kernel-4.18.0-553.83.1.el8_10
エラータID: AXSA:2025-11098:88
リリース日:
2025/11/17 Monday - 18:45
題名:
kernel-4.18.0-553.83.1.el8_10
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- kernel の inode の実装には、メモリ領域の解放後利用の問題が
あるため、ローカルの攻撃者により、情報の漏洩、データ破壊、および
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2022-50367)
- kernel の zswap 機能には、競合状態に至る問題があるため、ローカル
の攻撃者により、情報の漏洩、データ破壊、およびサービス拒否攻撃を
可能とする脆弱性が存在します。(CVE-2023-53178)
- kernel の VMSCAPE の実装には、ローカルの攻撃者により、
情報の漏洩を可能とする脆弱性が存在します。(CVE-2025-40300)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2022-50367
In the Linux kernel, the following vulnerability has been resolved: fs: fix UAF/GPF bug in nilfs_mdt_destroy In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which causes inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes(e.g., UAF/GPF). Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes)
In the Linux kernel, the following vulnerability has been resolved: fs: fix UAF/GPF bug in nilfs_mdt_destroy In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which causes inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes(e.g., UAF/GPF). Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes)
CVE-2023-53178
In the Linux kernel, the following vulnerability has been resolved: mm: fix zswap writeback race condition The zswap writeback mechanism can cause a race condition resulting in memory corruption, where a swapped out page gets swapped in with data that was written to a different page. The race unfolds like this: 1. a page with data A and swap offset X is stored in zswap 2. page A is removed off the LRU by zpool driver for writeback in zswap-shrink work, data for A is mapped by zpool driver 3. user space program faults and invalidates page entry A, offset X is considered free 4. kswapd stores page B at offset X in zswap (zswap could also be full, if so, page B would then be IOed to X, then skip step 5.) 5. entry A is replaced by B in tree->rbroot, this doesn't affect the local reference held by zswap-shrink work 6. zswap-shrink work writes back A at X, and frees zswap entry A 7. swapin of slot X brings A in memory instead of B The fix: Once the swap page cache has been allocated (case ZSWAP_SWAPCACHE_NEW), zswap-shrink work just checks that the local zswap_entry reference is still the same as the one in the tree. If it's not the same it means that it's either been invalidated or replaced, in both cases the writeback is aborted because the local entry contains stale data. Reproducer: I originally found this by running `stress` overnight to validate my work on the zswap writeback mechanism, it manifested after hours on my test machine. The key to make it happen is having zswap writebacks, so whatever setup pumps /sys/kernel/debug/zswap/written_back_pages should do the trick. In order to reproduce this faster on a vm, I setup a system with ~100M of available memory and a 500M swap file, then running `stress --vm 1 --vm-bytes 300000000 --vm-stride 4000` makes it happen in matter of tens of minutes. One can speed things up even more by swinging /sys/module/zswap/parameters/max_pool_percent up and down between, say, 20 and 1; this makes it reproduce in tens of seconds. It's crucial to set `--vm-stride` to something other than 4096 otherwise `stress` won't realize that memory has been corrupted because all pages would have the same data.
In the Linux kernel, the following vulnerability has been resolved: mm: fix zswap writeback race condition The zswap writeback mechanism can cause a race condition resulting in memory corruption, where a swapped out page gets swapped in with data that was written to a different page. The race unfolds like this: 1. a page with data A and swap offset X is stored in zswap 2. page A is removed off the LRU by zpool driver for writeback in zswap-shrink work, data for A is mapped by zpool driver 3. user space program faults and invalidates page entry A, offset X is considered free 4. kswapd stores page B at offset X in zswap (zswap could also be full, if so, page B would then be IOed to X, then skip step 5.) 5. entry A is replaced by B in tree->rbroot, this doesn't affect the local reference held by zswap-shrink work 6. zswap-shrink work writes back A at X, and frees zswap entry A 7. swapin of slot X brings A in memory instead of B The fix: Once the swap page cache has been allocated (case ZSWAP_SWAPCACHE_NEW), zswap-shrink work just checks that the local zswap_entry reference is still the same as the one in the tree. If it's not the same it means that it's either been invalidated or replaced, in both cases the writeback is aborted because the local entry contains stale data. Reproducer: I originally found this by running `stress` overnight to validate my work on the zswap writeback mechanism, it manifested after hours on my test machine. The key to make it happen is having zswap writebacks, so whatever setup pumps /sys/kernel/debug/zswap/written_back_pages should do the trick. In order to reproduce this faster on a vm, I setup a system with ~100M of available memory and a 500M swap file, then running `stress --vm 1 --vm-bytes 300000000 --vm-stride 4000` makes it happen in matter of tens of minutes. One can speed things up even more by swinging /sys/module/zswap/parameters/max_pool_percent up and down between, say, 20 and 1; this makes it reproduce in tens of seconds. It's crucial to set `--vm-stride` to something other than 4096 otherwise `stress` won't realize that memory has been corrupted because all pages would have the same data.
CVE-2025-40300
In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo. [ dhansen: elaborate on suboptimal IBPB solution ]
In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo. [ dhansen: elaborate on suboptimal IBPB solution ]
追加情報:
N/A
ダウンロード:
SRPMS
- kernel-4.18.0-553.83.1.el8_10.src.rpm
MD5: 997697fdb20eae6c4b79a054f1ed7508
SHA-256: 34923aa5f8b9390d7ad85975b5c9835c9161e43d154087ec37607dd13b6b05e3
Size: 132.32 MB
Asianux Server 8 for x86_64
- bpftool-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: ff9ff7e867fbae2dd84977a02b37490d
SHA-256: 3567cbcc5a257bb651957f63d65db3da84dd9e0cfda7e707bf5f6c677b3b0f3f
Size: 11.26 MB - kernel-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: 2e7eb0c8cc4febe7837a909f45f58481
SHA-256: 67a0a321c869662eaac60858d4be3300a53058e1dad3c506504b8525503913ec
Size: 10.54 MB - kernel-abi-stablelists-4.18.0-553.83.1.el8_10.noarch.rpm
MD5: 9ad56aa98eaacbe3505399517a43551a
SHA-256: 194a4063da0b88b30c93c4b18cc309f43fa4a6fa966713d15be00ca70787d73e
Size: 10.55 MB - kernel-core-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: aa3dc1c01dd74148992d0a4e053999b2
SHA-256: e0292ba5dc9850fb852482e528c1b2d9202df2d2ee6141eb7febd234299176f1
Size: 43.57 MB - kernel-cross-headers-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: ba4c4bfcb90795b5d01e5aa727478a08
SHA-256: 407b25703c912971ea27f36c5768a6ae554c049290b5588c8a175e8176246895
Size: 15.88 MB - kernel-debug-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: 25bd4d8146780c84bcb004d5a8fb14a5
SHA-256: ac09171684700f7a1659e2acfe3c7ad1d6652a22bf579d7f88764a841ae888c9
Size: 10.54 MB - kernel-debug-core-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: 292a44b4282e2af8bae8baf017063d8c
SHA-256: f3a779142ee5701ee38e85ee19a44032da30b567dc17d54dc533b1ff50418de6
Size: 72.86 MB - kernel-debug-devel-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: 7ec72b58f429a23a33c5ce148035f247
SHA-256: 1270f4baa6fa59d3149e035cebe55e603ac9d691710b3c3ebec4532c4edac5db
Size: 24.37 MB - kernel-debug-modules-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: 563b19c04f471e3f875adab96beddd31
SHA-256: 59e70de462bcf7d83607e29c3971cabd0d3a309d00191d2a37a961601bbdc1ac
Size: 66.00 MB - kernel-debug-modules-extra-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: 10db2cdb497e3f5088298f4ad533cc8b
SHA-256: 606b3d048df273354b74455ce46d795ecfbd5106ef6561b54f382188cb96be6e
Size: 11.91 MB - kernel-devel-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: 90d42bfda3afd861bf9e41544347cfd3
SHA-256: a013fd8f4d61bd6e2de1fa4352dc7892c7b02ca07812d6987d967080e904c201
Size: 24.17 MB - kernel-doc-4.18.0-553.83.1.el8_10.noarch.rpm
MD5: e477f67f112d72c07b48274c7adb45c3
SHA-256: 781229077319a39d3b172ce93e52b926a01cdef441ccc2349b97230e10b51701
Size: 28.41 MB - kernel-headers-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: fef4d33c4b5fcdccf4106c39d1492bdc
SHA-256: 0f7aa4e0916dfde12fd0f4ff6d4bf9da89f59fe254e40e65d8c049bf26fb3008
Size: 11.89 MB - kernel-modules-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: 4d427c4daf440349bd0581eade4d660c
SHA-256: 715461919f14656a5565b175b2b6f32f4067d62c3a7b62ba952f98ad0bae9723
Size: 36.37 MB - kernel-modules-extra-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: ed9695a3fe16e2ba69e8d959d5852a1b
SHA-256: 0cd7ef8b4c13ddaa145e775ace561163c9911a07d7691c2c36a0878ee22d35c3
Size: 11.22 MB - kernel-tools-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: ad00624ac264b597a7d2d0fb7fcfc8c9
SHA-256: cdead92fe3d29cf68efdc366fb90d2e14aaf3cc557b1817516c082428fb83d63
Size: 10.76 MB - kernel-tools-libs-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: 9c14ea09092fd5f78d1cde1776ae567f
SHA-256: 0e61cf85d1d0b09c77b97979c267172cdb3a5cf4df96edff2a4119cc722addc3
Size: 10.54 MB - kernel-tools-libs-devel-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: d00d80a2243095780adc3fc04e1b2139
SHA-256: 487c1cd802805e7a6bc1fce7f0c36c73e104f3f340fa80873da283d15810044e
Size: 10.54 MB - perf-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: 73164329a6f74aee285ebe0338aefcc4
SHA-256: dac27dfe0fb9b6319986e05935f221617f4d729a523b8b71f7892f716b478824
Size: 12.86 MB - python3-perf-4.18.0-553.83.1.el8_10.x86_64.rpm
MD5: e4dec91152e08b624263b8f376aa1ace
SHA-256: 8d2c5cbf98c5bf37fd6a14f828b2349062c2e98868aef0b444496d932fc4e886
Size: 10.66 MB
English