kernel-4.18.0-553.89.1.el8_10
エラータID: AXSA:2025-11529:98
リリース日:
2025/12/15 Monday - 15:40
題名:
kernel-4.18.0-553.89.1.el8_10
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- kernel の RXE ドライバには、ローカルの攻撃者により、情報の漏洩、
データ破壊、およびサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2022-50543)
- kernel のメモリ管理機能には、NULL ポインタデリファレンス、および
競合状態に至る問題があるため、ローカルの攻撃者により、情報の漏洩、
データ破壊、およびサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2023-53401)
- kernel の RXE ドライバには、ローカルの攻撃者により、情報の漏洩、
データ破壊、およびサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2023-53539)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2022-50543
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix mr->map double free rxe_mr_cleanup() which tries to free mr->map again will be called when rxe_mr_init_user() fails: CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x45/0x5d panic+0x19e/0x349 end_report.part.0+0x54/0x7c kasan_report.cold+0xa/0xf rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe] __rxe_cleanup+0x10a/0x1e0 [rdma_rxe] rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe] ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs] ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs] This issue was firstly exposed since commit b18c7da63fcb ("RDMA/rxe: Fix memory leak in error path code") and then we fixed it in commit 8ff5f5d9d8cf ("RDMA/rxe: Prevent double freeing rxe_map_set()") but this fix was reverted together at last by commit 1e75550648da (Revert "RDMA/rxe: Create duplicate mapping tables for FMRs") Simply let rxe_mr_cleanup() always handle freeing the mr->map once it is successfully allocated.
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix mr->map double free rxe_mr_cleanup() which tries to free mr->map again will be called when rxe_mr_init_user() fails: CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace:
CVE-2023-53401
In the Linux kernel, the following vulnerability has been resolved: mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required() KCSAN found an issue in obj_stock_flush_required(): stock->cached_objcg can be reset between the check and dereference: ================================================================== BUG: KCSAN: data-race in drain_all_stock / drain_obj_stock write to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0: drain_obj_stock+0x408/0x4e0 mm/memcontrol.c:3306 refill_obj_stock+0x9c/0x1e0 mm/memcontrol.c:3340 obj_cgroup_uncharge+0xe/0x10 mm/memcontrol.c:3408 memcg_slab_free_hook mm/slab.h:587 [inline] __cache_free mm/slab.c:3373 [inline] __do_kmem_cache_free mm/slab.c:3577 [inline] kmem_cache_free+0x105/0x280 mm/slab.c:3602 __d_free fs/dcache.c:298 [inline] dentry_free fs/dcache.c:375 [inline] __dentry_kill+0x422/0x4a0 fs/dcache.c:621 dentry_kill+0x8d/0x1e0 dput+0x118/0x1f0 fs/dcache.c:913 __fput+0x3bf/0x570 fs/file_table.c:329 ____fput+0x15/0x20 fs/file_table.c:349 task_work_run+0x123/0x160 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0xcf/0xe0 kernel/entry/common.c:171 exit_to_user_mode_prepare+0x6a/0xa0 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:296 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd read to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1: obj_stock_flush_required mm/memcontrol.c:3319 [inline] drain_all_stock+0x174/0x2a0 mm/memcontrol.c:2361 try_charge_memcg+0x6d0/0xd10 mm/memcontrol.c:2703 try_charge mm/memcontrol.c:2837 [inline] mem_cgroup_charge_skmem+0x51/0x140 mm/memcontrol.c:7290 sock_reserve_memory+0xb1/0x390 net/core/sock.c:1025 sk_setsockopt+0x800/0x1e70 net/core/sock.c:1525 udp_lib_setsockopt+0x99/0x6c0 net/ipv4/udp.c:2692 udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2817 sock_common_setsockopt+0x61/0x70 net/core/sock.c:3668 __sys_setsockopt+0x1c3/0x230 net/socket.c:2271 __do_sys_setsockopt net/socket.c:2282 [inline] __se_sys_setsockopt net/socket.c:2279 [inline] __x64_sys_setsockopt+0x66/0x80 net/socket.c:2279 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd value changed: 0xffff8881382d52c0 -> 0xffff888138893740 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 Fix it by using READ_ONCE()/WRITE_ONCE() for all accesses to stock->cached_objcg.
In the Linux kernel, the following vulnerability has been resolved: mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required() KCSAN found an issue in obj_stock_flush_required(): stock->cached_objcg can be reset between the check and dereference: ================================================================== BUG: KCSAN: data-race in drain_all_stock / drain_obj_stock write to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0: drain_obj_stock+0x408/0x4e0 mm/memcontrol.c:3306 refill_obj_stock+0x9c/0x1e0 mm/memcontrol.c:3340 obj_cgroup_uncharge+0xe/0x10 mm/memcontrol.c:3408 memcg_slab_free_hook mm/slab.h:587 [inline] __cache_free mm/slab.c:3373 [inline] __do_kmem_cache_free mm/slab.c:3577 [inline] kmem_cache_free+0x105/0x280 mm/slab.c:3602 __d_free fs/dcache.c:298 [inline] dentry_free fs/dcache.c:375 [inline] __dentry_kill+0x422/0x4a0 fs/dcache.c:621 dentry_kill+0x8d/0x1e0 dput+0x118/0x1f0 fs/dcache.c:913 __fput+0x3bf/0x570 fs/file_table.c:329 ____fput+0x15/0x20 fs/file_table.c:349 task_work_run+0x123/0x160 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0xcf/0xe0 kernel/entry/common.c:171 exit_to_user_mode_prepare+0x6a/0xa0 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:296 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd read to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1: obj_stock_flush_required mm/memcontrol.c:3319 [inline] drain_all_stock+0x174/0x2a0 mm/memcontrol.c:2361 try_charge_memcg+0x6d0/0xd10 mm/memcontrol.c:2703 try_charge mm/memcontrol.c:2837 [inline] mem_cgroup_charge_skmem+0x51/0x140 mm/memcontrol.c:7290 sock_reserve_memory+0xb1/0x390 net/core/sock.c:1025 sk_setsockopt+0x800/0x1e70 net/core/sock.c:1525 udp_lib_setsockopt+0x99/0x6c0 net/ipv4/udp.c:2692 udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2817 sock_common_setsockopt+0x61/0x70 net/core/sock.c:3668 __sys_setsockopt+0x1c3/0x230 net/socket.c:2271 __do_sys_setsockopt net/socket.c:2282 [inline] __se_sys_setsockopt net/socket.c:2279 [inline] __x64_sys_setsockopt+0x66/0x80 net/socket.c:2279 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd value changed: 0xffff8881382d52c0 -> 0xffff888138893740 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 Fix it by using READ_ONCE()/WRITE_ONCE() for all accesses to stock->cached_objcg.
CVE-2023-53539
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix incomplete state save in rxe_requester If a send packet is dropped by the IP layer in rxe_requester() the call to rxe_xmit_packet() can fail with err == -EAGAIN. To recover, the state of the wqe is restored to the state before the packet was sent so it can be resent. However, the routines that save and restore the state miss a significnt part of the variable state in the wqe, the dma struct which is used to process through the sge table. And, the state is not saved before the packet is built which modifies the dma struct. Under heavy stress testing with many QPs on a fast node sending large messages to a slow node dropped packets are observed and the resent packets are corrupted because the dma struct was not restored. This patch fixes this behavior and allows the test cases to succeed.
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix incomplete state save in rxe_requester If a send packet is dropped by the IP layer in rxe_requester() the call to rxe_xmit_packet() can fail with err == -EAGAIN. To recover, the state of the wqe is restored to the state before the packet was sent so it can be resent. However, the routines that save and restore the state miss a significnt part of the variable state in the wqe, the dma struct which is used to process through the sge table. And, the state is not saved before the packet is built which modifies the dma struct. Under heavy stress testing with many QPs on a fast node sending large messages to a slow node dropped packets are observed and the resent packets are corrupted because the dma struct was not restored. This patch fixes this behavior and allows the test cases to succeed.
追加情報:
N/A
ダウンロード:
SRPMS
- kernel-4.18.0-553.89.1.el8_10.src.rpm
MD5: f8709abe9ced96f0bbe2a4d31037c86f
SHA-256: 6d31694176d46586e484a98822eb10dd2bd85d3a4da3f8ea0b9ce19a3360997b
Size: 132.32 MB
Asianux Server 8 for x86_64
- bpftool-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: 7cbe0eb4f9790b48867ec5215fc68fe0
SHA-256: 8b515710dc49bd62e7835b8774da3d838a485f51dd7f05b48f7ff9e24dbbb39b
Size: 11.27 MB - kernel-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: 6014c1f273d91648945ca99231d41082
SHA-256: 6bee7c0182f4e5c662e7720e03918894c87a433e2bca18a1e7f8be0716a48f8b
Size: 10.54 MB - kernel-abi-stablelists-4.18.0-553.89.1.el8_10.noarch.rpm
MD5: 40b5fc89b922232dd01264b4828a7d25
SHA-256: 856548aa3e399ea60f09227efa039d754007ec8b78c97a2328d8b405398668eb
Size: 10.56 MB - kernel-core-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: 4cd2a4f3567ae20dbdc12be169582cdf
SHA-256: 1cc0e9922b509d2168d1f8c26526b5c3db95b3fb6197a77067f1d2cdd2936e0e
Size: 43.57 MB - kernel-cross-headers-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: a4538cc513543bf9dd3b8d88b3f07f82
SHA-256: e87fb27be136759bc103754a7847a3563013a6e8f2d849cb6e46b62df1d6bb8a
Size: 15.89 MB - kernel-debug-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: 75d438debda20c2422edf644550c4405
SHA-256: 26a90f030085c382d63aaf87c945ce1b8765a68dcadee4eb20c193c447e4cff6
Size: 10.54 MB - kernel-debug-core-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: b0aa9137d66b6a1eeabd21b045e5dd11
SHA-256: cff5b004a45e56f2e0ead28a26d86073ab5cec62345e569b755c75d637e6f114
Size: 72.86 MB - kernel-debug-devel-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: fbb4f9f3284bef9ffa2981b87416886a
SHA-256: 0f13fe65e5a98aecf1ac3851c356aeb545f36ab4381c28a5b90772d2f452eb01
Size: 24.37 MB - kernel-debug-modules-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: 61aa54b3b4267a5305b27943eda9f02d
SHA-256: f21f6507026d757d79a2103b0b5e2acd3441f979295af4e8b44cd35003100fec
Size: 65.99 MB - kernel-debug-modules-extra-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: 7932fe1d20637beba001c5edd0eddc02
SHA-256: 717ffef0e775f7f3bb06d55825c552ba35875b968499305374dd8ba3eae97b46
Size: 11.92 MB - kernel-devel-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: b2adc277ea5cfa592f22172f3fc25d41
SHA-256: 8855863bcce545955215587fa960d00480e08f780fc699a4d5438ea10c6ea3ad
Size: 24.17 MB - kernel-doc-4.18.0-553.89.1.el8_10.noarch.rpm
MD5: 71ffc8eb2447d9c9cf43f8a492ef8022
SHA-256: f6436814c1f8e04ff2d529164a564882d1eb27b220a5777d6f0c1ba4f52f35f4
Size: 28.41 MB - kernel-headers-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: ce1c014e4c8751cc439c63749edd34e1
SHA-256: 90a8d219e01a582de4e36ba0ca0087daf7687b879ff41ae07337242015320fe2
Size: 11.89 MB - kernel-modules-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: 2d777e5b1225fbcf6a5978f146edfd56
SHA-256: 16a0de76143ba3b300590015d14fd27121aad226cbbc9b686bad402029adc12c
Size: 36.37 MB - kernel-modules-extra-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: 42034d51754c6aa40daa2b093a5dad83
SHA-256: ab77ed084fed6c3ecc734e986470aabedf78aaec838fddef0b1237ca28822076
Size: 11.23 MB - kernel-tools-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: a1d574fb1491e7ccccb57630c20b5b32
SHA-256: 6f1465acb06293a09325dba7832313cc162250040f569c861734a18999070cc1
Size: 10.76 MB - kernel-tools-libs-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: e2ce8b5032f7e96b5c9138b6517d00f9
SHA-256: 06aa77926f33375b490e8d9b93aa812ef9679508948f520281e68672f8f52049
Size: 10.55 MB - kernel-tools-libs-devel-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: 26159569bb3518ef42ec20a7e3e413f6
SHA-256: eea045a972ed72da8d45468ec9bedb8b5c889a35c8e169782879eecb541e0e79
Size: 10.54 MB - perf-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: d56a717b820c449db09f7be4a3157279
SHA-256: 33d49df48d0995effed889d0630f3a8e6138f7f9c6dc79e025a875dc656cda5d
Size: 12.86 MB - python3-perf-4.18.0-553.89.1.el8_10.x86_64.rpm
MD5: 03ab72e7332534a724f501a6ef05af22
SHA-256: 37f634f749e9ff19ac66b0b7f2dd608665ff1b4cb7c70fee90cae3c274e30f26
Size: 10.67 MB
English