA-256: 8f3d21e6ef23df3ddf1acbc2adadc2d25941ca1a369d032fc90d7c0c8d1575cf
Size: 17.77 MB - kernel-rt-debug-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 6d421ba0a7788b784e874becb04f6bbe
SHA-256: 95de3212d9f67352cc77ef3c8c8edf06899501ed7ade8f780e08d44165dd9343
Size: 1.80 MB - kernel-rt-debug-core-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 2abddfac21e09c64914d40694b587143
SHA-256: 142d23fd5f394da06382e4a63aa9b7180b5712f862d21bb383fc619657f7306a
Size: 19.17 MB - kernel-rt-debug-devel-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: d0c4ca2830fab29112f0566ea15aaacd
SHA-256: ec9c8b7ad43eb6d13e42ce17a0957da56517570914004f03c68ce7905458498e
Size: 21.75 MB - kernel-rt-debug-modules-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 3a5295c4eec66f518dd72e390a75913f
SHA-256: 058e2bab7a4a6d654f66fb5c4e23d652da60b6a9c739fb2949f9c5be97ab600c
Size: 40.36 MB - kernel-rt-debug-modules-core-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 821d9ad1102ee58d77228a12cede7d3e
SHA-256: cfeeea44a2ec2abd53d8a560a4afb965e65908fafdd34f9f934100b94d1a5bab
Size: 31.31 MB - kernel-rt-debug-modules-extra-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 6816270413ee4480b28afae7fefa46d8
SHA-256: bdbb65350f8fdd77cb7a4f01997962127407d3fd34f530ce1b19db2945572a6d
Size: 2.24 MB - kernel-rt-devel-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 1592e08224589cb62f70996e75dfe7d0
SHA-256: 690ba2a95f004fcd40dd07066c4de438e2702c410bff3a13a76f3dfb3c2145ce
Size: 21.60 MB - kernel-rt-modules-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: f0ea1f5e7cd5c9fdfcef433920fad1e5
SHA-256: def892a6c0c60164d104a8c90d92f00bdb5b0ac2be0a726ba836e0036d98085d
Size: 38.99 MB - kernel-rt-modules-core-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: a6d2099e32195ba4d104c5d17f615721
SHA-256: 3e8f8e00ec819867ec111db804934f4f36d31823947ed062da2ef4ae35aecd4b
Size: 30.27 MB - kernel-rt-modules-extra-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 93f6ee1932d96adbf4e568ac5dab0a19
SHA-256: 7ee19ffbdd26b2c64d55dda5916ab35390b74eec7e3d251c8d482dcf47acaf0f
Size: 2.22 MB - kernel-tools-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 89b8e08e68365d23d4b3d3406a171450
SHA-256: ba019146a9128e1c317139999b053ed9280c21ddff3174806ee3cb0553c5769c
Size: 2.08 MB - kernel-tools-libs-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 6ca94cb6dd69f28e2be77a586734a1b5
SHA-256: c89f97ab8a033cb91b3f06cb55e6ddf6fc3de9b16ef9036f30cc655e99997209
Size: 1.81 MB - kernel-tools-libs-devel-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 7f689537848689cab46fe2cd07c1d9a5
SHA-256: c45bc16040e8c3e0cae20dfa937fb313425d583ada560319906b5e5e676a3542
Size: 1.80 MB - kernel-uki-virt-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 9ee282429ca294795b1e68e345fb7283
SHA-256: d3b965cc1eb36fc93cc65589e289d21c94b5fd2d0053a846397014a7808606c9
Size: 63.01 MB - kernel-uki-virt-addons-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 7a816c74ed14124fce676f3ed14268d9
SHA-256: 14f507025420b721f3af953ea74ebd8d92cbe4dff1a2d013d640c4bba7e4ceb0
Size: 1.82 MB - libperf-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: ad74bc400ac85aedfa6d19f87fbfe8be
SHA-256: bb9e8c987b7a3cd1833bbff137d6c7e152b8c78c9d501707b9f047323aeaf19a
Size: 1.82 MB - perf-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: ba913926d65e2faec5b8de0bed82bef3
SHA-256: 73f9625493c4f6bcbf223e13917985d6ac9232a5dd686ec3924d4bffee46e0e8
Size: 4.03 MB - python3-perf-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 754cc268e89e2fe810a886f01138bc09
SHA-256: 93f29c7ff2e721e74fa4383af3c19a5a1d70ed8bd58d39d767ab7f8761dae837
Size: 3.20 MB - rtla-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: 1b0f7b26a80c0d91a21a69bb45bff191
SHA-256: be399467c743eca5d131c08566cc6b467d719522eac9e5a8ca6ce54b1bf42297
Size: 1.85 MB - rv-5.14.0-570.39.1.el9_6.x86_64.rpm
MD5: a05ff54c58c3936566a11b10f3bf7f9c
SHA-256: 759ab336e1f0e470ca99c01e2b7bf4c698e9edd2172ddd1848e5e509c684b477
Size: 1.81 MB
English