Описание
ELSA-2024-12713: Unbreakable Enterprise kernel security update (IMPORTANT)
[5.15.0-300.163.18.1]
- vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() (Haoran Zhang) [Orabug: 37132350]
Обновленные пакеты
Oracle Linux 8
Oracle Linux aarch64
bpftool
5.15.0-300.163.18.1.el8uek
kernel-uek
5.15.0-300.163.18.1.el8uek
kernel-uek-container
5.15.0-300.163.18.1.el8uek
kernel-uek-container-debug
5.15.0-300.163.18.1.el8uek
kernel-uek-core
5.15.0-300.163.18.1.el8uek
kernel-uek-debug
5.15.0-300.163.18.1.el8uek
kernel-uek-debug-core
5.15.0-300.163.18.1.el8uek
kernel-uek-debug-devel
5.15.0-300.163.18.1.el8uek
kernel-uek-debug-modules
5.15.0-300.163.18.1.el8uek
kernel-uek-debug-modules-extra
5.15.0-300.163.18.1.el8uek
kernel-uek-devel
5.15.0-300.163.18.1.el8uek
kernel-uek-doc
5.15.0-300.163.18.1.el8uek
kernel-uek-modules
5.15.0-300.163.18.1.el8uek
kernel-uek-modules-extra
5.15.0-300.163.18.1.el8uek
Oracle Linux x86_64
bpftool
5.15.0-300.163.18.1.el8uek
kernel-uek
5.15.0-300.163.18.1.el8uek
kernel-uek-container
5.15.0-300.163.18.1.el8uek
kernel-uek-container-debug
5.15.0-300.163.18.1.el8uek
kernel-uek-core
5.15.0-300.163.18.1.el8uek
kernel-uek-debug
5.15.0-300.163.18.1.el8uek
kernel-uek-debug-core
5.15.0-300.163.18.1.el8uek
kernel-uek-debug-devel
5.15.0-300.163.18.1.el8uek
kernel-uek-debug-modules
5.15.0-300.163.18.1.el8uek
kernel-uek-debug-modules-extra
5.15.0-300.163.18.1.el8uek
kernel-uek-devel
5.15.0-300.163.18.1.el8uek
kernel-uek-doc
5.15.0-300.163.18.1.el8uek
kernel-uek-modules
5.15.0-300.163.18.1.el8uek
kernel-uek-modules-extra
5.15.0-300.163.18.1.el8uek
Oracle Linux 9
Oracle Linux aarch64
bpftool
5.15.0-300.163.18.1.el9uek
kernel-uek
5.15.0-300.163.18.1.el9uek
kernel-uek-container
5.15.0-300.163.18.1.el9uek
kernel-uek-container-debug
5.15.0-300.163.18.1.el9uek
kernel-uek-core
5.15.0-300.163.18.1.el9uek
kernel-uek-debug
5.15.0-300.163.18.1.el9uek
kernel-uek-debug-core
5.15.0-300.163.18.1.el9uek
kernel-uek-debug-devel
5.15.0-300.163.18.1.el9uek
kernel-uek-debug-modules
5.15.0-300.163.18.1.el9uek
kernel-uek-debug-modules-extra
5.15.0-300.163.18.1.el9uek
kernel-uek-devel
5.15.0-300.163.18.1.el9uek
kernel-uek-doc
5.15.0-300.163.18.1.el9uek
kernel-uek-modules
5.15.0-300.163.18.1.el9uek
kernel-uek-modules-extra
5.15.0-300.163.18.1.el9uek
Oracle Linux x86_64
bpftool
5.15.0-300.163.18.1.el9uek
kernel-uek
5.15.0-300.163.18.1.el9uek
kernel-uek-container
5.15.0-300.163.18.1.el9uek
kernel-uek-container-debug
5.15.0-300.163.18.1.el9uek
kernel-uek-core
5.15.0-300.163.18.1.el9uek
kernel-uek-debug
5.15.0-300.163.18.1.el9uek
kernel-uek-debug-core
5.15.0-300.163.18.1.el9uek
kernel-uek-debug-devel
5.15.0-300.163.18.1.el9uek
kernel-uek-debug-modules
5.15.0-300.163.18.1.el9uek
kernel-uek-debug-modules-extra
5.15.0-300.163.18.1.el9uek
kernel-uek-devel
5.15.0-300.163.18.1.el9uek
kernel-uek-doc
5.15.0-300.163.18.1.el9uek
kernel-uek-modules
5.15.0-300.163.18.1.el9uek
kernel-uek-modules-extra
5.15.0-300.163.18.1.el9uek
Связанные CVE
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from control queue handler") a null pointer dereference bug can be triggered when guest sends an SCSI AN request. In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with `&v_req.tmf.lun[1]` within a switch-case block and is then passed to vhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for a `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is set to NULL in this branch. Later, in vhost_scsi_get_req(), `vc->target` is dereferenced without being checked, leading to a null pointer dereference bug. This bug can be triggered from guest. When this bug occurs, the vhost_worker process is killed while holding `vq->mutex` and the corresponding tpg will remain occupied indefinitely. Below is the KASAN report: Oops: general protection fault, probably for non-c...
In the Linux kernel, the following vulnerability has been resolved: vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from control queue handler") a null pointer dereference bug can be triggered when guest sends an SCSI AN request. In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with `&v_req.tmf.lun[1]` within a switch-case block and is then passed to vhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for a `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is set to NULL in this branch. Later, in vhost_scsi_get_req(), `vc->target` is dereferenced without being checked, leading to a null pointer dereference bug. This bug can be triggered from guest. When this bug occurs, the vhost_worker process is killed while holding `vq->mutex` and the corresponding tpg will remain occupied indefinitely. Below is the KASAN report: Oops: general protection fault, probably for non-canoni...
In the Linux kernel, the following vulnerability has been resolved: vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from control queue handler") a null pointer dereference bug can be triggered when guest sends an SCSI AN request. In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with `&v_req.tmf.lun[1]` within a switch-case block and is then passed to vhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for a `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is set to NULL in this branch. Later, in vhost_scsi_get_req(), `vc->target` is dereferenced without being checked, leading to a null pointer dereference bug. This bug can be triggered from guest. When this bug occurs, the vhost_worker process is killed while holding `vq->mutex` and the corresponding tpg will remain occupied indefinitely. Below is the KASAN report: Oops: general protection fault, probably for non-cano
In the Linux kernel, the following vulnerability has been resolved: v ...