Описание
ELSA-2025-12746: kernel security update (IMPORTANT)
[5.14.0-570.32.1.0.1_6.OL9]
- nvme-pci: remove two deallocate zeroes quirks [Orabug: 37756650]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates
- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764]
[5.14.0-570.32.1_6]
- net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (Davide Caratti) [RHEL-97522] {CVE-2025-38001 CVE-2025-37890}
- sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (Davide Caratti) [RHEL-97522] {CVE-2025-38000}
- net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (Davide Caratti) [RHEL-97522] {CVE-2025-37890}
- sch_hfsc: make hfsc_qlen_notify() idempotent (Ivan Vecera) [RHEL-97522]
- HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() (CKI Backport Bot) [RHEL-98847] {CVE-2025-21928}
- HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove() (CKI Backport Bot) [RHEL-98871] {CVE-2025-21929}
[5.14.0-570.31.1_6]
- Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() (David Marlin) [RHEL-95324] {CVE-2025-37918}
- memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove (Desnes Nunes) [RHEL-99029] {CVE-2025-22020}
- misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram() (John W. Linville) [RHEL-97499] {CVE-2022-49788}
- net: tipc: fix refcount warning in tipc_aead_encrypt (Xin Long) [RHEL-103087]
- net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done (CKI Backport Bot) [RHEL-103087] {CVE-2025-38052}
- md/raid1: Add check for missing source disk in process_checks() (CKI Backport Bot) [RHEL-97439]
- net/sched: fix use-after-free in taprio_dev_notifier (CKI Backport Bot) [RHEL-101317] {CVE-2025-38087}
- padata: avoid UAF for reorder_work (Rafael Aquini) [RHEL-97031] {CVE-2025-21727 CVE-2025-21726}
- padata: fix UAF in padata_reorder (Rafael Aquini) [RHEL-97031] {CVE-2025-21727}
- padata: add pd get/put refcnt helper (Rafael Aquini) [RHEL-97031] {CVE-2025-21727}
- padata: fix sysfs store callback check (Rafael Aquini) [RHEL-97031] {CVE-2025-21727}
- padata: Clean up in padata_do_multithreaded() (Rafael Aquini) [RHEL-97031] {CVE-2025-21727}
- platform/x86: dell_rbu: Fix list usage (David Arcari) [RHEL-100908]
- cifs: Fix integer overflow while processing closetimeo mount option (CKI Backport Bot) [RHEL-87900] {CVE-2025-21962}
Обновленные пакеты
Oracle Linux 9
Oracle Linux aarch64
kernel-cross-headers
5.14.0-570.32.1.0.1.el9_6
kernel-tools-libs-devel
5.14.0-570.32.1.0.1.el9_6
kernel-headers
5.14.0-570.32.1.0.1.el9_6
perf
5.14.0-570.32.1.0.1.el9_6
rtla
5.14.0-570.32.1.0.1.el9_6
rv
5.14.0-570.32.1.0.1.el9_6
kernel-tools
5.14.0-570.32.1.0.1.el9_6
kernel-tools-libs
5.14.0-570.32.1.0.1.el9_6
python3-perf
5.14.0-570.32.1.0.1.el9_6
Oracle Linux x86_64
kernel-debug-devel
5.14.0-570.32.1.0.1.el9_6
kernel-debug-devel-matched
5.14.0-570.32.1.0.1.el9_6
kernel-devel
5.14.0-570.32.1.0.1.el9_6
kernel-devel-matched
5.14.0-570.32.1.0.1.el9_6
kernel-doc
5.14.0-570.32.1.0.1.el9_6
kernel-headers
5.14.0-570.32.1.0.1.el9_6
perf
5.14.0-570.32.1.0.1.el9_6
rtla
5.14.0-570.32.1.0.1.el9_6
rv
5.14.0-570.32.1.0.1.el9_6
kernel-cross-headers
5.14.0-570.32.1.0.1.el9_6
kernel-tools-libs-devel
5.14.0-570.32.1.0.1.el9_6
libperf
5.14.0-570.32.1.0.1.el9_6
kernel
5.14.0-570.32.1.0.1.el9_6
kernel-abi-stablelists
5.14.0-570.32.1.0.1.el9_6
kernel-core
5.14.0-570.32.1.0.1.el9_6
kernel-debug
5.14.0-570.32.1.0.1.el9_6
kernel-debug-core
5.14.0-570.32.1.0.1.el9_6
kernel-debug-modules
5.14.0-570.32.1.0.1.el9_6
kernel-debug-modules-core
5.14.0-570.32.1.0.1.el9_6
kernel-debug-modules-extra
5.14.0-570.32.1.0.1.el9_6
kernel-debug-uki-virt
5.14.0-570.32.1.0.1.el9_6
kernel-modules
5.14.0-570.32.1.0.1.el9_6
kernel-modules-core
5.14.0-570.32.1.0.1.el9_6
kernel-modules-extra
5.14.0-570.32.1.0.1.el9_6
kernel-tools
5.14.0-570.32.1.0.1.el9_6
kernel-tools-libs
5.14.0-570.32.1.0.1.el9_6
kernel-uki-virt
5.14.0-570.32.1.0.1.el9_6
kernel-uki-virt-addons
5.14.0-570.32.1.0.1.el9_6
python3-perf
5.14.0-570.32.1.0.1.el9_6
Ссылки на источники
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace: <TASK> dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0 padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0 process_one_work+0x2ec/0x5a0 If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01). This can be explained as bellow: pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(&pd->refcnt); // add refcnt ... padata_do_serial padata_reorder // pd while (1) { padata_fin...
In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace: <TASK> dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0 padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0 process_one_work+0x2ec/0x5a0 If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01). This can be explained as bellow: pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(&pd->refcnt); // add refcnt ... padata_do_serial padata_reorder // pd while (1) { padata_fin...
In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace: <TASK> dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0 padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0 process_one_work+0x2ec/0x5a0 If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01). This can be explained as bellow: pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(&pd->refcnt); // add refcnt ... padata_do_serial padata_reorder // pd while (1) { padata
In the Linux kernel, the following vulnerability has been resolved: p ...