kernel-3.10.0-1160.139.1.0.1.el7.AXS7
エラータID: AXSA:2025-11327:91
リリース日:
2025/12/02 Tuesday - 09:48
題名:
kernel-3.10.0-1160.139.1.0.1.el7.AXS7
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- ext4 には、潜在的なメモリの解放後利用の問題があるため、
ローカルの攻撃者により、巧妙に細工されたファイルシステムを
介して、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2021-47342)
- drivers/net/virtio_net.c には、データのバリデーションが欠けて
いることを起因としてデータの破壊に繋がる問題があるため、ローカル
の攻撃者により、巧妙に細工されたデバイスを介して、サービス妨害を
可能とする脆弱性が存在します。(CVE-2021-47352)
- kernel の ALSA USB オーディオドライバには、メモリ領域の範囲外
読み取りの問題があるため、物理的にマシンの操作が可能な攻撃者により、
情報の漏洩、およびサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2022-48701)
- kernel の namespace 機能には、メモリ領域の解放後利用の問題が
あるため、ローカルの攻撃者により、情報の漏洩、およびサービス拒否
攻撃を可能とする脆弱性が存在します。(CVE-2024-56658)
- kernel の QFQ スケジューラ (sch_qfq) の実装には、メモリ領域の
解放後利用の問題があるため、ローカルの攻撃者により、情報の漏洩、
データ破壊、およびサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2025-38477)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2021-47342
In the Linux kernel, the following vulnerability has been resolved: ext4: fix possible UAF when remounting r/o a mmp-protected file system After commit 618f003199c6 ("ext4: fix memory leak in ext4_fill_super"), after the file system is remounted read-only, there is a race where the kmmpd thread can exit, causing sbi->s_mmp_tsk to point at freed memory, which the call to ext4_stop_mmpd() can trip over. Fix this by only allowing kmmpd() to exit when it is stopped via ext4_stop_mmpd(). Bug-Report-Link: <20210629143603.2166962-1-yebin10@huawei.com>
In the Linux kernel, the following vulnerability has been resolved: ext4: fix possible UAF when remounting r/o a mmp-protected file system After commit 618f003199c6 ("ext4: fix memory leak in ext4_fill_super"), after the file system is remounted read-only, there is a race where the kmmpd thread can exit, causing sbi->s_mmp_tsk to point at freed memory, which the call to ext4_stop_mmpd() can trip over. Fix this by only allowing kmmpd() to exit when it is stopped via ext4_stop_mmpd(). Bug-Report-Link: <20210629143603.2166962-1-yebin10@huawei.com>
CVE-2022-48701
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and the number of it's interfaces less than 4, an out-of-bounds read bug occurs when parsing the interface descriptor for this device. Fix this by checking the number of interfaces.
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and the number of it's interfaces less than 4, an out-of-bounds read bug occurs when parsing the interface descriptor for this device. Fix this by checking the number of interfaces.
CVE-2024-56658
In the Linux kernel, the following vulnerability has been resolved: net: defer final 'struct net' free in netns dismantle Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later : if (dst->ops->destroy) dst->ops->destroy(dst); dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. See a relevant issue fixed in : ac888d58869b ("net: do not delay dst_entries_add() in dst_release()") A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier()) [1] BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 Dec 03 05:46:18 kernel: CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 Call Trace: dump_stack_lvl (lib/dump_stack.c:124) print_address_description.constprop.0 (mm/kasan/report.c:378) ? dst_destroy (net/core/dst.c:112) print_report (mm/kasan/report.c:489) ? dst_destroy (net/core/dst.c:112) ? kasan_addr_to_slab (mm/kasan/common.c:37) kasan_report (mm/kasan/report.c:603) ? dst_destroy (net/core/dst.c:112) ? rcu_do_batch (kernel/rcu/tree.c:2567) dst_destroy (net/core/dst.c:112) rcu_do_batch (kernel/rcu/tree.c:2567) ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406) rcu_core (kernel/rcu/tree.c:2825) handle_softirqs (kernel/softirq.c:554) __irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637) irq_exit_rcu (kernel/softirq.c:651) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049) asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743) Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246 RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000 R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000 ? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148) ? cpuidle_idle_call (kernel/sched/idle.c:186) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) cpuidle_idle_call (kernel/sched/idle.c:186) ? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168) ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) ? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59) do_idle (kernel/sched/idle.c:326) cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282) ? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232) ? soft_restart_cpu (arch/x86/kernel/head_64.S:452) common_startup_64 (arch/x86/kernel/head_64.S:414) Dec 03 05:46:18 kernel: Allocated by task 12184: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141) copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces ---truncated---
In the Linux kernel, the following vulnerability has been resolved: net: defer final 'struct net' free in netns dismantle Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later : if (dst->ops->destroy) dst->ops->destroy(dst); dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. See a relevant issue fixed in : ac888d58869b ("net: do not delay dst_entries_add() in dst_release()") A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier()) [1] BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 Dec 03 05:46:18 kernel: CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 Call Trace:
CVE-2025-38477
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_class and qfq_dump_class_stats.
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_class and qfq_dump_class_stats.
CVE-2021-47352
In the Linux kernel, the following vulnerability has been resolved: virtio-net: Add validation for used length This adds validation for used length (might come from an untrusted device) to avoid data corruption or loss.
In the Linux kernel, the following vulnerability has been resolved: virtio-net: Add validation for used length This adds validation for used length (might come from an untrusted device) to avoid data corruption or loss.
追加情報:
N/A
ダウンロード:
Asianux Server 7 for x86_64
- bpftool-3.10.0-1160.139.1.0.1.el7.AXS7.x86_64.rpm
MD5: eced0d33d2690ec146bffb880afe124d
SHA-256: e2316fca1635974f3361c8632518070d44b33b1f5e1c6b24b939597e382ac887
Size: 8.57 MB - kernel-3.10.0-1160.139.1.0.1.el7.AXS7.x86_64.rpm
MD5: 201607ec77a37a33308b28627cd745ee
SHA-256: 58f148ff58571b36417045e75c49ca956af19e0f458c2f236f649a7fe402d79b
Size: 51.78 MB - kernel-abi-whitelists-3.10.0-1160.139.1.0.1.el7.AXS7.noarch.rpm
MD5: 776b985a25abebe21d411c8be7176ea5
SHA-256: 70b6755c14d162f8df64fdc3c0b9762d1ce91bbcac7dffd05396cdd0ad188330
Size: 8.14 MB - kernel-debug-3.10.0-1160.139.1.0.1.el7.AXS7.x86_64.rpm
MD5: 5dcc887a362f8c07f463106c17eda948
SHA-256: bddfb1b5f9cd841804334d8e8286ce1477bb5315c968d215b08a5f7ff987fb28
Size: 54.09 MB - kernel-debug-devel-3.10.0-1160.139.1.0.1.el7.AXS7.x86_64.rpm
MD5: 1635cd7da1c8d4bb78df2d3e12e24262
SHA-256: 6aa7d12f6b3e470c076a7a487888e14793d2954407db2ce3225a6f871b935501
Size: 18.17 MB - kernel-devel-3.10.0-1160.139.1.0.1.el7.AXS7.x86_64.rpm
MD5: a1037ef5b38870ea1c1514777fc8aa57
SHA-256: 9b39c0052d986ada523e976e55bdd9bf7d0fc5015af749825fa4cec0919f8705
Size: 18.11 MB - kernel-doc-3.10.0-1160.139.1.0.1.el7.AXS7.noarch.rpm
MD5: 132079fd6d23eeab39c81c036c62c56c
SHA-256: ca19701cc05fccb071a2c63b57d30298d9f8bcaa307beeda537b8a725a79a1a2
Size: 19.60 MB - kernel-headers-3.10.0-1160.139.1.0.1.el7.AXS7.x86_64.rpm
MD5: 8bf42a9fe837e9d8da4e51f725442343
SHA-256: 7233ff2f8e1b0dc7d8e498b5228ac4fc64ff77d5ce704b1a3016602333e0c984
Size: 9.13 MB - kernel-tools-3.10.0-1160.139.1.0.1.el7.AXS7.x86_64.rpm
MD5: 733ef09443f66dcbdeeddaf7921d9b94
SHA-256: 61177d1bc781ca1c2ac09c4afc404a6d943d516208f22c0307d30e3025bf2c5e
Size: 8.24 MB - kernel-tools-libs-3.10.0-1160.139.1.0.1.el7.AXS7.x86_64.rpm
MD5: 8608b9bd1be1e8726692b11a3ba9b88d
SHA-256: 75c460aed9bcfb5d5c7ba42b9d39a105e87fae485d0b0be99e64b49f8538e2a8
Size: 8.13 MB - perf-3.10.0-1160.139.1.0.1.el7.AXS7.x86_64.rpm
MD5: 4516307b30edd3513345279a8cc5544d
SHA-256: 147ee2b7231a5d076436972f6c672f1830b9fca10511dd67401d2fcc3e462967
Size: 9.78 MB - python-perf-3.10.0-1160.139.1.0.1.el7.AXS7.x86_64.rpm
MD5: 2a743b6e54ce92931861e740102625a1
SHA-256: 835ef815d4992851eb5541097aec2525542a146e589cdf7b94b293ed4ac1207e
Size: 8.23 MB
English