Description
Security update for the Linux Kernel
The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security bugfixes.
The following security bugs were fixed:
- CVE-2021-47104: Fixed memory leak in qib_user_sdma_queue_pkts() (bsc#1220960).
- CVE-2021-47321: Fixed possible use-after-free by calling del_timer_sync() (bsc#1225060).
- CVE-2021-47324: Fixed possible use-after-free in wdt_startup() (bsc#1225030).
- CVE-2021-47323: Fixed possible use-after-free in wdt_turnoff() (bsc#1225026).
- CVE-2021-47383: Fixed out-of-bound vmalloc access in imageblit (bsc#1225208).
- CVE-2021-47511: Fixed negative period/buffer sizes (bsc#1225411).
- CVE-2021-47391: Ensure rdma_addr_cancel() happens before issuing more requests (bsc#1225318).
- CVE-2021-47347: Fixed possible buffer overflow in wl1251_cmd_scan (bsc#1225177).
Package list
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE
References
- Link for SUSE-SU-2024:1978-1
- E-Mail link for SUSE-SU-2024:1978-1
- SUSE Security Ratings
- SUSE Bug 1220960
- SUSE Bug 1222619
- SUSE Bug 1224904
- SUSE Bug 1225026
- SUSE Bug 1225030
- SUSE Bug 1225060
- SUSE Bug 1225177
- SUSE Bug 1225208
- SUSE Bug 1225318
- SUSE Bug 1225411
- SUSE CVE CVE-2021-47104 page
- SUSE CVE CVE-2021-47321 page
- SUSE CVE CVE-2021-47323 page
- SUSE CVE CVE-2021-47324 page
- SUSE CVE CVE-2021-47347 page
- SUSE CVE CVE-2021-47383 page
- SUSE CVE CVE-2021-47391 page
Description
In the Linux kernel, the following vulnerability has been resolved:

IB/qib: Fix memory leak in qib_user_sdma_queue_pkts()

The wrong goto label was used for the error case and missed cleanup of the pkt allocation.

Addresses-Coverity-ID: 1493352 ("Resource leak")
Affected products
References
- CVE-2021-47104
- SUSE Bug 1220960
Description
In the Linux kernel, the following vulnerability has been resolved:

watchdog: Fix possible use-after-free by calling del_timer_sync()

This driver's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and is unable to re-schedule itself.
Affected products
References
- CVE-2021-47321
- SUSE Bug 1225060
Description
In the Linux kernel, the following vulnerability has been resolved:

watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff()

This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and is unable to re-schedule itself.
Affected products
References
- CVE-2021-47323
- SUSE Bug 1225026
- SUSE Bug 1227557
Description
In the Linux kernel, the following vulnerability has been resolved:

watchdog: Fix possible use-after-free in wdt_startup()

This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and is unable to re-schedule itself.
Affected products
References
- CVE-2021-47324
- SUSE Bug 1225030
- SUSE Bug 1225038
Description
In the Linux kernel, the following vulnerability has been resolved:

wl1251: Fix possible buffer overflow in wl1251_cmd_scan

Function wl1251_cmd_scan calls memcpy without checking the length. Harden by checking the length is within the maximum allowed size.
Affected products
References
- CVE-2021-47347
- SUSE Bug 1225177
- SUSE Bug 1225305
Description
In the Linux kernel, the following vulnerability has been resolved:

tty: Fix out-of-bound vmalloc access in imageblit

This issue happens when a userspace program does an ioctl FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct containing only the fields xres, yres, and bits_per_pixel with values.

If this struct is the same as the previous ioctl, the vc_resize() detects it and doesn't call the resize_screen(), leaving the fb_var_screeninfo incomplete. And this leads the updatescrollmode() to calculate a wrong value for fbcon_display->vrows, which makes the real_y() return a wrong value of y, and that value, eventually, causes the imageblit to access an out-of-bound address value.

To solve this issue I made the resize_screen() be called even if the screen does not need any resizing, so it will "fix and fill" the fb_var_screeninfo independently.
Affected products
References
- CVE-2021-47383
- SUSE Bug 1225208
- SUSE Bug 1225211
Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests

The FSM can run in a circle allowing rdma_resolve_ip() to be called twice on the same id_priv. While this cannot happen without going through the work, it violates the invariant that the same address resolution background request cannot be active twice.

           CPU 1                                  CPU 2

    rdma_resolve_addr():
      RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY
      rdma_resolve_ip(addr_handler)  #1

                             process_one_req(): for #1
                              addr_handler():
                                RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND
                                mutex_unlock(&id_priv->handler_mutex);
                                [.. handler still running ..]

    rdma_resolve_addr():
      RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY
      rdma_resolve_ip(addr_handler)
        !! two requests are now on the req_list

    rdma_destroy_id():
     destroy_id_handler_unlock():
      _destroy_id():
       cma_cancel_operation():
        rdma_addr_cancel()

                              // process_one_req() self removes it
                              spin_lock_bh(&lock);
                               cancel_delayed_work(&req->work);
                               if (!list_empty(&req->list)) == true

          ! rdma_addr_cancel() returns after process_on_req #1 is done

       kfree(id_priv)

                             process_one_req(): for #2
                              addr_handler():
                                mutex_lock(&id_priv->handler_mutex);
                                !! Use after free on id_priv

rdma_addr_cancel() expects there to be one req on the list and only cancels the first one. The self-removal behavior of the work only happens after the handler has returned. This yields a situation where the req_list can have two reqs for the same "handle" but rdma_addr_cancel() only cancels the first one.

The second req remains active beyond rdma_destroy_id() and will use-after-free id_priv once it inevitably triggers.

Fix this by remembering if the id_priv has called rdma_resolve_ip() and always cancel before calling it again. This ensures the req_list never gets more than one item in it and doesn't cost anything in the normal flow that never uses this strange error path.
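The req_list invariant described above, as a small userspace model added here for illustration; it is not code from the kernel or from the advisory. The names `id_model`, `resolve_addr`, `addr_cancel` and `dangling_after_destroy` are hypothetical stand-ins, and the model only counts leftover requests rather than freeing anything.

```c
/* Added illustration: userspace model of the req_list invariant, not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_REQS 8

struct id_model { bool used_resolve_ip; };         /* stands in for id_priv */
static const struct id_model *req_list[MAX_REQS];  /* pending requests, keyed by handle */

static int pending_for(const struct id_model *id)
{
    int n = 0;
    for (size_t i = 0; i < MAX_REQS; i++)
        n += (req_list[i] == id);
    return n;
}

/* As described for rdma_addr_cancel(): only the first matching req is cancelled. */
static void addr_cancel(const struct id_model *id)
{
    for (size_t i = 0; i < MAX_REQS; i++)
        if (req_list[i] == id) { req_list[i] = NULL; return; }
}

static void resolve_ip(const struct id_model *id)
{
    for (size_t i = 0; i < MAX_REQS; i++)
        if (!req_list[i]) { req_list[i] = id; return; }
}

/* fixed=true models the remedy: remember the earlier request, cancel it first. */
static void resolve_addr(struct id_model *id, bool fixed)
{
    if (fixed && id->used_resolve_ip)
        addr_cancel(id);
    id->used_resolve_ip = true;
    resolve_ip(id);
}

/* Requests still naming the id after the destroy path ran (nonzero = dangling). */
int dangling_after_destroy(bool fixed)
{
    struct id_model id = { false };
    for (size_t i = 0; i < MAX_REQS; i++) req_list[i] = NULL;
    resolve_addr(&id, fixed);  /* request #1 */
    resolve_addr(&id, fixed);  /* FSM loops: second call on the same id */
    addr_cancel(&id);          /* destroy path cancels once, then would free id */
    return pending_for(&id);
}

int main(void)
{
    printf("unfixed: %d dangling, fixed: %d dangling\n",
           dangling_after_destroy(false), dangling_after_destroy(true));
    return 0;
}
```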
Affected products
References
- CVE-2021-47391
- SUSE Bug 1225318
- SUSE Bug 1225319
Description
In the Linux kernel, the following vulnerability has been resolved:

IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields

Overflowing either addrlimit or bytes_togo can allow userspace to trigger a buffer overflow of kernel memory. Check for overflows in all the places doing math on user controlled buffers.
Affected products
References
- CVE-2021-47485
- SUSE Bug 1224904
Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: oss: Fix negative period/buffer sizes

The period size calculation in OSS layer may receive a negative value as an error, but the code there assumes only the positive values and handles them with size_t. Due to that, a too big value may be passed to the lower layers.

This patch changes the code to handle with ssize_t and adds the proper error checks appropriately.
Affected products
References
- CVE-2021-47511
- SUSE Bug 1225411
- SUSE Bug 1227700
Description
In the Linux kernel, the following vulnerability has been resolved:

tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc

Any unprivileged user can attach N_GSM0710 ldisc, but it requires CAP_NET_ADMIN to create a GSM network anyway.

Require initial namespace CAP_NET_ADMIN to do that.
Affected products
References
- CVE-2023-52880
- SUSE Bug 1222619
Description
** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Affected products
References
- CVE-2024-26929
- SUSE Bug 1223715
- SUSE Bug 1223716
Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix double free of the ha->vp_map pointer

Coverity scan reported potential risk of double free of the pointer ha->vp_map. ha->vp_map was freed in qla2x00_mem_alloc(), and again freed in function qla2x00_mem_free(ha).

Assign NULL to vp_map and kfree takes care of NULL.
Affected products
References
- CVE-2024-26930
- SUSE Bug 1223626
- SUSE Bug 1223681