kernel-4.18.0-553.77.1.el8_10
エラータID: AXSA:2025-10931:75
リリース日:
2025/10/07 Tuesday - 10:04
題名:
kernel-4.18.0-553.77.1.el8_10
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- kernel の SCPI ドライバには、メモリ領域の解放後利用の問題が
あるため、ローカルの攻撃者により、情報の漏洩、データ破壊、および
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2022-50087)
- kernel の NFSD の実装には、戻り値のチェック処理が欠落している
ため、ローカルの攻撃者により、情報の漏洩、およびサービス拒否攻撃
を可能とする脆弱性が存在します。(CVE-2025-22026)
- kernel の HFSC スケジューラーの実装には、メモリ領域の解放後
利用の問題があるため、ローカルの攻撃者により、情報の漏洩、データ
破壊、およびサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2025-37797)
- kernel の SCTP の実装には、リモートの攻撃者により、サービス
拒否攻撃を可能とする脆弱性が存在します。(CVE-2025-38718)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2022-50087
In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails When scpi probe fails, at any point, we need to ensure that the scpi_info is not set and will remain NULL until the probe succeeds. If it is not taken care, then it could result use-after-free as the value is exported via get_scpi_ops() and could refer to a memory allocated via devm_kzalloc() but freed when the probe fails.
In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails When scpi probe fails, at any point, we need to ensure that the scpi_info is not set and will remain NULL until the probe succeeds. If it is not taken care, then it could result use-after-free as the value is exported via get_scpi_ops() and could refer to a memory allocated via devm_kzalloc() but freed when the probe fails.
CVE-2025-22026
In the Linux kernel, the following vulnerability has been resolved: nfsd: don't ignore the return code of svc_proc_register() Currently, nfsd_proc_stat_init() ignores the return value of svc_proc_register(). If the procfile creation fails, then the kernel will WARN when it tries to remove the entry later. Fix nfsd_proc_stat_init() to return the same type of pointer as svc_proc_register(), and fix up nfsd_net_init() to check that and fail the nfsd_net construction if it occurs. svc_proc_register() can fail if the dentry can't be allocated, or if an identical dentry already exists. The second case is pretty unlikely in the nfsd_net construction codepath, so if this happens, return -ENOMEM.
In the Linux kernel, the following vulnerability has been resolved: nfsd: don't ignore the return code of svc_proc_register() Currently, nfsd_proc_stat_init() ignores the return value of svc_proc_register(). If the procfile creation fails, then the kernel will WARN when it tries to remove the entry later. Fix nfsd_proc_stat_init() to return the same type of pointer as svc_proc_register(), and fix up nfsd_net_init() to check that and fail the nfsd_net construction if it occurs. svc_proc_register() can fail if the dentry can't be allocated, or if an identical dentry already exists. The second case is pretty unlikely in the nfsd_net construction codepath, so if this happens, return -ENOMEM.
CVE-2025-37797
In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class handling This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel. The vulnerability works as follows: 1. hfsc_change_class() checks if a class has packets (q.qlen != 0) 2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g., codel, netem) might drop packets and empty the queue 3. The code continues assuming the queue is still non-empty, adding the class to vttree 4. This breaks HFSC scheduler assumptions that only non-empty classes are in vttree 5. Later, when the class is destroyed, this can lead to a Use-After-Free The fix adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied.
In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class handling This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel. The vulnerability works as follows: 1. hfsc_change_class() checks if a class has packets (q.qlen != 0) 2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g., codel, netem) might drop packets and empty the queue 3. The code continues assuming the queue is still non-empty, adding the class to vttree 4. This breaks HFSC scheduler assumptions that only non-empty classes are in vttree 5. Later, when the class is destroyed, this can lead to a Use-After-Free The fix adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied.
CVE-2025-38718
In the Linux kernel, the following vulnerability has been resolved: sctp: linearize cloned gso packets in sctp_rcv A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs. syzbot reported two use-of-uninitialized-memory bugs caused by this: BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998 sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122 __release_sock+0x1da/0x330 net/core/sock.c:3106 release_sock+0x6b/0x250 net/core/sock.c:3660 sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360 sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885 sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031 inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:718 [inline] and BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367 sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886 sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032 inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] This patch fixes it by linearizing cloned gso packets in sctp_rcv().
In the Linux kernel, the following vulnerability has been resolved: sctp: linearize cloned gso packets in sctp_rcv A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs. syzbot reported two use-of-uninitialized-memory bugs caused by this: BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998 sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122 __release_sock+0x1da/0x330 net/core/sock.c:3106 release_sock+0x6b/0x250 net/core/sock.c:3660 sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360 sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885 sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031 inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:718 [inline] and BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367 sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886 sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032 inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] This patch fixes it by linearizing cloned gso packets in sctp_rcv().
追加情報:
N/A
ダウンロード:
SRPMS
- kernel-4.18.0-553.77.1.el8_10.src.rpm
MD5: d2cc3e918fc1d0042eaea12b67bd8b7b
SHA-256: 8d2c9f4d59aa697beee0e2b1ff7f48498457086211b1e189ac3ec24a59f566dc
Size: 132.27 MB
Asianux Server 8 for x86_64
- bpftool-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: 4ba9f892e8530ea4071faaec680b4433
SHA-256: 8bbe3e6c90e3082ec884937456326564f07eaf608781425b2e041b42922dae6c
Size: 11.24 MB - kernel-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: b7d68152e0c44910654efb149d900e63
SHA-256: 2c69e308360d3c13c06ec22ac551aa5b8a3fecadff7fc7e46aac8374d4453b54
Size: 10.51 MB - kernel-abi-stablelists-4.18.0-553.77.1.el8_10.noarch.rpm
MD5: edf92b875ee6cc5f727fab157d0b4c43
SHA-256: 3534184c46dd1d5cf7f256002fee951bd69b7a6f403bd5fdc2f2f90af861e042
Size: 10.53 MB - kernel-core-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: c50bba9fb8ef8535ca4d7af31b023ebe
SHA-256: 947ea06bcc62f315dd79dae115aed4a64e02da0ff6389b7847c6fe71bbbb6266
Size: 43.54 MB - kernel-cross-headers-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: a9cf64f6fb859e943759ca3932658914
SHA-256: 3d732a80ab5e05004d19b67ce2bcc3d39400ff61f041fd5f812de6efbaff68ac
Size: 15.86 MB - kernel-debug-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: ed10b01ae2a3785982b2c1cacc2d8268
SHA-256: 5f0d4625111466bac4fa95bd933b7a4dbdbcdce0432c68313b9936d5355575aa
Size: 10.51 MB - kernel-debug-core-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: e24f8cb816cfc25bd523697c75098247
SHA-256: bf664481f16c4539154e77be521a8453992862230f1da2cf560a192d62efdb0d
Size: 72.84 MB - kernel-debug-devel-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: 0e25c273c839f92226669c4ee80ad7a0
SHA-256: 2e0465349a5d17973d296b9bffac366ab2312adb539102c109a9389fa049e31b
Size: 24.34 MB - kernel-debug-modules-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: be2e63a2ae4dd28d1dc6d8357c0ba218
SHA-256: e62646241160db971f7b9ca320eae5b30ef6cdfb220536f99c7ff15a34765dc9
Size: 65.94 MB - kernel-debug-modules-extra-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: 939b9fd41c6caba175dd704da49ab316
SHA-256: 8028fb9ba501ed33df8111686f4508ca834b3928e1c17c076a911623ad89834f
Size: 11.89 MB - kernel-devel-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: e707a8ae96302756cec6d3d478e1de29
SHA-256: 3cc594a4a51243d4bda261c186ca4afac93fe19fe4beebf49fa713f67a664371
Size: 24.14 MB - kernel-doc-4.18.0-553.77.1.el8_10.noarch.rpm
MD5: 29e62c86a5880825b6b298891fc72e39
SHA-256: 80112fdda6364326ea25d92fedd4cfb70ec0f2eb7f581ab88011ca42573c653e
Size: 28.37 MB - kernel-headers-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: 20144606b7cc5c417a68d965ee22cba8
SHA-256: eccdbf12e5cfe8ceb27eff7f97b2b1444eb8c0be8317fee1718b677e79027cc3
Size: 11.86 MB - kernel-modules-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: d8fcaa7b512a3331dabab096ce960085
SHA-256: 496ac93854a9ab9fb224f2eb48dee521dc39dc147f552944f67845fe2cdebd61
Size: 36.33 MB - kernel-modules-extra-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: 7069c8c07bc86086d4bb5525a1b84a86
SHA-256: 488e54795277c51ad5f2a1adcf48a020824d08576c7c7a749df7231935394c3c
Size: 11.20 MB - kernel-tools-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: ed2229d4c9e4dd69f22b200c9b6567d2
SHA-256: 205557982433fb6e42875d001833fc6e9ed1564d86c75309622af2e33f6ff9a1
Size: 10.73 MB - kernel-tools-libs-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: 21889901544e45465486053b5e96e4b8
SHA-256: 9fb7466999ad545415b1909ecacd12ba782d25661f25f5888495135911d08720
Size: 10.52 MB - kernel-tools-libs-devel-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: 8ca7535f8d194f69e536014b5869e7ee
SHA-256: db458f0a2cd0943097fb7c4628d1e89665528afc0f7803f99fd365b6897f83ab
Size: 10.51 MB - perf-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: 533cc54b8186ad57e7d733d6c6051084
SHA-256: 52dca264a9cc62baeefb01d3944746d63e032dbfa46df1d1ec910ca6daeff9dd
Size: 12.83 MB - python3-perf-4.18.0-553.77.1.el8_10.x86_64.rpm
MD5: f5d24e34e2029fd0312b1fb29022c73d
SHA-256: 476987efbb3ab98c7b82f848eb13b2c66245cd30c6c5622bdd5ce1ae8b711442
Size: 10.64 MB
English