SUSE-SU-2024:2939-1

Опубликовано: 16 авг. 2024

Источник: suse-cvrf

Описание

Security update for the Linux Kernel

The SUSE Linux Enterprise 15 SP5 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

CVE-2021-47086: phonet/pep: refuse to enable an unbound pipe (bsc#1220952).
CVE-2021-47089: kfence: fix memory leak when cat kfence objects (bsc#1220958).
CVE-2021-47103: net: sock: preserve kabi for sock (bsc#1221010).
CVE-2021-47186: tipc: check for null after calling kmemdup (bsc#1222702).
CVE-2021-47432: lib/generic-radix-tree.c: Do not overflow in peek() (bsc#1225391).
CVE-2021-47515: seg6: fix the iif in the IPv6 socket control block (bsc#1225426).
CVE-2021-47538: rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer() (bsc#1225448).
CVE-2021-47539: rxrpc: Fix rxrpc_peer leak in rxrpc_look_up_bundle() (bsc#1225452).
CVE-2021-47546: ipv6: fix memory leak in fib6_rule_suppress (bsc#1225504).
CVE-2021-47547: net: tulip: de4x5: fix the problem that the array 'lp->phy' may be out of bound (bsc#1225505).
CVE-2021-47555: net: vlan: fix underflow for the real_dev refcnt (bsc#1225467).
CVE-2021-47566: Fix clearing user buffer by properly using clear_user() (bsc#1225514).
CVE-2021-47571: staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() (bsc#1225518).
CVE-2021-47572: net: nexthop: fix null pointer dereference when IPv6 is not enabled (bsc#1225389).
CVE-2021-47588: sit: do not call ipip6_dev_free() from sit_init_net() (bsc#1226568).
CVE-2021-47590: mptcp: fix deadlock in __mptcp_push_pending() (bsc#1226565).
CVE-2021-47591: mptcp: remove tcp ulp setsockopt support (bsc#1226570).
CVE-2021-47593: mptcp: clear 'kern' flag from fallback sockets (bsc#1226551).
CVE-2021-47598: sch_cake: do not call cake_destroy() from cake_init() (bsc#1226574).
CVE-2021-47599: btrfs: use latest_dev in btrfs_show_devname (bsc#1226571).
CVE-2021-47606: net: netlink: af_netlink: Prevent empty skb by adding a check on len. (bsc#1226555).
CVE-2021-47623: powerpc/fixmap: Fix VM debug warning on unmap (bsc#1227919).
CVE-2022-48716: ASoC: codecs: wcd938x: fix incorrect used of portid (bsc#1226678).
CVE-2022-48785: ipv6: mcast: use rcu-safe version of ipv6_get_lladdr() (bsc#1227927)
CVE-2022-48810: ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path (bsc#1227936).
CVE-2022-48850: net-sysfs: add check for netdevice being present to speed_show (bsc#1228071).
CVE-2022-48855: sctp: fix kernel-infoleak for SCTP sockets (bsc#1228003).
CVE-2023-24023: Bluetooth: Add more enc key size check (bsc#1218148).
CVE-2023-52435: net: prevent mss overflow in skb_segment() (bsc#1220138).
CVE-2023-52573: net: rds: Fix possible NULL-pointer dereference (bsc#1220869).
CVE-2023-52580: net/core: Fix ETH_P_1588 flow dissector (bsc#1220876).
CVE-2023-52622: ext4: avoid online resizing failures due to oversized flex bg (bsc#1222080).
CVE-2023-52658: Revert 'net/mlx5: Block entering switchdev mode with ns inconsistency' (bsc#1224719).
CVE-2023-52667: net/mlx5e: fix a potential double-free in fs_any_create_groups (bsc#1224603).
CVE-2023-52670: rpmsg: virtio: Free driver_override when rpmsg_remove() (bsc#1224696).
CVE-2023-52672: pipe: wakeup wr_wait after setting max_usage (bsc#1224614).
CVE-2023-52675: powerpc/imc-pmu: Add a null pointer check in update_events_in_group() (bsc#1224504).
CVE-2023-52735: bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself (bsc#1225475).
CVE-2023-52737: btrfs: lock the inode in shared mode before starting fiemap (bsc#1225484).
CVE-2023-52751: smb: client: fix use-after-free in smb2_query_info_compound() (bsc#1225489).
CVE-2023-52752: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() (bsc#1225487).
CVE-2023-52762: virtio-blk: fix implicit overflow on virtio_max_dma_size (bsc#1225573).
CVE-2023-52775: net/smc: avoid data corruption caused by decline (bsc#1225088).
CVE-2023-52784: bonding: stop the device in bond_setup_by_slave() (bsc#1224946).
CVE-2023-52787: blk-mq: make sure active queue usage is held for bio_integrity_prep() (bsc#1225105).
CVE-2023-52812: drm/amd: check num of link levels when update pcie param (bsc#1225564).
CVE-2023-52835: perf/core: Bail out early if the request AUX area is out of bound (bsc#1225602).
CVE-2023-52837: nbd: fix uaf in nbd_open (bsc#1224935).
CVE-2023-52843: llc: verify mac len before reading mac header (bsc#1224951).
CVE-2023-52845: tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING (bsc#1225585).
CVE-2023-52846: hsr: Prevent use after free in prp_create_tagged_frame() (bsc#1225098).
CVE-2023-52857: drm/mediatek: Fix coverity issue with unintentional integer overflow (bsc#1225581).
CVE-2023-52863: hwmon: (axi-fan-control) Fix possible NULL pointer dereference (bsc#1225586).
CVE-2023-52869: pstore/platform: Add check for kstrdup (bsc#1225050).
CVE-2023-52881: tcp: do not accept ACK of bytes we never sent (bsc#1225611).
CVE-2023-52882: clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change (bsc#1225692).
CVE-2024-26615: net/smc: fix illegal rmb_desc access in SMC-D connection dump (bsc#1220942).
CVE-2024-26625: Call sock_orphan() at release time (bsc#1221086)
CVE-2024-26633: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() (bsc#1221647).
CVE-2024-26635: llc: Drop support for ETH_P_TR_802_2 (bsc#1221656).
CVE-2024-26636: llc: make llc_ui_sendmsg() more robust against bonding changes (bsc#1221659).
CVE-2024-26641: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() (bsc#1221654).
CVE-2024-26644: btrfs: do not abort filesystem when attempting to snapshot deleted subvolume (bsc#1221282, bsc#1222072).
CVE-2024-26661: drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' (bsc#1222323).
CVE-2024-26663: tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() (bsc#1222326).
CVE-2024-26665: tunnels: fix out of bounds access when building IPv6 PMTU error (bsc#1222328).
CVE-2024-26720: mm: Avoid overflows in dirty throttling logic (bsc#1222364).
CVE-2024-26802: stmmac: Clear variable when destroying workqueue (bsc#1222799).
CVE-2024-26813: vfio/platform: Create persistent IRQ handlers (bsc#1222809).
CVE-2024-26814: vfio/fsl-mc: Block calling interrupt handler without trigger (bsc#1222810).
CVE-2024-26842: scsi: target: core: Add TMF to tmr_list handling (bsc#1223013).
CVE-2024-26845: scsi: target: core: Add TMF to tmr_list handling (bsc#1223018).
CVE-2024-26863: hsr: Fix uninit-value access in hsr_get_node() (bsc#1223021).
CVE-2024-26923: Fixed false-positive lockdep splat for spin_lock() in __unix_gc() (bsc#1223384).
CVE-2024-26961: mac802154: fix llsec key resources release in mac802154_llsec_key_del (bsc#1223652).
CVE-2024-26973: fat: fix uninitialized field in nostale filehandles (bsc#1223641).
CVE-2024-27015: netfilter: flowtable: incorrect pppoe tuple (bsc#1223806).
CVE-2024-27019: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() (bsc#1223813)
CVE-2024-27020: netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() (bsc#1223815)
CVE-2024-27025: nbd: null check for nla_nest_start (bsc#1223778)
CVE-2024-27065: netfilter: nf_tables: do not compare internal table flags on updates (bsc#1223836).
CVE-2024-27402: phonet/pep: fix racy skb_queue_empty() use (bsc#1224414).
CVE-2024-27432: net: ethernet: mtk_eth_soc: fix PPE hanging issue (bsc#1224716).
CVE-2024-27437: vfio/pci: Disable auto-enable of exclusive INTx IRQ (bsc#1222625).
CVE-2024-35247: fpga: region: add owner module and take its refcount (bsc#1226948).
CVE-2024-35789: Check fast rx for non-4addr sta VLAN changes (bsc#1224749).
CVE-2024-35790: usb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group (bsc#1224712).
CVE-2024-35805: dm snapshot: fix lockup in dm_exception_table_exit (bsc#1224743).
CVE-2024-35807: ext4: fix corruption during on-line resize (bsc#1224735).
CVE-2024-35819: soc: fsl: qbman: Use raw spinlock for cgr_lock (bsc#1224683).
CVE-2024-35835: net/mlx5e: fix a double-free in arfs_create_groups (bsc#1224605).
CVE-2024-35837: net: mvpp2: clear BM pool before initialization (bsc#1224500).
CVE-2024-35848: eeprom: at24: fix memory corruption race condition (bsc#1224612).
CVE-2024-35853: mlxsw: spectrum_acl_tcam: Fix memory leak during rehash (bsc#1224604).
CVE-2024-35857: icmp: prevent possible NULL dereferences from icmp_build_probe() (bsc#1224619).
CVE-2024-35861: Fixed potential UAF in cifs_signal_cifsd_for_reconnect() (bsc#1224766).
CVE-2024-35862: Fixed potential UAF in smb2_is_network_name_deleted() (bsc#1224764).
CVE-2024-35864: Fixed potential UAF in smb2_is_valid_lease_break() (bsc#1224765).
CVE-2024-35869: smb: client: guarantee refcounted children from parent session (bsc#1224679).
CVE-2024-35884: udp: do not accept non-tunnel GSO skbs landing in a tunnel (bsc#1224520).
CVE-2024-35886: ipv6: Fix infinite recursion in fib6_dump_done() (bsc#1224670).
CVE-2024-35889: idpf: fix kernel panic on unknown packet types (bsc#1224517).
CVE-2024-35890: gro: fix ownership transfer (bsc#1224516).
CVE-2024-35893: net/sched: act_skbmod: prevent kernel-infoleak (bsc#1224512)
CVE-2024-35898: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() (bsc#1224498).
CVE-2024-35899: netfilter: nf_tables: flush pending destroy work before exit_net release (bsc#1224499)
CVE-2024-35900: netfilter: nf_tables: reject new basechain after table flag update (bsc#1224497).
CVE-2024-35925: block: prevent division by zero in blk_rq_stat_sum() (bsc#1224661).
CVE-2024-35934: net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list() (bsc#1224641)
CVE-2024-35949: btrfs: make sure that WRITTEN is set on all metadata blocks (bsc#1224700).
CVE-2024-35950: drm/client: Fully protect modes with dev->mode_config.mutex (bsc#1224703).
CVE-2024-35956: Fixed qgroup prealloc rsv leak in subvolume operations (bsc#1224674)
CVE-2024-35958: net: ena: Fix incorrect descriptor free behavior (bsc#1224677).
CVE-2024-35960: net/mlx5: Properly link new fs rules into the tree (bsc#1224588).
CVE-2024-35961: net/mlx5: Register devlink first under devlink lock (bsc#1224585).
CVE-2024-35979: raid1: fix use-after-free for original bio in raid1_write_request() (bsc#1224572).
CVE-2024-35995: ACPI: CPPC: Use access_width over bit_width for system memory accesses (bsc#1224557).
CVE-2024-35997: Remove I2C_HID_READ_PENDING flag to prevent lock-up (bsc#1224552).
CVE-2024-36000: mm/hugetlb: fix missing hugetlb_lock for resv uncharge (bsc#1224548).
CVE-2024-36004: i40e: Do not use WQ_MEM_RECLAIM flag for workqueue (bsc#1224545)
CVE-2024-36005: netfilter: nf_tables: honor table dormant flag from netdev release event path (bsc#1224539).
CVE-2024-36008: ipv4: check for NULL idev in ip_route_use_hint() (bsc#1224540).
CVE-2024-36017: rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation (bsc#1225681).
CVE-2024-36020: i40e: fix vf may be used uninitialized in this function warning (bsc#1225698).
CVE-2024-36021: net: hns3: fix kernel crash when devlink reload during pf initialization (bsc#1225699).
CVE-2024-36478: null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' (bsc#1226841).
CVE-2024-36479: fpga: bridge: add owner module and take its refcount (bsc#1226949).
CVE-2024-36890: mm/slab: make __free(kfree) accept error pointers (bsc#1225714).
CVE-2024-36894: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete (bsc#1225749).
CVE-2024-36899: gpiolib: cdev: Fix use after free in lineinfo_changed_notify (bsc#1225737).
CVE-2024-36900: net: hns3: fix kernel crash when devlink reload during initialization (bsc#1225726).
CVE-2024-36901: ipv6: prevent NULL dereference in ip6_output() (bsc#1225711)
CVE-2024-36902: ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() (bsc#1225719).
CVE-2024-36904: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique() (bsc#1225732).
CVE-2024-36909: Drivers: hv: vmbus: Do not free ring buffers that couldn't be re-encrypted (bsc#1225744).
CVE-2024-36910: uio_hv_generic: Do not free decrypted memory (bsc#1225717).
CVE-2024-36911: hv_netvsc: Do not free decrypted memory (bsc#1225745).
CVE-2024-36912: Drivers: hv: vmbus: Track decrypted status in vmbus_gpadl (bsc#1225752).
CVE-2024-36913: Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails (bsc#1225753).
CVE-2024-36914: drm/amd/display: Skip on writeback when it's not applicable (bsc#1225757).
CVE-2024-36915: nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies (bsc#1225758).
CVE-2024-36916: blk-iocost: avoid out of bounds shift (bsc#1225759).
CVE-2024-36917: block: fix overflow in blk_ioctl_discard() (bsc#1225770).
CVE-2024-36919: scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload (bsc#1225767).
CVE-2024-36923: fs/9p: fix uninitialized values during inode evict (bsc#1225815).
CVE-2024-36934: bna: ensure the copied buf is NUL terminated (bsc#1225760).
CVE-2024-36937: xdp: use flags field to disambiguate broadcast redirect (bsc#1225834).
CVE-2024-36939: nfs: Handle error of rpc_proc_register() in nfs_net_init() (bsc#1225838).
CVE-2024-36940: pinctrl: core: delete incorrect free in pinctrl_enable() (bsc#1225840).
CVE-2024-36945: net/smc: fix neighbour and rtable leak in smc_ib_find_route() (bsc#1225823).
CVE-2024-36946: phonet: fix rtm_phonet_notify() skb allocation (bsc#1225851).
CVE-2024-36949: amd/amdkfd: sync all devices to wait all processes being evicted (bsc#1225872)
CVE-2024-36964: fs/9p: only translate RWX permissions for plain 9P2000 (bsc#1225866).
CVE-2024-36971: net: fix __dst_negative_advice() race (bsc#1226145).
CVE-2024-36974: net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP (bsc#1226519).
CVE-2024-36978: net: sched: sch_multiq: fix possible OOB write in multiq_tune() (bsc#1226514).
CVE-2024-37021: fpga: manager: add owner module and take its refcount (bsc#1226950).
CVE-2024-37078: nilfs2: fix potential kernel bug due to lack of writeback flag waiting (bsc#1227066).
CVE-2024-37354: btrfs: fix crash on racing fsync and size-extending write into prealloc (bsc#1227101).
CVE-2024-38545: RDMA/hns: Fix UAF for cq async event (bsc#1226595).
CVE-2024-38553: net: fec: remove .ndo_poll_controller to avoid deadlock (bsc#1226744).
CVE-2024-38555: net/mlx5: Discard command completions in internal error (bsc#1226607).
CVE-2024-38556: net/mlx5: Add a timeout to acquire the command queue semaphore (bsc#1226774).
CVE-2024-38557: net/mlx5: Reload only IB representors upon lag disable/enable (bsc#1226781).
CVE-2024-38558: net: openvswitch: fix overwriting ct original tuple for ICMPv6 (bsc#1226783).
CVE-2024-38559: scsi: qedf: Ensure the copied buf is NUL terminated (bsc#1226785).
CVE-2024-38560: scsi: bfa: Ensure the copied buf is NUL terminated (bsc#1226786).
CVE-2024-38564: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE (bsc#1226789).
CVE-2024-38568: drivers/perf: hisi: hns3: Fix out-of-bound access when valid event group (bsc#1226771).
CVE-2024-38570: gfs2: Fix potential glock use-after-free on unmount (bsc#1226775).
CVE-2024-38578: ecryptfs: Fix buffer size for tag 66 packet (bsc#1226634).
CVE-2024-38580: epoll: be better about file lifetimes (bsc#1226610).
CVE-2024-38586: r8169: Fix possible ring buffer corruption on fragmented Tx packets (bsc#1226750).
CVE-2024-38594: net: stmmac: move the EST lock to struct stmmac_priv (bsc#1226734).
CVE-2024-38597: eth: sungem: remove .ndo_poll_controller to avoid deadlocks (bsc#1226749).
CVE-2024-38598: md: fix resync softlockup when bitmap size is less than array size (bsc#1226757).
CVE-2024-38603: drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset() (bsc#1226842).
CVE-2024-38608: net/mlx5e: Fix netif state handling (bsc#1226746).
CVE-2024-38627: stm class: Fix a double free in stm_register_device() (bsc#1226857).
CVE-2024-38628: usb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind (bsc#1226911).
CVE-2024-38659: enic: Validate length of nl attributes in enic_set_vf_port (bsc#1226883).
CVE-2024-38661: s390/ap: Fix crash in AP internal function modify_bitmap() (bsc#1226996).
CVE-2024-38780: dma-buf/sw-sync: do not enable IRQ from sync_print_obj() (bsc#1226886).
CVE-2024-39276: ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() (bsc#1226993).
CVE-2024-39301: net/9p: fix uninit-value in p9_client_rpc() (bsc#1226994).
CVE-2024-39371: io_uring: check for non-NULL file pointer in io_file_can_poll() (bsc#1226990).
CVE-2024-39463: 9p: add missing locking around taking dentry fid list (bsc#1227090).
CVE-2024-39468: smb: client: fix deadlock in smb2_find_smb_tcon() (bsc#1227103).
CVE-2024-39469: nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors (bsc#1226992).
CVE-2024-39472: xfs: fix log recovery buffer allocation for the legacy h_size fixup (bsc#1227432).
CVE-2024-39475: fbdev: savage: Handle err return when savagefb_check_var failed (bsc#1227435)
CVE-2024-39482: bcache: fix variable length array abuse in btree_iter (bsc#1227447).
CVE-2024-39487: bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() (bsc#1227573)
CVE-2024-39490: ipv6: sr: fix missing sk_buff release in seg6_input_core (bsc#1227626).
CVE-2024-39493: crypto: qat - fix ADF_DEV_RESET_SYNC memory leak (bsc#1227620).
CVE-2024-39494: ima: Fix use-after-free on a dentry's dname.name (bsc#1227716).
CVE-2024-39497: drm/shmem-helper: fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) (bsc#1227722).
CVE-2024-39502: ionic: fix use after netif_napi_del() (bsc#1227755).
CVE-2024-39506: liquidio: adjust a NULL pointer handling path in lio_vf_rep_copy_packet (bsc#1227729).
CVE-2024-39507: net: hns3: fix kernel crash problem in concurrent scenario (bsc#1227730).
CVE-2024-39508: io_uring/io-wq: use set_bit() and test_bit() at worker->flags (bsc#1227732).
CVE-2024-40901: scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory (bsc#1227762).
CVE-2024-40906: net/mlx5: Always stop health timer during driver removal (bsc#1227763).
CVE-2024-40908: bpf: Set run context for rawtp test_run callback (bsc#1227783).
CVE-2024-40909: bpf: Fix a potential use-after-free in bpf_link_free() (bsc#1227798).
CVE-2024-40919: bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send() (bsc#1227779).
CVE-2024-40923: vmxnet3: disable rx data ring on dma allocation failure (bsc#1227786).
CVE-2024-40931: mptcp: ensure snd_una is properly initialized on connect (bsc#1227780).
CVE-2024-40935: cachefiles: flush all requests after setting CACHEFILES_DEAD (bsc#1227797).
CVE-2024-40937: gve: Clear napi->skb before dev_kfree_skb_any() (bsc#1227836).
CVE-2024-40940: net/mlx5: Fix tainted pointer delete is case of flow rules creation fail (bsc#1227800).
CVE-2024-40943: ocfs2: fix races between hole punching and AIO+DIO (bsc#1227849).
CVE-2024-40953: KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() (bsc#1227806).
CVE-2024-40954: net: do not leave a dangling sk pointer, when socket creation fails (bsc#1227808)
CVE-2024-40956: dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list (bsc#1227810).
CVE-2024-40958: netns: Make get_net_ns() handle zero refcount net (bsc#1227812).
CVE-2024-40959: xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() (bsc#1227884).
CVE-2024-40960: ipv6: prevent possible NULL dereference in rt6_probe() (bsc#1227813).
CVE-2024-40961: ipv6: prevent possible NULL deref in fib6_nh_init() (bsc#1227814).
CVE-2024-40966: kABI: tty: add the option to have a tty reject a new ldisc (bsc#1227886).
CVE-2024-40967: serial: imx: Introduce timeout when waiting on transmitter empty (bsc#1227891).
CVE-2024-40970: Avoid hw_desc array overrun in dw-axi-dmac (bsc#1227899).
CVE-2024-40972: ext4: fold quota accounting into ext4_xattr_inode_lookup_create() (bsc#1227910).
CVE-2024-40977: wifi: mt76: mt7921s: fix potential hung tasks during chip recovery (bsc#1227950).
CVE-2024-40982: ssb: fix potential NULL pointer dereference in ssb_device_uevent() (bsc#1227865).
CVE-2024-40989: KVM: arm64: Disassociate vcpus from redistributor region on teardown (bsc#1227823).
CVE-2024-40994: ptp: fix integer overflow in max_vclocks_store (bsc#1227829).
CVE-2024-40998: ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() (bsc#1227866).
CVE-2024-40999: net: ena: Add validation for completion descriptors consistency (bsc#1227913).
CVE-2024-41006: netrom: Fix a memory leak in nr_heartbeat_expiry() (bsc#1227862).
CVE-2024-41009: bpf: Fix overrunning reservations in ringbuf (bsc#1228020).
CVE-2024-41011: drm/amdkfd: do not allow mapping the MMIO HDP page with large pages (bsc#1228114).
CVE-2024-41012: filelock: Remove locks reliably when fcntl/close race is detected (bsc#1228247).
CVE-2024-41013: xfs: do not walk off the end of a directory data block (bsc#1228405).
CVE-2024-41014: xfs: add bounds checking to xlog_recover_process_data (bsc#1228408).
CVE-2024-41015: ocfs2: add bounds checking to ocfs2_check_dir_entry() (bsc#1228409).
CVE-2024-41016: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() (bsc#1228410).
CVE-2024-41017: jfs: do not walk off the end of ealist (bsc#1228403).
CVE-2024-41040: net/sched: Fix UAF when resolving a clash (bsc#1228518).
CVE-2024-41041: udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port() (bsc#1228520).
CVE-2024-41044: ppp: reject claimed-as-LCP but actually malformed packets (bsc#1228530).
CVE-2024-41048: skmsg: Skip zero length skb in sk_msg_recvmsg (bsc#1228565).
CVE-2024-41057: cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() (bsc#1228462).
CVE-2024-41058: cachefiles: fix slab-use-after-free in fscache_withdraw_volume() (bsc#1228459).
CVE-2024-41059: hfsplus: fix uninit-value in copy_name (bsc#1228561).
CVE-2024-41063: bluetooth: hci_core: cancel all works upon hci_unregister_dev() (bsc#1228580).
CVE-2024-41064: powerpc/eeh: avoid possible crash when edev->pdev changes (bsc#1228599).
CVE-2024-41066: ibmvnic: add tx check to prevent skb leak (bsc#1228640).
CVE-2024-41069: ASoC: topology: Fix route memory corruption (bsc#1228644).
CVE-2024-41070: KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() (bsc#1228581).
CVE-2024-41071: wifi: mac80211: Avoid address calculations via out of bounds array indexing (bsc#1228625).
CVE-2024-41072: wifi: cfg80211: wext: add extra SIOCSIWSCAN data check (bsc#1228626).
CVE-2024-41076: NFSv4: Fix memory leak in nfs4_set_security_label (bsc#1228649).
CVE-2024-41078: btrfs: qgroup: fix quota root leak after quota disable failure (bsc#1228655).
CVE-2024-41081: ila: block BH in ila_output() (bsc#1228617).
CVE-2024-41090: tap: add missing verification for short frame (bsc#1228328).
CVE-2024-41091: tun: add missing verification for short frame (bsc#1228327).
CVE-2024-42070: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers (bsc#1228470).
CVE-2024-42079: gfs2: Fix NULL pointer dereference in gfs2_log_flush (bsc#1228672).
CVE-2024-42093: net/dpaa2: Avoid explicit cpumask var allocation on stack (bsc#1228680).
CVE-2024-42096: x86: stop playing stack games in profile_pc() (bsc#1228633).
CVE-2024-42122: drm/amd/display: Add NULL pointer check for kzalloc (bsc#1228591).
CVE-2024-42124: scsi: qedf: Make qedf_execute_tmf() non-preemptible (bsc#1228705).
CVE-2024-42145: IB/core: Implement a limit on UMAD receive List (bsc#1228743)
CVE-2024-42161: bpf: avoid uninitialized value in BPF_CORE_READ_BITFIELD (bsc#1228756).
CVE-2024-42224: net: dsa: mv88e6xxx: Correct check for empty list (bsc#1228723).
CVE-2024-42230: powerpc/pseries: Fix scv instruction crash with kexec (bsc#1194869).

The following non-security bugs were fixed:

acpi: EC: Abort address space access upon error (stable-fixes).
acpi: EC: Avoid returning AE_OK on errors in address space handler (stable-fixes).
acpi: processor_idle: Fix invalid comparison with insertion sort for latency (git-fixes).
acpi: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx (stable-fixes).
acpi: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7 (stable-fixes).
acpi: x86: Force StorageD3Enable on more products (stable-fixes).
acpi: x86: utils: Add Picasso to the list for forcing StorageD3Enable (stable-fixes).
acpica: Revert 'ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.' (git-fixes).
alsa: dmaengine_pcm: terminate dmaengine before synchronize (stable-fixes).
alsa: dmaengine: Synchronize dma channel after drop() (stable-fixes).
alsa: emux: improve patch ioctl data validation (stable-fixes).
alsa: Fix deadlocks with kctl removals at disconnection (stable-fixes).
alsa: hda: conexant: Fix headset auto detect fail in the polling mode (git-fixes).
alsa: hda: intel-dsp-config: harden I2C/I2S codec detection (stable-fixes).
alsa: hda/realtek: Add more codec ID to no shutup pins list (stable-fixes).
alsa: hda/realtek: add quirk for Clevo V5[46]0TU (stable-fixes).
alsa: hda/realtek: Add quirks for Lenovo 13X (stable-fixes).
alsa: hda/realtek: Adjust G814JZR to use SPI init for amp (git-fixes).
alsa: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897 (stable-fixes).
alsa: hda/realtek: Enable headset mic on IdeaPad 330-17IKB 81DM (git-fixes).
alsa: hda/realtek: Enable headset mic on Positivo SU C1400 (stable-fixes).
alsa: hda/realtek: Enable Mute LED on HP 250 G7 (stable-fixes).
alsa: hda/realtek: Fix conflicting quirk for PCI SSID 17aa:3820 (git-fixes).
alsa: hda/realtek: fix mute/micmute LEDs do not work for EliteBook 645/665 G11 (stable-fixes).
alsa: hda/realtek: fix mute/micmute LEDs do not work for ProBook 440/460 G11 (stable-fixes).
alsa: hda/realtek: fix mute/micmute LEDs do not work for ProBook 445/465 G11 (stable-fixes).
alsa: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 (stable-fixes).
alsa: hda/realtek: Limit mic boost on N14AP7 (stable-fixes).
alsa: hda/realtek: Limit mic boost on VAIO PRO PX (stable-fixes).
alsa: hda/realtek: Remove Framework Laptop 16 from quirks (git-fixes).
alsa: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx (stable-fixes).
alsa: pcm_dmaengine: Do not synchronize DMA channel when DMA is paused (git-fixes).
alsa: timer: Set lower bound of start tick time (stable-fixes).
alsa: usb-audio: Add a quirk for Sonix HD USB Camera (stable-fixes).
alsa: usb-audio: Correct surround channels in UAC1 channel map (git-fixes).
alsa: usb-audio: Fix microphone sound on HD webcam (stable-fixes).
alsa: usb-audio: Move HD Webcam quirk to the right place (git-fixes).
alsa/hda: intel-dsp-config: Document AVS as dsp_driver option (git-fixes).
arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY (git-fixes).
arm64: dts: allwinner: Pine H64: correctly remove reg_gmac_3v3 (git-fixes)
arm64: dts: hi3798cv200: fix the size of GICR (git-fixes)
arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc (git-fixes)
arm64: dts: microchip: sparx5: fix mdio reg (git-fixes)
arm64: dts: rockchip: Add enable-strobe-pulldown to emmc phy on ROCK (git-fixes)
arm64: dts: rockchip: Add sound-dai-cells for RK3368 (git-fixes)
arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E (git-fixes)
arm64: mm: Batch dsb and isb when populating pgtables (jsc#PED-8690).
arm64: mm: do not acquire mutex when rewriting swapper (jsc#PED-8690).
arm64: mm: Do not remap pgtables for allocate vs populate (jsc#PED-8690).
arm64: mm: Do not remap pgtables per-cont(pte|pmd) block (jsc#PED-8690).
arm64: tegra: Correct Tegra132 I2C alias (git-fixes)
arm64/io: add constant-argument check (bsc#1226502 git-fixes)
arm64/io: Provide a WC friendly __iowriteXX_copy() (bsc#1226502)
asoc: amd: acp: add a null check for chip_pdev structure (git-fixes).
asoc: amd: acp: remove i2s configuration check in acp_i2s_probe() (git-fixes).
asoc: amd: Adjust error handling in case of absent codec device (git-fixes).
asoc: da7219-aad: fix usage of device_get_named_child_node() (stable-fixes).
asoc: fsl-asoc-card: set priv->pdev before using it (git-fixes).
asoc: max98088: Check for clk_prepare_enable() error (git-fixes).
asoc: rt5645: Fix the electric noise due to the CBJ contacts floating (stable-fixes).
asoc: rt715-sdca: volume step modification (stable-fixes).
asoc: rt715: add vendor clear control register (stable-fixes).
asoc: ti: davinci-mcasp: Set min period size using FIFO config (stable-fixes).
asoc: ti: omap-hdmi: Fix too long driver name (stable-fixes).
ata: ahci: Clean up sysfs file on error (git-fixes).
ata: libata-core: Fix double free on error (git-fixes).
ata: libata-core: Fix null pointer dereference on error (git-fixes).
batman-adv: bypass empty buckets in batadv_purge_orig_ref() (stable-fixes).
batman-adv: Do not accept TT entries for out-of-spec VIDs (git-fixes).
blk-cgroup: dropping parent refcount after pd_free_fn() is done (bsc#1224573).
block, loop: support partitions without scanning (bsc#1227162).
block: do not add partitions if GD_SUPPRESS_PART_SCAN is set (bsc#1227162).
bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl (stable-fixes).
bluetooth: btqca: use le32_to_cpu for ver.soc_id (stable-fixes).
bluetooth: hci_core: cancel all works upon hci_unregister_dev() (stable-fixes).
bluetooth: hci_qca: mark OF related data as maybe unused (stable-fixes).
bluetooth: hci_sync: Fix suspending with wrong filter policy (git-fixes).
Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ (git-fixes).
bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot (git-fixes).
bnxt_re: Fix imm_data endianness (git-fixes)
bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener (git-fixes).
bpf: aggressively forget precise markings during state checkpointing (bsc#1225903).
bpf: allow precision tracking for programs with subprogs (bsc#1225903).
bpf: check bpf_func_state->callback_depth when pruning states (bsc#1225903).
bpf: clean up visit_insn()'s instruction processing (bsc#1225903).
bpf: correct loop detection for iterators convergence (bsc#1225903).
bpf: encapsulate precision backtracking bookkeeping (bsc#1225903).
bpf: ensure state checkpointing at iter_next() call sites (bsc#1225903).
bpf: exact states comparison for iterator convergence checks (bsc#1225903).
bpf: extract __check_reg_arg() utility function (bsc#1225903).
bpf: extract same_callsites() as utility function (bsc#1225903).
bpf: extract setup_func_entry() utility function (bsc#1225903).
bpf: fix calculation of subseq_idx during precision backtracking (bsc#1225903).
bpf: fix mark_all_scalars_precise use in mark_chain_precision (bsc#1225903).
bpf: Fix memory leaks in __check_func_call (bsc#1225903).
bpf: fix propagate_precision() logic for inner frames (bsc#1225903).
bpf: fix regs_exact() logic in regsafe() to remap IDs correctly (bsc#1225903).
bpf: Fix to preserve reg parent/live fields when copying range info (bsc#1225903).
bpf: generalize MAYBE_NULL vs non-MAYBE_NULL rule (bsc#1225903).
bpf: improve precision backtrack logging (bsc#1225903).
bpf: Improve verifier u32 scalar equality checking (bsc#1225903).
bpf: keep track of max number of bpf_loop callback iterations (bsc#1225903).
bpf: maintain bitmasks across all active frames in __mark_chain_precision (bsc#1225903).
bpf: mark relevant stack slots scratched for register read instructions (bsc#1225903).
bpf: move explored_state() closer to the beginning of verifier.c (bsc#1225903).
bpf: perform byte-by-byte comparison only when necessary in regsafe() (bsc#1225903).
bpf: print full verifier states on infinite loop detection (bsc#1225903).
bpf: regsafe() must not skip check_ids() (bsc#1225903).
bpf: reject non-exact register type matches in regsafe() (bsc#1225903).
bpf: Remove unused insn_cnt argument from visit_[func_call_]insn() (bsc#1225903).
bpf: reorganize struct bpf_reg_state fields (bsc#1225903).
bpf: Skip invalid kfunc call in backtrack_insn (bsc#1225903).
bpf: states_equal() must build idmap for all function frames (bsc#1225903).
bpf: stop setting precise in current state (bsc#1225903).
bpf: support precision propagation in the presence of subprogs (bsc#1225903).
bpf: take into account liveness when propagating precision (bsc#1225903).
bpf: teach refsafe() to take into account ID remapping (bsc#1225903).
bpf: unconditionally reset backtrack_state masks on global func exit (bsc#1225903).
bpf: use check_ids() for active_lock comparison (bsc#1225903).
bpf: Use scalar ids in mark_chain_precision() (bsc#1225903).
bpf: verify callbacks as if they are called unknown number of times (bsc#1225903).
bpf: Verify scalar ids mapping in regsafe() using check_ids() (bsc#1225903).
bpf: widening for callback iterators (bsc#1225903).
btrfs: add device major-minor info in the struct btrfs_device (bsc#1227162).
btrfs: avoid copying BTRFS_ROOT_SUBVOL_DEAD flag to snapshot of subvolume being deleted (bsc#1221282).
btrfs: harden identification of a stale device (bsc#1227162).
btrfs: match stale devices by dev_t (bsc#1227162).
btrfs: remove the cross file system checks from remap (bsc#1227157).
btrfs: use dev_t to match device in device_matched (bsc#1227162).
btrfs: validate device maj:min during open (bsc#1227162).
bytcr_rt5640 : inverse jack detect for Archos 101 cesium (stable-fixes).
cachefiles: add output string to cachefiles_obj_[get|put]_ondemand_fd (git-fixes).
cachefiles: remove requests from xarray during flushing requests (bsc#1226588).
can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct (git-fixes).
can: kvaser_usb: fix return value for hif_usb_send_regout (stable-fixes).
ceph: add ceph_cap_unlink_work to fire check_caps() immediately (bsc#1226022).
ceph: always check dir caps asynchronously (bsc#1226022).
ceph: always queue a writeback when revoking the Fb caps (bsc#1226022).
ceph: break the check delayed cap loop every 5s (bsc#1226022).
ceph: fix incorrect kmalloc size of pagevec mempool (bsc#1228418).
ceph: switch to use cap_delay_lock for the unlink delay list (bsc#1226022).
cgroup: Add annotation for holding namespace_sem in current_cgns_cgroup_from_root() (bsc#1222254).
cgroup: Eliminate the need for cgroup_mutex in proc_cgroup_show() (bsc#1222254).
cgroup: Make operations on the cgroup root_list RCU safe (bsc#1222254).
cgroup: preserve KABI of cgroup_root (bsc#1222254).
cgroup: Remove unnecessary list_empty() (bsc#1222254).
cgroup/cpuset: Prevent UAF in proc_cpuset_show() (bsc#1228801).
check-for-config-changes: ignore also GCC_ASM_GOTO_OUTPUT_BROKEN .
checkpatch: really skip LONG_LINE_* when LONG_LINE is ignored (git-fixes).
cifs: fix hang in wait_for_response() (bsc#1220812, bsc#1220368).
cpufreq: amd-pstate: Fix the inconsistency in max frequency units (git-fixes).
crypto: aead,cipher - zeroize key buffer after use (stable-fixes).
crypto: ecdh - explicitly zeroize private_key (stable-fixes).
crypto: ecdsa - Fix the public key format description (git-fixes).
crypto: ecrdsa - Fix module auto-load on add_key (stable-fixes).
crypto: hisilicon/sec - Fix memory leak for sec resource release (stable-fixes).
csky: ftrace: Drop duplicate implementation of arch_check_ftrace_location() (git-fixes).
decompress_bunzip2: fix rare decompression failure (git-fixes).
devres: Fix devm_krealloc() wasting memory (git-fixes).
devres: Fix memory leakage caused by driver API devm_free_percpu() (git-fixes).
dma: fix call order in dmam_free_coherent (git-fixes).
dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list (git-fixes).
dmaengine: ioatdma: Fix missing kmem_cache_destroy() (git-fixes).
docs: crypto: async-tx-api: fix broken code example (git-fixes).
docs: Fix formatting of literal sections in fanotify docs (stable-fixes).
drivers: core: synchronize really_probe() and dev_uevent() (git-fixes).
drm: panel-orientation-quirks: Add quirk for Valve Galileo (stable-fixes).
drm/amd: Fix shutdown (again) on some SMU v13.0.4/11 platforms (git-fixes).
drm/amd/amdgpu: Fix style errors in amdgpu_drv.c & amdgpu_device.c (stable-fixes).
drm/amd/display: Account for cursor prefetch BW in DML1 mode support (stable-fixes).
drm/amd/display: Add dtbclk access to dcn315 (stable-fixes).
drm/amd/display: Add VCO speed parameter for DCN31 FPU (stable-fixes).
drm/amd/display: Check for NULL pointer (stable-fixes).
drm/amd/display: Check index msg_id before read or write (stable-fixes).
drm/amd/display: Check pipe offset before setting vblank (stable-fixes).
drm/amd/display: drop unnecessary NULL checks in debugfs (stable-fixes).
drm/amd/display: Exit idle optimizations before HDCP execution (stable-fixes).
drm/amd/display: revert Exit idle optimizations before HDCP execution (stable-fixes).
drm/amd/display: Set color_mgmt_changed to true on unsuspend (stable-fixes).
drm/amd/display: Skip finding free audio for unknown engine_id (stable-fixes).
drm/amd/pm: Fix aldebaran pcie speed reporting (git-fixes).
drm/amd/pm: remove logically dead code for renoir (git-fixes).
drm/amdgpu: add error handle to avoid out-of-bounds (stable-fixes).
drm/amdgpu: avoid using null object of framebuffer (stable-fixes).
drm/amdgpu: Check if NBIO funcs are NULL in amdgpu_device_baco_exit (git-fixes).
drm/amdgpu: Fix pci state save during mode-1 reset (git-fixes).
drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() (git-fixes).
drm/amdgpu: Fix the ring buffer size for queue VM flush (stable-fixes).
drm/amdgpu: fix UBSAN warning in kv_dpm.c (stable-fixes).
drm/amdgpu: fix uninitialized scalar variable warning (stable-fixes).
drm/amdgpu: Fix uninitialized variable warnings (stable-fixes).
drm/amdgpu: Initialize timestamp for some legacy SOCs (stable-fixes).
drm/amdgpu: Remove GC HW IP 9.3.0 from noretry=1 (git-fixes).
drm/amdgpu: Update BO eviction priorities (stable-fixes).
drm/amdgpu/atomfirmware: add intergrated info v2.3 table (stable-fixes).
drm/amdgpu/atomfirmware: fix parsing of vram_info (stable-fixes).
drm/amdgpu/atomfirmware: silence UBSAN warning (stable-fixes).
drm/amdgpu/mes: fix use-after-free issue (stable-fixes).
drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell (stable-fixes).
drm/amdkfd: Flush the process wq before creating a kfd_process (stable-fixes).
drm/amdkfd: Rework kfd_locked handling (bsc#1225872)
drm/bridge/panel: Fix runtime warning on panel bridge release (git-fixes).
drm/dp_mst: Fix all mstb marked as not probed after suspend/resume (git-fixes).
drm/etnaviv: do not block scheduler when GPU is still active (stable-fixes).
drm/etnaviv: fix DMA direction handling for cached RW buffers (git-fixes).
drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found (git-fixes).
drm/exynos/vidi: fix memory leak in .get_modes() (stable-fixes).
drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes (git-fixes).
drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes (git-fixes).
drm/i915/dpt: Make DPT object unshrinkable (git-fixes).
drm/i915/gt: Disarm breadcrumbs if engines are already idle (git-fixes).
drm/i915/gt: Do not consider preemption during execlists_dequeue for gen8 (git-fixes).
drm/i915/gt: Fix potential UAF by revoke of fence registers (git-fixes).
drm/i915/guc: avoid FIELD_PREP warning (git-fixes).
drm/i915/mso: using joiner is not possible with eDP MSO (git-fixes).
drm/komeda: check for error-valued pointer (git-fixes).
drm/lima: add mask irq callback to gp and pp (stable-fixes).
drm/lima: fix shared irq handling on driver remove (stable-fixes).
drm/lima: Mark simple_ondemand governor as softdep (git-fixes).
drm/lima: mask irqs in timeout path before hard reset (stable-fixes).
drm/mediatek: Add OVL compatible name for MT8195 (git-fixes).
drm/meson: fix canvas release in bind function (git-fixes).
drm/mgag200: Bind I2C lifetime to DRM device (git-fixes).
drm/mgag200: Set DDC timeout in milliseconds (git-fixes).
drm/mipi-dsi: Fix mipi_dsi_dcs_write_seq() macro definition format (stable-fixes).
drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_dcs_write_seq() (git-fixes).
drm/msm: Enable clamp_to_idle for 7c3 (stable-fixes).
drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails (git-fixes).
drm/msm/dp: Avoid a long timeout for AUX transfer if nothing connected (git-fixes).
drm/msm/dp: Return IRQ_NONE for unhandled interrupts (stable-fixes).
drm/msm/dpu: drop validity checks for clear_pending_flush() ctl op (git-fixes).
drm/msm/mdp5: Remove MDP_CAP_SRC_SPLIT from msm8x53_config (git-fixes).
drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes (git-fixes).
drm/nouveau: prime: fix refcount underflow (git-fixes).
drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes (stable-fixes).
drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes (stable-fixes).
drm/panel-samsung-atna33xc20: Use ktime_get_boottime for delays (stable-fixes).
drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare() (git-fixes).
drm/panel: boe-tv101wum-nl6: If prepare fails, disable GPIO before regulators (git-fixes).
drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep (stable-fixes).
drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA (git-fixes).
drm/panfrost: Mark simple_ondemand governor as softdep (git-fixes).
drm/qxl: Add check for drm_cvt_mode (git-fixes).
drm/radeon: check bo_va->bo is non-NULL before using it (stable-fixes).
drm/radeon: fix UBSAN warning in kv_dpm.c (stable-fixes).
drm/radeon/radeon_display: Decrease the size of allocated memory (stable-fixes).
drm/vmwgfx: 3D disabled should not effect STDU memory limits (git-fixes).
drm/vmwgfx: Filter modes which exceed graphics memory (git-fixes).
drm/vmwgfx: Fix a deadlock in dma buf fence polling (git-fixes).
drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency (stable-fixes).
drm/vmwgfx: Fix overlay when using Screen Targets (git-fixes).
eeprom: digsy_mtc: Fix 93xx46 driver probe failure (git-fixes).
exfat: check if cluster num is valid (git-fixes).
exfat: simplify is_valid_cluster() (git-fixes).
filelock: add a new locks_inode_context accessor function (git-fixes).
firmware: cs_dsp: Fix overflow checking of wmfw header (git-fixes).
firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers (git-fixes).
firmware: cs_dsp: Return error if block header overflows file (git-fixes).
firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files (git-fixes).
firmware: cs_dsp: Validate payload length before processing block (git-fixes).
firmware: dmi: Stop decoding on broken entry (stable-fixes).
firmware: turris-mox-rwtm: Do not complete if there are no waiters (git-fixes).
firmware: turris-mox-rwtm: Fix checking return value of wait_for_completion_timeout() (git-fixes).
firmware: turris-mox-rwtm: Initialize completion before mailbox (git-fixes).
fs: allow cross-vfsmount reflink/dedupe (bsc#1227157).
ftrace: Fix possible use-after-free issue in ftrace_location() (git-fixes).
fuse: verify {g,u}id mount options correctly (bsc#1228191).
gpio: davinci: Validate the obtained number of IRQs (git-fixes).
gpio: mc33880: Convert comma to semicolon (git-fixes).
gpio: tqmx86: fix typo in Kconfig label (git-fixes).
gpio: tqmx86: introduce shadow register for GPIO output value (git-fixes).
gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1) (git-fixes).
hfsplus: fix to avoid false alarm of circular locking (git-fixes).
hfsplus: fix uninit-value in copy_name (git-fixes).
hid: Add quirk for Logitech Casa touchpad (stable-fixes).
hid: core: remove unnecessary WARN_ON() in implement() (git-fixes).
hid: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() (git-fixes).
hid: wacom: Modify pen IDs (git-fixes).
hpet: Support 32-bit userspace (git-fixes).
hwmon: (adt7475) Fix default duty on fan is disabled (git-fixes).
hwmon: (max6697) Fix swapped temp{1,8} critical alarms (git-fixes).
hwmon: (max6697) Fix underflow when writing limit attributes (git-fixes).
hwmon: (shtc1) Fix property misspelling (git-fixes).
i2c: at91: Fix the functionality flags of the slave-only interface (git-fixes).
i2c: designware: Fix the functionality flags of the slave-only interface (git-fixes).
i2c: mark HostNotify target address as used (git-fixes).
i2c: ocores: set IACK bit after core is enabled (git-fixes).
i2c: rcar: bring hardware to known state when probing (git-fixes).
i2c: tegra: Fix failure during probe deferral cleanup (git-fixes)
i2c: tegra: Share same DMA channel for RX and TX (bsc#1227661)
i2c: testunit: avoid re-issued work after read message (git-fixes).
i2c: testunit: correct Kconfig description (git-fixes).
i2c: testunit: discard write requests while old command is running (git-fixes).
i2c: testunit: do not erase registers after STOP (git-fixes).
iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF (git-fixes).
iio: adc: ad7266: Fix variable checking bug (git-fixes).
iio: adc: ad9467: fix scan type sign (git-fixes).
iio: chemical: bme680: Fix calibration data variable (git-fixes).
iio: chemical: bme680: Fix overflows in compensate() functions (git-fixes).
iio: chemical: bme680: Fix pressure value output (git-fixes).
iio: chemical: bme680: Fix sensor data read operation (git-fixes).
iio: dac: ad5592r: fix temperature channel scaling value (git-fixes).
iio: imu: inv_icm42600: delete unneeded update watermark call (git-fixes).
input: elan_i2c - do not leave interrupt disabled on suspend failure (git-fixes).
input: elantech - fix touchpad state on resume for Lenovo N24 (stable-fixes).
input: ff-core - prefer struct_size over open coded arithmetic (stable-fixes).
Input: ili210x - fix ili251x_read_touch_data() return value (git-fixes).
input: qt1050 - handle CHIP_ID reading error (git-fixes).
input: silead - Always support 10 fingers (stable-fixes).
intel_th: pci: Add Granite Rapids SOC support (stable-fixes).
intel_th: pci: Add Granite Rapids support (stable-fixes).
intel_th: pci: Add Lunar Lake support (stable-fixes).
intel_th: pci: Add Meteor Lake-S CPU support (stable-fixes).
intel_th: pci: Add Meteor Lake-S support (stable-fixes).
intel_th: pci: Add Sapphire Rapids SOC support (stable-fixes).
iommu: mtk: fix module autoloading (git-fixes).
iommu: Return right value in iommu_sva_bind_device() (git-fixes).
iommu/amd: Fix sysfs leak in iommu init (git-fixes).
iommu/arm-smmu-v3: Free MSIs in case of ENOMEM (git-fixes).
ionic: clean interrupt before enabling queue to avoid credit race (git-fixes).
ipvs: Fix checksumming on GSO of SCTP packets (bsc#1221958)
jffs2: Fix potential illegal address access in jffs2_free_inode (git-fixes).
jfs: Fix array-index-out-of-bounds in diFree (git-fixes).
jfs: xattr: fix buffer overflow for invalid xattr (bsc#1227383).
kabi: bpf: bpf_reg_state reorganization kABI workaround (bsc#1225903).
kabi: bpf: callback fixes kABI workaround (bsc#1225903).
kabi: bpf: struct bpf_{idmap,idset} kABI workaround (bsc#1225903).
kabi: bpf: tmp_str_buf kABI workaround (bsc#1225903).
kabi: rtas: Workaround false positive due to lost definition (bsc#1227487).
kabi: Use __iowriteXX_copy_inlined for in-kernel modules (bsc#1226502)
kabi/severities: ignore kABI for FireWire sound local symbols (bsc#1208783)
kabi/severities: Ignore tpm_tis_core_init (bsc#1082555).
kabi/severity: add nvme common code The nvme common code is also allowed to change the data structures, there are only internal users.
kbuild: do not include include/config/auto.conf from shell scripts (bsc#1227274).
kbuild: Install dtb files as 0644 in Makefile.dtbinst (git-fixes).
kconfig: doc: fix a typo in the note about 'imply' (git-fixes).
kconfig: fix comparison to constant symbols, 'm', 'n' (git-fixes).
kernel-binary: vdso: Own module_dir
kernel-doc: fix struct_group_tagged() parsing (git-fixes).
kernel/sched: Remove dl_boosted flag comment (git fixes (sched)).
knfsd: LOOKUP can return an illegal error value (git-fixes).
kobject_uevent: Fix OOB access within zap_modalias_env() (git-fixes).
kprobes: Make arch_check_ftrace_location static (git-fixes).
kvm: nVMX: Clear EXIT_QUALIFICATION when injecting an EPT Misconfig (git-fixes).
kvm: PPC: Book3S HV Nested: L2 LPCR should inherit L1 LPES setting (bsc#1194869).
kvm: PPC: Book3S HV: Fix 'rm_exit' entry in debugfs timings (bsc#1194869).
kvm: PPC: Book3S HV: Fix the set_one_reg for MMCR3 (bsc#1194869).
kvm: PPC: Book3S HV: remove extraneous asterisk from rm_host_ipi_action() comment (bsc#1194869).
kvm: PPC: Book3S: Suppress failed alloc warning in H_COPY_TOFROM_GUEST (bsc#1194869).
kvm: PPC: Book3S: Suppress warnings when allocating too big memory slots (bsc#1194869).
kvm: s390: fix LPSWEY handling (bsc#1227635 git-fixes).
kvm: SVM: Process ICR on AVIC IPI delivery failure due to invalid target (git-fixes).
kvm: VMX: Report up-to-date exit qualification to userspace (git-fixes).
kvm: x86: Add IBPB_BRTYPE support (bsc#1228079).
kvm: x86: Always sync PIR to IRR prior to scanning I/O APIC routes (git-fixes).
kvm: x86: Bail from kvm_recalculate_phys_map() if x2APIC ID is out-of-bounds (git-fixes).
kvm: x86: Disable APIC logical map if logical ID covers multiple MDAs (git-fixes).
kvm: x86: Disable APIC logical map if vCPUs are aliased in logical mode (git-fixes).
kvm: x86: Do not advertise guest.MAXPHYADDR as host.MAXPHYADDR in CPUID (git-fixes).
kvm: x86: Explicitly skip optimized logical map setup if vCPU's LDR==0 (git-fixes).
kvm: x86: Explicitly track all possibilities for APIC map's logical modes (git-fixes).
kvm: x86: Fix broken debugregs ABI for 32 bit kernels (git-fixes).
kvm: x86: Fix KVM_GET_MSRS stack info leak (git-fixes).
kvm: x86: Honor architectural behavior for aliased 8-bit APIC IDs (git-fixes).
kvm: x86: Purge 'highest ISR' cache when updating APICv state (git-fixes).
kvm: x86: Save/restore all NMIs when multiple NMIs are pending (git-fixes).
kvm: x86: Skip redundant x2APIC logical mode optimized cluster setup (git-fixes).
leds: ss4200: Convert PCIBIOS_* return codes to errnos (git-fixes).
leds: trigger: Unregister sysfs attributes before calling deactivate() (git-fixes).
leds: triggers: Flush pending brightness before activating trigger (git-fixes).
lib: memcpy_kunit: Fix an invalid format specifier in an assertion msg (git-fixes).
lib: objagg: Fix general protection fault (git-fixes).
lib: objagg: Fix spelling (git-fixes).
lib: test_objagg: Fix spelling (git-fixes).
libceph: fix race between delayed_work() and ceph_monc_stop() (bsc#1228190).
lockd: set missing fl_flags field when retrieving args (git-fixes).
lockd: use locks_inode_context helper (git-fixes).
Make AMD_HSMP=m and mark it unsupported in supported.conf (jsc#PED-8582)
media: dvb-frontends: tda10048: Fix integer overflow (stable-fixes).
media: dvb-frontends: tda18271c2dd: Remove casting during div (stable-fixes).
media: dvb-usb: dib0700_devices: Add missing release_firmware() (stable-fixes).
media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control() (git-fixes).
media: dvb: as102-fe: Fix as10x_register_addr packing (stable-fixes).
media: dvbdev: Initialize sbuf (stable-fixes).
media: dw2102: Do not translate i2c read into write (stable-fixes).
media: dw2102: fix a potential buffer overflow (git-fixes).
media: flexcop-usb: clean up endpoint sanity checks (stable-fixes).
media: flexcop-usb: fix sanity check of bNumEndpoints (git-fixes).
media: imon: Fix race getting ictx->lock (git-fixes).
media: ipu3-cio2: Use temporary storage for struct device pointer (stable-fixes).
media: lgdt3306a: Add a check against null-pointer-def (stable-fixes).
media: mxl5xx: Move xpt structures off stack (stable-fixes).
media: radio-shark2: Avoid led_names truncations (git-fixes).
media: s2255: Use refcount_t instead of atomic_t for num_channels (stable-fixes).
media: uvcvideo: Fix integer overflow calculating timestamp (git-fixes).
media: uvcvideo: Override default flags (git-fixes).
media: v4l2-core: hold videodev_lock until dev reg, finishes (stable-fixes).
media: venus: fix use after free in vdec_close (git-fixes).
media: venus: flush all buffers in output plane streamoff (git-fixes).
mei: demote client disconnect warning on suspend to debug (stable-fixes).
mei: me: release irq in mei_me_pci_resume error path (git-fixes).
mfd: omap-usb-tll: Use struct_size to allocate tll (git-fixes).
mkspec-dtb: add toplevel symlinks also on arm
mmc: core: Add mmc_gpiod_set_cd_config() function (stable-fixes).
mmc: core: Do not force a retune before RPMB switch (stable-fixes).
mmc: sdhci_am654: Add ITAPDLYSEL in sdhci_j721e_4bit_set_clock (git-fixes).
mmc: sdhci_am654: Add OTAP/ITAP delay enable (git-fixes).
mmc: sdhci_am654: Drop lookup for deprecated ti,otap-del-sel (stable-fixes).
mmc: sdhci_am654: Fix ITAPDLY for HS400 timing (git-fixes).
mmc: sdhci-acpi: Disable write protect detection on Toshiba WT10-A (stable-fixes).
mmc: sdhci-acpi: Fix Lenovo Yoga Tablet 2 Pro 1380 sdcard slot not working (stable-fixes).
mmc: sdhci-acpi: Sort DMI quirks alphabetically (stable-fixes).
mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos (git-fixes).
mmc: sdhci: Do not invert write-protect twice (git-fixes).
mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() (git-fixes).
mtd: partitions: redboot: Added conversion of operands to a larger type (stable-fixes).
mtd: rawnand: Bypass a couple of sanity checks during NAND identification (git-fixes).
mtd: rawnand: Ensure ECC configuration is propagated to upper layers (git-fixes).
mtd: rawnand: rockchip: ensure NVDDR timings are rejected (git-fixes).
net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new (git-fixes).
net: can: j1939: Initialize unused data in j1939_send_one() (git-fixes).
net: can: j1939: recover socket queue on CAN bus error during BAM transmission (git-fixes).
net: ena: Fix redundant device NUMA node override (jsc#PED-8690).
net: mana: Enable MANA driver on ARM64 with 4K page size (jsc#PED-8491).
net: mana: Fix possible double free in error handling path (git-fixes).
net: mana: Fix the extra HZ in mana_hwc_send_request (git-fixes).
net: phy: Micrel KSZ8061: fix errata solution not taking effect problem (git-fixes).
net: phy: micrel: add Microchip KSZ 9477 to the device table (git-fixes).
net: usb: ax88179_178a: improve link status logs (git-fixes).
net: usb: ax88179_178a: improve reset check (git-fixes).
net: usb: qmi_wwan: add Telit FN912 compositions (git-fixes).
net: usb: qmi_wwan: add Telit FN920C04 compositions (stable-fixes).
net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings (git-fixes).
net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM (git-fixes).
net: usb: sr9700: fix uninitialized variable use in sr_mdio_read (git-fixes).
net/dcb: check for detached device before executing callbacks (bsc#1215587).
net/mlx5e: Fix a race in command alloc flow (git-fixes).
netfilter: conntrack: ignore overly delayed tcp packets (bsc#1223180).
netfilter: conntrack: prepare tcp_in_window for ternary return value (bsc#1223180).
netfilter: conntrack: remove pr_debug callsites from tcp tracker (bsc#1223180).
netfilter: conntrack: work around exceeded receive window (bsc#1223180).
netfs, fscache: export fscache_put_volume() and add fscache_try_get_volume() (bsc#1228459 bsc#1228462).
nfc/nci: Add the inconsistency check between the input data length and count (stable-fixes).
nfs: abort nfs_atomic_open_v23 if name is too long (bsc#1219847).
nfs: add atomic_open for NFSv3 to handle O_TRUNC correctly (bsc#1219847).
nfs: avoid infinite loop in pnfs_update_layout (bsc#1219633 bsc#1226226).
nfs: Fix READ_PLUS when server does not support OP_READ_PLUS (git-fixes).
nfs: fix undefined behavior in nfs_block_bits() (git-fixes).
nfs: keep server info for remounts (git-fixes).
nfs: Leave pages in the pagecache if readpage failed (git-fixes).
nfsd enforce filehandle check for source file in COPY (git-fixes).
nfsd: Add an nfsd_file_fsync tracepoint (git-fixes).
nfsd: Add an NFSD_FILE_GC flag to enable nfsd_file garbage collection (git-fixes).
nfsd: Add errno mapping for EREMOTEIO (git-fixes).
nfsd: Add nfsd_file_lru_dispose_list() helper (git-fixes).
nfsd: add some comments to nfsd_file_do_acquire (git-fixes).
nfsd: allow nfsd_file_get to sanely handle a NULL pointer (git-fixes).
nfsd: allow reaping files still under writeback (git-fixes).
nfsd: Avoid calling fh_drop_write() twice in do_nfsd_create() (git-fixes).
nfsd: Clean up nfsd_file_put() (git-fixes).
nfsd: Clean up nfsd_open_verified() (git-fixes).
nfsd: Clean up nfsd3_proc_create() (git-fixes).
nfsd: Clean up unused code after rhashtable conversion (git-fixes).
nfsd: Convert filecache to rhltable (git-fixes).
nfsd: Convert the filecache to use rhashtable (git-fixes).
nfsd: De-duplicate hash bucket indexing (git-fixes).
nfsd: do not free files unconditionally in __nfsd_file_cache_purge (git-fixes).
nfsd: do not fsync nfsd_files on last close (git-fixes).
nfsd: do not hand out delegation on setuid files being opened for write (git-fixes).
nfsd: do not kill nfsd_files because of lease break error (git-fixes).
nfsd: Do not leave work of closing files to a work queue (bsc#1228140).
nfsd: do not take/put an extra reference when putting a file (git-fixes).
nfsd: Ensure nf_inode is never dereferenced (git-fixes).
nfsd: fix handling of cached open files in nfsd4_open codepath (git-fixes).
nfsd: Fix licensing header in filecache.c (git-fixes).
nfsd: fix net-namespace logic in __nfsd_file_cache_purge (git-fixes).
nfsd: fix nfsd_file_unhash_and_dispose (git-fixes).
nfsd: Fix potential use-after-free in nfsd_file_put() (git-fixes).
nfsd: Fix problem of COMMIT and NFS4ERR_DELAY in infinite loop (git-fixes).
nfsd: Fix the filecache LRU shrinker (git-fixes).
nfsd: fix up the filecache laundrette scheduling (git-fixes).
nfsd: fix use-after-free in nfsd_file_do_acquire tracepoint (git-fixes).
nfsd: Flesh out a documenting comment for filecache.c (git-fixes).
nfsd: handle errors better in write_ports_addfd() (git-fixes).
nfsd: Instantiate a struct file when creating a regular NFSv4 file (git-fixes).
nfsd: Leave open files out of the filecache LRU (git-fixes).
nfsd: map EBADF (git-fixes).
nfsd: Move nfsd_file_trace_alloc() tracepoint (git-fixes).
nfsd: nfsd_file_hash_remove can compute hashval (git-fixes).
nfsd: NFSD_FILE_KEY_INODE only needs to find GC'ed entries (git-fixes).
nfsd: nfsd_file_put() can sleep (git-fixes).
nfsd: nfsd_file_unhash can compute hashval from nf->nf_inode (git-fixes).
nfsd: No longer record nf_hashval in the trace log (git-fixes).
nfsd: optimise recalculate_deny_mode() for a common case (bsc#1217912).
nfsd: Pass the target nfsd_file to nfsd_commit() (git-fixes).
nfsd: put the export reference in nfsd4_verify_deleg_dentry (git-fixes).
nfsd: Record number of flush calls (git-fixes).
nfsd: Refactor __nfsd_file_close_inode() (git-fixes).
nfsd: Refactor nfsd_create_setattr() (git-fixes).
nfsd: Refactor nfsd_file_gc() (git-fixes).
nfsd: Refactor nfsd_file_lru_scan() (git-fixes).
nfsd: Refactor NFSv3 CREATE (git-fixes).
nfsd: Refactor NFSv4 OPEN(CREATE) (git-fixes).
nfsd: Remove do_nfsd_create() (git-fixes).
nfsd: Remove lockdep assertion from unhash_and_release_locked() (git-fixes).
nfsd: Remove nfsd_file::nf_hashval (git-fixes).
nfsd: remove the pages_flushed statistic from filecache (git-fixes).
nfsd: reorganize filecache.c (git-fixes).
nfsd: Replace the 'init once' mechanism (git-fixes).
nfsd: Report average age of filecache items (git-fixes).
nfsd: Report count of calls to nfsd_file_acquire() (git-fixes).
nfsd: Report count of freed filecache items (git-fixes).
nfsd: Report filecache LRU size (git-fixes).
nfsd: Report the number of items evicted by the LRU walk (git-fixes).
nfsd: Retry once in nfsd_open on an -EOPENSTALE return (git-fixes).
nfsd: rework hashtable handling in nfsd_do_file_acquire (git-fixes).
nfsd: rework refcounting in filecache (git-fixes).
nfsd: Separate tracepoints for acquire and create (git-fixes).
nfsd: Set up an rhashtable for the filecache (git-fixes).
nfsd: silence extraneous printk on nfsd.ko insertion (git-fixes).
nfsd: simplify per-net file cache management (git-fixes).
nfsd: simplify test_bit return in NFSD_FILE_KEY_FULL comparator (git-fixes).
nfsd: simplify the delayed disposal list code (git-fixes).
nfsd: Trace filecache LRU activity (git-fixes).
nfsd: Trace filecache opens (git-fixes).
nfsd: update comment over __nfsd_file_cache_purge (git-fixes).
nfsd: verify the opened dentry after setting a delegation (git-fixes).
nfsd: WARN when freeing an item still linked via nf_lru (git-fixes).
nfsd: Write verifier might go backwards (git-fixes).
nfsd: Zero counters when the filecache is re-initialized (git-fixes).
nfsv4: by default serialize open/close operations (bsc#1223863 bsc#1227362)
nfsv4: Fixup smatch warning for ambiguous return (git-fixes).
nilfs2: add missing check for inode numbers on directory entries (git-fixes).
nilfs2: add missing check for inode numbers on directory entries (stable-fixes).
nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro (git-fixes).
nilfs2: convert persistent object allocator to use kmap_local (git-fixes).
nilfs2: fix incorrect inode allocation from reserved inodes (git-fixes).
nilfs2: fix inode number range checks (git-fixes).
nilfs2: fix inode number range checks (stable-fixes).
nilfs2: fix potential hang in nilfs_detach_log_writer() (stable-fixes).
nvme-auth: alloc nvme_dhchap_key as single buffer (git-fixes).
nvme-auth: allow mixing of secret and hash lengths (git-fixes).
nvme-auth: use transformed key size to create resp (git-fixes).
nvme-multipath: find NUMA path only for online numa-node (git-fixes).
nvme-pci: add missing condition check for existence of mapped data (git-fixes).
nvme-pci: Fix the instructions for disabling power management (git-fixes).
nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset (git-fixes).
nvme: avoid double free special payload (git-fixes).
nvme: ensure reset state check ordering (bsc#1215492).
nvme: find numa distance only if controller has valid numa id (git-fixes).
nvme: fixup comment for nvme RDMA Provider Type (git-fixes).
nvme: use ctrl state accessor (bsc#1215492).
nvmet-auth: fix nvmet_auth hash error handling (git-fixes).
nvmet-passthru: propagate status from id override functions (git-fixes).
nvmet: always initialize cqe.result (git-fixes).
nvmet: fix a possible leak when destroy a ctrl during qp establishment (git-fixes).
ocfs2: adjust enabling place for la window (bsc#1219224).
ocfs2: fix DIO failure due to insufficient transaction credits (bsc#1216834).
ocfs2: fix sparse warnings (bsc#1219224).
ocfs2: improve write IO performance when fragmentation is high (bsc#1219224).
ocfs2: remove redundant assignment to variable free_space (bsc#1228409).
ocfs2: speed up chain-list searching (bsc#1219224).
ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() (bsc#1228410).
orangefs: fix out-of-bounds fsid access (git-fixes).
pci: Add PCI_ERROR_RESPONSE and related definitions (stable-fixes).
pci: Clear Secondary Status errors after enumeration (bsc#1226928)
pci: Extend ACS configurability (bsc#1228090).
pci: Fix resource double counting on remove & rescan (git-fixes).
pci: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN (git-fixes).
pci: Introduce cleanup helpers for device reference counts and locks (git-fixes).
pci: Introduce cleanup helpers for device reference counts and locks (stable-fixes).
pci: keystone: Do not enable BAR 0 for AM654x (git-fixes).
pci: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs() (git-fixes).
pci: keystone: Relocate ks_pcie_set/clear_dbi_mode() (git-fixes).
pci: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio (git-fixes).
pci: tegra194: Set EP alignment restriction for inbound ATU (git-fixes).
pci/aspm: Update save_state when configuration changes (bsc#1226915)
pci/dpc: Fix use-after-free on concurrent DPC and hot-removal (git-fixes).
pci/pm: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports (git-fixes).
pci/pm: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports (stable-fixes).
pinctrl: core: fix possible memory leak when pinctrl_enable() fails (git-fixes).
pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER (git-fixes).
pinctrl: freescale: mxs: Fix refcount of child (git-fixes).
pinctrl: qcom: spmi-gpio: drop broken pm8008 support (git-fixes).
pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins (git-fixes).
pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins (git-fixes).
pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set (git-fixes).
pinctrl: rockchip: update rk3308 iomux routes (git-fixes).
pinctrl: rockchip: use dedicated pinctrl type for RK3328 (git-fixes).
pinctrl: single: fix possible memory leak when pinctrl_enable() fails (git-fixes).
pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails (git-fixes).
platform/chrome: cros_ec_debugfs: fix wrong EC message version (git-fixes).
platform/chrome: cros_ec_proto: Lock device when updating MKBP version (git-fixes).
platform/x86: dell-smbios-base: Use sysfs_emit() (stable-fixes).
platform/x86: dell-smbios: Fix wrong token data in sysfs (git-fixes).
platform/x86: lg-laptop: Change ACPI device id (stable-fixes).
platform/x86: lg-laptop: Remove LGEX0815 hotkey handling (stable-fixes).
platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6' tablet (stable-fixes).
platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro (stable-fixes).
platform/x86: wireless-hotkey: Add support for LG Airplane Button (stable-fixes).
power: supply: cros_usbpd: provide ID table for avoiding fallback match (stable-fixes).
powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap() (bsc#1194869).
powerpc/cpuidle: Set CPUIDLE_FLAG_POLLING for snooze state (bsc#1227121 ltc#207129).
powerpc/kasan: Disable address sanitization in kexec paths (bsc#1194869).
powerpc/pseries: Fix scv instruction crash with kexec (bsc#1194869).
powerpc/rtas: clean up includes (bsc#1227487).
powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() (bsc#1227487).
pwm: stm32: Always do lazy disabling (git-fixes).
random: treat bootloader trust toggle the same way as cpu trust toggle (bsc#1226953).
ras/amd/atl: Fix MI300 bank hash (bsc#1225300).
ras/amd/atl: Use system settings for MI300 DRAM to normalized address translation (bsc#1225300).
rdma/cache: Release GID table even if leak is detected (git-fixes)
rdma/device: Return error earlier if port in not valid (git-fixes)
rdma/hns: Check atomic wr length (git-fixes)
rdma/hns: Fix incorrect sge nums calculation (git-fixes)
rdma/hns: Fix insufficient extend DB for VFs. (git-fixes)
rdma/hns: Fix mbx timing out before CMD execution is completed (git-fixes)
rdma/hns: Fix missing pagesize and alignment check in FRMR (git-fixes)
rdma/hns: Fix shift-out-bounds when max_inline_data is 0 (git-fixes)
rdma/hns: Fix soft lockup under heavy CEQE load (git-fixes)
rdma/hns: Fix undifined behavior caused by invalid max_sge (git-fixes)
rdma/hns: Fix unmatch exception handling when init eq table fails (git-fixes)
rdma/irdma: Drop unused kernel push code (git-fixes)
rdma/iwcm: Fix a use-after-free related to destroying CM IDs (git-fixes)
rdma/mana_ib: Ignore optional access flags for MRs (git-fixes).
rdma/mlx4: Fix truncated output warning in alias_GUID.c (git-fixes)
rdma/mlx4: Fix truncated output warning in mad.c (git-fixes)
rdma/mlx5: Add check for srq max_sge attribute (git-fixes)
rdma/mlx5: Set mkeys for dmabuf at PAGE_SIZE (git-fixes)
rdma/restrack: Fix potential invalid address access (git-fixes)
rdma/rxe: Do not set BTH_ACK_MASK for UC or UD QPs (git-fixes)
regmap-i2c: Subtract reg size from max_write (stable-fixes).
regulator: bd71815: fix ramp values (git-fixes).
regulator: core: Fix modpost error 'regulator_get_regmap' undefined (git-fixes).
regulator: irq_helpers: duplicate IRQ name (stable-fixes).
regulator: vqmmc-ipq4019: fix module autoloading (stable-fixes).
Revert 'Add remote for nfs maintainer'
Revert 'ALSA: firewire-lib: obsolete workqueue for period update' (bsc#1208783).
Revert 'ALSA: firewire-lib: operate for period elapse event in process context' (bsc#1208783).
Revert 'build initrd without systemd' (bsc#1195775)'.
Revert 'leds: led-core: Fix refcount leak in of_led_get()' (git-fixes).
Revert 'usb: musb: da8xx: Set phy in OTG mode by default' (stable-fixes).
rpcrdma: fix handling for RDMA_CM_EVENT_DEVICE_REMOVAL (git-fixes).
rpm/guards: fix precedence issue with control flow operator
rpm/kernel-obs-build.spec.in: Add iso9660 (bsc#1226212)
rpm/kernel-obs-build.spec.in: Add networking modules for docker (bsc#1226211)
rpm/kernel-obs-build.spec.in: Include algif_hash, aegis128 and xts modules afgif_hash is needed by some packages (e.g. iwd) for tests, xts is used for LUKS2 volumes by default and aegis128 is useful as AEAD cipher for LUKS2.
rpm/mkspec-dtb: dtbs have moved to vendor sub-directories in 6.5
rtc: cmos: Fix return value of nvmem callbacks (git-fixes).
rtc: interface: Add RTC offset to alarm after fix-up (git-fixes).
rtc: isl1208: Fix return value of nvmem callbacks (git-fixes).
rtlwifi: rtl8192de: Style clean-ups (stable-fixes).
s390: Implement __iowrite32_copy() (bsc#1226502)
s390: Stop using weak symbols for __iowrite64_copy() (bsc#1226502)
saa7134: Unchecked i2c_transfer function result fixed (git-fixes).
sched: Fix stop_one_cpu_nowait() vs hotplug (git fixes (sched)).
sched/core: Fix incorrect initialization of the 'burst' parameter in cpu_max_write() (bsc#1226791).
sched/fair: Do not balance task to its current running CPU (git fixes (sched)).
scsi: lpfc: Allow DEVICE_RECOVERY mode after RSCN receipt if in PRLI_ISSUE state (bsc#1228857).
scsi: lpfc: Cancel ELS WQE instead of issuing abort when SLI port is inactive (bsc#1228857).
scsi: lpfc: Fix handling of fully recovered fabric node in dev_loss callbk (bsc#1228857).
scsi: lpfc: Fix incorrect request len mbox field when setting trunking via sysfs (bsc#1228857).
scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info (bsc#1228857).
scsi: lpfc: Relax PRLI issue conditions after GID_FT response (bsc#1228857).
scsi: lpfc: Revise lpfc_prep_embed_io routine with proper endian macro usages (bsc#1228857).
scsi: lpfc: Update lpfc version to 14.4.0.3 (bsc#1228857).
scsi: qla2xxx: Avoid possible run-time warning with long model_num (bsc#1228850).
scsi: qla2xxx: Complete command early within lock (bsc#1228850).
scsi: qla2xxx: Convert comma to semicolon (bsc#1228850).
scsi: qla2xxx: Drop driver owner assignment (bsc#1228850).
scsi: qla2xxx: During vport delete send async logout explicitly (bsc#1228850).
scsi: qla2xxx: Fix debugfs output for fw_resource_count (bsc#1228850).
scsi: qla2xxx: Fix flash read failure (bsc#1228850).
scsi: qla2xxx: Fix for possible memory corruption (bsc#1228850).
scsi: qla2xxx: Fix optrom version displayed in FDMI (bsc#1228850).
scsi: qla2xxx: Indent help text (bsc#1228850).
scsi: qla2xxx: Reduce fabric scan duplicate code (bsc#1228850).
scsi: qla2xxx: Remove unused struct 'scsi_dif_tuple' (bsc#1228850).
scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds (bsc#1228850).
scsi: qla2xxx: Unable to act on RSCN for port online (bsc#1228850).
scsi: qla2xxx: Update version to 10.02.09.300-k (bsc#1228850).
scsi: qla2xxx: Use QP lock to search for bsg (bsc#1228850).
scsi: qla2xxx: validate nvme_local_port correctly (bsc#1228850).
scsi: sd: Update DIX config every time sd_revalidate_disk() is called (bsc#1218570).
selftests/bpf: __imm_insn & __imm_const macro for bpf_misc.h (bsc#1225903).
selftests/bpf: Add a selftest for checking subreg equality (bsc#1225903).
selftests/bpf: add pre bpf_prog_test_run_opts() callback for test_loader (bsc#1225903).
selftests/bpf: add precision propagation tests in the presence of subprogs (bsc#1225903).
selftests/bpf: Add pruning test case for bpf_spin_lock (bsc#1225903).
selftests/bpf: Check if mark_chain_precision() follows scalar ids (bsc#1225903).
selftests/bpf: check if max number of bpf_loop iterations is tracked (bsc#1225903).
selftests/bpf: fix __retval() being always ignored (bsc#1225903).
selftests/bpf: fix unpriv_disabled check in test_verifier (bsc#1225903).
selftests/bpf: make test_align selftest more robust (bsc#1225903).
selftests/bpf: populate map_array_ro map for verifier_array_access test (bsc#1225903).
selftests/bpf: prog_tests entry point for migrated test_verifier tests (bsc#1225903).
selftests/bpf: Report program name on parse_test_spec error (bsc#1225903).
selftests/bpf: Support custom per-test flags and multiple expected messages (bsc#1225903).
selftests/bpf: test case for callback_depth states pruning logic (bsc#1225903).
selftests/bpf: test case for relaxed prunning of active_lock.id (bsc#1225903).
selftests/bpf: test cases for regsafe() bug skipping check_id() (bsc#1225903).
selftests/bpf: test widening for iterating callbacks (bsc#1225903).
selftests/bpf: Tests execution support for test_loader.c (bsc#1225903).
selftests/bpf: tests for iterating callbacks (bsc#1225903).
selftests/bpf: track string payload offset as scalar in strobemeta (bsc#1225903).
selftests/bpf: Unprivileged tests for test_loader.c (bsc#1225903).
selftests/bpf: Verify copy_register_state() preserves parent/live fields (bsc#1225903).
selftests/bpf: verify states_equal() maintains idmap across all frames (bsc#1225903).
selftests/bpf: Verify that check_ids() is used for scalars in regsafe() (bsc#1225903).
selftests/sigaltstack: Fix ppc64 GCC build (git-fixes).
smb: client: ensure to try all targets when finding nested links (bsc#1224020).
smb: client: guarantee refcounted children from parent session (bsc#1224679.
soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message (stable-fixes).
soundwire: cadence: fix invalid PDI offset (stable-fixes).
spi: imx: Do not expect DMA for i.MX{25,35,50,51,53} cspi devices (stable-fixes).
spi: mux: set ctlr->bits_per_word_mask (stable-fixes).
spi: stm32: Do not warn about spurious interrupts (git-fixes).
string.h: Introduce memtostr() and memtostr_pad() (bsc#1228850).
sunrpc: avoid soft lockup when transmitting UDP to reachable server (bsc#1225272).
sunrpc: Fix gss_free_in_token_pages() (git-fixes).
sunrpc: Fix loop termination condition in gss_free_in_token_pages() (git-fixes).
sunrpc: fix NFSACL RPC retry on soft mount (git-fixes).
sunrpc: return proper error from gss_wrap_req_priv (git-fixes).
supported.conf: Add APM X-Gene SoC hardware monitoring driver (bsc#1223265 jsc#PED-8570)
supported.conf: mark orangefs as optional We do not support orangefs at all (and it is already marked as such), but since there are no SLE consumers of it, mark it as optional.
supported.conf: mark ufs as unsupported UFS is an unsupported filesystem, mark it as such. We still keep it around (not marking as optional), to accommodate any potential migrations from BSD systems.
tpm_tis: Resend command to recover from data transfer errors (bsc#1082555).
tpm_tis: Use tpm_chip_{start,stop} decoration inside tpm_tis_resume (bsc#1082555).
tpm, tpm_tis: Avoid cache incoherency in test for interrupts (bsc#1082555).
tpm, tpm_tis: Claim locality before writing interrupt registers (bsc#1082555).
tpm, tpm_tis: Claim locality in interrupt handler (bsc#1082555).
tpm, tpm_tis: Claim locality when interrupts are reenabled on resume (bsc#1082555).
tpm, tpm_tis: correct tpm_tis_flags enumeration values (bsc#1082555).
tpm, tpm_tis: Do not skip reset of original interrupt vector (bsc#1082555).
tpm, tpm_tis: Only handle supported interrupts (bsc#1082555).
tpm, tpm: Implement usage counter for locality (bsc#1082555).
tpm: Allow system suspend to continue when TPM suspend fails (bsc#1082555).
tpm: Prevent hwrng from activating during resume (bsc#1082555).
tracing: Build event generation tests only as modules (git-fixes).
tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset() (git-fixes).
tracing/osnoise: Add OSNOISE_WORKLOAD option (bsc#1228330)
tracing/osnoise: Add osnoise/options file (bsc#1228330)
tracing/osnoise: Do not follow tracing_cpumask (bsc#1228330)
tracing/osnoise: Fix notify new tracing_max_latency (bsc#1228330)
tracing/osnoise: Make osnoise_instances static (bsc#1228330)
tracing/osnoise: Split workload start from the tracer start (bsc#1228330)
tracing/osnoise: Support a list of trace_array *tr (bsc#1228330)
tracing/osnoise: Use built-in RCU list checking (bsc#1228330)
tracing/timerlat: Notify new max thread latency (bsc#1228330)
tty: mcf: MCF54418 has 10 UARTS (git-fixes).
usb-storage: alauda: Check whether the media is initialized (git-fixes).
usb: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k (stable-fixes).
usb: atm: cxacru: fix endpoint checking in cxacru_bind() (git-fixes).
usb: cdns3: allocate TX FIFO size according to composite EP number (git-fixes).
usb: cdns3: fix incorrect calculation of ep_buf_size when more than one config (git-fixes).
usb: cdns3: fix iso transfer error when mult is not zero (git-fixes).
usb: cdns3: improve handling of unaligned address case (git-fixes).
usb: cdns3: optimize OUT transfer by copying only actual received data (git-fixes).
usb: cdns3: skip set TRB_IOC when usb_request: no_interrupt is true (git-fixes).
usb: class: cdc-wdm: Fix CPU lockup caused by excessive log messages (git-fixes).
usb: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor (git-fixes).
usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock (git-fixes).
usb: dwc3: gadget: Do not delay End Transfer on delayed_status (git-fixes).
usb: dwc3: gadget: Force sending delayed status during soft disconnect (git-fixes).
usb: dwc3: gadget: Synchronize IRQ between soft connect/disconnect (git-fixes).
usb: fotg210-hcd: delete an incorrect bounds test (git-fixes).
usb: gadget: call usb_gadget_check_config() to verify UDC capability (git-fixes).
usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() (stable-fixes).
usb: gadget: printer: fix races against disable (git-fixes).
usb: gadget: printer: SS+ support (stable-fixes).
usb: misc: uss720: check for incompatible versions of the Belkin F5U002 (stable-fixes).
usb: musb: da8xx: fix a resource leak in probe() (git-fixes).
usb: serial: mos7840: fix crash on resume (git-fixes).
usb: serial: option: add Fibocom FM350-GL (stable-fixes).
usb: serial: option: add Netprisma LCUK54 series modules (stable-fixes).
usb: serial: option: add Rolling RW350-GL variants (stable-fixes).
usb: serial: option: add support for Foxconn T99W651 (stable-fixes).
usb: serial: option: add Telit FN912 rmnet compositions (stable-fixes).
usb: serial: option: add Telit generic core-dump composition (stable-fixes).
usb: typec: tcpm: clear pd_event queue in PORT_RESET (git-fixes).
usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps (git-fixes).
usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state (git-fixes).
usb: typec: ucsi: Ack also failed Get Error commands (git-fixes).
usb: typec: ucsi: Never send a lone connector change ack (git-fixes).
usb: xen-hcd: Traverse host/ when CONFIG_USB_XEN_HCD is selected (git-fixes).
usb: xhci-plat: Do not include xhci.h (git-fixes).
usb: xhci-plat: fix legacy PHY double init (git-fixes).
usb: xhci: address off-by-one in xhci_num_trbs_free() (git-fixes).
usb: xhci: Implement xhci_handshake_check_state() helper (git-fixes).
usb: xhci: improve debug message in xhci_ring_expansion_needed() (git-fixes).
watchdog: bd9576_wdt: switch to using devm_fwnode_gpiod_get() (stable-fixes).
watchdog: bd9576: Drop 'always-running' property (git-fixes).
wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers (git-fixes).
wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device (git-fixes).
wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class (stable-fixes).
wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he() (git-fixes).
wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he() (git-fixes).
wifi: cfg80211: Lock wiphy in cfg80211_get_station (git-fixes).
wifi: cfg80211: pmsr: use correct nla_get_uX functions (git-fixes).
wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values (git-fixes).
wifi: cfg80211: wext: add extra SIOCSIWSCAN data check (stable-fixes).
wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef (git-fixes).
wifi: iwlwifi: mvm: check n_ssids before accessing the ssids (git-fixes).
wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup (stable-fixes).
wifi: iwlwifi: mvm: do not read past the mfuart notifcation (git-fixes).
wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd (stable-fixes).
wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option (stable-fixes).
wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 (git-fixes).
wifi: mac80211: correctly parse Spatial Reuse Parameter Set element (git-fixes).
wifi: mac80211: disable softirqs for queued frame handling (git-fixes).
wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() (git-fixes).
wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan() (stable-fixes).
wifi: mac80211: handle tasklet frames before stopping (stable-fixes).
wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects (git-fixes).
wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata (stable-fixes).
wifi: mt76: replace skb_put with skb_put_zero (stable-fixes).
wifi: mwifiex: Fix interface type change (git-fixes).
wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU (stable-fixes).
wifi: rtlwifi: rtl8192de: Fix endianness issue in RX path (stable-fixes).
wifi: rtlwifi: rtl8192de: Fix low speed with WPA3-SAE (stable-fixes).
wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter() (git-fixes).
wifi: wilc1000: fix ies_len type in connect path (git-fixes).
workqueue: Improve scalability of workqueue watchdog touch (bsc#1193454).
workqueue: wq_watchdog_touch is always called with valid CPU (bsc#1193454).
x.509: Fix the parser of extended key usage for length (bsc#1218820).
x86: Stop using weak symbols for __iowrite32_copy() (bsc#1226502)
x86/amd_nb: Use Family 19h Models 60h-7Fh Function 4 IDs (git-fixes).
x86/apic: Force native_apic_mem_read() to use the MOV instruction (git-fixes).
x86/bhi: Avoid warning in #DB handler due to BHI mitigation (git-fixes).
x86/bugs: Remove default case for fully switched enums (bsc#1227900).
x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup (git-fixes).
x86/ibt,ftrace: Search for fentry location (git-fixes).
x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6 (git-fixes).
x86/mce: Dynamically size space for machine check records (bsc#1222241).
x86/mm: Allow guest.enc_status_change_prepare() to fail (git-fixes).
x86/mm: Fix enc_status_change_finish_noop() (git-fixes).
x86/purgatory: Switch to the position-independent small code model (git-fixes).
x86/srso: Move retbleed IBPB check into existing 'has_microcode' code block (bsc#1227900).
x86/srso: Remove 'pred_cmd' label (bsc#1227900).
x86/tdx: Fix race between set_memory_encrypted() and load_unaligned_zeropad() (git-fixes).
x86/tsc: Trust initial offset in architectural TSC-adjust MSRs (bsc#1222015 bsc#1226962).
xfs: Add cond_resched to block unmap range and reflink remap path (bsc#1228226).
xfs: make sure sb_fdblocks is non-negative (bsc#1225419).
xhci: Apply broken streams quirk to Etron EJ188 xHCI host (stable-fixes).
xhci: Apply reset resume quirk to Etron EJ188 xHCI host (stable-fixes).
xhci: Fix failure to detect ring expansion need (git-fixes).
xhci: fix matching completion events with TDs (git-fixes).
xhci: Fix transfer ring expansion size calculation (git-fixes).
xhci: Handle TD clearing for multiple streams case (git-fixes).
xhci: remove unused stream_id parameter from xhci_handle_halted_endpoint() (git-fixes).
xhci: restre deleted trb fields for tracing (git-fixes).
xhci: retry Stop Endpoint on buggy NEC controllers (git-fixes).
xhci: Set correct transferred length for cancelled bulk transfers (stable-fixes).
xhci: Simplify event ring dequeue pointer update for port change events (git-fixes).
xhci: simplify event ring dequeue tracking for transfer events (git-fixes).
xhci: Stop unnecessary tracking of free trbs in a ring (git-fixes).
xhci: update event ring dequeue pointer position to controller correctly (git-fixes).

Список пакетов

Container bci/bci-sle15-kernel-module-devel:15.5

kernel-default-devel-5.14.21-150500.55.73.1

kernel-devel-5.14.21-150500.55.73.1

kernel-macros-5.14.21-150500.55.73.1

kernel-syms-5.14.21-150500.55.73.1

Container suse/sle-micro/base-5.5:latest

kernel-default-5.14.21-150500.55.73.1

Container suse/sle-micro/kvm-5.5:latest

kernel-default-base-5.14.21-150500.55.73.1.150500.6.33.8

Image SLES15-SP5-BYOS-Azure

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-BYOS-EC2

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-BYOS-GCE

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-CHOST-BYOS-Aliyun

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-CHOST-BYOS-Azure

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-CHOST-BYOS-EC2

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-CHOST-BYOS-GCE

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-CHOST-BYOS-GDC

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-CHOST-BYOS-SAP-CCloud

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-EC2

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-GCE

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-HPC-BYOS-Azure

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-HPC-BYOS-EC2

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-HPC-BYOS-GCE

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Hardened-BYOS-Azure

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Hardened-BYOS-EC2

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Hardened-BYOS-GCE

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Manager-Proxy-5-0-BYOS

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Manager-Proxy-5-0-BYOS-Azure

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Manager-Proxy-5-0-BYOS-EC2

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Manager-Proxy-5-0-BYOS-GCE

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Manager-Server-5-0

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Manager-Server-5-0-Azure-llc

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Manager-Server-5-0-Azure-ltd

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Manager-Server-5-0-BYOS

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Manager-Server-5-0-BYOS-Azure

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Manager-Server-5-0-BYOS-EC2

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Manager-Server-5-0-BYOS-GCE

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Manager-Server-5-0-EC2-llc

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Manager-Server-5-0-EC2-ltd

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Micro-5-5

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Micro-5-5-Azure

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Micro-5-5-BYOS

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Micro-5-5-BYOS-Azure

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Micro-5-5-BYOS-EC2

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Micro-5-5-BYOS-GCE

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Micro-5-5-EC2

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-Micro-5-5-GCE

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAP-Azure-3P

cluster-md-kmp-default-5.14.21-150500.55.73.1

dlm-kmp-default-5.14.21-150500.55.73.1

gfs2-kmp-default-5.14.21-150500.55.73.1

kernel-default-5.14.21-150500.55.73.1

ocfs2-kmp-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAP-Azure-LI-BYOS

cluster-md-kmp-default-5.14.21-150500.55.73.1

dlm-kmp-default-5.14.21-150500.55.73.1

gfs2-kmp-default-5.14.21-150500.55.73.1

kernel-default-5.14.21-150500.55.73.1

ocfs2-kmp-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAP-Azure-LI-BYOS-Production

cluster-md-kmp-default-5.14.21-150500.55.73.1

dlm-kmp-default-5.14.21-150500.55.73.1

gfs2-kmp-default-5.14.21-150500.55.73.1

kernel-default-5.14.21-150500.55.73.1

ocfs2-kmp-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAP-Azure-VLI-BYOS

cluster-md-kmp-default-5.14.21-150500.55.73.1

dlm-kmp-default-5.14.21-150500.55.73.1

gfs2-kmp-default-5.14.21-150500.55.73.1

kernel-default-5.14.21-150500.55.73.1

ocfs2-kmp-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production

cluster-md-kmp-default-5.14.21-150500.55.73.1

dlm-kmp-default-5.14.21-150500.55.73.1

gfs2-kmp-default-5.14.21-150500.55.73.1

kernel-default-5.14.21-150500.55.73.1

ocfs2-kmp-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAP-BYOS-Azure

cluster-md-kmp-default-5.14.21-150500.55.73.1

dlm-kmp-default-5.14.21-150500.55.73.1

gfs2-kmp-default-5.14.21-150500.55.73.1

kernel-default-5.14.21-150500.55.73.1

ocfs2-kmp-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAP-BYOS-EC2

cluster-md-kmp-default-5.14.21-150500.55.73.1

dlm-kmp-default-5.14.21-150500.55.73.1

gfs2-kmp-default-5.14.21-150500.55.73.1

kernel-default-5.14.21-150500.55.73.1

ocfs2-kmp-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAP-BYOS-GCE

cluster-md-kmp-default-5.14.21-150500.55.73.1

dlm-kmp-default-5.14.21-150500.55.73.1

gfs2-kmp-default-5.14.21-150500.55.73.1

kernel-default-5.14.21-150500.55.73.1

ocfs2-kmp-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAP-Hardened-Azure

cluster-md-kmp-default-5.14.21-150500.55.73.1

dlm-kmp-default-5.14.21-150500.55.73.1

gfs2-kmp-default-5.14.21-150500.55.73.1

kernel-default-5.14.21-150500.55.73.1

ocfs2-kmp-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAP-Hardened-BYOS-Azure

cluster-md-kmp-default-5.14.21-150500.55.73.1

dlm-kmp-default-5.14.21-150500.55.73.1

gfs2-kmp-default-5.14.21-150500.55.73.1

kernel-default-5.14.21-150500.55.73.1

ocfs2-kmp-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAP-Hardened-BYOS-EC2

cluster-md-kmp-default-5.14.21-150500.55.73.1

dlm-kmp-default-5.14.21-150500.55.73.1

gfs2-kmp-default-5.14.21-150500.55.73.1

kernel-default-5.14.21-150500.55.73.1

ocfs2-kmp-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAP-Hardened-BYOS-GCE

cluster-md-kmp-default-5.14.21-150500.55.73.1

dlm-kmp-default-5.14.21-150500.55.73.1

gfs2-kmp-default-5.14.21-150500.55.73.1

kernel-default-5.14.21-150500.55.73.1

ocfs2-kmp-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAP-Hardened-GCE

cluster-md-kmp-default-5.14.21-150500.55.73.1

dlm-kmp-default-5.14.21-150500.55.73.1

gfs2-kmp-default-5.14.21-150500.55.73.1

kernel-default-5.14.21-150500.55.73.1

ocfs2-kmp-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAPCAL-Azure

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAPCAL-EC2

kernel-default-5.14.21-150500.55.73.1

Image SLES15-SP5-SAPCAL-GCE

kernel-default-5.14.21-150500.55.73.1

SUSE Linux Enterprise High Availability Extension 15 SP5

cluster-md-kmp-default-5.14.21-150500.55.73.1

dlm-kmp-default-5.14.21-150500.55.73.1

gfs2-kmp-default-5.14.21-150500.55.73.1

ocfs2-kmp-default-5.14.21-150500.55.73.1

SUSE Linux Enterprise Live Patching 15 SP5

kernel-default-livepatch-5.14.21-150500.55.73.1

kernel-default-livepatch-devel-5.14.21-150500.55.73.1

kernel-livepatch-5_14_21-150500_55_73-default-1-150500.11.3.1

SUSE Linux Enterprise Micro 5.5

kernel-default-5.14.21-150500.55.73.1

kernel-default-base-5.14.21-150500.55.73.1.150500.6.33.8

SUSE Linux Enterprise Module for Basesystem 15 SP5

kernel-64kb-5.14.21-150500.55.73.1

kernel-64kb-devel-5.14.21-150500.55.73.1

kernel-default-5.14.21-150500.55.73.1

kernel-default-base-5.14.21-150500.55.73.1.150500.6.33.8

kernel-default-devel-5.14.21-150500.55.73.1

kernel-devel-5.14.21-150500.55.73.1

kernel-macros-5.14.21-150500.55.73.1

kernel-zfcpdump-5.14.21-150500.55.73.1

SUSE Linux Enterprise Module for Development Tools 15 SP5

kernel-docs-5.14.21-150500.55.73.2

kernel-obs-build-5.14.21-150500.55.73.1

kernel-source-5.14.21-150500.55.73.1

kernel-syms-5.14.21-150500.55.73.1

SUSE Linux Enterprise Module for Legacy 15 SP5

reiserfs-kmp-default-5.14.21-150500.55.73.1

SUSE Linux Enterprise Workstation Extension 15 SP5

kernel-default-extra-5.14.21-150500.55.73.1

openSUSE Leap 15.5

cluster-md-kmp-64kb-5.14.21-150500.55.73.1

cluster-md-kmp-default-5.14.21-150500.55.73.1

dlm-kmp-64kb-5.14.21-150500.55.73.1

dlm-kmp-default-5.14.21-150500.55.73.1

dtb-allwinner-5.14.21-150500.55.73.1

dtb-altera-5.14.21-150500.55.73.1

dtb-amazon-5.14.21-150500.55.73.1

dtb-amd-5.14.21-150500.55.73.1

dtb-amlogic-5.14.21-150500.55.73.1

dtb-apm-5.14.21-150500.55.73.1

dtb-apple-5.14.21-150500.55.73.1

dtb-arm-5.14.21-150500.55.73.1

dtb-broadcom-5.14.21-150500.55.73.1

dtb-cavium-5.14.21-150500.55.73.1

dtb-exynos-5.14.21-150500.55.73.1

dtb-freescale-5.14.21-150500.55.73.1

dtb-hisilicon-5.14.21-150500.55.73.1

dtb-lg-5.14.21-150500.55.73.1

dtb-marvell-5.14.21-150500.55.73.1

dtb-mediatek-5.14.21-150500.55.73.1

dtb-nvidia-5.14.21-150500.55.73.1

dtb-qcom-5.14.21-150500.55.73.1

dtb-renesas-5.14.21-150500.55.73.1

dtb-rockchip-5.14.21-150500.55.73.1

dtb-socionext-5.14.21-150500.55.73.1

dtb-sprd-5.14.21-150500.55.73.1

dtb-xilinx-5.14.21-150500.55.73.1

gfs2-kmp-64kb-5.14.21-150500.55.73.1

gfs2-kmp-default-5.14.21-150500.55.73.1

kernel-64kb-5.14.21-150500.55.73.1

kernel-64kb-devel-5.14.21-150500.55.73.1

kernel-64kb-extra-5.14.21-150500.55.73.1

kernel-64kb-livepatch-devel-5.14.21-150500.55.73.1

kernel-64kb-optional-5.14.21-150500.55.73.1

kernel-debug-5.14.21-150500.55.73.1

kernel-debug-devel-5.14.21-150500.55.73.1

kernel-debug-livepatch-devel-5.14.21-150500.55.73.1

kernel-debug-vdso-5.14.21-150500.55.73.1

kernel-default-5.14.21-150500.55.73.1

kernel-default-base-5.14.21-150500.55.73.1.150500.6.33.8

kernel-default-base-rebuild-5.14.21-150500.55.73.1.150500.6.33.8

kernel-default-devel-5.14.21-150500.55.73.1

kernel-default-extra-5.14.21-150500.55.73.1

kernel-default-livepatch-5.14.21-150500.55.73.1

kernel-default-livepatch-devel-5.14.21-150500.55.73.1

kernel-default-optional-5.14.21-150500.55.73.1

kernel-default-vdso-5.14.21-150500.55.73.1

kernel-devel-5.14.21-150500.55.73.1

kernel-docs-5.14.21-150500.55.73.2

kernel-docs-html-5.14.21-150500.55.73.2

kernel-kvmsmall-5.14.21-150500.55.73.1

kernel-kvmsmall-devel-5.14.21-150500.55.73.1

kernel-kvmsmall-livepatch-devel-5.14.21-150500.55.73.1

kernel-kvmsmall-vdso-5.14.21-150500.55.73.1

kernel-macros-5.14.21-150500.55.73.1

kernel-obs-build-5.14.21-150500.55.73.1

kernel-obs-qa-5.14.21-150500.55.73.1

kernel-source-5.14.21-150500.55.73.1

kernel-source-vanilla-5.14.21-150500.55.73.1

kernel-syms-5.14.21-150500.55.73.1

kernel-zfcpdump-5.14.21-150500.55.73.1

kselftests-kmp-64kb-5.14.21-150500.55.73.1

kselftests-kmp-default-5.14.21-150500.55.73.1

ocfs2-kmp-64kb-5.14.21-150500.55.73.1

ocfs2-kmp-default-5.14.21-150500.55.73.1

reiserfs-kmp-64kb-5.14.21-150500.55.73.1

reiserfs-kmp-default-5.14.21-150500.55.73.1

openSUSE Leap Micro 5.5

kernel-default-5.14.21-150500.55.73.1

kernel-default-base-5.14.21-150500.55.73.1.150500.6.33.8

Ссылки

https://www.suse.com/support/update/announcement/2024/suse-su-20242939-1/
Link for SUSE-SU-2024:2939-1
https://lists.suse.com/pipermail/sle-security-updates/2024-August/019211.html
E-Mail link for SUSE-SU-2024:2939-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1082555
SUSE Bug 1082555
https://bugzilla.suse.com/1156395
SUSE Bug 1156395
https://bugzilla.suse.com/1190336
SUSE Bug 1190336
https://bugzilla.suse.com/1191958
SUSE Bug 1191958
https://bugzilla.suse.com/1193454
SUSE Bug 1193454
https://bugzilla.suse.com/1193554
SUSE Bug 1193554
https://bugzilla.suse.com/1193787
SUSE Bug 1193787
https://bugzilla.suse.com/1193883
SUSE Bug 1193883
https://bugzilla.suse.com/1194324
SUSE Bug 1194324
https://bugzilla.suse.com/1194826
SUSE Bug 1194826
https://bugzilla.suse.com/1194869
SUSE Bug 1194869
https://bugzilla.suse.com/1195065
SUSE Bug 1195065
https://bugzilla.suse.com/1195254
SUSE Bug 1195254
https://bugzilla.suse.com/1195341
SUSE Bug 1195341
https://bugzilla.suse.com/1195349
SUSE Bug 1195349
https://bugzilla.suse.com/1195357
SUSE Bug 1195357
https://bugzilla.suse.com/1195668
SUSE Bug 1195668

Описание

In the Linux kernel, the following vulnerability has been resolved: isdn: cpai: check ctr->cnr to avoid array index out of bound The cmtp_add_connection() would add a cmtp session to a controller and run a kernel thread to process cmtp. __module_get(THIS_MODULE); session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d", session->num); During this process, the kernel thread would call detach_capi_ctr() to detach a register controller. if the controller was not attached yet, detach_capi_ctr() would trigger an array-index-out-bounds bug. [ 46.866069][ T6479] UBSAN: array-index-out-of-bounds in drivers/isdn/capi/kcapi.c:483:21 [ 46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]' [ 46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted 5.15.0-rc2+ #8 [ 46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 [ 46.870107][ T6479] Call Trace: [ 46.870473][ T6479] dump_stack_lvl+0x57/0x7d [ 46.870974][ T6479] ubsan_epilogue+0x5/0x40 [ 46.871458][ T6479] __ubsan_handle_out_of_bounds.cold+0x43/0x48 [ 46.872135][ T6479] detach_capi_ctr+0x64/0xc0 [ 46.872639][ T6479] cmtp_session+0x5c8/0x5d0 [ 46.873131][ T6479] ? __init_waitqueue_head+0x60/0x60 [ 46.873712][ T6479] ? cmtp_add_msgpart+0x120/0x120 [ 46.874256][ T6479] kthread+0x147/0x170 [ 46.874709][ T6479] ? set_kthread_struct+0x40/0x40 [ 46.875248][ T6479] ret_from_fork+0x1f/0x30 [ 46.875773][ T6479]

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-4439.html
CVE-2021-4439
https://bugzilla.suse.com/1226670
SUSE Bug 1226670

Описание

In the Linux kernel, the following vulnerability has been resolved: phonet/pep: refuse to enable an unbound pipe This ioctl() implicitly assumed that the socket was already bound to a valid local socket name, i.e. Phonet object. If the socket was not bound, two separate problems would occur: 1) We'd send an pipe enablement request with an invalid source object. 2) Later socket calls could BUG on the socket unexpectedly being connected yet not bound to a valid object.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47086.html
CVE-2021-47086
https://bugzilla.suse.com/1220952
SUSE Bug 1220952

Описание

In the Linux kernel, the following vulnerability has been resolved: kfence: fix memory leak when cat kfence objects Hulk robot reported a kmemleak problem: unreferenced object 0xffff93d1d8cc02e8 (size 248): comm "cat", pid 23327, jiffies 4624670141 (age 495992.217s) hex dump (first 32 bytes): 00 40 85 19 d4 93 ff ff 00 10 00 00 00 00 00 00 .@.............. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: seq_open+0x2a/0x80 full_proxy_open+0x167/0x1e0 do_dentry_open+0x1e1/0x3a0 path_openat+0x961/0xa20 do_filp_open+0xae/0x120 do_sys_openat2+0x216/0x2f0 do_sys_open+0x57/0x80 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 unreferenced object 0xffff93d419854000 (size 4096): comm "cat", pid 23327, jiffies 4624670141 (age 495992.217s) hex dump (first 32 bytes): 6b 66 65 6e 63 65 2d 23 32 35 30 3a 20 30 78 30 kfence-#250: 0x0 30 30 30 30 30 30 30 37 35 34 62 64 61 31 32 2d 0000000754bda12- backtrace: seq_read_iter+0x313/0x440 seq_read+0x14b/0x1a0 full_proxy_read+0x56/0x80 vfs_read+0xa5/0x1b0 ksys_read+0xa0/0xf0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 I find that we can easily reproduce this problem with the following commands: cat /sys/kernel/debug/kfence/objects echo scan > /sys/kernel/debug/kmemleak cat /sys/kernel/debug/kmemleak The leaked memory is allocated in the stack below: do_syscall_64 do_sys_open do_dentry_open full_proxy_open seq_open ---> alloc seq_file vfs_read full_proxy_read seq_read seq_read_iter traverse ---> alloc seq_buf And it should have been released in the following process: do_syscall_64 syscall_exit_to_user_mode exit_to_user_mode_prepare task_work_run ____fput __fput full_proxy_release ---> free here However, the release function corresponding to file_operations is not implemented in kfence. As a result, a memory leak occurs. Therefore, the solution to this problem is to implement the corresponding release function.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47089.html
CVE-2021-47089
https://bugzilla.suse.com/1220958
SUSE Bug 1220958

Описание

In the Linux kernel, the following vulnerability has been resolved: inet: fully convert sk->sk_rx_dst to RCU rules syzbot reported various issues around early demux, one being included in this changelog [1] sk->sk_rx_dst is using RCU protection without clearly documenting it. And following sequences in tcp_v4_do_rcv()/tcp_v6_do_rcv() are not following standard RCU rules. [a] dst_release(dst); [b] sk->sk_rx_dst = NULL; They look wrong because a delete operation of RCU protected pointer is supposed to clear the pointer before the call_rcu()/synchronize_rcu() guarding actual memory freeing. In some cases indeed, dst could be freed before [b] is done. We could cheat by clearing sk_rx_dst before calling dst_release(), but this seems the right time to stick to standard RCU annotations and debugging facilities. [1] BUG: KASAN: use-after-free in dst_check include/net/dst.h:470 [inline] BUG: KASAN: use-after-free in tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792 Read of size 2 at addr ffff88807f1cb73a by task syz-executor.5/9204 CPU: 0 PID: 9204 Comm: syz-executor.5 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 dst_check include/net/dst.h:470 [inline] tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792 ip_rcv_finish_core.constprop.0+0x15de/0x1e80 net/ipv4/ip_input.c:340 ip_list_rcv_finish.constprop.0+0x1b2/0x6e0 net/ipv4/ip_input.c:583 ip_sublist_rcv net/ipv4/ip_input.c:609 [inline] ip_list_rcv+0x34e/0x490 net/ipv4/ip_input.c:644 __netif_receive_skb_list_ptype net/core/dev.c:5508 [inline] __netif_receive_skb_list_core+0x549/0x8e0 net/core/dev.c:5556 __netif_receive_skb_list net/core/dev.c:5608 [inline] netif_receive_skb_list_internal+0x75e/0xd80 net/core/dev.c:5699 gro_normal_list net/core/dev.c:5853 [inline] gro_normal_list net/core/dev.c:5849 [inline] napi_complete_done+0x1f1/0x880 net/core/dev.c:6590 virtqueue_napi_complete drivers/net/virtio_net.c:339 [inline] virtnet_poll+0xca2/0x11b0 drivers/net/virtio_net.c:1557 __napi_poll+0xaf/0x440 net/core/dev.c:7023 napi_poll net/core/dev.c:7090 [inline] net_rx_action+0x801/0xb40 net/core/dev.c:7177 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649 common_interrupt+0x52/0xc0 arch/x86/kernel/irq.c:240 asm_common_interrupt+0x1e/0x40 arch/x86/include/asm/idtentry.h:629 RIP: 0033:0x7f5e972bfd57 Code: 39 d1 73 14 0f 1f 80 00 00 00 00 48 8b 50 f8 48 83 e8 08 48 39 ca 77 f3 48 39 c3 73 3e 48 89 13 48 8b 50 f8 48 89 38 49 8b 0e <48> 8b 3e 48 83 c3 08 48 83 c6 08 eb bc 48 39 d1 72 9e 48 39 d0 73 RSP: 002b:00007fff8a413210 EFLAGS: 00000283 RAX: 00007f5e97108990 RBX: 00007f5e97108338 RCX: ffffffff81d3aa45 RDX: ffffffff81d3aa45 RSI: 00007f5e97108340 RDI: ffffffff81d3aa45 RBP: 00007f5e97107eb8 R08: 00007f5e97108d88 R09: 0000000093c2e8d9 R10: 0000000000000000 R11: 0000000000000000 R12: 00007f5e97107eb0 R13: 00007f5e97108338 R14: 00007f5e97107ea8 R15: 0000000000000019 </TASK> Allocated by task 13: kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:467 kasan_slab_alloc include/linux/kasan.h:259 [inline] slab_post_alloc_hook mm/slab.h:519 [inline] slab_alloc_node mm/slub.c:3234 [inline] slab_alloc mm/slub.c:3242 [inline] kmem_cache_alloc+0x202/0x3a0 mm/slub.c:3247 dst_alloc+0x146/0x1f0 net/core/dst.c:92 rt_dst_alloc+0x73/0x430 net/ipv4/route.c:1613 ip_route_input_slow+0x1817/0x3a20 net/ipv4/route.c:234 ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47103.html
CVE-2021-47103
https://bugzilla.suse.com/1221010
SUSE Bug 1221010

Описание

In the Linux kernel, the following vulnerability has been resolved: tipc: check for null after calling kmemdup kmemdup can return a null pointer so need to check for it, otherwise the null key will be dereferenced later in tipc_crypto_key_xmit as can be seen in the trace [1]. [1] https://syzkaller.appspot.com/bug?id=bca180abb29567b189efdbdb34cbf7ba851c2a58

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47186.html
CVE-2021-47186
https://bugzilla.suse.com/1222702
SUSE Bug 1222702

Описание

In the Linux kernel, the following vulnerability has been resolved: lib/generic-radix-tree.c: Don't overflow in peek() When we started spreading new inode numbers throughout most of the 64 bit inode space, that triggered some corner case bugs, in particular some integer overflows related to the radix tree code. Oops.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47432.html
CVE-2021-47432
https://bugzilla.suse.com/1225391
SUSE Bug 1225391

Описание

In the Linux kernel, the following vulnerability has been resolved: seg6: fix the iif in the IPv6 socket control block When an IPv4 packet is received, the ip_rcv_core(...) sets the receiving interface index into the IPv4 socket control block (v5.16-rc4, net/ipv4/ip_input.c line 510): IPCB(skb)->iif = skb->skb_iif; If that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH header, the seg6_do_srh_encap(...) performs the required encapsulation. In this case, the seg6_do_srh_encap function clears the IPv6 socket control block (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163): memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); The memset(...) was introduced in commit ef489749aae5 ("ipv6: sr: clear IP6CB(skb) on SRH ip4ip6 encapsulation") a long time ago (2019-01-29). Since the IPv6 socket control block and the IPv4 socket control block share the same memory area (skb->cb), the receiving interface index info is lost (IP6CB(skb)->iif is set to zero). As a side effect, that condition triggers a NULL pointer dereference if commit 0857d6f8c759 ("ipv6: When forwarding count rx stats on the orig netdev") is applied. To fix that issue, we set the IP6CB(skb)->iif with the index of the receiving interface once again.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47515.html
CVE-2021-47515
https://bugzilla.suse.com/1225426
SUSE Bug 1225426

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/vc4: kms: Add missing drm_crtc_commit_put Commit 9ec03d7f1ed3 ("drm/vc4: kms: Wait on previous FIFO users before a commit") introduced a global state for the HVS, with each FIFO storing the current CRTC commit so that we can properly synchronize commits. However, the refcounting was off and we thus ended up leaking the drm_crtc_commit structure every commit. Add a drm_crtc_commit_put to prevent the leakage.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47534.html
CVE-2021-47534
https://bugzilla.suse.com/1230903
SUSE Bug 1230903

Описание

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer() Need to call rxrpc_put_local() for peer candidate before kfree() as it holds a ref to rxrpc_local. [DH: v2: Changed to abstract the peer freeing code out into a function]

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47538.html
CVE-2021-47538
https://bugzilla.suse.com/1225448
SUSE Bug 1225448

Описание

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix rxrpc_peer leak in rxrpc_look_up_bundle() Need to call rxrpc_put_peer() for bundle candidate before kfree() as it holds a ref to rxrpc_peer. [DH: v2: Changed to abstract out the bundle freeing code into a function]

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47539.html
CVE-2021-47539
https://bugzilla.suse.com/1225452
SUSE Bug 1225452

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: fix memory leak in fib6_rule_suppress The kernel leaks memory when a `fib` rule is present in IPv6 nftables firewall rules and a suppress_prefix rule is present in the IPv6 routing rules (used by certain tools such as wg-quick). In such scenarios, every incoming packet will leak an allocation in `ip6_dst_cache` slab cache. After some hours of `bpftrace`-ing and source code reading, I tracked down the issue to ca7a03c41753 ("ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule"). The problem with that change is that the generic `args->flags` always have `FIB_LOOKUP_NOREF` set[1][2] but the IPv6-specific flag `RT6_LOOKUP_F_DST_NOREF` might not be, leading to `fib6_rule_suppress` not decreasing the refcount when needed. How to reproduce: - Add the following nftables rule to a prerouting chain: meta nfproto ipv6 fib saddr . mark . iif oif missing drop This can be done with: sudo nft create table inet test sudo nft create chain inet test test_chain '{ type filter hook prerouting priority filter + 10; policy accept; }' sudo nft add rule inet test test_chain meta nfproto ipv6 fib saddr . mark . iif oif missing drop - Run: sudo ip -6 rule add table main suppress_prefixlength 0 - Watch `sudo slabtop -o | grep ip6_dst_cache` to see memory usage increase with every incoming ipv6 packet. This patch exposes the protocol-specific flags to the protocol specific `suppress` function, and check the protocol-specific `flags` argument for RT6_LOOKUP_F_DST_NOREF instead of the generic FIB_LOOKUP_NOREF when decreasing the refcount, like this. [1]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71 [2]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L99

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47546.html
CVE-2021-47546
https://bugzilla.suse.com/1225504
SUSE Bug 1225504

Описание

In the Linux kernel, the following vulnerability has been resolved: net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound In line 5001, if all id in the array 'lp->phy[8]' is not 0, when the 'for' end, the 'k' is 8. At this time, the array 'lp->phy[8]' may be out of bound.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47547.html
CVE-2021-47547
https://bugzilla.suse.com/1225505
SUSE Bug 1225505

Описание

In the Linux kernel, the following vulnerability has been resolved: net: vlan: fix underflow for the real_dev refcnt Inject error before dev_hold(real_dev) in register_vlan_dev(), and execute the following testcase: ip link add dev dummy1 type dummy ip link add name dummy1.100 link dummy1 type vlan id 100 ip link del dev dummy1 When the dummy netdevice is removed, we will get a WARNING as following: ======================================================================= refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 and an endless loop of: ======================================================================= unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824 That is because dev_put(real_dev) in vlan_dev_free() be called without dev_hold(real_dev) in register_vlan_dev(). It makes the refcnt of real_dev underflow. Move the dev_hold(real_dev) to vlan_dev_init() which is the call-back of ndo_init(). That makes dev_hold() and dev_put() for vlan's real_dev symmetrical.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47555.html
CVE-2021-47555
https://bugzilla.suse.com/1225467
SUSE Bug 1225467

Описание

In the Linux kernel, the following vulnerability has been resolved: proc/vmcore: fix clearing user buffer by properly using clear_user() To clear a user buffer we cannot simply use memset, we have to use clear_user(). With a virtio-mem device that registers a vmcore_cb and has some logically unplugged memory inside an added Linux memory block, I can easily trigger a BUG by copying the vmcore via "cp": systemd[1]: Starting Kdump Vmcore Save Service... kdump[420]: Kdump is using the default log level(3). kdump[453]: saving to /sysroot/var/crash/127.0.0.1-2021-11-11-14:59:22/ kdump[458]: saving vmcore-dmesg.txt to /sysroot/var/crash/127.0.0.1-2021-11-11-14:59:22/ kdump[465]: saving vmcore-dmesg.txt complete kdump[467]: saving vmcore BUG: unable to handle page fault for address: 00007f2374e01000 #PF: supervisor write access in kernel mode #PF: error_code(0x0003) - permissions violation PGD 7a523067 P4D 7a523067 PUD 7a528067 PMD 7a525067 PTE 800000007048f867 Oops: 0003 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 468 Comm: cp Not tainted 5.15.0+ #6 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-27-g64f37cc530f1-prebuilt.qemu.org 04/01/2014 RIP: 0010:read_from_oldmem.part.0.cold+0x1d/0x86 Code: ff ff ff e8 05 ff fe ff e9 b9 e9 7f ff 48 89 de 48 c7 c7 38 3b 60 82 e8 f1 fe fe ff 83 fd 08 72 3c 49 8d 7d 08 4c 89 e9 89 e8 <49> c7 45 00 00 00 00 00 49 c7 44 05 f8 00 00 00 00 48 83 e7 f81 RSP: 0018:ffffc9000073be08 EFLAGS: 00010212 RAX: 0000000000001000 RBX: 00000000002fd000 RCX: 00007f2374e01000 RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00007f2374e01008 RBP: 0000000000001000 R08: 0000000000000000 R09: ffffc9000073bc50 R10: ffffc9000073bc48 R11: ffffffff829461a8 R12: 000000000000f000 R13: 00007f2374e01000 R14: 0000000000000000 R15: ffff88807bd421e8 FS: 00007f2374e12140(0000) GS:ffff88807f000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2374e01000 CR3: 000000007a4aa000 CR4: 0000000000350eb0 Call Trace: read_vmcore+0x236/0x2c0 proc_reg_read+0x55/0xa0 vfs_read+0x95/0x190 ksys_read+0x4f/0xc0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Some x86-64 CPUs have a CPU feature called "Supervisor Mode Access Prevention (SMAP)", which is used to detect wrong access from the kernel to user buffers like this: SMAP triggers a permissions violation on wrong access. In the x86-64 variant of clear_user(), SMAP is properly handled via clac()+stac(). To fix, properly use clear_user() when we're dealing with a user buffer.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47566.html
CVE-2021-47566
https://bugzilla.suse.com/1225514
SUSE Bug 1225514

Описание

In the Linux kernel, the following vulnerability has been resolved: staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() The free_rtllib() function frees the "dev" pointer so there is use after free on the next line. Re-arrange things to avoid that.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47571.html
CVE-2021-47571
https://bugzilla.suse.com/1225518
SUSE Bug 1225518
https://bugzilla.suse.com/1227551
SUSE Bug 1227551

Описание

In the Linux kernel, the following vulnerability has been resolved: net: nexthop: fix null pointer dereference when IPv6 is not enabled When we try to add an IPv6 nexthop and IPv6 is not enabled (!CONFIG_IPV6) we'll hit a NULL pointer dereference[1] in the error path of nh_create_ipv6() due to calling ipv6_stub->fib6_nh_release. The bug has been present since the beginning of IPv6 nexthop gateway support. Commit 1aefd3de7bc6 ("ipv6: Add fib6_nh_init and release to stubs") tells us that only fib6_nh_init has a dummy stub because fib6_nh_release should not be called if fib6_nh_init returns an error, but the commit below added a call to ipv6_stub->fib6_nh_release in its error path. To fix it return the dummy stub's -EAFNOSUPPORT error directly without calling ipv6_stub->fib6_nh_release in nh_create_ipv6()'s error path. [1] Output is a bit truncated, but it clearly shows the error. BUG: kernel NULL pointer dereference, address: 000000000000000000 #PF: supervisor instruction fetch in kernel modede #PF: error_code(0x0010) - not-present pagege PGD 0 P4D 0 Oops: 0010 [#1] PREEMPT SMP NOPTI CPU: 4 PID: 638 Comm: ip Kdump: loaded Not tainted 5.16.0-rc1+ #446 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. RSP: 0018:ffff888109f5b8f0 EFLAGS: 00010286^Ac RAX: 0000000000000000 RBX: ffff888109f5ba28 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881008a2860 RBP: ffff888109f5b9d8 R08: 0000000000000000 R09: 0000000000000000 R10: ffff888109f5b978 R11: ffff888109f5b948 R12: 00000000ffffff9f R13: ffff8881008a2a80 R14: ffff8881008a2860 R15: ffff8881008a2840 FS: 00007f98de70f100(0000) GS:ffff88822bf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000100efc000 CR4: 00000000000006e0 Call Trace: <TASK> nh_create_ipv6+0xed/0x10c rtm_new_nexthop+0x6d7/0x13f3 ? check_preemption_disabled+0x3d/0xf2 ? lock_is_held_type+0xbe/0xfd rtnetlink_rcv_msg+0x23f/0x26a ? check_preemption_disabled+0x3d/0xf2 ? rtnl_calcit.isra.0+0x147/0x147 netlink_rcv_skb+0x61/0xb2 netlink_unicast+0x100/0x187 netlink_sendmsg+0x37f/0x3a0 ? netlink_unicast+0x187/0x187 sock_sendmsg_nosec+0x67/0x9b ____sys_sendmsg+0x19d/0x1f9 ? copy_msghdr_from_user+0x4c/0x5e ? rcu_read_lock_any_held+0x2a/0x78 ___sys_sendmsg+0x6c/0x8c ? asm_sysvec_apic_timer_interrupt+0x12/0x20 ? lockdep_hardirqs_on+0xd9/0x102 ? sockfd_lookup_light+0x69/0x99 __sys_sendmsg+0x50/0x6e do_syscall_64+0xcb/0xf2 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f98dea28914 Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 48 8d 05 e9 5d 0c 00 8b 00 85 c0 75 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 41 89 d4 55 48 89 f5 53 RSP: 002b:00007fff859f5e68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e2e RAX: ffffffffffffffda RBX: 00000000619cb810 RCX: 00007f98dea28914 RDX: 0000000000000000 RSI: 00007fff859f5ed0 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000008 R10: fffffffffffffce6 R11: 0000000000000246 R12: 0000000000000001 R13: 000055c0097ae520 R14: 000055c0097957fd R15: 00007fff859f63a0 </TASK> Modules linked in: bridge stp llc bonding virtio_net

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47572.html
CVE-2021-47572
https://bugzilla.suse.com/1225389
SUSE Bug 1225389

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select() In resp_mode_select() sanity check the block descriptor len to avoid UAF. BUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509 Read of size 1 at addr ffff888026670f50 by task scsicmd/15032 CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Call Trace: <TASK> dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257 kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306 resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509 schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483 scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537 scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50 entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47576.html
CVE-2021-47576
https://bugzilla.suse.com/1226537
SUSE Bug 1226537

Описание

In the Linux kernel, the following vulnerability has been resolved: io-wq: check for wq exit after adding new worker task_work We check IO_WQ_BIT_EXIT before attempting to create a new worker, and wq exit cancels pending work if we have any. But it's possible to have a race between the two, where creation checks exit finding it not set, but we're in the process of exiting. The exit side will cancel pending creation task_work, but there's a gap where we add task_work after we've canceled existing creations at exit time. Fix this by checking the EXIT bit post adding the creation task_work. If it's set, run the same cancelation that exit does.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47577.html
CVE-2021-47577
https://bugzilla.suse.com/1226538
SUSE Bug 1226538

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Don't call kcalloc() if size arg is zero If the size arg to kcalloc() is zero, it returns ZERO_SIZE_PTR. Because of that, for a following NULL pointer check to work on the returned pointer, kcalloc() must not be called with the size arg equal to zero. Return early without error before the kcalloc() call if size arg is zero. BUG: KASAN: null-ptr-deref in memcpy include/linux/fortify-string.h:191 [inline] BUG: KASAN: null-ptr-deref in sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974 Write of size 4 at addr 0000000000000010 by task syz-executor.1/22789 CPU: 1 PID: 22789 Comm: syz-executor.1 Not tainted 5.15.0-syzk #1 Hardware name: Red Hat KVM, BIOS 1.13.0-2 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 __kasan_report mm/kasan/report.c:446 [inline] kasan_report.cold.14+0x112/0x117 mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189 memcpy+0x3b/0x60 mm/kasan/shadow.c:66 memcpy include/linux/fortify-string.h:191 [inline] sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974 do_dout_fetch drivers/scsi/scsi_debug.c:2954 [inline] do_dout_fetch drivers/scsi/scsi_debug.c:2946 [inline] resp_verify+0x49e/0x930 drivers/scsi/scsi_debug.c:4276 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline] scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62 blk_execute_rq+0xdb/0x360 block/blk-exec.c:102 sg_scsi_ioctl drivers/scsi/scsi_ioctl.c:621 [inline] scsi_ioctl+0x8bb/0x15c0 drivers/scsi/scsi_ioctl.c:930 sg_ioctl_common+0x172d/0x2710 drivers/scsi/sg.c:1112 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47578.html
CVE-2021-47578
https://bugzilla.suse.com/1226539
SUSE Bug 1226539

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Fix type in min_t to avoid stack OOB Change min_t() to use type "u32" instead of type "int" to avoid stack out of bounds. With min_t() type "int" the values get sign extended and the larger value gets used causing stack out of bounds. BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976 Read of size 127 at addr ffff888072607128 by task syz-executor.7/18707 CPU: 1 PID: 18707 Comm: syz-executor.7 Not tainted 5.15.0-syzk #1 Hardware name: Red Hat KVM, BIOS 1.13.0-2 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189 memcpy+0x23/0x60 mm/kasan/shadow.c:65 memcpy include/linux/fortify-string.h:191 [inline] sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976 sg_copy_from_buffer+0x33/0x40 lib/scatterlist.c:1000 fill_from_dev_buffer.part.34+0x82/0x130 drivers/scsi/scsi_debug.c:1162 fill_from_dev_buffer drivers/scsi/scsi_debug.c:1888 [inline] resp_readcap16+0x365/0x3b0 drivers/scsi/scsi_debug.c:1887 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline] scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:836 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:774 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:939 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47580.html
CVE-2021-47580
https://bugzilla.suse.com/1226550
SUSE Bug 1226550
https://bugzilla.suse.com/1227611
SUSE Bug 1227611

Описание

In the Linux kernel, the following vulnerability has been resolved: USB: core: Make do_proc_control() and do_proc_bulk() killable The USBDEVFS_CONTROL and USBDEVFS_BULK ioctls invoke usb_start_wait_urb(), which contains an uninterruptible wait with a user-specified timeout value. If timeout value is very large and the device being accessed does not respond in a reasonable amount of time, the kernel will complain about "Task X blocked for more than N seconds", as found in testing by syzbot: INFO: task syz-executor.0:8700 blocked for more than 143 seconds. Not tainted 5.14.0-rc7-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.0 state:D stack:23192 pid: 8700 ppid: 8455 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:4681 [inline] __schedule+0xc07/0x11f0 kernel/sched/core.c:5938 schedule+0x14b/0x210 kernel/sched/core.c:6017 schedule_timeout+0x98/0x2f0 kernel/time/timer.c:1857 do_wait_for_common+0x2da/0x480 kernel/sched/completion.c:85 __wait_for_common kernel/sched/completion.c:106 [inline] wait_for_common kernel/sched/completion.c:117 [inline] wait_for_completion_timeout+0x46/0x60 kernel/sched/completion.c:157 usb_start_wait_urb+0x167/0x550 drivers/usb/core/message.c:63 do_proc_bulk+0x978/0x1080 drivers/usb/core/devio.c:1236 proc_bulk drivers/usb/core/devio.c:1273 [inline] usbdev_do_ioctl drivers/usb/core/devio.c:2547 [inline] usbdev_ioctl+0x3441/0x6b10 drivers/usb/core/devio.c:2713 ... To fix this problem, this patch replaces usbfs's calls to usb_control_msg() and usb_bulk_msg() with special-purpose code that does essentially the same thing (as recommended in the comment for usb_start_wait_urb()), except that it always uses a killable wait and it uses GFP_KERNEL rather than GFP_NOIO.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47582.html
CVE-2021-47582
https://bugzilla.suse.com/1226559
SUSE Bug 1226559

Описание

In the Linux kernel, the following vulnerability has been resolved: media: mxl111sf: change mutex_init() location Syzbot reported, that mxl111sf_ctrl_msg() uses uninitialized mutex. The problem was in wrong mutex_init() location. Previous mutex_init(&state->msg_lock) call was in ->init() function, but dvb_usbv2_init() has this order of calls: dvb_usbv2_init() dvb_usbv2_adapter_init() dvb_usbv2_adapter_frontend_init() props->frontend_attach() props->init() Since mxl111sf_* devices call mxl111sf_ctrl_msg() in ->frontend_attach() internally we need to initialize state->msg_lock before frontend_attach(). To achieve it, ->probe() call added to all mxl111sf_* devices, which will simply initiaize mutex.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47583.html
CVE-2021-47583
https://bugzilla.suse.com/1226563
SUSE Bug 1226563

Описание

In the Linux kernel, the following vulnerability has been resolved: iocost: Fix divide-by-zero on donation from low hweight cgroup The donation calculation logic assumes that the donor has non-zero after-donation hweight, so the lowest active hweight a donating cgroup can have is 2 so that it can donate 1 while keeping the other 1 for itself. Earlier, we only donated from cgroups with sizable surpluses so this condition was always true. However, with the precise donation algorithm implemented, f1de2439ec43 ("blk-iocost: revamp donation amount determination") made the donation amount calculation exact enabling even low hweight cgroups to donate. This means that in rare occasions, a cgroup with active hweight of 1 can enter donation calculation triggering the following warning and then a divide-by-zero oops. WARNING: CPU: 4 PID: 0 at block/blk-iocost.c:1928 transfer_surpluses.cold+0x0/0x53 [884/94867] ... RIP: 0010:transfer_surpluses.cold+0x0/0x53 Code: 92 ff 48 c7 c7 28 d1 ab b5 65 48 8b 34 25 00 ae 01 00 48 81 c6 90 06 00 00 e8 8b 3f fe ff 48 c7 c0 ea ff ff ff e9 95 ff 92 ff <0f> 0b 48 c7 c7 30 da ab b5 e8 71 3f fe ff 4c 89 e8 4d 85 ed 74 0 4 ... Call Trace: <IRQ> ioc_timer_fn+0x1043/0x1390 call_timer_fn+0xa1/0x2c0 __run_timers.part.0+0x1ec/0x2e0 run_timer_softirq+0x35/0x70 ... iocg: invalid donation weights in /a/b: active=1 donating=1 after=0 Fix it by excluding cgroups w/ active hweight < 2 from donating. Excluding these extreme low hweight donations shouldn't affect work conservation in any meaningful way.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47584.html
CVE-2021-47584
https://bugzilla.suse.com/1226564
SUSE Bug 1226564

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix memory leak in __add_inode_ref() Line 1169 (#3) allocates a memory chunk for victim_name by kmalloc(), but when the function returns in line 1184 (#4) victim_name allocated by line 1169 (#3) is not freed, which will lead to a memory leak. There is a similar snippet of code in this function as allocating a memory chunk for victim_name in line 1104 (#1) as well as releasing the memory in line 1116 (#2). We should kfree() victim_name when the return value of backref_in_log() is less than zero and before the function returns in line 1184 (#4). 1057 static inline int __add_inode_ref(struct btrfs_trans_handle *trans, 1058 struct btrfs_root *root, 1059 struct btrfs_path *path, 1060 struct btrfs_root *log_root, 1061 struct btrfs_inode *dir, 1062 struct btrfs_inode *inode, 1063 u64 inode_objectid, u64 parent_objectid, 1064 u64 ref_index, char *name, int namelen, 1065 int *search_done) 1066 { 1104 victim_name = kmalloc(victim_name_len, GFP_NOFS); // #1: kmalloc (victim_name-1) 1105 if (!victim_name) 1106 return -ENOMEM; 1112 ret = backref_in_log(log_root, &search_key, 1113 parent_objectid, victim_name, 1114 victim_name_len); 1115 if (ret < 0) { 1116 kfree(victim_name); // #2: kfree (victim_name-1) 1117 return ret; 1118 } else if (!ret) { 1169 victim_name = kmalloc(victim_name_len, GFP_NOFS); // #3: kmalloc (victim_name-2) 1170 if (!victim_name) 1171 return -ENOMEM; 1180 ret = backref_in_log(log_root, &search_key, 1181 parent_objectid, victim_name, 1182 victim_name_len); 1183 if (ret < 0) { 1184 return ret; // #4: missing kfree (victim_name-2) 1185 } else if (!ret) { 1241 return 0; 1242 }

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47585.html
CVE-2021-47585
https://bugzilla.suse.com/1226556
SUSE Bug 1226556

Описание

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: dwmac-rk: fix oob read in rk_gmac_setup KASAN reports an out-of-bounds read in rk_gmac_setup on the line: while (ops->regs[i]) { This happens for most platforms since the regs flexible array member is empty, so the memory after the ops structure is being read here. It seems that mostly this happens to contain zero anyway, so we get lucky and everything still works. To avoid adding redundant data to nearly all the ops structures, add a new flag to indicate whether the regs field is valid and avoid this loop when it is not.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47586.html
CVE-2021-47586
https://bugzilla.suse.com/1226561
SUSE Bug 1226561

Описание

In the Linux kernel, the following vulnerability has been resolved: net: systemport: Add global locking for descriptor lifecycle The descriptor list is a shared resource across all of the transmit queues, and the locking mechanism used today only protects concurrency across a given transmit queue between the transmit and reclaiming. This creates an opportunity for the SYSTEMPORT hardware to work on corrupted descriptors if we have multiple producers at once which is the case when using multiple transmit queues. This was particularly noticeable when using multiple flows/transmit queues and it showed up in interesting ways in that UDP packets would get a correct UDP header checksum being calculated over an incorrect packet length. Similarly TCP packets would get an equally correct checksum computed by the hardware over an incorrect packet length. The SYSTEMPORT hardware maintains an internal descriptor list that it re-arranges when the driver produces a new descriptor anytime it writes to the WRITE_PORT_{HI,LO} registers, there is however some delay in the hardware to re-organize its descriptors and it is possible that concurrent TX queues eventually break this internal allocation scheme to the point where the length/status part of the descriptor gets used for an incorrect data buffer. The fix is to impose a global serialization for all TX queues in the short section where we are writing to the WRITE_PORT_{HI,LO} registers which solves the corruption even with multiple concurrent TX queues being used.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47587.html
CVE-2021-47587
https://bugzilla.suse.com/1226567
SUSE Bug 1226567

Описание

In the Linux kernel, the following vulnerability has been resolved: sit: do not call ipip6_dev_free() from sit_init_net() ipip6_dev_free is sit dev->priv_destructor, already called by register_netdevice() if something goes wrong. Alternative would be to make ipip6_dev_free() robust against multiple invocations, but other drivers do not implement this strategy. syzbot reported: dst_release underflow WARNING: CPU: 0 PID: 5059 at net/core/dst.c:173 dst_release+0xd8/0xe0 net/core/dst.c:173 Modules linked in: CPU: 1 PID: 5059 Comm: syz-executor.4 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:dst_release+0xd8/0xe0 net/core/dst.c:173 Code: 4c 89 f2 89 d9 31 c0 5b 41 5e 5d e9 da d5 44 f9 e8 1d 90 5f f9 c6 05 87 48 c6 05 01 48 c7 c7 80 44 99 8b 31 c0 e8 e8 67 29 f9 <0f> 0b eb 85 0f 1f 40 00 53 48 89 fb e8 f7 8f 5f f9 48 83 c3 a8 48 RSP: 0018:ffffc9000aa5faa0 EFLAGS: 00010246 RAX: d6894a925dd15a00 RBX: 00000000ffffffff RCX: 0000000000040000 RDX: ffffc90005e19000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: 0000000000000000 R08: ffffffff816a1f42 R09: ffffed1017344f2c R10: ffffed1017344f2c R11: 0000000000000000 R12: 0000607f462b1358 R13: 1ffffffff1bfd305 R14: ffffe8ffffcb1358 R15: dffffc0000000000 FS: 00007f66c71a2700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f88aaed5058 CR3: 0000000023e0f000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> dst_cache_destroy+0x107/0x1e0 net/core/dst_cache.c:160 ipip6_dev_free net/ipv6/sit.c:1414 [inline] sit_init_net+0x229/0x550 net/ipv6/sit.c:1936 ops_init+0x313/0x430 net/core/net_namespace.c:140 setup_net+0x35b/0x9d0 net/core/net_namespace.c:326 copy_net_ns+0x359/0x5c0 net/core/net_namespace.c:470 create_new_namespaces+0x4ce/0xa00 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x11e/0x180 kernel/nsproxy.c:226 ksys_unshare+0x57d/0xb50 kernel/fork.c:3075 __do_sys_unshare kernel/fork.c:3146 [inline] __se_sys_unshare kernel/fork.c:3144 [inline] __x64_sys_unshare+0x34/0x40 kernel/fork.c:3144 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f66c882ce99 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f66c71a2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00007f66c893ff60 RCX: 00007f66c882ce99 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000048040200 RBP: 00007f66c8886ff1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff6634832f R14: 00007f66c71a2300 R15: 0000000000022000 </TASK>

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47588.html
CVE-2021-47588
https://bugzilla.suse.com/1226568
SUSE Bug 1226568

Описание

In the Linux kernel, the following vulnerability has been resolved: igbvf: fix double free in `igbvf_probe` In `igbvf_probe`, if register_netdev() fails, the program will go to label err_hw_init, and then to label err_ioremap. In free_netdev() which is just below label err_ioremap, there is `list_for_each_entry_safe` and `netif_napi_del` which aims to delete all entries in `dev->napi_list`. The program has added an entry `adapter->rx_ring->napi` which is added by `netif_napi_add` in igbvf_alloc_queues(). However, adapter->rx_ring has been freed below label err_hw_init. So this a UAF. In terms of how to patch the problem, we can refer to igbvf_remove() and delete the entry before `adapter->rx_ring`. The KASAN logs are as follows: [ 35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450 [ 35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366 [ 35.128360] [ 35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14 [ 35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 35.131749] Call Trace: [ 35.132199] dump_stack_lvl+0x59/0x7b [ 35.132865] print_address_description+0x7c/0x3b0 [ 35.133707] ? free_netdev+0x1fd/0x450 [ 35.134378] __kasan_report+0x160/0x1c0 [ 35.135063] ? free_netdev+0x1fd/0x450 [ 35.135738] kasan_report+0x4b/0x70 [ 35.136367] free_netdev+0x1fd/0x450 [ 35.137006] igbvf_probe+0x121d/0x1a10 [igbvf] [ 35.137808] ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf] [ 35.138751] local_pci_probe+0x13c/0x1f0 [ 35.139461] pci_device_probe+0x37e/0x6c0 [ 35.165526] [ 35.165806] Allocated by task 366: [ 35.166414] ____kasan_kmalloc+0xc4/0xf0 [ 35.167117] foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf] [ 35.168078] igbvf_probe+0x9c5/0x1a10 [igbvf] [ 35.168866] local_pci_probe+0x13c/0x1f0 [ 35.169565] pci_device_probe+0x37e/0x6c0 [ 35.179713] [ 35.179993] Freed by task 366: [ 35.180539] kasan_set_track+0x4c/0x80 [ 35.181211] kasan_set_free_info+0x1f/0x40 [ 35.181942] ____kasan_slab_free+0x103/0x140 [ 35.182703] kfree+0xe3/0x250 [ 35.183239] igbvf_probe+0x1173/0x1a10 [igbvf] [ 35.184040] local_pci_probe+0x13c/0x1f0

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47589.html
CVE-2021-47589
https://bugzilla.suse.com/1226557
SUSE Bug 1226557

Описание

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix deadlock in __mptcp_push_pending() __mptcp_push_pending() may call mptcp_flush_join_list() with subflow socket lock held. If such call hits mptcp_sockopt_sync_all() then subsequently __mptcp_sockopt_sync() could try to lock the subflow socket for itself, causing a deadlock. sysrq: Show Blocked State task:ss-server state:D stack: 0 pid: 938 ppid: 1 flags:0x00000000 Call Trace: <TASK> __schedule+0x2d6/0x10c0 ? __mod_memcg_state+0x4d/0x70 ? csum_partial+0xd/0x20 ? _raw_spin_lock_irqsave+0x26/0x50 schedule+0x4e/0xc0 __lock_sock+0x69/0x90 ? do_wait_intr_irq+0xa0/0xa0 __lock_sock_fast+0x35/0x50 mptcp_sockopt_sync_all+0x38/0xc0 __mptcp_push_pending+0x105/0x200 mptcp_sendmsg+0x466/0x490 sock_sendmsg+0x57/0x60 __sys_sendto+0xf0/0x160 ? do_wait_intr_irq+0xa0/0xa0 ? fpregs_restore_userregs+0x12/0xd0 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f9ba546c2d0 RSP: 002b:00007ffdc3b762d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f9ba56c8060 RCX: 00007f9ba546c2d0 RDX: 000000000000077a RSI: 0000000000e5e180 RDI: 0000000000000234 RBP: 0000000000cc57f0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ba56c8060 R13: 0000000000b6ba60 R14: 0000000000cc7840 R15: 41d8685b1d7901b8 </TASK> Fix the issue by using __mptcp_flush_join_list() instead of plain mptcp_flush_join_list() inside __mptcp_push_pending(), as suggested by Florian. The sockopt sync will be deferred to the workqueue.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47590.html
CVE-2021-47590
https://bugzilla.suse.com/1226565
SUSE Bug 1226565

Описание

In the Linux kernel, the following vulnerability has been resolved: mptcp: remove tcp ulp setsockopt support TCP_ULP setsockopt cannot be used for mptcp because its already used internally to plumb subflow (tcp) sockets to the mptcp layer. syzbot managed to trigger a crash for mptcp connections that are in fallback mode: KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027] CPU: 1 PID: 1083 Comm: syz-executor.3 Not tainted 5.16.0-rc2-syzkaller #0 RIP: 0010:tls_build_proto net/tls/tls_main.c:776 [inline] [..] __tcp_set_ulp net/ipv4/tcp_ulp.c:139 [inline] tcp_set_ulp+0x428/0x4c0 net/ipv4/tcp_ulp.c:160 do_tcp_setsockopt+0x455/0x37c0 net/ipv4/tcp.c:3391 mptcp_setsockopt+0x1b47/0x2400 net/mptcp/sockopt.c:638 Remove support for TCP_ULP setsockopt.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47591.html
CVE-2021-47591
https://bugzilla.suse.com/1226570
SUSE Bug 1226570

Описание

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix tc flower deletion for VLAN priority Rx steering To replicate the issue:- 1) Add 1 flower filter for VLAN Priority based frame steering:- $ IFDEVNAME=eth0 $ tc qdisc add dev $IFDEVNAME ingress $ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \ map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \ queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 $ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \ flower vlan_prio 0 hw_tc 0 2) Get the 'pref' id $ tc filter show dev $IFDEVNAME ingress 3) Delete a specific tc flower record (say pref 49151) $ tc filter del dev $IFDEVNAME parent ffff: pref 49151 From dmesg, we will observe kernel NULL pointer ooops [ 197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 197.171367] #PF: supervisor read access in kernel mode [ 197.171367] #PF: error_code(0x0000) - not-present page [ 197.171367] PGD 0 P4D 0 [ 197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI <snip> [ 197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac] <snip> [ 197.171367] Call Trace: [ 197.171367] <TASK> [ 197.171367] ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac] [ 197.171367] stmmac_setup_tc_block_cb+0x70/0x110 [stmmac] [ 197.171367] tc_setup_cb_destroy+0xb3/0x180 [ 197.171367] fl_hw_destroy_filter+0x94/0xc0 [cls_flower] The above issue is due to previous incorrect implementation of tc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule() to get struct flow_rule *rule which is no longer valid for tc filter delete operation. struct flow_rule *rule = flow_cls_offload_flow_rule(cls); struct flow_dissector *dissector = rule->match.dissector; So, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for earlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(), this patch introduces stmmac_rfs_entry as driver-side flow_cls_offload record for 'RX frame steering' tc flower, currently used for VLAN priority. The implementation has taken consideration for future extension to include other type RX frame steering such as EtherType based. v2: - Clean up overly extensive backtrace and rewrite git message to better explain the kernel NULL pointer issue.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47592.html
CVE-2021-47592
https://bugzilla.suse.com/1226572
SUSE Bug 1226572

Описание

In the Linux kernel, the following vulnerability has been resolved: mptcp: clear 'kern' flag from fallback sockets The mptcp ULP extension relies on sk->sk_sock_kern being set correctly: It prevents setsockopt(fd, IPPROTO_TCP, TCP_ULP, "mptcp", 6); from working for plain tcp sockets (any userspace-exposed socket). But in case of fallback, accept() can return a plain tcp sk. In such case, sk is still tagged as 'kernel' and setsockopt will work. This will crash the kernel, The subflow extension has a NULL ctx->conn mptcp socket: BUG: KASAN: null-ptr-deref in subflow_data_ready+0x181/0x2b0 Call Trace: tcp_data_ready+0xf8/0x370 [..]

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47593.html
CVE-2021-47593
https://bugzilla.suse.com/1226551
SUSE Bug 1226551

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_ets: don't remove idle classes from the round-robin list Shuang reported that the following script: 1) tc qdisc add dev ddd0 handle 10: parent 1: ets bands 8 strict 4 priomap 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 2) mausezahn ddd0 -A 10.10.10.1 -B 10.10.10.2 -c 0 -a own -b 00:c1:a0:c1:a0:00 -t udp & 3) tc qdisc change dev ddd0 handle 10: ets bands 4 strict 2 quanta 2500 2500 priomap 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 crashes systematically when line 2) is commented: list_del corruption, ffff8e028404bd30->next is LIST_POISON1 (dead000000000100) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:47! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 954 Comm: tc Not tainted 5.16.0-rc4+ #478 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47 Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe RSP: 0018:ffffae46807a3888 EFLAGS: 00010246 RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202 RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800 R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400 FS: 00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 0000000000350ef0 Call Trace: <TASK> ets_qdisc_change+0x58b/0xa70 [sch_ets] tc_modify_qdisc+0x323/0x880 rtnetlink_rcv_msg+0x169/0x4a0 netlink_rcv_skb+0x50/0x100 netlink_unicast+0x1a5/0x280 netlink_sendmsg+0x257/0x4d0 sock_sendmsg+0x5b/0x60 ____sys_sendmsg+0x1f2/0x260 ___sys_sendmsg+0x7c/0xc0 __sys_sendmsg+0x57/0xa0 do_syscall_64+0x3a/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7efdc8031338 Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 25 43 2c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55 RSP: 002b:00007ffdf1ce9828 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000061b37a97 RCX: 00007efdc8031338 RDX: 0000000000000000 RSI: 00007ffdf1ce9890 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000078a940 R10: 000000000000000c R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000688880 R14: 0000000000000000 R15: 0000000000000000 </TASK> Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt iTCO_vendor_support intel_rapl_msr intel_rapl_common joydev pcspkr i2c_i801 virtio_balloon i2c_smbus lpc_ich ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel serio_raw ghash_clmulni_intel ahci libahci libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: sch_ets] ---[ end trace f35878d1912655c2 ]--- RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47 Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe RSP: 0018:ffffae46807a3888 EFLAGS: 00010246 RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202 RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800 R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400 FS: 00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000 ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47595.html
CVE-2021-47595
https://bugzilla.suse.com/1226552
SUSE Bug 1226552

Описание

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg Currently, the hns3_remove function firstly uninstall client instance, and then uninstall acceletion engine device. The netdevice is freed in client instance uninstall process, but acceletion engine device uninstall process still use it to trace runtime information. This causes a use after free problem. So fixes it by check the instance register state to avoid use after free.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47596.html
CVE-2021-47596
https://bugzilla.suse.com/1226558
SUSE Bug 1226558

Описание

In the Linux kernel, the following vulnerability has been resolved: inet_diag: fix kernel-infoleak for UDP sockets KMSAN reported a kernel-infoleak [1], that can exploited by unpriv users. After analysis it turned out UDP was not initializing r->idiag_expires. Other users of inet_sk_diag_fill() might make the same mistake in the future, so fix this in inet_sk_diag_fill(). [1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline] BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:156 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670 instrument_copy_to_user include/linux/instrumented.h:121 [inline] copyout lib/iov_iter.c:156 [inline] _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670 copy_to_iter include/linux/uio.h:155 [inline] simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519 __skb_datagram_iter+0x2cb/0x1280 net/core/datagram.c:425 skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533 skb_copy_datagram_msg include/linux/skbuff.h:3657 [inline] netlink_recvmsg+0x660/0x1c60 net/netlink/af_netlink.c:1974 sock_recvmsg_nosec net/socket.c:944 [inline] sock_recvmsg net/socket.c:962 [inline] sock_read_iter+0x5a9/0x630 net/socket.c:1035 call_read_iter include/linux/fs.h:2156 [inline] new_sync_read fs/read_write.c:400 [inline] vfs_read+0x1631/0x1980 fs/read_write.c:481 ksys_read+0x28c/0x520 fs/read_write.c:619 __do_sys_read fs/read_write.c:629 [inline] __se_sys_read fs/read_write.c:627 [inline] __x64_sys_read+0xdb/0x120 fs/read_write.c:627 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [inline] netlink_dump+0x3d5/0x16a0 net/netlink/af_netlink.c:2245 __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370 netlink_dump_start include/linux/netlink.h:254 [inline] inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1343 sock_diag_rcv_msg+0x24a/0x620 netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491 sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:276 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg net/socket.c:724 [inline] sock_write_iter+0x594/0x690 net/socket.c:1057 do_iter_readv_writev+0xa7f/0xc70 do_iter_write+0x52c/0x1500 fs/read_write.c:851 vfs_writev fs/read_write.c:924 [inline] do_writev+0x63f/0xe30 fs/read_write.c:967 __do_sys_writev fs/read_write.c:1040 [inline] __se_sys_writev fs/read_write.c:1037 [inline] __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Bytes 68-71 of 312 are uninitialized Memory access of size 312 starts at ffff88812ab54000 Data copied to user address 0000000020001440 CPU: 1 PID: 6365 Comm: syz-executor801 Not tainted 5.16.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47597.html
CVE-2021-47597
https://bugzilla.suse.com/1226553
SUSE Bug 1226553

Описание

In the Linux kernel, the following vulnerability has been resolved: sch_cake: do not call cake_destroy() from cake_init() qdiscs are not supposed to call their own destroy() method from init(), because core stack already does that. syzbot was able to trigger use after free: DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline] WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740 Modules linked in: CPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline] RIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740 Code: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8 RSP: 0018:ffffc9000627f290 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44 RBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000 FS: 0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0 Call Trace: <TASK> tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810 tcf_block_put_ext net/sched/cls_api.c:1381 [inline] tcf_block_put_ext net/sched/cls_api.c:1376 [inline] tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394 cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695 qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293 tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:724 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409 ___sys_sendmsg+0xf3/0x170 net/socket.c:2463 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f1bb06badb9 Code: Unable to access opcode bytes at RIP 0x7f1bb06bad8f. RSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9 RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003 R10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688 R13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2 </TASK>

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47598.html
CVE-2021-47598
https://bugzilla.suse.com/1226574
SUSE Bug 1226574
https://bugzilla.suse.com/1227471
SUSE Bug 1227471

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: use latest_dev in btrfs_show_devname The test case btrfs/238 reports the warning below: WARNING: CPU: 3 PID: 481 at fs/btrfs/super.c:2509 btrfs_show_devname+0x104/0x1e8 [btrfs] CPU: 2 PID: 1 Comm: systemd Tainted: G W O 5.14.0-rc1-custom #72 Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015 Call trace: btrfs_show_devname+0x108/0x1b4 [btrfs] show_mountinfo+0x234/0x2c4 m_show+0x28/0x34 seq_read_iter+0x12c/0x3c4 vfs_read+0x29c/0x2c8 ksys_read+0x80/0xec __arm64_sys_read+0x28/0x34 invoke_syscall+0x50/0xf8 do_el0_svc+0x88/0x138 el0_svc+0x2c/0x8c el0t_64_sync_handler+0x84/0xe4 el0t_64_sync+0x198/0x19c Reason: While btrfs_prepare_sprout() moves the fs_devices::devices into fs_devices::seed_list, the btrfs_show_devname() searches for the devices and found none, leading to the warning as in above. Fix: latest_dev is updated according to the changes to the device list. That means we could use the latest_dev->name to show the device name in /proc/self/mounts, the pointer will be always valid as it's assigned before the device is deleted from the list in remove or replace. The RCU protection is sufficient as the device structure is freed after synchronization.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47599.html
CVE-2021-47599
https://bugzilla.suse.com/1226571
SUSE Bug 1226571

Описание

In the Linux kernel, the following vulnerability has been resolved: dm btree remove: fix use after free in rebalance_children() Move dm_tm_unlock() after dm_tm_dec().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47600.html
CVE-2021-47600
https://bugzilla.suse.com/1226575
SUSE Bug 1226575
https://bugzilla.suse.com/1227472
SUSE Bug 1227472

Описание

In the Linux kernel, the following vulnerability has been resolved: tee: amdtee: fix an IS_ERR() vs NULL bug The __get_free_pages() function does not return error pointers it returns NULL so fix this condition to avoid a NULL dereference.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47601.html
CVE-2021-47601
https://bugzilla.suse.com/1226576
SUSE Bug 1226576

Описание

In the Linux kernel, the following vulnerability has been resolved: mac80211: track only QoS data frames for admission control For admission control, obviously all of that only works for QoS data frames, otherwise we cannot even access the QoS field in the header. Syzbot reported (see below) an uninitialized value here due to a status of a non-QoS nullfunc packet, which isn't even long enough to contain the QoS header. Fix this to only do anything for QoS data packets.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47602.html
CVE-2021-47602
https://bugzilla.suse.com/1226554
SUSE Bug 1226554

Описание

In the Linux kernel, the following vulnerability has been resolved: audit: improve robustness of the audit queue handling If the audit daemon were ever to get stuck in a stopped state the kernel's kauditd_thread() could get blocked attempting to send audit records to the userspace audit daemon. With the kernel thread blocked it is possible that the audit queue could grow unbounded as certain audit record generating events must be exempt from the queue limits else the system enter a deadlock state. This patch resolves this problem by lowering the kernel thread's socket sending timeout from MAX_SCHEDULE_TIMEOUT to HZ/10 and tweaks the kauditd_send_queue() function to better manage the various audit queues when connection problems occur between the kernel and the audit daemon. With this patch, the backlog may temporarily grow beyond the defined limits when the audit daemon is stopped and the system is under heavy audit pressure, but kauditd_thread() will continue to make progress and drain the queues as it would for other connection problems. For example, with the audit daemon put into a stopped state and the system configured to audit every syscall it was still possible to shutdown the system without a kernel panic, deadlock, etc.; granted, the system was slow to shutdown but that is to be expected given the extreme pressure of recording every syscall. The timeout value of HZ/10 was chosen primarily through experimentation and this developer's "gut feeling". There is likely no one perfect value, but as this scenario is limited in scope (root privileges would be needed to send SIGSTOP to the audit daemon), it is likely not worth exposing this as a tunable at present. This can always be done at a later date if it proves necessary.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47603.html
CVE-2021-47603
https://bugzilla.suse.com/1226577
SUSE Bug 1226577

Описание

In the Linux kernel, the following vulnerability has been resolved: vduse: check that offset is within bounds in get_config() This condition checks "len" but it does not check "offset" and that could result in an out of bounds read if "offset > dev->config_size". The problem is that since both variables are unsigned the "dev->config_size - offset" subtraction would result in a very high unsigned value. I think these checks might not be necessary because "len" and "offset" are supposed to already have been validated using the vhost_vdpa_config_validate() function. But I do not know the code perfectly, and I like to be safe.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47604.html
CVE-2021-47604
https://bugzilla.suse.com/1226566
SUSE Bug 1226566

Описание

In the Linux kernel, the following vulnerability has been resolved: vduse: fix memory corruption in vduse_dev_ioctl() The "config.offset" comes from the user. There needs to a check to prevent it being out of bounds. The "config.offset" and "dev->config_size" variables are both type u32. So if the offset if out of bounds then the "dev->config_size - config.offset" subtraction results in a very high u32 value. The out of bounds offset can result in memory corruption.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47605.html
CVE-2021-47605
https://bugzilla.suse.com/1226579
SUSE Bug 1226579
https://bugzilla.suse.com/1227550
SUSE Bug 1227550

Описание

In the Linux kernel, the following vulnerability has been resolved: net: netlink: af_netlink: Prevent empty skb by adding a check on len. Adding a check on len parameter to avoid empty skb. This prevents a division error in netem_enqueue function which is caused when skb->len=0 and skb->data_len=0 in the randomized corruption step as shown below. skb->data[prandom_u32() % skb_headlen(skb)] ^= 1<<(prandom_u32() % 8); Crash Report: [ 343.170349] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 343.216110] netem: version 1.3 [ 343.235841] divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 343.236680] CPU: 3 PID: 4288 Comm: reproducer Not tainted 5.16.0-rc1+ [ 343.237569] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 [ 343.238707] RIP: 0010:netem_enqueue+0x1590/0x33c0 [sch_netem] [ 343.239499] Code: 89 85 58 ff ff ff e8 5f 5d e9 d3 48 8b b5 48 ff ff ff 8b 8d 50 ff ff ff 8b 85 58 ff ff ff 48 8b bd 70 ff ff ff 31 d2 2b 4f 74 <f7> f1 48 b8 00 00 00 00 00 fc ff df 49 01 d5 4c 89 e9 48 c1 e9 03 [ 343.241883] RSP: 0018:ffff88800bcd7368 EFLAGS: 00010246 [ 343.242589] RAX: 00000000ba7c0a9c RBX: 0000000000000001 RCX: 0000000000000000 [ 343.243542] RDX: 0000000000000000 RSI: ffff88800f8edb10 RDI: ffff88800f8eda40 [ 343.244474] RBP: ffff88800bcd7458 R08: 0000000000000000 R09: ffffffff94fb8445 [ 343.245403] R10: ffffffff94fb8336 R11: ffffffff94fb8445 R12: 0000000000000000 [ 343.246355] R13: ffff88800a5a7000 R14: ffff88800a5b5800 R15: 0000000000000020 [ 343.247291] FS: 00007fdde2bd7700(0000) GS:ffff888109780000(0000) knlGS:0000000000000000 [ 343.248350] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 343.249120] CR2: 00000000200000c0 CR3: 000000000ef4c000 CR4: 00000000000006e0 [ 343.250076] Call Trace: [ 343.250423] <TASK> [ 343.250713] ? memcpy+0x4d/0x60 [ 343.251162] ? netem_init+0xa0/0xa0 [sch_netem] [ 343.251795] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.252443] netem_enqueue+0xe28/0x33c0 [sch_netem] [ 343.253102] ? stack_trace_save+0x87/0xb0 [ 343.253655] ? filter_irq_stacks+0xb0/0xb0 [ 343.254220] ? netem_init+0xa0/0xa0 [sch_netem] [ 343.254837] ? __kasan_check_write+0x14/0x20 [ 343.255418] ? _raw_spin_lock+0x88/0xd6 [ 343.255953] dev_qdisc_enqueue+0x50/0x180 [ 343.256508] __dev_queue_xmit+0x1a7e/0x3090 [ 343.257083] ? netdev_core_pick_tx+0x300/0x300 [ 343.257690] ? check_kcov_mode+0x10/0x40 [ 343.258219] ? _raw_spin_unlock_irqrestore+0x29/0x40 [ 343.258899] ? __kasan_init_slab_obj+0x24/0x30 [ 343.259529] ? setup_object.isra.71+0x23/0x90 [ 343.260121] ? new_slab+0x26e/0x4b0 [ 343.260609] ? kasan_poison+0x3a/0x50 [ 343.261118] ? kasan_unpoison+0x28/0x50 [ 343.261637] ? __kasan_slab_alloc+0x71/0x90 [ 343.262214] ? memcpy+0x4d/0x60 [ 343.262674] ? write_comp_data+0x2f/0x90 [ 343.263209] ? __kasan_check_write+0x14/0x20 [ 343.263802] ? __skb_clone+0x5d6/0x840 [ 343.264329] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.264958] dev_queue_xmit+0x1c/0x20 [ 343.265470] netlink_deliver_tap+0x652/0x9c0 [ 343.266067] netlink_unicast+0x5a0/0x7f0 [ 343.266608] ? netlink_attachskb+0x860/0x860 [ 343.267183] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.267820] ? write_comp_data+0x2f/0x90 [ 343.268367] netlink_sendmsg+0x922/0xe80 [ 343.268899] ? netlink_unicast+0x7f0/0x7f0 [ 343.269472] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.270099] ? write_comp_data+0x2f/0x90 [ 343.270644] ? netlink_unicast+0x7f0/0x7f0 [ 343.271210] sock_sendmsg+0x155/0x190 [ 343.271721] ____sys_sendmsg+0x75f/0x8f0 [ 343.272262] ? kernel_sendmsg+0x60/0x60 [ 343.272788] ? write_comp_data+0x2f/0x90 [ 343.273332] ? write_comp_data+0x2f/0x90 [ 343.273869] ___sys_sendmsg+0x10f/0x190 [ 343.274405] ? sendmsg_copy_msghdr+0x80/0x80 [ 343.274984] ? slab_post_alloc_hook+0x70/0x230 [ 343.275597] ? futex_wait_setup+0x240/0x240 [ 343.276175] ? security_file_alloc+0x3e/0x170 [ 343.276779] ? write_comp_d ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47606.html
CVE-2021-47606
https://bugzilla.suse.com/1226555
SUSE Bug 1226555

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix kernel address leakage in atomic cmpxchg's r0 aux reg The implementation of BPF_CMPXCHG on a high level has the following parameters: .-[old-val] .-[new-val] BPF_R0 = cmpxchg{32,64}(DST_REG + insn->off, BPF_R0, SRC_REG) `-[mem-loc] `-[old-val] Given a BPF insn can only have two registers (dst, src), the R0 is fixed and used as an auxilliary register for input (old value) as well as output (returning old value from memory location). While the verifier performs a number of safety checks, it misses to reject unprivileged programs where R0 contains a pointer as old value. Through brute-forcing it takes about ~16sec on my machine to leak a kernel pointer with BPF_CMPXCHG. The PoC is basically probing for kernel addresses by storing the guessed address into the map slot as a scalar, and using the map value pointer as R0 while SRC_REG has a canary value to detect a matching address. Fix it by checking R0 for pointers, and reject if that's the case for unprivileged programs.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47607.html
CVE-2021-47607
https://bugzilla.suse.com/1226580
SUSE Bug 1226580

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix kernel address leakage in atomic fetch The change in commit 37086bfdc737 ("bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH") around check_mem_access() handling is buggy since this would allow for unprivileged users to leak kernel pointers. For example, an atomic fetch/and with -1 on a stack destination which holds a spilled pointer will migrate the spilled register type into a scalar, which can then be exported out of the program (since scalar != pointer) by dumping it into a map value. The original implementation of XADD was preventing this situation by using a double call to check_mem_access() one with BPF_READ and a subsequent one with BPF_WRITE, in both cases passing -1 as a placeholder value instead of register as per XADD semantics since it didn't contain a value fetch. The BPF_READ also included a check in check_stack_read_fixed_off() which rejects the program if the stack slot is of __is_pointer_value() if dst_regno < 0. The latter is to distinguish whether we're dealing with a regular stack spill/ fill or some arithmetical operation which is disallowed on non-scalars, see also 6e7e63cbb023 ("bpf: Forbid XADD on spilled pointers for unprivileged users") for more context on check_mem_access() and its handling of placeholder value -1. One minimally intrusive option to fix the leak is for the BPF_FETCH case to initially check the BPF_READ case via check_mem_access() with -1 as register, followed by the actual load case with non-negative load_reg to propagate stack bounds to registers.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47608.html
CVE-2021-47608
https://bugzilla.suse.com/1226569
SUSE Bug 1226569

Описание

In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scpi: Fix string overflow in SCPI genpd driver Without the bound checks for scpi_pd->name, it could result in the buffer overflow when copying the SCPI device name from the corresponding device tree node as the name string is set at maximum size of 30. Let us fix it by using devm_kasprintf so that the string buffer is allocated dynamically.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47609.html
CVE-2021-47609
https://bugzilla.suse.com/1226562
SUSE Bug 1226562

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix null ptr access msm_ioctl_gem_submit() Fix the below null pointer dereference in msm_ioctl_gem_submit(): 26545.260705: Call trace: 26545.263223: kref_put+0x1c/0x60 26545.266452: msm_ioctl_gem_submit+0x254/0x744 26545.270937: drm_ioctl_kernel+0xa8/0x124 26545.274976: drm_ioctl+0x21c/0x33c 26545.278478: drm_compat_ioctl+0xdc/0xf0 26545.282428: __arm64_compat_sys_ioctl+0xc8/0x100 26545.287169: el0_svc_common+0xf8/0x250 26545.291025: do_el0_svc_compat+0x28/0x54 26545.295066: el0_svc_compat+0x10/0x1c 26545.298838: el0_sync_compat_handler+0xa8/0xcc 26545.303403: el0_sync_compat+0x188/0x1c0 26545.307445: Code: d503201f d503201f 52800028 4b0803e8 (b8680008) 26545.318799: Kernel panic - not syncing: Oops: Fatal exception

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47610.html
CVE-2021-47610
https://bugzilla.suse.com/1226581
SUSE Bug 1226581

Описание

In the Linux kernel, the following vulnerability has been resolved: mac80211: validate extended element ID is present Before attempting to parse an extended element, verify that the extended element ID is present.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47611.html
CVE-2021-47611
https://bugzilla.suse.com/1226583
SUSE Bug 1226583

Описание

In the Linux kernel, the following vulnerability has been resolved: nfc: fix segfault in nfc_genl_dump_devices_done When kmalloc in nfc_genl_dump_devices() fails then nfc_genl_dump_devices_done() segfaults as below KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014 Workqueue: events netlink_sock_destruct_work RIP: 0010:klist_iter_exit+0x26/0x80 Call Trace: <TASK> class_dev_iter_exit+0x15/0x20 nfc_genl_dump_devices_done+0x3b/0x50 genl_lock_done+0x84/0xd0 netlink_sock_destruct+0x8f/0x270 __sk_destruct+0x64/0x3b0 sk_destruct+0xa8/0xd0 __sk_free+0x2e8/0x3d0 sk_free+0x51/0x90 netlink_sock_destruct_work+0x1c/0x20 process_one_work+0x411/0x710 worker_thread+0x6fd/0xa80

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47612.html
CVE-2021-47612
https://bugzilla.suse.com/1226585
SUSE Bug 1226585

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix a user-after-free in add_pble_prm When irdma_hmc_sd_one fails, 'chunk' is freed while its still on the PBLE info list. Add the chunk entry to the PBLE info list only after successful setting of the SD in irdma_hmc_sd_one.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47614.html
CVE-2021-47614
https://bugzilla.suse.com/1226601
SUSE Bug 1226601

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47615.html
CVE-2021-47615
https://bugzilla.suse.com/1226602
SUSE Bug 1226602

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA: Fix use-after-free in rxe_queue_cleanup On error handling path in rxe_qp_from_init() qp->sq.queue is freed and then rxe_create_qp() will drop last reference to this object. qp clean up function will try to free this queue one time and it causes UAF bug. Fix it by zeroing queue pointer after freeing queue in rxe_qp_from_init().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47616.html
CVE-2021-47616
https://bugzilla.suse.com/1226603
SUSE Bug 1226603

Описание

In the Linux kernel, the following vulnerability has been resolved: PCI: pciehp: Fix infinite loop in IRQ handler upon power fault The Power Fault Detected bit in the Slot Status register differs from all other hotplug events in that it is sticky: It can only be cleared after turning off slot power. Per PCIe r5.0, sec. 6.7.1.8: If a power controller detects a main power fault on the hot-plug slot, it must automatically set its internal main power fault latch [...]. The main power fault latch is cleared when software turns off power to the hot-plug slot. The stickiness used to cause interrupt storms and infinite loops which were fixed in 2009 by commits 5651c48cfafe ("PCI pciehp: fix power fault interrupt storm problem") and 99f0169c17f3 ("PCI: pciehp: enable software notification on empty slots"). Unfortunately in 2020 the infinite loop issue was inadvertently reintroduced by commit 8edf5332c393 ("PCI: pciehp: Fix MSI interrupt race"): The hardirq handler pciehp_isr() clears the PFD bit until pciehp's power_fault_detected flag is set. That happens in the IRQ thread pciehp_ist(), which never learns of the event because the hardirq handler is stuck in an infinite loop. Fix by setting the power_fault_detected flag already in the hardirq handler.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47617.html
CVE-2021-47617
https://bugzilla.suse.com/1226614
SUSE Bug 1226614

Описание

In the Linux kernel, the following vulnerability has been resolved: ARM: 9170/1: fix panic when kasan and kprobe are enabled arm32 uses software to simulate the instruction replaced by kprobe. some instructions may be simulated by constructing assembly functions. therefore, before executing instruction simulation, it is necessary to construct assembly function execution environment in C language through binding registers. after kasan is enabled, the register binding relationship will be destroyed, resulting in instruction simulation errors and causing kernel panic. the kprobe emulate instruction function is distributed in three files: actions-common.c actions-arm.c actions-thumb.c, so disable KASAN when compiling these files. for example, use kprobe insert on cap_capable+20 after kasan enabled, the cap_capable assembly code is as follows: <cap_capable>: e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e1a05000 mov r5, r0 e280006c add r0, r0, #108 ; 0x6c e1a04001 mov r4, r1 e1a06002 mov r6, r2 e59fa090 ldr sl, [pc, #144] ; ebfc7bf8 bl c03aa4b4 <__asan_load4> e595706c ldr r7, [r5, #108] ; 0x6c e2859014 add r9, r5, #20 ...... The emulate_ldr assembly code after enabling kasan is as follows: c06f1384 <emulate_ldr>: e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e282803c add r8, r2, #60 ; 0x3c e1a05000 mov r5, r0 e7e37855 ubfx r7, r5, #16, #4 e1a00008 mov r0, r8 e1a09001 mov r9, r1 e1a04002 mov r4, r2 ebf35462 bl c03c6530 <__asan_load4> e357000f cmp r7, #15 e7e36655 ubfx r6, r5, #12, #4 e205a00f and sl, r5, #15 0a000001 beq c06f13bc <emulate_ldr+0x38> e0840107 add r0, r4, r7, lsl #2 ebf3545c bl c03c6530 <__asan_load4> e084010a add r0, r4, sl, lsl #2 ebf3545a bl c03c6530 <__asan_load4> e2890010 add r0, r9, #16 ebf35458 bl c03c6530 <__asan_load4> e5990010 ldr r0, [r9, #16] e12fff30 blx r0 e356000f cm r6, #15 1a000014 bne c06f1430 <emulate_ldr+0xac> e1a06000 mov r6, r0 e2840040 add r0, r4, #64 ; 0x40 ...... when running in emulate_ldr to simulate the ldr instruction, panic occurred, and the log is as follows: Unable to handle kernel NULL pointer dereference at virtual address 00000090 pgd = ecb46400 [00000090] *pgd=2e0fa003, *pmd=00000000 Internal error: Oops: 206 [#1] SMP ARM PC is at cap_capable+0x14/0xb0 LR is at emulate_ldr+0x50/0xc0 psr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c r10: 00000000 r9 : c30897f4 r8 : ecd63cd4 r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98 r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008 Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user Control: 32c5387d Table: 2d546400 DAC: 55555555 Process bash (pid: 1643, stack limit = 0xecd60190) (cap_capable) from (kprobe_handler+0x218/0x340) (kprobe_handler) from (kprobe_trap_handler+0x24/0x48) (kprobe_trap_handler) from (do_undefinstr+0x13c/0x364) (do_undefinstr) from (__und_svc_finish+0x0/0x30) (__und_svc_finish) from (cap_capable+0x18/0xb0) (cap_capable) from (cap_vm_enough_memory+0x38/0x48) (cap_vm_enough_memory) from (security_vm_enough_memory_mm+0x48/0x6c) (security_vm_enough_memory_mm) from (copy_process.constprop.5+0x16b4/0x25c8) (copy_process.constprop.5) from (_do_fork+0xe8/0x55c) (_do_fork) from (SyS_clone+0x1c/0x24) (SyS_clone) from (__sys_trace_return+0x0/0x10) Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47618.html
CVE-2021-47618
https://bugzilla.suse.com/1226644
SUSE Bug 1226644

Описание

In the Linux kernel, the following vulnerability has been resolved: i40e: Fix queues reservation for XDP When XDP was configured on a system with large number of CPUs and X722 NIC there was a call trace with NULL pointer dereference. i40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12 i40e 0000:87:00.0: setup of MAIN VSI failed BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: 0010:i40e_xdp+0xea/0x1b0 [i40e] Call Trace: ? i40e_reconfig_rss_queues+0x130/0x130 [i40e] dev_xdp_install+0x61/0xe0 dev_xdp_attach+0x18a/0x4c0 dev_change_xdp_fd+0x1e6/0x220 do_setlink+0x616/0x1030 ? ahci_port_stop+0x80/0x80 ? ata_qc_issue+0x107/0x1e0 ? lock_timer_base+0x61/0x80 ? __mod_timer+0x202/0x380 rtnl_setlink+0xe5/0x170 ? bpf_lsm_binder_transaction+0x10/0x10 ? security_capable+0x36/0x50 rtnetlink_rcv_msg+0x121/0x350 ? rtnl_calcit.isra.0+0x100/0x100 netlink_rcv_skb+0x50/0xf0 netlink_unicast+0x1d3/0x2a0 netlink_sendmsg+0x22a/0x440 sock_sendmsg+0x5e/0x60 __sys_sendto+0xf0/0x160 ? __sys_getsockname+0x7e/0xc0 ? _copy_from_user+0x3c/0x80 ? __sys_setsockopt+0xc8/0x1a0 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f83fa7a39e0 This was caused by PF queue pile fragmentation due to flow director VSI queue being placed right after main VSI. Because of this main VSI was not able to resize its queue allocation for XDP resulting in no queues allocated for main VSI when XDP was turned on. Fix this by always allocating last queue in PF queue pile for a flow director VSI.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47619.html
CVE-2021-47619
https://bugzilla.suse.com/1226645
SUSE Bug 1226645

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: refactor malicious adv data check Check for out-of-bound read was being performed at the end of while num_reports loop, and would fill journal with false positives. Added check to beginning of loop processing so that it doesn't get checked after ptr has been advanced.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47620.html
CVE-2021-47620
https://bugzilla.suse.com/1226669
SUSE Bug 1226669

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: Fix a deadlock in the error handler The following deadlock has been observed on a test setup: - All tags allocated - The SCSI error handler calls ufshcd_eh_host_reset_handler() - ufshcd_eh_host_reset_handler() queues work that calls ufshcd_err_handler() - ufshcd_err_handler() locks up as follows: Workqueue: ufs_eh_wq_0 ufshcd_err_handler.cfi_jt Call trace: __switch_to+0x298/0x5d8 __schedule+0x6cc/0xa94 schedule+0x12c/0x298 blk_mq_get_tag+0x210/0x480 __blk_mq_alloc_request+0x1c8/0x284 blk_get_request+0x74/0x134 ufshcd_exec_dev_cmd+0x68/0x640 ufshcd_verify_dev_init+0x68/0x35c ufshcd_probe_hba+0x12c/0x1cb8 ufshcd_host_reset_and_restore+0x88/0x254 ufshcd_reset_and_restore+0xd0/0x354 ufshcd_err_handler+0x408/0xc58 process_one_work+0x24c/0x66c worker_thread+0x3e8/0xa4c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 Fix this lockup by making ufshcd_exec_dev_cmd() allocate a reserved request.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47622.html
CVE-2021-47622
https://bugzilla.suse.com/1227917
SUSE Bug 1227917

Описание

In the Linux kernel, the following vulnerability has been resolved: powerpc/fixmap: Fix VM debug warning on unmap Unmapping a fixmap entry is done by calling __set_fixmap() with FIXMAP_PAGE_CLEAR as flags. Today, powerpc __set_fixmap() calls map_kernel_page(). map_kernel_page() is not happy when called a second time for the same page. WARNING: CPU: 0 PID: 1 at arch/powerpc/mm/pgtable.c:194 set_pte_at+0xc/0x1e8 CPU: 0 PID: 1 Comm: swapper Not tainted 5.16.0-rc3-s3k-dev-01993-g350ff07feb7d-dirty #682 NIP: c0017cd4 LR: c00187f0 CTR: 00000010 REGS: e1011d50 TRAP: 0700 Not tainted (5.16.0-rc3-s3k-dev-01993-g350ff07feb7d-dirty) MSR: 00029032 <EE,ME,IR,DR,RI> CR: 42000208 XER: 00000000 GPR00: c0165fec e1011e10 c14c0000 c0ee2550 ff800000 c0f3d000 00000000 c001686c GPR08: 00001000 b00045a9 00000001 c0f58460 c0f50000 00000000 c0007e10 00000000 GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 GPR24: 00000000 00000000 c0ee2550 00000000 c0f57000 00000ff8 00000000 ff800000 NIP [c0017cd4] set_pte_at+0xc/0x1e8 LR [c00187f0] map_kernel_page+0x9c/0x100 Call Trace: [e1011e10] [c0736c68] vsnprintf+0x358/0x6c8 (unreliable) [e1011e30] [c0165fec] __set_fixmap+0x30/0x44 [e1011e40] [c0c13bdc] early_iounmap+0x11c/0x170 [e1011e70] [c0c06cb0] ioremap_legacy_serial_console+0x88/0xc0 [e1011e90] [c0c03634] do_one_initcall+0x80/0x178 [e1011ef0] [c0c0385c] kernel_init_freeable+0xb4/0x250 [e1011f20] [c0007e34] kernel_init+0x24/0x140 [e1011f30] [c0016268] ret_from_kernel_thread+0x5c/0x64 Instruction dump: 7fe3fb78 48019689 80010014 7c630034 83e1000c 5463d97e 7c0803a6 38210010 4e800020 81250000 712a0001 41820008 <0fe00000> 9421ffe0 93e1001c 48000030 Implement unmap_kernel_page() which clears an existing pte.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47623.html
CVE-2021-47623
https://bugzilla.suse.com/1227919
SUSE Bug 1227919

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sunrpc: fix reference count leaks in rpc_sysfs_xprt_state_change The refcount leak issues take place in an error handling path. When the 3rd argument buf doesn't match with "offline", "online" or "remove", the function simply returns -EINVAL and forgets to decrease the reference count of a rpc_xprt object and a rpc_xprt_switch object increased by rpc_sysfs_xprt_kobj_get_xprt() and rpc_sysfs_xprt_kobj_get_xprt_switch(), causing reference count leaks of both unused objects. Fix this issue by jumping to the error handling path labelled with out_put when buf matches none of "offline", "online" or "remove".

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-47624.html
CVE-2021-47624
https://bugzilla.suse.com/1227920
SUSE Bug 1227920

Описание

In the Linux kernel, the following vulnerability has been resolved: tipc: improve size validations for received domain records The function tipc_mon_rcv() allows a node to receive and process domain_record structs from peer nodes to track their views of the network topology. This patch verifies that the number of members in a received domain record does not exceed the limit defined by MAX_MON_DOMAIN, something that may otherwise lead to a stack overflow. tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where we are reading a 32 bit message data length field into a uint16. To avert any risk of bit overflow, we add an extra sanity check for this in that function. We cannot see that happen with the current code, but future designers being unaware of this risk, may introduce it by allowing delivery of very large (> 64k) sk buffers from the bearer layer. This potential problem was identified by Eric Dumazet. This fixes CVE-2022-0435

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48711.html
CVE-2022-48711
https://bugzilla.suse.com/1226672
SUSE Bug 1226672
https://bugzilla.suse.com/1227473
SUSE Bug 1227473

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: fix error handling in ext4_fc_record_modified_inode() Current code does not fully takes care of krealloc() error case, which could lead to silent memory corruption or a kernel bug. This patch fixes that. Also it cleans up some duplicated error handling logic from various functions in fast_commit.c file.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48712.html
CVE-2022-48712
https://bugzilla.suse.com/1226673
SUSE Bug 1226673

Описание

In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/pt: Fix crash with stop filters in single-range mode Add a check for !buf->single before calling pt_buffer_region_size in a place where a missing check can cause a kernel crash. Fixes a bug introduced by commit 670638477aed ("perf/x86/intel/pt: Opportunistically use single range output mode"), which added a support for PT single-range output mode. Since that commit if a PT stop filter range is hit while tracing, the kernel will crash because of a null pointer dereference in pt_handle_status due to calling pt_buffer_region_size without a ToPA configured. The commit which introduced single-range mode guarded almost all uses of the ToPA buffer variables with checks of the buf->single variable, but missed the case where tracing was stopped by the PT hardware, which happens when execution hits a configured stop filter. Tested that hitting a stop filter while PT recording successfully records a trace with this patch but crashes without this patch.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48713.html
CVE-2022-48713
https://bugzilla.suse.com/1227549
SUSE Bug 1227549

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Use VM_MAP instead of VM_ALLOC for ringbuf After commit 2fd3fb0be1d1 ("kasan, vmalloc: unpoison VM_ALLOC pages after mapping"), non-VM_ALLOC mappings will be marked as accessible in __get_vm_area_node() when KASAN is enabled. But now the flag for ringbuf area is VM_ALLOC, so KASAN will complain out-of-bound access after vmap() returns. Because the ringbuf area is created by mapping allocated pages, so use VM_MAP instead. After the change, info in /proc/vmallocinfo also changes from [start]-[end] 24576 ringbuf_map_alloc+0x171/0x290 vmalloc user to [start]-[end] 24576 ringbuf_map_alloc+0x171/0x290 vmap user

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48714.html
CVE-2022-48714
https://bugzilla.suse.com/1226622
SUSE Bug 1226622

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe Running tests with a debug kernel shows that bnx2fc_recv_frame() is modifying the per_cpu lport stats counters in a non-mpsafe way. Just boot a debug kernel and run the bnx2fc driver with the hardware enabled. [ 1391.699147] BUG: using smp_processor_id() in preemptible [00000000] code: bnx2fc_ [ 1391.699160] caller is bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc] [ 1391.699174] CPU: 2 PID: 4355 Comm: bnx2fc_l2_threa Kdump: loaded Tainted: G B [ 1391.699180] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013 [ 1391.699183] Call Trace: [ 1391.699188] dump_stack_lvl+0x57/0x7d [ 1391.699198] check_preemption_disabled+0xc8/0xd0 [ 1391.699205] bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc] [ 1391.699215] ? do_raw_spin_trylock+0xb5/0x180 [ 1391.699221] ? bnx2fc_npiv_create_vports.isra.0+0x4e0/0x4e0 [bnx2fc] [ 1391.699229] ? bnx2fc_l2_rcv_thread+0xb7/0x3a0 [bnx2fc] [ 1391.699240] bnx2fc_l2_rcv_thread+0x1af/0x3a0 [bnx2fc] [ 1391.699250] ? bnx2fc_ulp_init+0xc0/0xc0 [bnx2fc] [ 1391.699258] kthread+0x364/0x420 [ 1391.699263] ? _raw_spin_unlock_irq+0x24/0x50 [ 1391.699268] ? set_kthread_struct+0x100/0x100 [ 1391.699273] ret_from_fork+0x22/0x30 Restore the old get_cpu/put_cpu code with some modifications to reduce the size of the critical section.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48715.html
CVE-2022-48715
https://bugzilla.suse.com/1226621
SUSE Bug 1226621

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd938x: fix incorrect used of portid Mixer controls have the channel id in mixer->reg, which is not same as port id. port id should be derived from chan_info array. So fix this. Without this, its possible that we could corrupt struct wcd938x_sdw_priv by accessing port_map array out of range with channel id instead of port id.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48716.html
CVE-2022-48716
https://bugzilla.suse.com/1226678
SUSE Bug 1226678

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: max9759: fix underflow in speaker_gain_control_put() Check for negative values of "priv->gain" to prevent an out of bounds access. The concern is that these might come from the user via: -> snd_ctl_elem_write_user() -> snd_ctl_elem_write() -> kctl->put()

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48717.html
CVE-2022-48717
https://bugzilla.suse.com/1226679
SUSE Bug 1226679

Описание

In the Linux kernel, the following vulnerability has been resolved: drm: mxsfb: Fix NULL pointer dereference mxsfb should not ever dereference the NULL pointer which drm_atomic_get_new_bridge_state is allowed to return. Assume a fixed format instead.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48718.html
CVE-2022-48718
https://bugzilla.suse.com/1226616
SUSE Bug 1226616

Описание

In the Linux kernel, the following vulnerability has been resolved: net: macsec: Fix offload support for NETDEV_UNREGISTER event Current macsec netdev notify handler handles NETDEV_UNREGISTER event by releasing relevant SW resources only, this causes resources leak in case of macsec HW offload, as the underlay driver was not notified to clean it's macsec offload resources. Fix by calling the underlay driver to clean it's relevant resources by moving offload handling from macsec_dellink() to macsec_common_dellink() when handling NETDEV_UNREGISTER event.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48720.html
CVE-2022-48720
https://bugzilla.suse.com/1226683
SUSE Bug 1226683

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: Forward wakeup to smc socket waitqueue after fallback When we replace TCP with SMC and a fallback occurs, there may be some socket waitqueue entries remaining in smc socket->wq, such as eppoll_entries inserted by userspace applications. After the fallback, data flows over TCP/IP and only clcsocket->wq will be woken up. Applications can't be notified by the entries which were inserted in smc socket->wq before fallback. So we need a mechanism to wake up smc socket->wq at the same time if some entries remaining in it. The current workaround is to transfer the entries from smc socket->wq to clcsock->wq during the fallback. But this may cause a crash like this: general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP PTI CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G E 5.16.0+ #107 RIP: 0010:__wake_up_common+0x65/0x170 Call Trace: <IRQ> __wake_up_common_lock+0x7a/0xc0 sock_def_readable+0x3c/0x70 tcp_data_queue+0x4a7/0xc40 tcp_rcv_established+0x32f/0x660 ? sk_filter_trim_cap+0xcb/0x2e0 tcp_v4_do_rcv+0x10b/0x260 tcp_v4_rcv+0xd2a/0xde0 ip_protocol_deliver_rcu+0x3b/0x1d0 ip_local_deliver_finish+0x54/0x60 ip_local_deliver+0x6a/0x110 ? tcp_v4_early_demux+0xa2/0x140 ? tcp_v4_early_demux+0x10d/0x140 ip_sublist_rcv_finish+0x49/0x60 ip_sublist_rcv+0x19d/0x230 ip_list_rcv+0x13e/0x170 __netif_receive_skb_list_core+0x1c2/0x240 netif_receive_skb_list_internal+0x1e6/0x320 napi_complete_done+0x11d/0x190 mlx5e_napi_poll+0x163/0x6b0 [mlx5_core] __napi_poll+0x3c/0x1b0 net_rx_action+0x27c/0x300 __do_softirq+0x114/0x2d2 irq_exit_rcu+0xb4/0xe0 common_interrupt+0xba/0xe0 </IRQ> <TASK> The crash is caused by privately transferring waitqueue entries from smc socket->wq to clcsock->wq. The owners of these entries, such as epoll, have no idea that the entries have been transferred to a different socket wait queue and still use original waitqueue spinlock (smc socket->wq.wait.lock) to make the entries operation exclusive, but it doesn't work. The operations to the entries, such as removing from the waitqueue (now is clcsock->wq after fallback), may cause a crash when clcsock waitqueue is being iterated over at the moment. This patch tries to fix this by no longer transferring wait queue entries privately, but introducing own implementations of clcsock's callback functions in fallback situation. The callback functions will forward the wakeup to smc socket->wq if clcsock->wq is actually woken up and smc socket->wq has remaining entries.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48721.html
CVE-2022-48721
https://bugzilla.suse.com/1226685
SUSE Bug 1226685

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ieee802154: ca8210: Stop leaking skb's Upon error the ieee802154_xmit_complete() helper is not called. Only ieee802154_wake_queue() is called manually. We then leak the skb structure. Free the skb structure upon error before returning.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48722.html
CVE-2022-48722
https://bugzilla.suse.com/1226619
SUSE Bug 1226619

Описание

In the Linux kernel, the following vulnerability has been resolved: spi: uniphier: fix reference count leak in uniphier_spi_probe() The issue happens in several error paths in uniphier_spi_probe(). When either dma_get_slave_caps() or devm_spi_register_master() returns an error code, the function forgets to decrease the refcount of both `dma_rx` and `dma_tx` objects, which may lead to refcount leaks. Fix it by decrementing the reference count of specific objects in those error paths.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48723.html
CVE-2022-48723
https://bugzilla.suse.com/1226617
SUSE Bug 1226617

Описание

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping() After commit e3beca48a45b ("irqdomain/treewide: Keep firmware node unconditionally allocated"). For tear down scenario, fn is only freed after fail to allocate ir_domain, though it also should be freed in case dmar_enable_qi returns error. Besides free fn, irq_domain and ir_msi_domain need to be removed as well if intel_setup_irq_remapping fails to enable queued invalidation. Improve the rewinding path by add out_free_ir_domain and out_free_fwnode lables per Baolu's suggestion.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48724.html
CVE-2022-48724
https://bugzilla.suse.com/1226624
SUSE Bug 1226624

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix refcounting leak in siw_create_qp() The atomic_inc() needs to be paired with an atomic_dec() on the error path.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48725.html
CVE-2022-48725
https://bugzilla.suse.com/1226618
SUSE Bug 1226618

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/ucma: Protect mc during concurrent multicast leaves Partially revert the commit mentioned in the Fixes line to make sure that allocation and erasing multicast struct are locked. BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline] BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579 Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529 CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline] ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579 ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614 ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732 vfs_write+0x28e/0xae0 fs/read_write.c:588 ksys_write+0x1ee/0x250 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Currently the xarray search can touch a concurrently freeing mc as the xa_for_each() is not surrounded by any lock. Rather than hold the lock for a full scan hold it only for the effected items, which is usually an empty list.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48726.html
CVE-2022-48726
https://bugzilla.suse.com/1226686
SUSE Bug 1226686
https://bugzilla.suse.com/1227552
SUSE Bug 1227552

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Avoid consuming a stale esr value when SError occur When any exception other than an IRQ occurs, the CPU updates the ESR_EL2 register with the exception syndrome. An SError may also become pending, and will be synchronised by KVM. KVM notes the exception type, and whether an SError was synchronised in exit_code. When an exception other than an IRQ occurs, fixup_guest_exit() updates vcpu->arch.fault.esr_el2 from the hardware register. When an SError was synchronised, the vcpu esr value is used to determine if the exception was due to an HVC. If so, ELR_EL2 is moved back one instruction. This is so that KVM can process the SError first, and re-execute the HVC if the guest survives the SError. But if an IRQ synchronises an SError, the vcpu's esr value is stale. If the previous non-IRQ exception was an HVC, KVM will corrupt ELR_EL2, causing an unrelated guest instruction to be executed twice. Check ARM_EXCEPTION_CODE() before messing with ELR_EL2, IRQs don't update this register so don't need to check.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48727.html
CVE-2022-48727
https://bugzilla.suse.com/1226690
SUSE Bug 1226690

Описание

In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix AIP early init panic An early failure in hfi1_ipoib_setup_rn() can lead to the following panic: BUG: unable to handle kernel NULL pointer dereference at 00000000000001b0 PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI Workqueue: events work_for_cpu_fn RIP: 0010:try_to_grab_pending+0x2b/0x140 Code: 1f 44 00 00 41 55 41 54 55 48 89 d5 53 48 89 fb 9c 58 0f 1f 44 00 00 48 89 c2 fa 66 0f 1f 44 00 00 48 89 55 00 40 84 f6 75 77 <f0> 48 0f ba 2b 00 72 09 31 c0 5b 5d 41 5c 41 5d c3 48 89 df e8 6c RSP: 0018:ffffb6b3cf7cfa48 EFLAGS: 00010046 RAX: 0000000000000246 RBX: 00000000000001b0 RCX: 0000000000000000 RDX: 0000000000000246 RSI: 0000000000000000 RDI: 00000000000001b0 RBP: ffffb6b3cf7cfa70 R08: 0000000000000f09 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 R13: ffffb6b3cf7cfa90 R14: ffffffff9b2fbfc0 R15: ffff8a4fdf244690 FS: 0000000000000000(0000) GS:ffff8a527f400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000001b0 CR3: 00000017e2410003 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: __cancel_work_timer+0x42/0x190 ? dev_printk_emit+0x4e/0x70 iowait_cancel_work+0x15/0x30 [hfi1] hfi1_ipoib_txreq_deinit+0x5a/0x220 [hfi1] ? dev_err+0x6c/0x90 hfi1_ipoib_netdev_dtor+0x15/0x30 [hfi1] hfi1_ipoib_setup_rn+0x10e/0x150 [hfi1] rdma_init_netdev+0x5a/0x80 [ib_core] ? hfi1_ipoib_free_rdma_netdev+0x20/0x20 [hfi1] ipoib_intf_init+0x6c/0x350 [ib_ipoib] ipoib_intf_alloc+0x5c/0xc0 [ib_ipoib] ipoib_add_one+0xbe/0x300 [ib_ipoib] add_client_context+0x12c/0x1a0 [ib_core] enable_device_and_get+0xdc/0x1d0 [ib_core] ib_register_device+0x572/0x6b0 [ib_core] rvt_register_device+0x11b/0x220 [rdmavt] hfi1_register_ib_device+0x6b4/0x770 [hfi1] do_init_one.isra.20+0x3e3/0x680 [hfi1] local_pci_probe+0x41/0x90 work_for_cpu_fn+0x16/0x20 process_one_work+0x1a7/0x360 ? create_worker+0x1a0/0x1a0 worker_thread+0x1cf/0x390 ? create_worker+0x1a0/0x1a0 kthread+0x116/0x130 ? kthread_flush_work_fn+0x10/0x10 ret_from_fork+0x1f/0x40 The panic happens in hfi1_ipoib_txreq_deinit() because there is a NULL deref when hfi1_ipoib_netdev_dtor() is called in this error case. hfi1_ipoib_txreq_init() and hfi1_ipoib_rxq_init() are self unwinding so fix by adjusting the error paths accordingly. Other changes: - hfi1_ipoib_free_rdma_netdev() is deleted including the free_netdev() since the netdev core code deletes calls free_netdev() - The switch to the accelerated entrances is moved to the success path.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48728.html
CVE-2022-48728
https://bugzilla.suse.com/1226691
SUSE Bug 1226691

Описание

In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix panic with larger ipoib send_queue_size When the ipoib send_queue_size is increased from the default the following panic happens: RIP: 0010:hfi1_ipoib_drain_tx_ring+0x45/0xf0 [hfi1] Code: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00 <c7> 83 18 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0 RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286 RAX: 0000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101 R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200 R13: ffffc9000798fba8 R14: 0000000000000000 R15: 0000000000000001 FS: 00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000aa0f118 CR3: 0000000889c84001 CR4: 00000000001706e0 Call Trace: <TASK> hfi1_ipoib_napi_tx_disable+0x45/0x60 [hfi1] hfi1_ipoib_dev_stop+0x18/0x80 [hfi1] ipoib_ib_dev_stop+0x1d/0x40 [ib_ipoib] ipoib_stop+0x48/0xc0 [ib_ipoib] __dev_close_many+0x9e/0x110 __dev_change_flags+0xd9/0x210 dev_change_flags+0x21/0x60 do_setlink+0x31c/0x10f0 ? __nla_validate_parse+0x12d/0x1a0 ? __nla_parse+0x21/0x30 ? inet6_validate_link_af+0x5e/0xf0 ? cpumask_next+0x1f/0x20 ? __snmp6_fill_stats64.isra.53+0xbb/0x140 ? __nla_validate_parse+0x47/0x1a0 __rtnl_newlink+0x530/0x910 ? pskb_expand_head+0x73/0x300 ? __kmalloc_node_track_caller+0x109/0x280 ? __nla_put+0xc/0x20 ? cpumask_next_and+0x20/0x30 ? update_sd_lb_stats.constprop.144+0xd3/0x820 ? _raw_spin_unlock_irqrestore+0x25/0x37 ? __wake_up_common_lock+0x87/0xc0 ? kmem_cache_alloc_trace+0x3d/0x3d0 rtnl_newlink+0x43/0x60 The issue happens when the shift that should have been a function of the txq item size mistakenly used the ring size. Fix by using the item size.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48729.html
CVE-2022-48729
https://bugzilla.suse.com/1226710
SUSE Bug 1226710

Описание

In the Linux kernel, the following vulnerability has been resolved: dma-buf: heaps: Fix potential spectre v1 gadget It appears like nr could be a Spectre v1 gadget as it's supplied by a user and used as an array index. Prevent the contents of kernel memory from being leaked to userspace via speculative execution by using array_index_nospec. [sumits: added fixes and cc: stable tags]

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48730.html
CVE-2022-48730
https://bugzilla.suse.com/1226713
SUSE Bug 1226713

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix off by one in BIOS boundary checking Bounds checking when parsing init scripts embedded in the BIOS reject access to the last byte. This causes driver initialization to fail on Apple eMac's with GeForce 2 MX GPUs, leaving the system with no working console. This is probably only seen on OpenFirmware machines like PowerPC Macs because the BIOS image provided by OF is only the used parts of the ROM, not a power-of-two blocks read from PCI directly so PCs always have empty bytes at the end that are never accessed.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48732.html
CVE-2022-48732
https://bugzilla.suse.com/1226716
SUSE Bug 1226716

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free after failure to create a snapshot At ioctl.c:create_snapshot(), we allocate a pending snapshot structure and then attach it to the transaction's list of pending snapshots. After that we call btrfs_commit_transaction(), and if that returns an error we jump to 'fail' label, where we kfree() the pending snapshot structure. This can result in a later use-after-free of the pending snapshot: 1) We allocated the pending snapshot and added it to the transaction's list of pending snapshots; 2) We call btrfs_commit_transaction(), and it fails either at the first call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups(). In both cases, we don't abort the transaction and we release our transaction handle. We jump to the 'fail' label and free the pending snapshot structure. We return with the pending snapshot still in the transaction's list; 3) Another task commits the transaction. This time there's no error at all, and then during the transaction commit it accesses a pointer to the pending snapshot structure that the snapshot creation task has already freed, resulting in a user-after-free. This issue could actually be detected by smatch, which produced the following warning: fs/btrfs/ioctl.c:843 create_snapshot() warn: '&pending_snapshot->list' not removed from list So fix this by not having the snapshot creation ioctl directly add the pending snapshot to the transaction's list. Instead add the pending snapshot to the transaction handle, and then at btrfs_commit_transaction() we add the snapshot to the list only when we can guarantee that any error returned after that point will result in a transaction abort, in which case the ioctl code can safely free the pending snapshot and no one can access it anymore.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48733.html
CVE-2022-48733
https://bugzilla.suse.com/1226718
SUSE Bug 1226718

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock between quota disable and qgroup rescan worker Quota disable ioctl starts a transaction before waiting for the qgroup rescan worker completes. However, this wait can be infinite and results in deadlock because of circular dependency among the quota disable ioctl, the qgroup rescan worker and the other task with transaction such as block group relocation task. The deadlock happens with the steps following: 1) Task A calls ioctl to disable quota. It starts a transaction and waits for qgroup rescan worker completes. 2) Task B such as block group relocation task starts a transaction and joins to the transaction that task A started. Then task B commits to the transaction. In this commit, task B waits for a commit by task A. 3) Task C as the qgroup rescan worker starts its job and starts a transaction. In this transaction start, task C waits for completion of the transaction that task A started and task B committed. This deadlock was found with fstests test case btrfs/115 and a zoned null_blk device. The test case enables and disables quota, and the block group reclaim was triggered during the quota disable by chance. The deadlock was also observed by running quota enable and disable in parallel with 'btrfs balance' command on regular null_blk devices. An example report of the deadlock: [372.469894] INFO: task kworker/u16:6:103 blocked for more than 122 seconds. [372.479944] Not tainted 5.16.0-rc8 #7 [372.485067] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [372.493898] task:kworker/u16:6 state:D stack: 0 pid: 103 ppid: 2 flags:0x00004000 [372.503285] Workqueue: btrfs-qgroup-rescan btrfs_work_helper [btrfs] [372.510782] Call Trace: [372.514092] <TASK> [372.521684] __schedule+0xb56/0x4850 [372.530104] ? io_schedule_timeout+0x190/0x190 [372.538842] ? lockdep_hardirqs_on+0x7e/0x100 [372.547092] ? _raw_spin_unlock_irqrestore+0x3e/0x60 [372.555591] schedule+0xe0/0x270 [372.561894] btrfs_commit_transaction+0x18bb/0x2610 [btrfs] [372.570506] ? btrfs_apply_pending_changes+0x50/0x50 [btrfs] [372.578875] ? free_unref_page+0x3f2/0x650 [372.585484] ? finish_wait+0x270/0x270 [372.591594] ? release_extent_buffer+0x224/0x420 [btrfs] [372.599264] btrfs_qgroup_rescan_worker+0xc13/0x10c0 [btrfs] [372.607157] ? lock_release+0x3a9/0x6d0 [372.613054] ? btrfs_qgroup_account_extent+0xda0/0xda0 [btrfs] [372.620960] ? do_raw_spin_lock+0x11e/0x250 [372.627137] ? rwlock_bug.part.0+0x90/0x90 [372.633215] ? lock_is_held_type+0xe4/0x140 [372.639404] btrfs_work_helper+0x1ae/0xa90 [btrfs] [372.646268] process_one_work+0x7e9/0x1320 [372.652321] ? lock_release+0x6d0/0x6d0 [372.658081] ? pwq_dec_nr_in_flight+0x230/0x230 [372.664513] ? rwlock_bug.part.0+0x90/0x90 [372.670529] worker_thread+0x59e/0xf90 [372.676172] ? process_one_work+0x1320/0x1320 [372.682440] kthread+0x3b9/0x490 [372.687550] ? _raw_spin_unlock_irq+0x24/0x50 [372.693811] ? set_kthread_struct+0x100/0x100 [372.700052] ret_from_fork+0x22/0x30 [372.705517] </TASK> [372.709747] INFO: task btrfs-transacti:2347 blocked for more than 123 seconds. [372.729827] Not tainted 5.16.0-rc8 #7 [372.745907] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [372.767106] task:btrfs-transacti state:D stack: 0 pid: 2347 ppid: 2 flags:0x00004000 [372.787776] Call Trace: [372.801652] <TASK> [372.812961] __schedule+0xb56/0x4850 [372.830011] ? io_schedule_timeout+0x190/0x190 [372.852547] ? lockdep_hardirqs_on+0x7e/0x100 [372.871761] ? _raw_spin_unlock_irqrestore+0x3e/0x60 [372.886792] schedule+0xe0/0x270 [372.901685] wait_current_trans+0x22c/0x310 [btrfs] [372.919743] ? btrfs_put_transaction+0x3d0/0x3d0 [btrfs] [372.938923] ? finish_wait+0x270/0x270 [372.959085] ? join_transaction+0xc7 ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48734.html
CVE-2022-48734
https://bugzilla.suse.com/1226626
SUSE Bug 1226626

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: Fix UAF of leds class devs at unbinding The LED class devices that are created by HD-audio codec drivers are registered via devm_led_classdev_register() and associated with the HD-audio codec device. Unfortunately, it turned out that the devres release doesn't work for this case; namely, since the codec resource release happens before the devm call chain, it triggers a NULL dereference or a UAF for a stale set_brightness_delay callback. For fixing the bug, this patch changes the LED class device register and unregister in a manual manner without devres, keeping the instances in hda_gen_spec.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48735.html
CVE-2022-48735
https://bugzilla.suse.com/1226719
SUSE Bug 1226719
https://bugzilla.suse.com/1227438
SUSE Bug 1227438

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48736.html
CVE-2022-48736
https://bugzilla.suse.com/1226721
SUSE Bug 1226721

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48737.html
CVE-2022-48737
https://bugzilla.suse.com/1226762
SUSE Bug 1226762

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() We don't currently validate that the values being set are within the range we advertised to userspace as being valid, do so and reject any values that are out of range.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48738.html
CVE-2022-48738
https://bugzilla.suse.com/1226674
SUSE Bug 1226674

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: hdmi-codec: Fix OOB memory accesses Correct size of iec_status array by changing it to the size of status array of the struct snd_aes_iec958. This fixes out-of-bounds slab read accesses made by memcpy() of the hdmi-codec driver. This problem is reported by KASAN.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48739.html
CVE-2022-48739
https://bugzilla.suse.com/1226675
SUSE Bug 1226675

Описание

In the Linux kernel, the following vulnerability has been resolved: selinux: fix double free of cond_list on error paths On error path from cond_read_list() and duplicate_policydb_cond_list() the cond_list_destroy() gets called a second time in caller functions, resulting in NULL pointer deref. Fix this by resetting the cond_list_len to 0 in cond_list_destroy(), making subsequent calls a noop. Also consistently reset the cond_list pointer to NULL after freeing. [PM: fix line lengths in the description]

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48740.html
CVE-2022-48740
https://bugzilla.suse.com/1226699
SUSE Bug 1226699

Описание

In the Linux kernel, the following vulnerability has been resolved: net: amd-xgbe: Fix skb data length underflow There will be BUG_ON() triggered in include/linux/skbuff.h leading to intermittent kernel panic, when the skb length underflow is detected. Fix this by dropping the packet if such length underflows are seen because of inconsistencies in the hardware descriptors.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48743.html
CVE-2022-48743
https://bugzilla.suse.com/1226705
SUSE Bug 1226705

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Avoid field-overflowing memcpy() In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. Use flexible arrays instead of zero-element arrays (which look like they are always overflowing) and split the cross-field memcpy() into two halves that can be appropriately bounds-checked by the compiler. We were doing: #define ETH_HLEN 14 #define VLAN_HLEN 4 ... #define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN) ... struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi); ... struct mlx5_wqe_eth_seg *eseg = &wqe->eth; struct mlx5_wqe_data_seg *dseg = wqe->data; ... memcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE); target is wqe->eth.inline_hdr.start (which the compiler sees as being 2 bytes in size), but copying 18, intending to write across start (really vlan_tci, 2 bytes). The remaining 16 bytes get written into wqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr (8 bytes). struct mlx5e_tx_wqe { struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 */ struct mlx5_wqe_eth_seg eth; /* 16 16 */ struct mlx5_wqe_data_seg data[]; /* 32 0 */ /* size: 32, cachelines: 1, members: 3 */ /* last cacheline: 32 bytes */ }; struct mlx5_wqe_eth_seg { u8 swp_outer_l4_offset; /* 0 1 */ u8 swp_outer_l3_offset; /* 1 1 */ u8 swp_inner_l4_offset; /* 2 1 */ u8 swp_inner_l3_offset; /* 3 1 */ u8 cs_flags; /* 4 1 */ u8 swp_flags; /* 5 1 */ __be16 mss; /* 6 2 */ __be32 flow_table_metadata; /* 8 4 */ union { struct { __be16 sz; /* 12 2 */ u8 start[2]; /* 14 2 */ } inline_hdr; /* 12 4 */ struct { __be16 type; /* 12 2 */ __be16 vlan_tci; /* 14 2 */ } insert; /* 12 4 */ __be32 trailer; /* 12 4 */ }; /* 12 4 */ /* size: 16, cachelines: 1, members: 9 */ /* last cacheline: 16 bytes */ }; struct mlx5_wqe_data_seg { __be32 byte_count; /* 0 4 */ __be32 lkey; /* 4 4 */ __be64 addr; /* 8 8 */ /* size: 16, cachelines: 1, members: 3 */ /* last cacheline: 16 bytes */ }; So, split the memcpy() so the compiler can reason about the buffer sizes. "pahole" shows no size nor member offset changes to struct mlx5e_tx_wqe nor struct mlx5e_umr_wqe. "objdump -d" shows no meaningful object code changes (i.e. only source line number induced differences and optimizations).

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48744.html
CVE-2022-48744
https://bugzilla.suse.com/1226696
SUSE Bug 1226696

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Use del_timer_sync in fw reset flow of halting poll Substitute del_timer() with del_timer_sync() in fw reset polling deactivation flow, in order to prevent a race condition which occurs when del_timer() is called and timer is deactivated while another process is handling the timer interrupt. A situation that led to the following call trace: RIP: 0010:run_timer_softirq+0x137/0x420 <IRQ> recalibrate_cpu_khz+0x10/0x10 ktime_get+0x3e/0xa0 ? sched_clock_cpu+0xb/0xc0 __do_softirq+0xf5/0x2ea irq_exit_rcu+0xc1/0xf0 sysvec_apic_timer_interrupt+0x9e/0xc0 asm_sysvec_apic_timer_interrupt+0x12/0x20 </IRQ>

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48745.html
CVE-2022-48745
https://bugzilla.suse.com/1226702
SUSE Bug 1226702

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix handling of wrong devices during bond netevent Current implementation of bond netevent handler only check if the handled netdev is VF representor and it missing a check if the VF representor is on the same phys device of the bond handling the netevent. Fix by adding the missing check and optimizing the check if the netdev is VF representor so it will not access uninitialized private data and crashes. BUG: kernel NULL pointer dereference, address: 000000000000036c PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI Workqueue: eth3bond0 bond_mii_monitor [bonding] RIP: 0010:mlx5e_is_uplink_rep+0xc/0x50 [mlx5_core] RSP: 0018:ffff88812d69fd60 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8881cf800000 RCX: 0000000000000000 RDX: ffff88812d69fe10 RSI: 000000000000001b RDI: ffff8881cf800880 RBP: ffff8881cf800000 R08: 00000445cabccf2b R09: 0000000000000008 R10: 0000000000000004 R11: 0000000000000008 R12: ffff88812d69fe10 R13: 00000000fffffffe R14: ffff88820c0f9000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88846fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000036c CR3: 0000000103d80006 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: mlx5e_eswitch_uplink_rep+0x31/0x40 [mlx5_core] mlx5e_rep_is_lag_netdev+0x94/0xc0 [mlx5_core] mlx5e_rep_esw_bond_netevent+0xeb/0x3d0 [mlx5_core] raw_notifier_call_chain+0x41/0x60 call_netdevice_notifiers_info+0x34/0x80 netdev_lower_state_changed+0x4e/0xa0 bond_mii_monitor+0x56b/0x640 [bonding] process_one_work+0x1b9/0x390 worker_thread+0x4d/0x3d0 ? rescuer_thread+0x350/0x350 kthread+0x124/0x150 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x1f/0x30

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48746.html
CVE-2022-48746
https://bugzilla.suse.com/1226703
SUSE Bug 1226703

Описание

In the Linux kernel, the following vulnerability has been resolved: block: Fix wrong offset in bio_truncate() bio_truncate() clears the buffer outside of last block of bdev, however current bio_truncate() is using the wrong offset of page. So it can return the uninitialized data. This happened when both of truncated/corrupted FS and userspace (via bdev) are trying to read the last of bdev.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48747.html
CVE-2022-48747
https://bugzilla.suse.com/1226643
SUSE Bug 1226643

Описание

In the Linux kernel, the following vulnerability has been resolved: net: bridge: vlan: fix memory leak in __allowed_ingress When using per-vlan state, if vlan snooping and stats are disabled, untagged or priority-tagged ingress frame will go to check pvid state. If the port state is forwarding and the pvid state is not learning/forwarding, untagged or priority-tagged frame will be dropped but skb memory is not freed. Should free skb when __allowed_ingress returns false.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48748.html
CVE-2022-48748
https://bugzilla.suse.com/1226647
SUSE Bug 1226647

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc The function performs a check on the "ctx" input parameter, however, it is used before the check. Initialize the "base" variable after the sanity check to avoid a possible NULL pointer dereference. Addresses-Coverity-ID: 1493866 ("Null pointer dereference")

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48749.html
CVE-2022-48749
https://bugzilla.suse.com/1226650
SUSE Bug 1226650

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: Transitional solution for clcsock race issue We encountered a crash in smc_setsockopt() and it is caused by accessing smc->clcsock after clcsock was released. BUG: kernel NULL pointer dereference, address: 0000000000000020 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 50309 Comm: nginx Kdump: loaded Tainted: G E 5.16.0-rc4+ #53 RIP: 0010:smc_setsockopt+0x59/0x280 [smc] Call Trace: <TASK> __sys_setsockopt+0xfc/0x190 __x64_sys_setsockopt+0x20/0x30 do_syscall_64+0x34/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f16ba83918e </TASK> This patch tries to fix it by holding clcsock_release_lock and checking whether clcsock has already been released before access. In case that a crash of the same reason happens in smc_getsockopt() or smc_switch_to_fallback(), this patch also checkes smc->clcsock in them too. And the caller of smc_switch_to_fallback() will identify whether fallback succeeds according to the return value.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48751.html
CVE-2022-48751
https://bugzilla.suse.com/1226653
SUSE Bug 1226653

Описание

In the Linux kernel, the following vulnerability has been resolved: powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending Running selftest with CONFIG_PPC_IRQ_SOFT_MASK_DEBUG enabled in kernel triggered below warning: [ 172.851380] ------------[ cut here ]------------ [ 172.851391] WARNING: CPU: 8 PID: 2901 at arch/powerpc/include/asm/hw_irq.h:246 power_pmu_disable+0x270/0x280 [ 172.851402] Modules linked in: dm_mod bonding nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink sunrpc xfs libcrc32c pseries_rng xts vmx_crypto uio_pdrv_genirq uio sch_fq_codel ip_tables ext4 mbcache jbd2 sd_mod t10_pi sg ibmvscsi ibmveth scsi_transport_srp fuse [ 172.851442] CPU: 8 PID: 2901 Comm: lost_exception_ Not tainted 5.16.0-rc5-03218-g798527287598 #2 [ 172.851451] NIP: c00000000013d600 LR: c00000000013d5a4 CTR: c00000000013b180 [ 172.851458] REGS: c000000017687860 TRAP: 0700 Not tainted (5.16.0-rc5-03218-g798527287598) [ 172.851465] MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 48004884 XER: 20040000 [ 172.851482] CFAR: c00000000013d5b4 IRQMASK: 1 [ 172.851482] GPR00: c00000000013d5a4 c000000017687b00 c000000002a10600 0000000000000004 [ 172.851482] GPR04: 0000000082004000 c0000008ba08f0a8 0000000000000000 00000008b7ed0000 [ 172.851482] GPR08: 00000000446194f6 0000000000008000 c00000000013b118 c000000000d58e68 [ 172.851482] GPR12: c00000000013d390 c00000001ec54a80 0000000000000000 0000000000000000 [ 172.851482] GPR16: 0000000000000000 0000000000000000 c000000015d5c708 c0000000025396d0 [ 172.851482] GPR20: 0000000000000000 0000000000000000 c00000000a3bbf40 0000000000000003 [ 172.851482] GPR24: 0000000000000000 c0000008ba097400 c0000000161e0d00 c00000000a3bb600 [ 172.851482] GPR28: c000000015d5c700 0000000000000001 0000000082384090 c0000008ba0020d8 [ 172.851549] NIP [c00000000013d600] power_pmu_disable+0x270/0x280 [ 172.851557] LR [c00000000013d5a4] power_pmu_disable+0x214/0x280 [ 172.851565] Call Trace: [ 172.851568] [c000000017687b00] [c00000000013d5a4] power_pmu_disable+0x214/0x280 (unreliable) [ 172.851579] [c000000017687b40] [c0000000003403ac] perf_pmu_disable+0x4c/0x60 [ 172.851588] [c000000017687b60] [c0000000003445e4] __perf_event_task_sched_out+0x1d4/0x660 [ 172.851596] [c000000017687c50] [c000000000d1175c] __schedule+0xbcc/0x12a0 [ 172.851602] [c000000017687d60] [c000000000d11ea8] schedule+0x78/0x140 [ 172.851608] [c000000017687d90] [c0000000001a8080] sys_sched_yield+0x20/0x40 [ 172.851615] [c000000017687db0] [c0000000000334dc] system_call_exception+0x18c/0x380 [ 172.851622] [c000000017687e10] [c00000000000c74c] system_call_common+0xec/0x268 The warning indicates that MSR_EE being set(interrupt enabled) when there was an overflown PMC detected. This could happen in power_pmu_disable since it runs under interrupt soft disable condition ( local_irq_save ) and not with interrupts hard disabled. commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC") intended to clear PMI pending bit in Paca when disabling the PMU. It could happen that PMC gets overflown while code is in power_pmu_disable callback function. Hence add a check to see if PMI pending bit is set in Paca before clearing it via clear_pmi_pending.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48752.html
CVE-2022-48752
https://bugzilla.suse.com/1226709
SUSE Bug 1226709

Описание

In the Linux kernel, the following vulnerability has been resolved: block: fix memory leak in disk_register_independent_access_ranges kobject_init_and_add() takes reference even when it fails. According to the doc of kobject_init_and_add() If this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object. Fix this issue by adding kobject_put(). Callback function blk_ia_ranges_sysfs_release() in kobject_put() can handle the pointer "iars" properly.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48753.html
CVE-2022-48753
https://bugzilla.suse.com/1226693
SUSE Bug 1226693

Описание

In the Linux kernel, the following vulnerability has been resolved: phylib: fix potential use-after-free Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call to phy_device_reset(phydev) after the put_device() call in phy_detach(). The comment before the put_device() call says that the phydev might go away with put_device(). Fix potential use-after-free by calling phy_device_reset() before put_device().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48754.html
CVE-2022-48754
https://bugzilla.suse.com/1226692
SUSE Bug 1226692

Описание

In the Linux kernel, the following vulnerability has been resolved: powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06 Johan reported the below crash with test_bpf on ppc64 e5500: test_bpf: #296 ALU_END_FROM_LE 64: 0x0123456789abcdef -> 0x67452301 jited:1 Oops: Exception in kernel mode, sig: 4 [#1] BE PAGE_SIZE=4K SMP NR_CPUS=24 QEMU e500 Modules linked in: test_bpf(+) CPU: 0 PID: 76 Comm: insmod Not tainted 5.14.0-03771-g98c2059e008a-dirty #1 NIP: 8000000000061c3c LR: 80000000006dea64 CTR: 8000000000061c18 REGS: c0000000032d3420 TRAP: 0700 Not tainted (5.14.0-03771-g98c2059e008a-dirty) MSR: 0000000080089000 <EE,ME> CR: 88002822 XER: 20000000 IRQMASK: 0 <...> NIP [8000000000061c3c] 0x8000000000061c3c LR [80000000006dea64] .__run_one+0x104/0x17c [test_bpf] Call Trace: .__run_one+0x60/0x17c [test_bpf] (unreliable) .test_bpf_init+0x6a8/0xdc8 [test_bpf] .do_one_initcall+0x6c/0x28c .do_init_module+0x68/0x28c .load_module+0x2460/0x2abc .__do_sys_init_module+0x120/0x18c .system_call_exception+0x110/0x1b8 system_call_common+0xf0/0x210 --- interrupt: c00 at 0x101d0acc <...> ---[ end trace 47b2bf19090bb3d0 ]--- Illegal instruction The illegal instruction turned out to be 'ldbrx' emitted for BPF_FROM_[L|B]E, which was only introduced in ISA v2.06. Guard use of the same and implement an alternative approach for older processors.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48755.html
CVE-2022-48755
https://bugzilla.suse.com/1226706
SUSE Bug 1226706

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable The function performs a check on the "phy" input parameter, however, it is used before the check. Initialize the "dev" variable after the sanity check to avoid a possible NULL pointer dereference. Addresses-Coverity-ID: 1493860 ("Null pointer dereference")

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48756.html
CVE-2022-48756
https://bugzilla.suse.com/1226698
SUSE Bug 1226698

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put() The bnx2fc_destroy() functions are removing the interface before calling destroy_work. This results multiple WARNings from sysfs_remove_group() as the controller rport device attributes are removed too early. Replace the fcoe_port's destroy_work queue. It's not needed. The problem is easily reproducible with the following steps. Example: $ dmesg -w & $ systemctl enable --now fcoe $ fipvlan -s -c ens2f1 $ fcoeadm -d ens2f1.802 [ 583.464488] host2: libfc: Link down on port (7500a1) [ 583.472651] bnx2fc: 7500a1 - rport not created Yet!! [ 583.490468] ------------[ cut here ]------------ [ 583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0' [ 583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80 [ 583.607130] Modules linked in: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio rpcsec_gss_krb5 auth_rpcgss nfsv4 ... [ 583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x86_64 #1 [ 583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013 [ 584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc] [ 584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80 [ 584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ... [ 584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282 [ 584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000 [ 584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0 [ 584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00 [ 584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400 [ 584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004 [ 584.355379] FS: 0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000 [ 584.394419] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0 [ 584.454888] Call Trace: [ 584.466108] device_del+0xb2/0x3e0 [ 584.481701] device_unregister+0x13/0x60 [ 584.501306] bsg_unregister_queue+0x5b/0x80 [ 584.522029] bsg_remove_queue+0x1c/0x40 [ 584.541884] fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc] [ 584.573823] process_one_work+0x1e3/0x3b0 [ 584.592396] worker_thread+0x50/0x3b0 [ 584.609256] ? rescuer_thread+0x370/0x370 [ 584.628877] kthread+0x149/0x170 [ 584.643673] ? set_kthread_struct+0x40/0x40 [ 584.662909] ret_from_fork+0x22/0x30 [ 584.680002] ---[ end trace 53575ecefa942ece ]---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48758.html
CVE-2022-48758
https://bugzilla.suse.com/1226708
SUSE Bug 1226708

Описание

In the Linux kernel, the following vulnerability has been resolved: rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev struct rpmsg_ctrldev contains a struct cdev. The current code frees the rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the cdev is a managed object, therefore its release is not predictable and the rpmsg_ctrldev could be freed before the cdev is entirely released, as in the backtrace below. [ 93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c [ 93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0 [ 93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v [ 93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.163-lockdep #26 [ 93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT) [ 93.730055] Workqueue: events kobject_delayed_cleanup [ 93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO) [ 93.740216] pc : debug_print_object+0x13c/0x1b0 [ 93.744890] lr : debug_print_object+0x13c/0x1b0 [ 93.749555] sp : ffffffacf5bc7940 [ 93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000 [ 93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000 [ 93.763916] x25: ffffffd0734f856c x24: dfffffd000000000 [ 93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0 [ 93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0 [ 93.780338] x19: ffffffd075199100 x18: 00000000000276e0 [ 93.785814] x17: 0000000000000000 x16: dfffffd000000000 [ 93.791291] x15: ffffffffffffffff x14: 6e6968207473696c [ 93.796768] x13: 0000000000000000 x12: ffffffd075e2b000 [ 93.802244] x11: 0000000000000001 x10: 0000000000000000 [ 93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900 [ 93.813200] x7 : 0000000000000000 x6 : 0000000000000000 [ 93.818676] x5 : 0000000000000080 x4 : 0000000000000000 [ 93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001 [ 93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061 [ 93.835104] Call trace: [ 93.837644] debug_print_object+0x13c/0x1b0 [ 93.841963] __debug_check_no_obj_freed+0x25c/0x3c0 [ 93.846987] debug_check_no_obj_freed+0x18/0x20 [ 93.851669] slab_free_freelist_hook+0xbc/0x1e4 [ 93.856346] kfree+0xfc/0x2f4 [ 93.859416] rpmsg_ctrldev_release_device+0x78/0xb8 [ 93.864445] device_release+0x84/0x168 [ 93.868310] kobject_cleanup+0x12c/0x298 [ 93.872356] kobject_delayed_cleanup+0x10/0x18 [ 93.876948] process_one_work+0x578/0x92c [ 93.881086] worker_thread+0x804/0xcf8 [ 93.884963] kthread+0x2a8/0x314 [ 93.888303] ret_from_fork+0x10/0x18 The cdev_device_add/del() API was created to address this issue (see commit '233ed09d7fda ("chardev: add helper function to register char devs with a struct device")'), use it instead of cdev add/del().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48759.html
CVE-2022-48759
https://bugzilla.suse.com/1226711
SUSE Bug 1226711

Описание

In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix hang in usb_kill_urb by adding memory barriers The syzbot fuzzer has identified a bug in which processes hang waiting for usb_kill_urb() to return. It turns out the issue is not unlinking the URB; that works just fine. Rather, the problem arises when the wakeup notification that the URB has completed is not received. The reason is memory-access ordering on SMP systems. In outline form, usb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on different CPUs perform the following actions: CPU 0 CPU 1 ---------------------------- --------------------------------- usb_kill_urb(): __usb_hcd_giveback_urb(): ... ... atomic_inc(&urb->reject); atomic_dec(&urb->use_count); ... ... wait_event(usb_kill_urb_queue, atomic_read(&urb->use_count) == 0); if (atomic_read(&urb->reject)) wake_up(&usb_kill_urb_queue); Confining your attention to urb->reject and urb->use_count, you can see that the overall pattern of accesses on CPU 0 is: write urb->reject, then read urb->use_count; whereas the overall pattern of accesses on CPU 1 is: write urb->use_count, then read urb->reject. This pattern is referred to in memory-model circles as SB (for "Store Buffering"), and it is well known that without suitable enforcement of the desired order of accesses -- in the form of memory barriers -- it is entirely possible for one or both CPUs to execute their reads ahead of their writes. The end result will be that sometimes CPU 0 sees the old un-decremented value of urb->use_count while CPU 1 sees the old un-incremented value of urb->reject. Consequently CPU 0 ends up on the wait queue and never gets woken up, leading to the observed hang in usb_kill_urb(). The same pattern of accesses occurs in usb_poison_urb() and the failure pathway of usb_hcd_submit_urb(). The problem is fixed by adding suitable memory barriers. To provide proper memory-access ordering in the SB pattern, a full barrier is required on both CPUs. The atomic_inc() and atomic_dec() accesses themselves don't provide any memory ordering, but since they are present, we can use the optimized smp_mb__after_atomic() memory barrier in the various routines to obtain the desired effect. This patch adds the necessary memory barriers.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48760.html
CVE-2022-48760
https://bugzilla.suse.com/1226712
SUSE Bug 1226712

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: xhci-plat: fix crash when suspend if remote wake enable Crashed at i.mx8qm platform when suspend if enable remote wakeup Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 244 Comm: kworker/u12:6 Not tainted 5.15.5-dirty #12 Hardware name: Freescale i.MX8QM MEK (DT) Workqueue: events_unbound async_run_entry_fn pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : xhci_disable_hub_port_wake.isra.62+0x60/0xf8 lr : xhci_disable_hub_port_wake.isra.62+0x34/0xf8 sp : ffff80001394bbf0 x29: ffff80001394bbf0 x28: 0000000000000000 x27: ffff00081193b578 x26: ffff00081193b570 x25: 0000000000000000 x24: 0000000000000000 x23: ffff00081193a29c x22: 0000000000020001 x21: 0000000000000001 x20: 0000000000000000 x19: ffff800014e90490 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000002 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000960 x9 : ffff80001394baa0 x8 : ffff0008145d1780 x7 : ffff0008f95b8e80 x6 : 000000001853b453 x5 : 0000000000000496 x4 : 0000000000000000 x3 : ffff00081193a29c x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffff000814591620 Call trace: xhci_disable_hub_port_wake.isra.62+0x60/0xf8 xhci_suspend+0x58/0x510 xhci_plat_suspend+0x50/0x78 platform_pm_suspend+0x2c/0x78 dpm_run_callback.isra.25+0x50/0xe8 __device_suspend+0x108/0x3c0 The basic flow: 1. run time suspend call xhci_suspend, xhci parent devices gate the clock. 2. echo mem >/sys/power/state, system _device_suspend call xhci_suspend 3. xhci_suspend call xhci_disable_hub_port_wake, which access register, but clock already gated by run time suspend. This problem was hidden by power domain driver, which call run time resume before it. But the below commit remove it and make this issue happen. commit c1df456d0f06e ("PM: domains: Don't runtime resume devices at genpd_prepare()") This patch call run time resume before suspend to make sure clock is on before access register. Testeb-by: Abel Vesa <abel.vesa@nxp.com>

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48761.html
CVE-2022-48761
https://bugzilla.suse.com/1226701
SUSE Bug 1226701

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Forcibly leave nested virt when SMM state is toggled Forcibly leave nested virtualization operation if userspace toggles SMM state via KVM_SET_VCPU_EVENTS or KVM_SYNC_X86_EVENTS. If userspace forces the vCPU out of SMM while it's post-VMXON and then injects an SMI, vmx_enter_smm() will overwrite vmx->nested.smm.vmxon and end up with both vmxon=false and smm.vmxon=false, but all other nVMX state allocated. Don't attempt to gracefully handle the transition as (a) most transitions are nonsencial, e.g. forcing SMM while L2 is running, (b) there isn't sufficient information to handle all transitions, e.g. SVM wants access to the SMRAM save state, and (c) KVM_SET_VCPU_EVENTS must precede KVM_SET_NESTED_STATE during state restore as the latter disallows putting the vCPU into L2 if SMM is active, and disallows tagging the vCPU as being post-VMXON in SMM if SMM is not active. Abuse of KVM_SET_VCPU_EVENTS manifests as a WARN and memory leak in nVMX due to failure to free vmcs01's shadow VMCS, but the bug goes far beyond just a memory leak, e.g. toggling SMM on while L2 is active puts the vCPU in an architecturally impossible state. WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline] WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656 Modules linked in: CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline] RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656 Code: <0f> 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00 Call Trace: <TASK> kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123 kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline] kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460 kvm_free_vcpus arch/x86/kvm/x86.c:11564 [inline] kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1217 [inline] kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250 kvm_vm_release+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273 __fput+0x286/0x9f0 fs/file_table.c:311 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [inline] do_exit+0xb29/0x2a30 kernel/exit.c:806 do_group_exit+0xd2/0x2f0 kernel/exit.c:935 get_signal+0x4b0/0x28c0 kernel/signal.c:2862 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868 handle_signal_work kernel/entry/common.c:148 [inline] exit_to_user_mode_loop kernel/entry/common.c:172 [inline] exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae </TASK>

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48763.html
CVE-2022-48763
https://bugzilla.suse.com/1226628
SUSE Bug 1226628

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: LAPIC: Also cancel preemption timer during SET_LAPIC The below warning is splatting during guest reboot. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm] CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5 RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm] Call Trace: <TASK> kvm_vcpu_ioctl+0x279/0x710 [kvm] __x64_sys_ioctl+0x83/0xb0 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fd39797350b This can be triggered by not exposing tsc-deadline mode and doing a reboot in the guest. The lapic_shutdown() function which is called in sys_reboot path will not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears APIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode switch between tsc-deadline and oneshot/periodic, which can result in preemption timer be cancelled in apic_update_lvtt(). However, We can't depend on this when not exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption timer. Qemu will synchronise states around reset, let's cancel preemption timer under KVM_SET_LAPIC.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48765.html
CVE-2022-48765
https://bugzilla.suse.com/1226697
SUSE Bug 1226697

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Wrap dcn301_calculate_wm_and_dlg for FPU. Mirrors the logic for dcn30. Cue lots of WARNs and some kernel panics without this fix.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48766.html
CVE-2022-48766
https://bugzilla.suse.com/1226704
SUSE Bug 1226704

Описание

In the Linux kernel, the following vulnerability has been resolved: ceph: properly put ceph_string reference after async create attempt The reference acquired by try_prep_async_create is currently leaked. Ensure we put it.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48767.html
CVE-2022-48767
https://bugzilla.suse.com/1226715
SUSE Bug 1226715

Описание

In the Linux kernel, the following vulnerability has been resolved: tracing/histogram: Fix a potential memory leak for kstrdup() kfree() is missing on an error path to free the memory allocated by kstrdup(): p = param = kstrdup(data->params[i], GFP_KERNEL); So it is better to free it via kfree(p).

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48768.html
CVE-2022-48768
https://bugzilla.suse.com/1226720
SUSE Bug 1226720

Описание

In the Linux kernel, the following vulnerability has been resolved: efi: runtime: avoid EFIv2 runtime services on Apple x86 machines Aditya reports [0] that his recent MacbookPro crashes in the firmware when using the variable services at runtime. The culprit appears to be a call to QueryVariableInfo(), which we did not use to call on Apple x86 machines in the past as they only upgraded from EFI v1.10 to EFI v2.40 firmware fairly recently, and QueryVariableInfo() (along with UpdateCapsule() et al) was added in EFI v2.00. The only runtime service introduced in EFI v2.00 that we actually use in Linux is QueryVariableInfo(), as the capsule based ones are optional, generally not used at runtime (all the LVFS/fwupd firmware update infrastructure uses helper EFI programs that invoke capsule update at boot time, not runtime), and not implemented by Apple machines in the first place. QueryVariableInfo() is used to 'safely' set variables, i.e., only when there is enough space. This prevents machines with buggy firmwares from corrupting their NVRAMs when they run out of space. Given that Apple machines have been using EFI v1.10 services only for the longest time (the EFI v2.0 spec was released in 2006, and Linux support for the newly introduced runtime services was added in 2011, but the MacbookPro12,1 released in 2015 still claims to be EFI v1.10 only), let's avoid the EFI v2.0 ones on all Apple x86 machines. [0] https://lore.kernel.org/all/6D757C75-65B1-468B-842D-10410081A8E4@live.com/

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48769.html
CVE-2022-48769
https://bugzilla.suse.com/1226629
SUSE Bug 1226629

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Guard against accessing NULL pt_regs in bpf_get_task_stack() task_pt_regs() can return NULL on powerpc for kernel threads. This is then used in __bpf_get_stack() to check for user mode, resulting in a kernel oops. Guard against this by checking return value of task_pt_regs() before trying to obtain the call chain.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48770.html
CVE-2022-48770
https://bugzilla.suse.com/1226730
SUSE Bug 1226730

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix stale file descriptors on failed usercopy A failing usercopy of the fence_rep object will lead to a stale entry in the file descriptor table as put_unused_fd() won't release it. This enables userland to refer to a dangling 'file' object through that still valid file descriptor, leading to all kinds of use-after-free exploitation scenarios. Fix this by deferring the call to fd_install() until after the usercopy has succeeded.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48771.html
CVE-2022-48771
https://bugzilla.suse.com/1226732
SUSE Bug 1226732

Описание

In the Linux kernel, the following vulnerability has been resolved: media: lgdt3306a: Add a check against null-pointer-def The driver should check whether the client provides the platform_data. The following log reveals it: [ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40 [ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414 [ 29.612820] Call Trace: [ 29.613030] <TASK> [ 29.613201] dump_stack_lvl+0x56/0x6f [ 29.613496] ? kmemdup+0x30/0x40 [ 29.613754] print_report.cold+0x494/0x6b7 [ 29.614082] ? kmemdup+0x30/0x40 [ 29.614340] kasan_report+0x8a/0x190 [ 29.614628] ? kmemdup+0x30/0x40 [ 29.614888] kasan_check_range+0x14d/0x1d0 [ 29.615213] memcpy+0x20/0x60 [ 29.615454] kmemdup+0x30/0x40 [ 29.615700] lgdt3306a_probe+0x52/0x310 [ 29.616339] i2c_device_probe+0x951/0xa90

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48772.html
CVE-2022-48772
https://bugzilla.suse.com/1226976
SUSE Bug 1226976

Описание

In the Linux kernel, the following vulnerability has been resolved: xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create If there are failures then we must not leave the non-NULL pointers with the error value, otherwise `rpcrdma_ep_destroy` gets confused and tries free them, resulting in an Oops.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48773.html
CVE-2022-48773
https://bugzilla.suse.com/1227921
SUSE Bug 1227921

Описание

In the Linux kernel, the following vulnerability has been resolved: dmaengine: ptdma: Fix the error handling path in pt_core_init() In order to free resources correctly in the error handling path of pt_core_init(), 2 goto's have to be switched. Otherwise, some resources will leak and we will try to release things that have not been allocated yet. Also move a dev_err() to a place where it is more meaningful.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48774.html
CVE-2022-48774
https://bugzilla.suse.com/1227923
SUSE Bug 1227923

Описание

In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Fix memory leak in vmbus_add_channel_kobj kobject_init_and_add() takes reference even when it fails. According to the doc of kobject_init_and_add(): If this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object. Fix memory leak by calling kobject_put().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48775.html
CVE-2022-48775
https://bugzilla.suse.com/1227924
SUSE Bug 1227924

Описание

In the Linux kernel, the following vulnerability has been resolved: mtd: parsers: qcom: Fix missing free for pparts in cleanup Mtdpart doesn't free pparts when a cleanup function is declared. Add missing free for pparts in cleanup function for smem to fix the leak.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48776.html
CVE-2022-48776
https://bugzilla.suse.com/1227925
SUSE Bug 1227925

Описание

In the Linux kernel, the following vulnerability has been resolved: mtd: parsers: qcom: Fix kernel panic on skipped partition In the event of a skipped partition (case when the entry name is empty) the kernel panics in the cleanup function as the name entry is NULL. Rework the parser logic by first checking the real partition number and then allocate the space and set the data for the valid partitions. The logic was also fundamentally wrong as with a skipped partition, the parts number returned was incorrect by not decreasing it for the skipped partitions.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48777.html
CVE-2022-48777
https://bugzilla.suse.com/1227922
SUSE Bug 1227922

Описание

In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: gpmi: don't leak PM reference in error path If gpmi_nfc_apply_timings() fails, the PM runtime usage counter must be dropped.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48778.html
CVE-2022-48778
https://bugzilla.suse.com/1227935
SUSE Bug 1227935

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: Avoid overwriting the copies of clcsock callback functions The callback functions of clcsock will be saved and replaced during the fallback. But if the fallback happens more than once, then the copies of these callback functions will be overwritten incorrectly, resulting in a loop call issue: clcsk->sk_error_report |- smc_fback_error_report() <------------------------------| |- smc_fback_forward_wakeup() | (loop) |- clcsock_callback() (incorrectly overwritten) | |- smc->clcsk_error_report() ------------------| So this patch fixes the issue by saving these function pointers only once in the fallback and avoiding overwriting.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48780.html
CVE-2022-48780
https://bugzilla.suse.com/1227995
SUSE Bug 1227995

Описание

In the Linux kernel, the following vulnerability has been resolved: net: dsa: lantiq_gswip: fix use after free in gswip_remove() of_node_put(priv->ds->slave_mii_bus->dev.of_node) should be done before mdiobus_free(priv->ds->slave_mii_bus).

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48783.html
CVE-2022-48783
https://bugzilla.suse.com/1227949
SUSE Bug 1227949

Описание

In the Linux kernel, the following vulnerability has been resolved: cfg80211: fix race in netlink owner interface destruction My previous fix here to fix the deadlock left a race where the exact same deadlock (see the original commit referenced below) can still happen if cfg80211_destroy_ifaces() already runs while nl80211_netlink_notify() is still marking some interfaces as nl_owner_dead. The race happens because we have two loops here - first we dev_close() all the netdevs, and then we destroy them. If we also have two netdevs (first one need only be a wdev though) then we can find one during the first iteration, close it, and go to the second iteration -- but then find two, and try to destroy also the one we didn't close yet. Fix this by only iterating once.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48784.html
CVE-2022-48784
https://bugzilla.suse.com/1227938
SUSE Bug 1227938

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: use rcu-safe version of ipv6_get_lladdr() Some time ago 8965779d2c0e ("ipv6,mcast: always hold idev->lock before mca_lock") switched ipv6_get_lladdr() to __ipv6_get_lladdr(), which is rcu-unsafe version. That was OK, because idev->lock was held for these codepaths. In 88e2ca308094 ("mld: convert ifmcaddr6 to RCU") these external locks were removed, so we probably need to restore the original rcu-safe call. Otherwise, we occasionally get a machine crashed/stalled with the following in dmesg: [ 3405.966610][T230589] general protection fault, probably for non-canonical address 0xdead00000000008c: 0000 [#1] SMP NOPTI [ 3405.982083][T230589] CPU: 44 PID: 230589 Comm: kworker/44:3 Tainted: G O 5.15.19-cloudflare-2022.2.1 #1 [ 3405.998061][T230589] Hardware name: SUPA-COOL-SERV [ 3406.009552][T230589] Workqueue: mld mld_ifc_work [ 3406.017224][T230589] RIP: 0010:__ipv6_get_lladdr+0x34/0x60 [ 3406.025780][T230589] Code: 57 10 48 83 c7 08 48 89 e5 48 39 d7 74 3e 48 8d 82 38 ff ff ff eb 13 48 8b 90 d0 00 00 00 48 8d 82 38 ff ff ff 48 39 d7 74 22 <66> 83 78 32 20 77 1b 75 e4 89 ca 23 50 2c 75 dd 48 8b 50 08 48 8b [ 3406.055748][T230589] RSP: 0018:ffff94e4b3fc3d10 EFLAGS: 00010202 [ 3406.065617][T230589] RAX: dead00000000005a RBX: ffff94e4b3fc3d30 RCX: 0000000000000040 [ 3406.077477][T230589] RDX: dead000000000122 RSI: ffff94e4b3fc3d30 RDI: ffff8c3a31431008 [ 3406.089389][T230589] RBP: ffff94e4b3fc3d10 R08: 0000000000000000 R09: 0000000000000000 [ 3406.101445][T230589] R10: ffff8c3a31430000 R11: 000000000000000b R12: ffff8c2c37887100 [ 3406.113553][T230589] R13: ffff8c3a39537000 R14: 00000000000005dc R15: ffff8c3a31431000 [ 3406.125730][T230589] FS: 0000000000000000(0000) GS:ffff8c3b9fc80000(0000) knlGS:0000000000000000 [ 3406.138992][T230589] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3406.149895][T230589] CR2: 00007f0dfea1db60 CR3: 000000387b5f2000 CR4: 0000000000350ee0 [ 3406.162421][T230589] Call Trace: [ 3406.170235][T230589] <TASK> [ 3406.177736][T230589] mld_newpack+0xfe/0x1a0 [ 3406.186686][T230589] add_grhead+0x87/0xa0 [ 3406.195498][T230589] add_grec+0x485/0x4e0 [ 3406.204310][T230589] ? newidle_balance+0x126/0x3f0 [ 3406.214024][T230589] mld_ifc_work+0x15d/0x450 [ 3406.223279][T230589] process_one_work+0x1e6/0x380 [ 3406.232982][T230589] worker_thread+0x50/0x3a0 [ 3406.242371][T230589] ? rescuer_thread+0x360/0x360 [ 3406.252175][T230589] kthread+0x127/0x150 [ 3406.261197][T230589] ? set_kthread_struct+0x40/0x40 [ 3406.271287][T230589] ret_from_fork+0x22/0x30 [ 3406.280812][T230589] </TASK> [ 3406.288937][T230589] Modules linked in: ... [last unloaded: kheaders] [ 3406.476714][T230589] ---[ end trace 3525a7655f2f3b9e ]---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48785.html
CVE-2022-48785
https://bugzilla.suse.com/1227927
SUSE Bug 1227927

Описание

In the Linux kernel, the following vulnerability has been resolved: vsock: remove vsock from connected table when connect is interrupted by a signal vsock_connect() expects that the socket could already be in the TCP_ESTABLISHED state when the connecting task wakes up with a signal pending. If this happens the socket will be in the connected table, and it is not removed when the socket state is reset. In this situation it's common for the process to retry connect(), and if the connection is successful the socket will be added to the connected table a second time, corrupting the list. Prevent this by calling vsock_remove_connected() if a signal is received while waiting for a connection. This is harmless if the socket is not in the connected table, and if it is in the table then removing it will prevent list corruption from a double add. Note for backporting: this patch requires d5afa82c977e ("vsock: correct removal of socket from the list"), which is in all current stable trees except 4.9.y.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48786.html
CVE-2022-48786
https://bugzilla.suse.com/1227996
SUSE Bug 1227996

Описание

In the Linux kernel, the following vulnerability has been resolved: iwlwifi: fix use-after-free If no firmware was present at all (or, presumably, all of the firmware files failed to parse), we end up unbinding by calling device_release_driver(), which calls remove(), which then in iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However the new code I added will still erroneously access it after it was freed. Set 'failure=false' in this case to avoid the access, all data was already freed anyway.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48787.html
CVE-2022-48787
https://bugzilla.suse.com/1227932
SUSE Bug 1227932

Описание

In the Linux kernel, the following vulnerability has been resolved: nvme-rdma: fix possible use-after-free in transport error_recovery work While nvme_rdma_submit_async_event_work is checking the ctrl and queue state before preparing the AER command and scheduling io_work, in order to fully prevent a race where this check is not reliable the error recovery work must flush async_event_work before continuing to destroy the admin queue after setting the ctrl state to RESETTING such that there is no race .submit_async_event and the error recovery handler itself changing the ctrl state.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48788.html
CVE-2022-48788
https://bugzilla.suse.com/1227952
SUSE Bug 1227952

Описание

In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix possible use-after-free in transport error_recovery work While nvme_tcp_submit_async_event_work is checking the ctrl and queue state before preparing the AER command and scheduling io_work, in order to fully prevent a race where this check is not reliable the error recovery work must flush async_event_work before continuing to destroy the admin queue after setting the ctrl state to RESETTING such that there is no race .submit_async_event and the error recovery handler itself changing the ctrl state.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48789.html
CVE-2022-48789
https://bugzilla.suse.com/1228000
SUSE Bug 1228000

Описание

In the Linux kernel, the following vulnerability has been resolved: nvme: fix a possible use-after-free in controller reset during load Unlike .queue_rq, in .submit_async_event drivers may not check the ctrl readiness for AER submission. This may lead to a use-after-free condition that was observed with nvme-tcp. The race condition may happen in the following scenario: 1. driver executes its reset_ctrl_work 2. -> nvme_stop_ctrl - flushes ctrl async_event_work 3. ctrl sends AEN which is received by the host, which in turn schedules AEN handling 4. teardown admin queue (which releases the queue socket) 5. AEN processed, submits another AER, calling the driver to submit 6. driver attempts to send the cmd ==> use-after-free In order to fix that, add ctrl state check to validate the ctrl is actually able to accept the AER submission. This addresses the above race in controller resets because the driver during teardown should: 1. change ctrl state to RESETTING 2. flush async_event_work (as well as other async work elements) So after 1,2, any other AER command will find the ctrl state to be RESETTING and bail out without submitting the AER.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48790.html
CVE-2022-48790
https://bugzilla.suse.com/1227941
SUSE Bug 1227941

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48791.html
CVE-2022-48791
https://bugzilla.suse.com/1228002
SUSE Bug 1228002
https://bugzilla.suse.com/1228012
SUSE Bug 1228012

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task Currently a use-after-free may occur if a sas_task is aborted by the upper layer before we handle the I/O completion in mpi_ssp_completion() or mpi_sata_completion(). In this case, the following are the two steps in handling those I/O completions: - Call complete() to inform the upper layer handler of completion of the I/O. - Release driver resources associated with the sas_task in pm8001_ccb_task_free() call. When complete() is called, the upper layer may free the sas_task. As such, we should not touch the associated sas_task afterwards, but we do so in the pm8001_ccb_task_free() call. Fix by swapping the complete() and pm8001_ccb_task_free() calls ordering.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48792.html
CVE-2022-48792
https://bugzilla.suse.com/1228013
SUSE Bug 1228013
https://bugzilla.suse.com/1228017
SUSE Bug 1228017

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: nSVM: fix potential NULL derefernce on nested migration Turns out that due to review feedback and/or rebases I accidentally moved the call to nested_svm_load_cr3 to be too early, before the NPT is enabled, which is very wrong to do. KVM can't even access guest memory at that point as nested NPT is needed for that, and of course it won't initialize the walk_mmu, which is main issue the patch was addressing. Fix this for real.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48793.html
CVE-2022-48793
https://bugzilla.suse.com/1228019
SUSE Bug 1228019

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ieee802154: at86rf230: Stop leaking skb's Upon error the ieee802154_xmit_complete() helper is not called. Only ieee802154_wake_queue() is called manually. In the Tx case we then leak the skb structure. Free the skb structure upon error before returning when appropriate. As the 'is_tx = 0' cannot be moved in the complete handler because of a possible race between the delay in switching to STATE_RX_AACK_ON and a new interrupt, we introduce an intermediate 'was_tx' boolean just for this purpose. There is no Fixes tag applying here, many changes have been made on this area and the issue kind of always existed.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48794.html
CVE-2022-48794
https://bugzilla.suse.com/1228025
SUSE Bug 1228025

Описание

In the Linux kernel, the following vulnerability has been resolved: iommu: Fix potential use-after-free during probe Kasan has reported the following use after free on dev->iommu. when a device probe fails and it is in process of freeing dev->iommu in dev_iommu_free function, a deferred_probe_work_func runs in parallel and tries to access dev->iommu->fwspec in of_iommu_configure path thus causing use after free. BUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4 Read of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153 Workqueue: events_unbound deferred_probe_work_func Call trace: dump_backtrace+0x0/0x33c show_stack+0x18/0x24 dump_stack_lvl+0x16c/0x1e0 print_address_description+0x84/0x39c __kasan_report+0x184/0x308 kasan_report+0x50/0x78 __asan_load8+0xc0/0xc4 of_iommu_configure+0xb4/0x4a4 of_dma_configure_id+0x2fc/0x4d4 platform_dma_configure+0x40/0x5c really_probe+0x1b4/0xb74 driver_probe_device+0x11c/0x228 __device_attach_driver+0x14c/0x304 bus_for_each_drv+0x124/0x1b0 __device_attach+0x25c/0x334 device_initial_probe+0x24/0x34 bus_probe_device+0x78/0x134 deferred_probe_work_func+0x130/0x1a8 process_one_work+0x4c8/0x970 worker_thread+0x5c8/0xaec kthread+0x1f8/0x220 ret_from_fork+0x10/0x18 Allocated by task 1: ____kasan_kmalloc+0xd4/0x114 __kasan_kmalloc+0x10/0x1c kmem_cache_alloc_trace+0xe4/0x3d4 __iommu_probe_device+0x90/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c really_probe+0x2c8/0xb74 driver_probe_device+0x11c/0x228 device_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 bus_for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 driver_register+0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/0x264 do_el0_svc+0x38/0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/0x180 Freed by task 1: kasan_set_track+0x4c/0x84 kasan_set_free_info+0x28/0x4c ____kasan_slab_free+0x120/0x15c __kasan_slab_free+0x18/0x28 slab_free_freelist_hook+0x204/0x2fc kfree+0xfc/0x3a4 __iommu_probe_device+0x284/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c really_probe+0x2c8/0xb74 driver_probe_device+0x11c/0x228 device_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 bus_for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 driver_register+0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/0x264 do_el0_svc+0x38/0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/0x180 Fix this by setting dev->iommu to NULL first and then freeing dev_iommu structure in dev_iommu_free function.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48796.html
CVE-2022-48796
https://bugzilla.suse.com/1228028
SUSE Bug 1228028

Описание

In the Linux kernel, the following vulnerability has been resolved: mm: don't try to NUMA-migrate COW pages that have other uses Oded Gabbay reports that enabling NUMA balancing causes corruption with his Gaudi accelerator test load: "All the details are in the bug, but the bottom line is that somehow, this patch causes corruption when the numa balancing feature is enabled AND we don't use process affinity AND we use GUP to pin pages so our accelerator can DMA to/from system memory. Either disabling numa balancing, using process affinity to bind to specific numa-node or reverting this patch causes the bug to disappear" and Oded bisected the issue to commit 09854ba94c6a ("mm: do_wp_page() simplification"). Now, the NUMA balancing shouldn't actually be changing the writability of a page, and as such shouldn't matter for COW. But it appears it does. Suspicious. However, regardless of that, the condition for enabling NUMA faults in change_pte_range() is nonsensical. It uses "page_mapcount(page)" to decide if a COW page should be NUMA-protected or not, and that makes absolutely no sense. The number of mappings a page has is irrelevant: not only does GUP get a reference to a page as in Oded's case, but the other mappings migth be paged out and the only reference to them would be in the page count. Since we should never try to NUMA-balance a page that we can't move anyway due to other references, just fix the code to use 'page_count()'. Oded confirms that that fixes his issue. Now, this does imply that something in NUMA balancing ends up changing page protections (other than the obvious one of making the page inaccessible to get the NUMA faulting information). Otherwise the COW simplification wouldn't matter - since doing the GUP on the page would make sure it's writable. The cause of that permission change would be good to figure out too, since it clearly results in spurious COW events - but fixing the nonsensical test that just happened to work before is obviously the CorrectThing(tm) to do regardless.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48797.html
CVE-2022-48797
https://bugzilla.suse.com/1228035
SUSE Bug 1228035

Описание

In the Linux kernel, the following vulnerability has been resolved: s390/cio: verify the driver availability for path_event call If no driver is attached to a device or the driver does not provide the path_event function, an FCES path-event on this device could end up in a kernel-panic. Verify the driver availability before the path_event function call.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48798.html
CVE-2022-48798
https://bugzilla.suse.com/1227945
SUSE Bug 1227945

Описание

In the Linux kernel, the following vulnerability has been resolved: perf: Fix list corruption in perf_cgroup_switch() There's list corruption on cgrp_cpuctx_list. This happens on the following path: perf_cgroup_switch: list_for_each_entry(cgrp_cpuctx_list) cpu_ctx_sched_in ctx_sched_in ctx_pinned_sched_in merge_sched_in perf_cgroup_event_disable: remove the event from the list Use list_for_each_entry_safe() to allow removing an entry during iteration.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48799.html
CVE-2022-48799
https://bugzilla.suse.com/1227953
SUSE Bug 1227953

Описание

In the Linux kernel, the following vulnerability has been resolved: mm: vmscan: remove deadlock due to throttling failing to make progress A soft lockup bug in kcompactd was reported in a private bugzilla with the following visible in dmesg; watchdog: BUG: soft lockup - CPU#33 stuck for 26s! [kcompactd0:479] watchdog: BUG: soft lockup - CPU#33 stuck for 52s! [kcompactd0:479] watchdog: BUG: soft lockup - CPU#33 stuck for 78s! [kcompactd0:479] watchdog: BUG: soft lockup - CPU#33 stuck for 104s! [kcompactd0:479] The machine had 256G of RAM with no swap and an earlier failed allocation indicated that node 0 where kcompactd was run was potentially unreclaimable; Node 0 active_anon:29355112kB inactive_anon:2913528kB active_file:0kB inactive_file:0kB unevictable:64kB isolated(anon):0kB isolated(file):0kB mapped:8kB dirty:0kB writeback:0kB shmem:26780kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 23480320kB writeback_tmp:0kB kernel_stack:2272kB pagetables:24500kB all_unreclaimable? yes Vlastimil Babka investigated a crash dump and found that a task migrating pages was trying to drain PCP lists; PID: 52922 TASK: ffff969f820e5000 CPU: 19 COMMAND: "kworker/u128:3" Call Trace: __schedule schedule schedule_timeout wait_for_completion __flush_work __drain_all_pages __alloc_pages_slowpath.constprop.114 __alloc_pages alloc_migration_target migrate_pages migrate_to_node do_migrate_pages cpuset_migrate_mm_workfn process_one_work worker_thread kthread ret_from_fork This failure is specific to CONFIG_PREEMPT=n builds. The root of the problem is that kcompact0 is not rescheduling on a CPU while a task that has isolated a large number of the pages from the LRU is waiting on kcompact0 to reschedule so the pages can be released. While shrink_inactive_list() only loops once around too_many_isolated, reclaim can continue without rescheduling if sc->skipped_deactivate == 1 which could happen if there was no file LRU and the inactive anon list was not low.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48800.html
CVE-2022-48800
https://bugzilla.suse.com/1227954
SUSE Bug 1227954

Описание

In the Linux kernel, the following vulnerability has been resolved: iio: buffer: Fix file related error handling in IIO_BUFFER_GET_FD_IOCTL If we fail to copy the just created file descriptor to userland, we try to clean up by putting back 'fd' and freeing 'ib'. The code uses put_unused_fd() for the former which is wrong, as the file descriptor was already published by fd_install() which gets called internally by anon_inode_getfd(). This makes the error handling code leaving a half cleaned up file descriptor table around and a partially destructed 'file' object, allowing userland to play use-after-free tricks on us, by abusing the still usable fd and making the code operate on a dangling 'file->private_data' pointer. Instead of leaving the kernel in a partially corrupted state, don't attempt to explicitly clean up and leave this to the process exit path that'll release any still valid fds, including the one created by the previous call to anon_inode_getfd(). Simply return -EFAULT to indicate the error.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48801.html
CVE-2022-48801
https://bugzilla.suse.com/1227956
SUSE Bug 1227956
https://bugzilla.suse.com/1228023
SUSE Bug 1228023

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/proc: task_mmu.c: don't read mapcount for migration entry The syzbot reported the below BUG: kernel BUG at include/linux/page-flags.h:785! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 4392 Comm: syz-executor560 Not tainted 5.16.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:PageDoubleMap include/linux/page-flags.h:785 [inline] RIP: 0010:__page_mapcount+0x2d2/0x350 mm/util.c:744 Call Trace: page_mapcount include/linux/mm.h:837 [inline] smaps_account+0x470/0xb10 fs/proc/task_mmu.c:466 smaps_pte_entry fs/proc/task_mmu.c:538 [inline] smaps_pte_range+0x611/0x1250 fs/proc/task_mmu.c:601 walk_pmd_range mm/pagewalk.c:128 [inline] walk_pud_range mm/pagewalk.c:205 [inline] walk_p4d_range mm/pagewalk.c:240 [inline] walk_pgd_range mm/pagewalk.c:277 [inline] __walk_page_range+0xe23/0x1ea0 mm/pagewalk.c:379 walk_page_vma+0x277/0x350 mm/pagewalk.c:530 smap_gather_stats.part.0+0x148/0x260 fs/proc/task_mmu.c:768 smap_gather_stats fs/proc/task_mmu.c:741 [inline] show_smap+0xc6/0x440 fs/proc/task_mmu.c:822 seq_read_iter+0xbb0/0x1240 fs/seq_file.c:272 seq_read+0x3e0/0x5b0 fs/seq_file.c:162 vfs_read+0x1b5/0x600 fs/read_write.c:479 ksys_read+0x12d/0x250 fs/read_write.c:619 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The reproducer was trying to read /proc/$PID/smaps when calling MADV_FREE at the mean time. MADV_FREE may split THPs if it is called for partial THP. It may trigger the below race: CPU A CPU B ----- ----- smaps walk: MADV_FREE: page_mapcount() PageCompound() split_huge_page() page = compound_head(page) PageDoubleMap(page) When calling PageDoubleMap() this page is not a tail page of THP anymore so the BUG is triggered. This could be fixed by elevated refcount of the page before calling mapcount, but that would prevent it from counting migration entries, and it seems overkilling because the race just could happen when PMD is split so all PTE entries of tail pages are actually migration entries, and smaps_account() does treat migration entries as mapcount == 1 as Kirill pointed out. Add a new parameter for smaps_account() to tell this entry is migration entry then skip calling page_mapcount(). Don't skip getting mapcount for device private entries since they do track references with mapcount. Pagemap also has the similar issue although it was not reported. Fixed it as well. [shy828301@gmail.com: v4] Link: https://lkml.kernel.org/r/20220203182641.824731-1-shy828301@gmail.com [nathan@kernel.org: avoid unused variable warning in pagemap_pmd_range()] Link: https://lkml.kernel.org/r/20220207171049.1102239-1-nathan@kernel.org

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48802.html
CVE-2022-48802
https://bugzilla.suse.com/1227942
SUSE Bug 1227942

Описание

In the Linux kernel, the following vulnerability has been resolved: phy: ti: Fix missing sentinel for clk_div_table _get_table_maxdiv() tries to access "clk_div_table" array out of bound defined in phy-j721e-wiz.c. Add a sentinel entry to prevent the following global-out-of-bounds error reported by enabling KASAN. [ 9.552392] BUG: KASAN: global-out-of-bounds in _get_maxdiv+0xc0/0x148 [ 9.558948] Read of size 4 at addr ffff8000095b25a4 by task kworker/u4:1/38 [ 9.565926] [ 9.567441] CPU: 1 PID: 38 Comm: kworker/u4:1 Not tainted 5.16.0-116492-gdaadb3bd0e8d-dirty #360 [ 9.576242] Hardware name: Texas Instruments J721e EVM (DT) [ 9.581832] Workqueue: events_unbound deferred_probe_work_func [ 9.587708] Call trace: [ 9.590174] dump_backtrace+0x20c/0x218 [ 9.594038] show_stack+0x18/0x68 [ 9.597375] dump_stack_lvl+0x9c/0xd8 [ 9.601062] print_address_description.constprop.0+0x78/0x334 [ 9.606830] kasan_report+0x1f0/0x260 [ 9.610517] __asan_load4+0x9c/0xd8 [ 9.614030] _get_maxdiv+0xc0/0x148 [ 9.617540] divider_determine_rate+0x88/0x488 [ 9.622005] divider_round_rate_parent+0xc8/0x124 [ 9.626729] wiz_clk_div_round_rate+0x54/0x68 [ 9.631113] clk_core_determine_round_nolock+0x124/0x158 [ 9.636448] clk_core_round_rate_nolock+0x68/0x138 [ 9.641260] clk_core_set_rate_nolock+0x268/0x3a8 [ 9.645987] clk_set_rate+0x50/0xa8 [ 9.649499] cdns_sierra_phy_init+0x88/0x248 [ 9.653794] phy_init+0x98/0x108 [ 9.657046] cdns_pcie_enable_phy+0xa0/0x170 [ 9.661340] cdns_pcie_init_phy+0x250/0x2b0 [ 9.665546] j721e_pcie_probe+0x4b8/0x798 [ 9.669579] platform_probe+0x8c/0x108 [ 9.673350] really_probe+0x114/0x630 [ 9.677037] __driver_probe_device+0x18c/0x220 [ 9.681505] driver_probe_device+0xac/0x150 [ 9.685712] __device_attach_driver+0xec/0x170 [ 9.690178] bus_for_each_drv+0xf0/0x158 [ 9.694124] __device_attach+0x184/0x210 [ 9.698070] device_initial_probe+0x14/0x20 [ 9.702277] bus_probe_device+0xec/0x100 [ 9.706223] deferred_probe_work_func+0x124/0x180 [ 9.710951] process_one_work+0x4b0/0xbc0 [ 9.714983] worker_thread+0x74/0x5d0 [ 9.718668] kthread+0x214/0x230 [ 9.721919] ret_from_fork+0x10/0x20 [ 9.725520] [ 9.727032] The buggy address belongs to the variable: [ 9.732183] clk_div_table+0x24/0x440

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48803.html
CVE-2022-48803
https://bugzilla.suse.com/1227965
SUSE Bug 1227965

Описание

In the Linux kernel, the following vulnerability has been resolved: vt_ioctl: fix array_index_nospec in vt_setactivate array_index_nospec ensures that an out-of-bounds value is set to zero on the transient path. Decreasing the value by one afterwards causes a transient integer underflow. vsa.console should be decreased first and then sanitized with array_index_nospec. Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU Amsterdam.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48804.html
CVE-2022-48804
https://bugzilla.suse.com/1227968
SUSE Bug 1227968

Описание

In the Linux kernel, the following vulnerability has been resolved: net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup ax88179_rx_fixup() contains several out-of-bounds accesses that can be triggered by a malicious (or defective) USB device, in particular: - The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds, causing OOB reads and (on big-endian systems) OOB endianness flips. - A packet can overlap the metadata array, causing a later OOB endianness flip to corrupt data used by a cloned SKB that has already been handed off into the network stack. - A packet SKB can be constructed whose tail is far beyond its end, causing out-of-bounds heap data to be considered part of the SKB's data. I have tested that this can be used by a malicious USB device to send a bogus ICMPv6 Echo Request and receive an ICMPv6 Echo Reply in response that contains random kernel heap data. It's probably also possible to get OOB writes from this on a little-endian system somehow - maybe by triggering skb_cow() via IP options processing -, but I haven't tested that.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48805.html
CVE-2022-48805
https://bugzilla.suse.com/1227969
SUSE Bug 1227969

Описание

In the Linux kernel, the following vulnerability has been resolved: eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX Commit effa453168a7 ("i2c: i801: Don't silently correct invalid transfer size") revealed that ee1004_eeprom_read() did not properly limit how many bytes to read at once. In particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the length to read as an u8. If count == 256 after taking into account the offset and page boundary, the cast to u8 overflows. And this is common when user space tries to read the entire EEPROM at once. To fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already the maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48806.html
CVE-2022-48806
https://bugzilla.suse.com/1227948
SUSE Bug 1227948

Описание

In the Linux kernel, the following vulnerability has been resolved: ice: Fix KASAN error in LAG NETDEV_UNREGISTER handler Currently, the same handler is called for both a NETDEV_BONDING_INFO LAG unlink notification as for a NETDEV_UNREGISTER call. This is causing a problem though, since the netdev_notifier_info passed has a different structure depending on which event is passed. The problem manifests as a call trace from a BUG: KASAN stack-out-of-bounds error. Fix this by creating a handler specific to NETDEV_UNREGISTER that only is passed valid elements in the netdev_notifier_info struct for the NETDEV_UNREGISTER event. Also included is the removal of an unbalanced dev_put on the peer_netdev and related braces.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48807.html
CVE-2022-48807
https://bugzilla.suse.com/1227970
SUSE Bug 1227970
https://bugzilla.suse.com/1228024
SUSE Bug 1228024

Описание

In the Linux kernel, the following vulnerability has been resolved: net: fix a memleak when uncloning an skb dst and its metadata When uncloning an skb dst and its associated metadata, a new dst+metadata is allocated and later replaces the old one in the skb. This is helpful to have a non-shared dst+metadata attached to a specific skb. The issue is the uncloned dst+metadata is initialized with a refcount of 1, which is increased to 2 before attaching it to the skb. When tun_dst_unclone returns, the dst+metadata is only referenced from a single place (the skb) while its refcount is 2. Its refcount will never drop to 0 (when the skb is consumed), leading to a memory leak. Fix this by removing the call to dst_hold in tun_dst_unclone, as the dst+metadata refcount is already 1.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48809.html
CVE-2022-48809
https://bugzilla.suse.com/1227947
SUSE Bug 1227947

Описание

In the Linux kernel, the following vulnerability has been resolved: ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path ip[6]mr_free_table() can only be called under RTNL lock. RTNL: assertion failed at net/core/dev.c (10367) WARNING: CPU: 1 PID: 5890 at net/core/dev.c:10367 unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367 Modules linked in: CPU: 1 PID: 5890 Comm: syz-executor.2 Not tainted 5.16.0-syzkaller-11627-g422ee58dc0ef #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367 Code: 0f 85 9b ee ff ff e8 69 07 4b fa ba 7f 28 00 00 48 c7 c6 00 90 ae 8a 48 c7 c7 40 90 ae 8a c6 05 6d b1 51 06 01 e8 8c 90 d8 01 <0f> 0b e9 70 ee ff ff e8 3e 07 4b fa 4c 89 e7 e8 86 2a 59 fa e9 ee RSP: 0018:ffffc900046ff6e0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff888050f51d00 RSI: ffffffff815fa008 RDI: fffff520008dfece RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815f3d6e R11: 0000000000000000 R12: 00000000fffffff4 R13: dffffc0000000000 R14: ffffc900046ff750 R15: ffff88807b7dc000 FS: 00007f4ab736e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fee0b4f8990 CR3: 000000001e7d2000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> mroute_clean_tables+0x244/0xb40 net/ipv6/ip6mr.c:1509 ip6mr_free_table net/ipv6/ip6mr.c:389 [inline] ip6mr_rules_init net/ipv6/ip6mr.c:246 [inline] ip6mr_net_init net/ipv6/ip6mr.c:1306 [inline] ip6mr_net_init+0x3f0/0x4e0 net/ipv6/ip6mr.c:1298 ops_init+0xaf/0x470 net/core/net_namespace.c:140 setup_net+0x54f/0xbb0 net/core/net_namespace.c:331 copy_net_ns+0x318/0x760 net/core/net_namespace.c:475 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110 copy_namespaces+0x391/0x450 kernel/nsproxy.c:178 copy_process+0x2e0c/0x7300 kernel/fork.c:2167 kernel_clone+0xe7/0xab0 kernel/fork.c:2555 __do_sys_clone+0xc8/0x110 kernel/fork.c:2672 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f4ab89f9059 Code: Unable to access opcode bytes at RIP 0x7f4ab89f902f. RSP: 002b:00007f4ab736e118 EFLAGS: 00000206 ORIG_RAX: 0000000000000038 RAX: ffffffffffffffda RBX: 00007f4ab8b0bf60 RCX: 00007f4ab89f9059 RDX: 0000000020000280 RSI: 0000000020000270 RDI: 0000000040200000 RBP: 00007f4ab8a5308d R08: 0000000020000300 R09: 0000000020000300 R10: 00000000200002c0 R11: 0000000000000206 R12: 0000000000000000 R13: 00007ffc3977cc1f R14: 00007f4ab736e300 R15: 0000000000022000 </TASK>

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48810.html
CVE-2022-48810
https://bugzilla.suse.com/1227936
SUSE Bug 1227936

Описание

In the Linux kernel, the following vulnerability has been resolved: ibmvnic: don't release napi in __ibmvnic_open() If __ibmvnic_open() encounters an error such as when setting link state, it calls release_resources() which frees the napi structures needlessly. Instead, have __ibmvnic_open() only clean up the work it did so far (i.e. disable napi and irqs) and leave the rest to the callers. If caller of __ibmvnic_open() is ibmvnic_open(), it should release the resources immediately. If the caller is do_reset() or do_hard_reset(), they will release the resources on the next reset. This fixes following crash that occurred when running the drmgr command several times to add/remove a vnic interface: [102056] ibmvnic 30000003 env3: Disabling rx_scrq[6] irq [102056] ibmvnic 30000003 env3: Disabling rx_scrq[7] irq [102056] ibmvnic 30000003 env3: Replenished 8 pools Kernel attempted to read user page (10) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000010 Faulting instruction address: 0xc000000000a3c840 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries ... CPU: 9 PID: 102056 Comm: kworker/9:2 Kdump: loaded Not tainted 5.16.0-rc5-autotest-g6441998e2e37 #1 Workqueue: events_long __ibmvnic_reset [ibmvnic] NIP: c000000000a3c840 LR: c0080000029b5378 CTR: c000000000a3c820 REGS: c0000000548e37e0 TRAP: 0300 Not tainted (5.16.0-rc5-autotest-g6441998e2e37) MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 28248484 XER: 00000004 CFAR: c0080000029bdd24 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0 GPR00: c0080000029b55d0 c0000000548e3a80 c0000000028f0200 0000000000000000 ... NIP [c000000000a3c840] napi_enable+0x20/0xc0 LR [c0080000029b5378] __ibmvnic_open+0xf0/0x430 [ibmvnic] Call Trace: [c0000000548e3a80] [0000000000000006] 0x6 (unreliable) [c0000000548e3ab0] [c0080000029b55d0] __ibmvnic_open+0x348/0x430 [ibmvnic] [c0000000548e3b40] [c0080000029bcc28] __ibmvnic_reset+0x500/0xdf0 [ibmvnic] [c0000000548e3c60] [c000000000176228] process_one_work+0x288/0x570 [c0000000548e3d00] [c000000000176588] worker_thread+0x78/0x660 [c0000000548e3da0] [c0000000001822f0] kthread+0x1c0/0x1d0 [c0000000548e3e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 Instruction dump: 7d2948f8 792307e0 4e800020 60000000 3c4c01eb 384239e0 f821ffd1 39430010 38a0fff6 e92d1100 f9210028 39200000 <e9030010> f9010020 60420000 e9210020 ---[ end trace 5f8033b08fd27706 ]---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48811.html
CVE-2022-48811
https://bugzilla.suse.com/1227928
SUSE Bug 1227928

Описание

In the Linux kernel, the following vulnerability has been resolved: net: dsa: lantiq_gswip: don't use devres for mdiobus As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The GSWIP switch is a platform device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the GSWIP switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The gswip driver has the code structure in place for orderly mdiobus removal, so just replace devm_mdiobus_alloc() with the non-devres variant, and add manual free where necessary, to ensure that we don't let devres free a still-registered bus.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48812.html
CVE-2022-48812
https://bugzilla.suse.com/1227971
SUSE Bug 1227971

Описание

In the Linux kernel, the following vulnerability has been resolved: net: dsa: felix: don't use devres for mdiobus As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The Felix VSC9959 switch is a PCI device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the felix switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The felix driver has the code structure in place for orderly mdiobus removal, so just replace devm_mdiobus_alloc_size() with the non-devres variant, and add manual free where necessary, to ensure that we don't let devres free a still-registered bus.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48813.html
CVE-2022-48813
https://bugzilla.suse.com/1227963
SUSE Bug 1227963

Описание

In the Linux kernel, the following vulnerability has been resolved: net: dsa: seville: register the mdiobus under devres As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The Seville VSC9959 switch is a platform device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the seville switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The seville driver has a code structure that could accommodate both the mdiobus_unregister and mdiobus_free calls, but it has an external dependency upon mscc_miim_setup() from mdio-mscc-miim.c, which calls devm_mdiobus_alloc_size() on its behalf. So rather than restructuring that, and exporting yet one more symbol mscc_miim_teardown(), let's work with devres and replace of_mdiobus_register with the devres variant. When we use all-devres, we can ensure that devres doesn't free a still-registered bus (it either runs both callbacks, or none).

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48814.html
CVE-2022-48814
https://bugzilla.suse.com/1227944
SUSE Bug 1227944

Описание

In the Linux kernel, the following vulnerability has been resolved: net: dsa: bcm_sf2: don't use devres for mdiobus As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The Starfighter 2 is a platform device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the bcm_sf2 switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The bcm_sf2 driver has the code structure in place for orderly mdiobus removal, so just replace devm_mdiobus_alloc() with the non-devres variant, and add manual free where necessary, to ensure that we don't let devres free a still-registered bus.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48815.html
CVE-2022-48815
https://bugzilla.suse.com/1227933
SUSE Bug 1227933

Описание

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: lock against ->sock changing during sysfs read ->sock can be set to NULL asynchronously unless ->recv_mutex is held. So it is important to hold that mutex. Otherwise a sysfs read can trigger an oops. Commit 17f09d3f619a ("SUNRPC: Check if the xprt is connected before handling sysfs reads") appears to attempt to fix this problem, but it only narrows the race window.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48816.html
CVE-2022-48816
https://bugzilla.suse.com/1228038
SUSE Bug 1228038

Описание

In the Linux kernel, the following vulnerability has been resolved: net: dsa: ar9331: register the mdiobus under devres As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The ar9331 is an MDIO device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the ar9331 switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The ar9331 driver doesn't have a complex code structure for mdiobus removal, so just replace of_mdiobus_register with the devres variant in order to be all-devres and ensure that we don't free a still-registered bus.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48817.html
CVE-2022-48817
https://bugzilla.suse.com/1227931
SUSE Bug 1227931

Описание

In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: don't use devres for mdiobus As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The mv88e6xxx is an MDIO device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the Marvell switch driver on shutdown. systemd-shutdown[1]: Powering off. mv88e6085 0x0000000008b96000:00 sw_gl0: Link is Down fsl-mc dpbp.9: Removing from iommu group 7 fsl-mc dpbp.8: Removing from iommu group 7 ------------[ cut here ]------------ kernel BUG at drivers/net/phy/mdio_bus.c:677! Internal error: Oops - BUG: 0 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00040-gdc05f73788e5 #15 pc : mdiobus_free+0x44/0x50 lr : devm_mdiobus_free+0x10/0x20 Call trace: mdiobus_free+0x44/0x50 devm_mdiobus_free+0x10/0x20 devres_release_all+0xa0/0x100 __device_release_driver+0x190/0x220 device_release_driver_internal+0xac/0xb0 device_links_unbind_consumers+0xd4/0x100 __device_release_driver+0x4c/0x220 device_release_driver_internal+0xac/0xb0 device_links_unbind_consumers+0xd4/0x100 __device_release_driver+0x94/0x220 device_release_driver+0x28/0x40 bus_remove_device+0x118/0x124 device_del+0x174/0x420 fsl_mc_device_remove+0x24/0x40 __fsl_mc_device_remove+0xc/0x20 device_for_each_child+0x58/0xa0 dprc_remove+0x90/0xb0 fsl_mc_driver_remove+0x20/0x5c __device_release_driver+0x21c/0x220 device_release_driver+0x28/0x40 bus_remove_device+0x118/0x124 device_del+0x174/0x420 fsl_mc_bus_remove+0x80/0x100 fsl_mc_bus_shutdown+0xc/0x1c platform_shutdown+0x20/0x30 device_shutdown+0x154/0x330 kernel_power_off+0x34/0x6c __do_sys_reboot+0x15c/0x250 __arm64_sys_reboot+0x20/0x30 invoke_syscall.constprop.0+0x4c/0xe0 do_el0_svc+0x4c/0x150 el0_svc+0x24/0xb0 el0t_64_sync_handler+0xa8/0xb0 el0t_64_sync+0x178/0x17c So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The Marvell driver already has a good structure for mdiobus removal, so just plug in mdiobus_free and get rid of devres.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48818.html
CVE-2022-48818
https://bugzilla.suse.com/1228039
SUSE Bug 1228039

Описание

In the Linux kernel, the following vulnerability has been resolved: phy: stm32: fix a refcount leak in stm32_usbphyc_pll_enable() This error path needs to decrement "usbphyc->n_pll_cons.counter" before returning.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48820.html
CVE-2022-48820
https://bugzilla.suse.com/1227972
SUSE Bug 1227972

Описание

In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: avoid double fput() on failed usercopy If the copy back to userland fails for the FASTRPC_IOCTL_ALLOC_DMA_BUFF ioctl(), we shouldn't assume that 'buf->dmabuf' is still valid. In fact, dma_buf_fd() called fd_install() before, i.e. "consumed" one reference, leaving us with none. Calling dma_buf_put() will therefore put a reference we no longer own, leading to a valid file descritor table entry for an already released 'file' object which is a straight use-after-free. Simply avoid calling dma_buf_put() and rely on the process exit code to do the necessary cleanup, if needed, i.e. if the file descriptor is still valid.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48821.html
CVE-2022-48821
https://bugzilla.suse.com/1227976
SUSE Bug 1227976
https://bugzilla.suse.com/1228022
SUSE Bug 1228022

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: f_fs: Fix use-after-free for epfile Consider a case where ffs_func_eps_disable is called from ffs_func_disable as part of composition switch and at the same time ffs_epfile_release get called from userspace. ffs_epfile_release will free up the read buffer and call ffs_data_closed which in turn destroys ffs->epfiles and mark it as NULL. While this was happening the driver has already initialized the local epfile in ffs_func_eps_disable which is now freed and waiting to acquire the spinlock. Once spinlock is acquired the driver proceeds with the stale value of epfile and tries to free the already freed read buffer causing use-after-free. Following is the illustration of the race: CPU1 CPU2 ffs_func_eps_disable epfiles (local copy) ffs_epfile_release ffs_data_closed if (last file closed) ffs_data_reset ffs_data_clear ffs_epfiles_destroy spin_lock dereference epfiles Fix this races by taking epfiles local copy & assigning it under spinlock and if epfiles(local) is null then update it in ffs->epfiles then finally destroy it. Extending the scope further from the race, protecting the ep related structures, and concurrent accesses.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48822.html
CVE-2022-48822
https://bugzilla.suse.com/1228040
SUSE Bug 1228040
https://bugzilla.suse.com/1228136
SUSE Bug 1228136

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Fix refcount issue when LOGO is received during TMF Hung task call trace was seen during LOGO processing. [ 974.309060] [0000:00:00.0]:[qedf_eh_device_reset:868]: 1:0:2:0: LUN RESET Issued... [ 974.309065] [0000:00:00.0]:[qedf_initiate_tmf:2422]: tm_flags 0x10 sc_cmd 00000000c16b930f op = 0x2a target_id = 0x2 lun=0 [ 974.309178] [0000:00:00.0]:[qedf_initiate_tmf:2431]: portid=016900 tm_flags =LUN RESET [ 974.309222] [0000:00:00.0]:[qedf_initiate_tmf:2438]: orig io_req = 00000000ec78df8f xid = 0x180 ref_cnt = 1. [ 974.309625] host1: rport 016900: Received LOGO request while in state Ready [ 974.309627] host1: rport 016900: Delete port [ 974.309642] host1: rport 016900: work event 3 [ 974.309644] host1: rport 016900: lld callback ev 3 [ 974.313243] [0000:61:00.2]:[qedf_execute_tmf:2383]:1: fcport is uploading, not executing flush. [ 974.313295] [0000:61:00.2]:[qedf_execute_tmf:2400]:1: task mgmt command success... [ 984.031088] INFO: task jbd2/dm-15-8:7645 blocked for more than 120 seconds. [ 984.031136] Not tainted 4.18.0-305.el8.x86_64 #1 [ 984.031166] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 984.031209] jbd2/dm-15-8 D 0 7645 2 0x80004080 [ 984.031212] Call Trace: [ 984.031222] __schedule+0x2c4/0x700 [ 984.031230] ? unfreeze_partials.isra.83+0x16e/0x1a0 [ 984.031233] ? bit_wait_timeout+0x90/0x90 [ 984.031235] schedule+0x38/0xa0 [ 984.031238] io_schedule+0x12/0x40 [ 984.031240] bit_wait_io+0xd/0x50 [ 984.031243] __wait_on_bit+0x6c/0x80 [ 984.031248] ? free_buffer_head+0x21/0x50 [ 984.031251] out_of_line_wait_on_bit+0x91/0xb0 [ 984.031257] ? init_wait_var_entry+0x50/0x50 [ 984.031268] jbd2_journal_commit_transaction+0x112e/0x19f0 [jbd2] [ 984.031280] kjournald2+0xbd/0x270 [jbd2] [ 984.031284] ? finish_wait+0x80/0x80 [ 984.031291] ? commit_timeout+0x10/0x10 [jbd2] [ 984.031294] kthread+0x116/0x130 [ 984.031300] ? kthread_flush_work_fn+0x10/0x10 [ 984.031305] ret_from_fork+0x1f/0x40 There was a ref count issue when LOGO is received during TMF. This leads to one of the I/Os hanging with the driver. Fix the ref count.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48823.html
CVE-2022-48823
https://bugzilla.suse.com/1228045
SUSE Bug 1228045

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: myrs: Fix crash in error case In myrs_detect(), cs->disable_intr is NULL when privdata->hw_init() fails with non-zero. In this case, myrs_cleanup(cs) will call a NULL ptr and crash the kernel. [ 1.105606] myrs 0000:00:03.0: Unknown Initialization Error 5A [ 1.105872] myrs 0000:00:03.0: Failed to initialize Controller [ 1.106082] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 1.110774] Call Trace: [ 1.110950] myrs_cleanup+0xe4/0x150 [myrs] [ 1.111135] myrs_probe.cold+0x91/0x56a [myrs] [ 1.111302] ? DAC960_GEM_intr_handler+0x1f0/0x1f0 [myrs] [ 1.111500] local_pci_probe+0x48/0x90

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48824.html
CVE-2022-48824
https://bugzilla.suse.com/1227964
SUSE Bug 1227964

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Add stag_work to all the vports Call trace seen when creating NPIV ports, only 32 out of 64 show online. stag work was not initialized for vport, hence initialize the stag work. WARNING: CPU: 8 PID: 645 at kernel/workqueue.c:1635 __queue_delayed_work+0x68/0x80 CPU: 8 PID: 645 Comm: kworker/8:1 Kdump: loaded Tainted: G IOE --------- -- 4.18.0-348.el8.x86_64 #1 Hardware name: Dell Inc. PowerEdge MX740c/0177V9, BIOS 2.12.2 07/09/2021 Workqueue: events fc_lport_timeout [libfc] RIP: 0010:__queue_delayed_work+0x68/0x80 Code: 89 b2 88 00 00 00 44 89 82 90 00 00 00 48 01 c8 48 89 42 50 41 81 f8 00 20 00 00 75 1d e9 60 24 07 00 44 89 c7 e9 98 f6 ff ff <0f> 0b eb c5 0f 0b eb a1 0f 0b eb a7 0f 0b eb ac 44 89 c6 e9 40 23 RSP: 0018:ffffae514bc3be40 EFLAGS: 00010006 RAX: ffff8d25d6143750 RBX: 0000000000000202 RCX: 0000000000000002 RDX: ffff8d2e31383748 RSI: ffff8d25c000d600 RDI: ffff8d2e31383788 RBP: ffff8d2e31380de0 R08: 0000000000002000 R09: ffff8d2e31383750 R10: ffffffffc0c957e0 R11: ffff8d2624800000 R12: ffff8d2e31380a58 R13: ffff8d2d915eb000 R14: ffff8d25c499b5c0 R15: ffff8d2e31380e18 FS: 0000000000000000(0000) GS:ffff8d2d1fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055fd0484b8b8 CR3: 00000008ffc10006 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: queue_delayed_work_on+0x36/0x40 qedf_elsct_send+0x57/0x60 [qedf] fc_lport_enter_flogi+0x90/0xc0 [libfc] fc_lport_timeout+0xb7/0x140 [libfc] process_one_work+0x1a7/0x360 ? create_worker+0x1a0/0x1a0 worker_thread+0x30/0x390 ? create_worker+0x1a0/0x1a0 kthread+0x116/0x130 ? kthread_flush_work_fn+0x10/0x10 ret_from_fork+0x35/0x40 ---[ end trace 008f00f722f2c2ff ]-- Initialize stag work for all the vports.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48825.html
CVE-2022-48825
https://bugzilla.suse.com/1228056
SUSE Bug 1228056

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Fix deadlock on DSI device attach error DSI device attach to DSI host will be done with host device's lock held. Un-registering host in "device attach" error path (ex: probe retry) will result in deadlock with below call trace and non operational DSI display. Startup Call trace: [ 35.043036] rt_mutex_slowlock.constprop.21+0x184/0x1b8 [ 35.043048] mutex_lock_nested+0x7c/0xc8 [ 35.043060] device_del+0x4c/0x3e8 [ 35.043075] device_unregister+0x20/0x40 [ 35.043082] mipi_dsi_remove_device_fn+0x18/0x28 [ 35.043093] device_for_each_child+0x68/0xb0 [ 35.043105] mipi_dsi_host_unregister+0x40/0x90 [ 35.043115] vc4_dsi_host_attach+0xf0/0x120 [vc4] [ 35.043199] mipi_dsi_attach+0x30/0x48 [ 35.043209] tc358762_probe+0x128/0x164 [tc358762] [ 35.043225] mipi_dsi_drv_probe+0x28/0x38 [ 35.043234] really_probe+0xc0/0x318 [ 35.043244] __driver_probe_device+0x80/0xe8 [ 35.043254] driver_probe_device+0xb8/0x118 [ 35.043263] __device_attach_driver+0x98/0xe8 [ 35.043273] bus_for_each_drv+0x84/0xd8 [ 35.043281] __device_attach+0xf0/0x150 [ 35.043290] device_initial_probe+0x1c/0x28 [ 35.043300] bus_probe_device+0xa4/0xb0 [ 35.043308] deferred_probe_work_func+0xa0/0xe0 [ 35.043318] process_one_work+0x254/0x700 [ 35.043330] worker_thread+0x4c/0x448 [ 35.043339] kthread+0x19c/0x1a8 [ 35.043348] ret_from_fork+0x10/0x20 Shutdown Call trace: [ 365.565417] Call trace: [ 365.565423] __switch_to+0x148/0x200 [ 365.565452] __schedule+0x340/0x9c8 [ 365.565467] schedule+0x48/0x110 [ 365.565479] schedule_timeout+0x3b0/0x448 [ 365.565496] wait_for_completion+0xac/0x138 [ 365.565509] __flush_work+0x218/0x4e0 [ 365.565523] flush_work+0x1c/0x28 [ 365.565536] wait_for_device_probe+0x68/0x158 [ 365.565550] device_shutdown+0x24/0x348 [ 365.565561] kernel_restart_prepare+0x40/0x50 [ 365.565578] kernel_restart+0x20/0x70 [ 365.565591] __do_sys_reboot+0x10c/0x220 [ 365.565605] __arm64_sys_reboot+0x2c/0x38 [ 365.565619] invoke_syscall+0x4c/0x110 [ 365.565634] el0_svc_common.constprop.3+0xfc/0x120 [ 365.565648] do_el0_svc+0x2c/0x90 [ 365.565661] el0_svc+0x4c/0xf0 [ 365.565671] el0t_64_sync_handler+0x90/0xb8 [ 365.565682] el0t_64_sync+0x180/0x184

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48826.html
CVE-2022-48826
https://bugzilla.suse.com/1227975
SUSE Bug 1227975

Описание

In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix the behavior of READ near OFFSET_MAX Dan Aloni reports: > Due to commit 8cfb9015280d ("NFS: Always provide aligned buffers to > the RPC read layers") on the client, a read of 0xfff is aligned up > to server rsize of 0x1000. > > As a result, in a test where the server has a file of size > 0x7fffffffffffffff, and the client tries to read from the offset > 0x7ffffffffffff000, the read causes loff_t overflow in the server > and it returns an NFS code of EINVAL to the client. The client as > a result indefinitely retries the request. The Linux NFS client does not handle NFS?ERR_INVAL, even though all NFS specifications permit servers to return that status code for a READ. Instead of NFS?ERR_INVAL, have out-of-range READ requests succeed and return a short result. Set the EOF flag in the result to prevent the client from retrying the READ request. This behavior appears to be consistent with Solaris NFS servers. Note that NFSv3 and NFSv4 use u64 offset values on the wire. These must be converted to loff_t internally before use -- an implicit type cast is not adequate for this purpose. Otherwise VFS checks against sb->s_maxbytes do not work properly.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48827.html
CVE-2022-48827
https://bugzilla.suse.com/1228037
SUSE Bug 1228037

Описание

In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix ia_size underflow iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and NFSv4 both define file size as an unsigned 64-bit type. Thus there is a range of valid file size values an NFS client can send that is already larger than Linux can handle. Currently decode_fattr4() dumps a full u64 value into ia_size. If that value happens to be larger than S64_MAX, then ia_size underflows. I'm about to fix up the NFSv3 behavior as well, so let's catch the underflow in the common code path: nfsd_setattr().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48828.html
CVE-2022-48828
https://bugzilla.suse.com/1228054
SUSE Bug 1228054

Описание

In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes iattr::ia_size is a loff_t, so these NFSv3 procedures must be careful to deal with incoming client size values that are larger than s64_max without corrupting the value. Silently capping the value results in storing a different value than the client passed in which is unexpected behavior, so remove the min_t() check in decode_sattr3(). Note that RFC 1813 permits only the WRITE procedure to return NFS3ERR_FBIG. We believe that NFSv3 reference implementations also return NFS3ERR_FBIG when ia_size is too large.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48829.html
CVE-2022-48829
https://bugzilla.suse.com/1228055
SUSE Bug 1228055

Описание

In the Linux kernel, the following vulnerability has been resolved: can: isotp: fix potential CAN frame reception race in isotp_rcv() When receiving a CAN frame the current code logic does not consider concurrently receiving processes which do not show up in real world usage. Ziyang Xuan writes: The following syz problem is one of the scenarios. so->rx.len is changed by isotp_rcv_ff() during isotp_rcv_cf(), so->rx.len equals 0 before alloc_skb() and equals 4096 after alloc_skb(). That will trigger skb_over_panic() in skb_put(). ======================================================= CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0 RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113 Call Trace: <TASK> skb_over_panic net/core/skbuff.c:118 [inline] skb_put.cold+0x24/0x24 net/core/skbuff.c:1990 isotp_rcv_cf net/can/isotp.c:570 [inline] isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668 deliver net/can/af_can.c:574 [inline] can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635 can_receive+0x31d/0x580 net/can/af_can.c:665 can_rcv+0x120/0x1c0 net/can/af_can.c:696 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579 Therefore we make sure the state changes and data structures stay consistent at CAN frame reception time by adding a spin_lock in isotp_rcv(). This fixes the issue reported by syzkaller but does not affect real world operation.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48830.html
CVE-2022-48830
https://bugzilla.suse.com/1227982
SUSE Bug 1227982

Описание

In the Linux kernel, the following vulnerability has been resolved: ima: fix reference leak in asymmetric_verify() Don't leak a reference to the key if its algorithm is unknown.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48831.html
CVE-2022-48831
https://bugzilla.suse.com/1227986
SUSE Bug 1227986

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Fix bug in pipe direction for control transfers The syzbot fuzzer reported a minor bug in the usbtmc driver: usb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0 WARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412 usb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410 Modules linked in: CPU: 0 PID: 3813 Comm: syz-executor122 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0 ... Call Trace: <TASK> usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline] The problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for all of its transfers, whether they are in or out. It's easy to fix.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48834.html
CVE-2022-48834
https://bugzilla.suse.com/1228062
SUSE Bug 1228062

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Page fault in reply q processing A page fault was encountered in mpt3sas on a LUN reset error path: [ 145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0) [ 145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2) [ 145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2) [ 145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00 [ 145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0) [ 145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0) [ 149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002) [ 149.875202] BUG: unable to handle page fault for address: 00000007fffc445d [ 149.885617] #PF: supervisor read access in kernel mode [ 149.894346] #PF: error_code(0x0000) - not-present page [ 149.903123] PGD 0 P4D 0 [ 149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S O 5.10.89-altav-1 #1 [ 149.934327] Hardware name: DDN 200NVX2 /200NVX2-MB , BIOS ATHG2.2.02.01 09/10/2021 [ 149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas] [ 149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee [ 149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246 [ 150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071 [ 150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8 [ 150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff [ 150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000 [ 150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80 [ 150.054963] FS: 0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000 [ 150.066715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0 [ 150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 150.108323] PKRU: 55555554 [ 150.114690] Call Trace: [ 150.120497] ? printk+0x48/0x4a [ 150.127049] mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas] [ 150.136453] mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas] [ 150.145759] scsih_dev_reset+0xea/0x300 [mpt3sas] [ 150.153891] scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod] [ 150.162206] ? __scsi_host_match+0x20/0x20 [scsi_mod] [ 150.170406] ? scsi_try_target_reset+0x90/0x90 [scsi_mod] [ 150.178925] ? blk_mq_tagset_busy_iter+0x45/0x60 [ 150.186638] ? scsi_try_target_reset+0x90/0x90 [scsi_mod] [ 150.195087] scsi_error_handler+0x3a5/0x4a0 [scsi_mod] [ 150.203206] ? __schedule+0x1e9/0x610 [ 150.209783] ? scsi_eh_get_sense+0x210/0x210 [scsi_mod] [ 150.217924] kthread+0x12e/0x150 [ 150.224041] ? kthread_worker_fn+0x130/0x130 [ 150.231206] ret_from_fork+0x1f/0x30 This is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q pointer outside of the list_for_each_entry() loop. At the end of the full list traversal the pointer is invalid. Move the _base_process_reply_queue() call inside of the loop.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48835.html
CVE-2022-48835
https://bugzilla.suse.com/1228060
SUSE Bug 1228060

Описание

In the Linux kernel, the following vulnerability has been resolved: Input: aiptek - properly check endpoint type Syzbot reported warning in usb_submit_urb() which is caused by wrong endpoint type. There was a check for the number of endpoints, but not for the type of endpoint. Fix it by replacing old desc.bNumEndpoints check with usb_find_common_endpoints() helper for finding endpoints Fail log: usb 5-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 Modules linked in: CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Workqueue: usb_hub_wq hub_event ... Call Trace: <TASK> aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830 input_open_device+0x1bb/0x320 drivers/input/input.c:629 kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48836.html
CVE-2022-48836
https://bugzilla.suse.com/1227989
SUSE Bug 1227989

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: rndis: prevent integer overflow in rndis_set_response() If "BufOffset" is very large the "BufOffset + 8" operation can have an integer overflow.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48837.html
CVE-2022-48837
https://bugzilla.suse.com/1227987
SUSE Bug 1227987

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: Fix use-after-free bug by not setting udc->dev.driver The syzbot fuzzer found a use-after-free bug: BUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320 Read of size 8 at addr ffff88802b934098 by task udevd/3689 CPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 dev_uevent+0x712/0x780 drivers/base/core.c:2320 uevent_show+0x1b8/0x380 drivers/base/core.c:2391 dev_attr_show+0x4b/0x90 drivers/base/core.c:2094 Although the bug manifested in the driver core, the real cause was a race with the gadget core. dev_uevent() does: if (dev->driver) add_uevent_var(env, "DRIVER=%s", dev->driver->name); and between the test and the dereference of dev->driver, the gadget core sets dev->driver to NULL. The race wouldn't occur if the gadget core registered its devices on a real bus, using the standard synchronization techniques of the driver core. However, it's not necessary to make such a large change in order to fix this bug; all we need to do is make sure that udc->dev.driver is always NULL. In fact, there is no reason for udc->dev.driver ever to be set to anything, let alone to the value it currently gets: the address of the gadget's driver. After all, a gadget driver only knows how to manage a gadget, not how to manage a UDC. This patch simply removes the statements in the gadget core that touch udc->dev.driver.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48838.html
CVE-2022-48838
https://bugzilla.suse.com/1227988
SUSE Bug 1227988

Описание

In the Linux kernel, the following vulnerability has been resolved: net/packet: fix slab-out-of-bounds access in packet_recvmsg() syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH and mmap operations, tpacket_rcv() is queueing skbs with garbage in skb->cb[], triggering a too big copy [1] Presumably, users of af_packet using mmap() already gets correct metadata from the mapped buffer, we can simply make sure to clear 12 bytes that might be copied to user space later. BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline] BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489 Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631 CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 memcpy+0x39/0x60 mm/kasan/shadow.c:66 memcpy include/linux/fortify-string.h:225 [inline] packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489 sock_recvmsg_nosec net/socket.c:948 [inline] sock_recvmsg net/socket.c:966 [inline] sock_recvmsg net/socket.c:962 [inline] ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632 ___sys_recvmsg+0x127/0x200 net/socket.c:2674 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fdfd5954c29 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005 RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60 R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54 </TASK> addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame: ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246 this frame has 1 object: [32, 160) 'addr' Memory state around the buggy address: ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 >ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 ^ ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 ==================================================================

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48839.html
CVE-2022-48839
https://bugzilla.suse.com/1227985
SUSE Bug 1227985

Описание

In the Linux kernel, the following vulnerability has been resolved: iavf: Fix hang during reboot/shutdown Recent commit 974578017fc1 ("iavf: Add waiting so the port is initialized in remove") adds a wait-loop at the beginning of iavf_remove() to ensure that port initialization is finished prior unregistering net device. This causes a regression in reboot/shutdown scenario because in this case callback iavf_shutdown() is called and this callback detaches the device, makes it down if it is running and sets its state to __IAVF_REMOVE. Later shutdown callback of associated PF driver (e.g. ice_shutdown) is called. That callback calls among other things sriov_disable() that calls indirectly iavf_remove() (see stack trace below). As the adapter state is already __IAVF_REMOVE then the mentioned loop is end-less and shutdown process hangs. The patch fixes this by checking adapter's state at the beginning of iavf_remove() and skips the rest of the function if the adapter is already in remove state (shutdown is in progress). Reproducer: 1. Create VF on PF driven by ice or i40e driver 2. Ensure that the VF is bound to iavf driver 3. Reboot [52625.981294] sysrq: SysRq : Show Blocked State [52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2 [52625.996732] Call Trace: [52625.999187] __schedule+0x2d1/0x830 [52626.007400] schedule+0x35/0xa0 [52626.010545] schedule_hrtimeout_range_clock+0x83/0x100 [52626.020046] usleep_range+0x5b/0x80 [52626.023540] iavf_remove+0x63/0x5b0 [iavf] [52626.027645] pci_device_remove+0x3b/0xc0 [52626.031572] device_release_driver_internal+0x103/0x1f0 [52626.036805] pci_stop_bus_device+0x72/0xa0 [52626.040904] pci_stop_and_remove_bus_device+0xe/0x20 [52626.045870] pci_iov_remove_virtfn+0xba/0x120 [52626.050232] sriov_disable+0x2f/0xe0 [52626.053813] ice_free_vfs+0x7c/0x340 [ice] [52626.057946] ice_remove+0x220/0x240 [ice] [52626.061967] ice_shutdown+0x16/0x50 [ice] [52626.065987] pci_device_shutdown+0x34/0x60 [52626.070086] device_shutdown+0x165/0x1c5 [52626.074011] kernel_restart+0xe/0x30 [52626.077593] __do_sys_reboot+0x1d2/0x210 [52626.093815] do_syscall_64+0x5b/0x1a0 [52626.097483] entry_SYSCALL_64_after_hwframe+0x65/0xca

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48840.html
CVE-2022-48840
https://bugzilla.suse.com/1227990
SUSE Bug 1227990

Описание

In the Linux kernel, the following vulnerability has been resolved: ice: fix NULL pointer dereference in ice_update_vsi_tx_ring_stats() It is possible to do NULL pointer dereference in routine that updates Tx ring stats. Currently only stats and bytes are updated when ring pointer is valid, but later on ring is accessed to propagate gathered Tx stats onto VSI stats. Change the existing logic to move to next ring when ring is NULL.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48841.html
CVE-2022-48841
https://bugzilla.suse.com/1227991
SUSE Bug 1227991

Описание

In the Linux kernel, the following vulnerability has been resolved: ice: Fix race condition during interface enslave Commit 5dbbbd01cbba83 ("ice: Avoid RTNL lock when re-creating auxiliary device") changes a process of re-creation of aux device so ice_plug_aux_dev() is called from ice_service_task() context. This unfortunately opens a race window that can result in dead-lock when interface has left LAG and immediately enters LAG again. Reproducer: ``` #!/bin/sh ip link add lag0 type bond mode 1 miimon 100 ip link set lag0 for n in {1..10}; do echo Cycle: $n ip link set ens7f0 master lag0 sleep 1 ip link set ens7f0 nomaster done ``` This results in: [20976.208697] Workqueue: ice ice_service_task [ice] [20976.213422] Call Trace: [20976.215871] __schedule+0x2d1/0x830 [20976.219364] schedule+0x35/0xa0 [20976.222510] schedule_preempt_disabled+0xa/0x10 [20976.227043] __mutex_lock.isra.7+0x310/0x420 [20976.235071] enum_all_gids_of_dev_cb+0x1c/0x100 [ib_core] [20976.251215] ib_enum_roce_netdev+0xa4/0xe0 [ib_core] [20976.256192] ib_cache_setup_one+0x33/0xa0 [ib_core] [20976.261079] ib_register_device+0x40d/0x580 [ib_core] [20976.266139] irdma_ib_register_device+0x129/0x250 [irdma] [20976.281409] irdma_probe+0x2c1/0x360 [irdma] [20976.285691] auxiliary_bus_probe+0x45/0x70 [20976.289790] really_probe+0x1f2/0x480 [20976.298509] driver_probe_device+0x49/0xc0 [20976.302609] bus_for_each_drv+0x79/0xc0 [20976.306448] __device_attach+0xdc/0x160 [20976.310286] bus_probe_device+0x9d/0xb0 [20976.314128] device_add+0x43c/0x890 [20976.321287] __auxiliary_device_add+0x43/0x60 [20976.325644] ice_plug_aux_dev+0xb2/0x100 [ice] [20976.330109] ice_service_task+0xd0c/0xed0 [ice] [20976.342591] process_one_work+0x1a7/0x360 [20976.350536] worker_thread+0x30/0x390 [20976.358128] kthread+0x10a/0x120 [20976.365547] ret_from_fork+0x1f/0x40 ... [20976.438030] task:ip state:D stack: 0 pid:213658 ppid:213627 flags:0x00004084 [20976.446469] Call Trace: [20976.448921] __schedule+0x2d1/0x830 [20976.452414] schedule+0x35/0xa0 [20976.455559] schedule_preempt_disabled+0xa/0x10 [20976.460090] __mutex_lock.isra.7+0x310/0x420 [20976.464364] device_del+0x36/0x3c0 [20976.467772] ice_unplug_aux_dev+0x1a/0x40 [ice] [20976.472313] ice_lag_event_handler+0x2a2/0x520 [ice] [20976.477288] notifier_call_chain+0x47/0x70 [20976.481386] __netdev_upper_dev_link+0x18b/0x280 [20976.489845] bond_enslave+0xe05/0x1790 [bonding] [20976.494475] do_setlink+0x336/0xf50 [20976.502517] __rtnl_newlink+0x529/0x8b0 [20976.543441] rtnl_newlink+0x43/0x60 [20976.546934] rtnetlink_rcv_msg+0x2b1/0x360 [20976.559238] netlink_rcv_skb+0x4c/0x120 [20976.563079] netlink_unicast+0x196/0x230 [20976.567005] netlink_sendmsg+0x204/0x3d0 [20976.570930] sock_sendmsg+0x4c/0x50 [20976.574423] ____sys_sendmsg+0x1eb/0x250 [20976.586807] ___sys_sendmsg+0x7c/0xc0 [20976.606353] __sys_sendmsg+0x57/0xa0 [20976.609930] do_syscall_64+0x5b/0x1a0 [20976.613598] entry_SYSCALL_64_after_hwframe+0x65/0xca 1. Command 'ip link ... set nomaster' causes that ice_plug_aux_dev() is called from ice_service_task() context, aux device is created and associated device->lock is taken. 2. Command 'ip link ... set master...' calls ice's notifier under RTNL lock and that notifier calls ice_unplug_aux_dev(). That function tries to take aux device->lock but this is already taken by ice_plug_aux_dev() in step 1 3. Later ice_plug_aux_dev() tries to take RTNL lock but this is already taken in step 2 4. Dead-lock The patch fixes this issue by following changes: - Bit ICE_FLAG_PLUG_AUX_DEV is kept to be set during ice_plug_aux_dev() call in ice_service_task() - The bit is checked in ice_clear_rdma_cap() and only if it is not set then ice_unplug_aux_dev() is called. If it is set (in other words plugging of aux device was requested and ice_plug_aux_dev() is potentially running) then the function only clears the ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48842.html
CVE-2022-48842
https://bugzilla.suse.com/1228064
SUSE Bug 1228064

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/vrr: Set VRR capable prop only if it is attached to connector VRR capable property is not attached by default to the connector It is attached only if VRR is supported. So if the driver tries to call drm core set prop function without it being attached that causes NULL dereference.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48843.html
CVE-2022-48843
https://bugzilla.suse.com/1228066
SUSE Bug 1228066

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix leaking sent_cmd skb sent_cmd memory is not freed before freeing hci_dev causing it to leak it contents.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48844.html
CVE-2022-48844
https://bugzilla.suse.com/1228068
SUSE Bug 1228068

Описание

In the Linux kernel, the following vulnerability has been resolved: block: release rq qos structures for queue without disk blkcg_init_queue() may add rq qos structures to request queue, previously blk_cleanup_queue() calls rq_qos_exit() to release them, but commit 8e141f9eb803 ("block: drain file system I/O on del_gendisk") moves rq_qos_exit() into del_gendisk(), so memory leak is caused because queues may not have disk, such as un-present scsi luns, nvme admin queue, ... Fixes the issue by adding rq_qos_exit() to blk_cleanup_queue() back. BTW, v5.18 won't need this patch any more since we move blkcg_init_queue()/blkcg_exit_queue() into disk allocation/release handler, and patches have been in for-5.18/block.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48846.html
CVE-2022-48846
https://bugzilla.suse.com/1227992
SUSE Bug 1227992

Описание

In the Linux kernel, the following vulnerability has been resolved: watch_queue: Fix filter limit check In watch_queue_set_filter(), there are a couple of places where we check that the filter type value does not exceed what the type_filter bitmap can hold. One place calculates the number of bits by: if (tf[i].type >= sizeof(wfilter->type_filter) * 8) which is fine, but the second does: if (tf[i].type >= sizeof(wfilter->type_filter) * BITS_PER_LONG) which is not. This can lead to a couple of out-of-bounds writes due to a too-large type: (1) __set_bit() on wfilter->type_filter (2) Writing more elements in wfilter->filters[] than we allocated. Fix this by just using the proper WATCH_TYPE__NR instead, which is the number of types we actually know about. The bug may cause an oops looking something like: BUG: KASAN: slab-out-of-bounds in watch_queue_set_filter+0x659/0x740 Write of size 4 at addr ffff88800d2c66bc by task watch_queue_oob/611 ... Call Trace: <TASK> dump_stack_lvl+0x45/0x59 print_address_description.constprop.0+0x1f/0x150 ... kasan_report.cold+0x7f/0x11b ... watch_queue_set_filter+0x659/0x740 ... __x64_sys_ioctl+0x127/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Allocated by task 611: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 watch_queue_set_filter+0x23a/0x740 __x64_sys_ioctl+0x127/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88800d2c66a0 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 28 bytes inside of 32-byte region [ffff88800d2c66a0, ffff88800d2c66c0)

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48847.html
CVE-2022-48847
https://bugzilla.suse.com/1227993
SUSE Bug 1227993

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: bypass tiling flag check in virtual display case (v2) vkms leverages common amdgpu framebuffer creation, and also as it does not support FB modifier, there is no need to check tiling flags when initing framebuffer when virtual display is enabled. This can fix below calltrace: amdgpu 0000:00:08.0: GFX9+ requires FB check based on format modifier WARNING: CPU: 0 PID: 1023 at drivers/gpu/drm/amd/amdgpu/amdgpu_display.c:1150 amdgpu_display_framebuffer_init+0x8e7/0xb40 [amdgpu] v2: check adev->enable_virtual_display instead as vkms can be enabled in bare metal as well.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48849.html
CVE-2022-48849
https://bugzilla.suse.com/1228061
SUSE Bug 1228061

Описание

In the Linux kernel, the following vulnerability has been resolved: net-sysfs: add check for netdevice being present to speed_show When bringing down the netdevice or system shutdown, a panic can be triggered while accessing the sysfs path because the device is already removed. [ 755.549084] mlx5_core 0000:12:00.1: Shutdown was called [ 756.404455] mlx5_core 0000:12:00.0: Shutdown was called ... [ 757.937260] BUG: unable to handle kernel NULL pointer dereference at (null) [ 758.031397] IP: [<ffffffff8ee11acb>] dma_pool_alloc+0x1ab/0x280 crash> bt ... PID: 12649 TASK: ffff8924108f2100 CPU: 1 COMMAND: "amsd" ... #9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778 [exception RIP: dma_pool_alloc+0x1ab] RIP: ffffffff8ee11acb RSP: ffff89240e1a3968 RFLAGS: 00010046 RAX: 0000000000000246 RBX: ffff89243d874100 RCX: 0000000000001000 RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff89243d874090 RBP: ffff89240e1a39c0 R8: 000000000001f080 R9: ffff8905ffc03c00 R10: ffffffffc04680d4 R11: ffffffff8edde9fd R12: 00000000000080d0 R13: ffff89243d874090 R14: ffff89243d874080 R15: 0000000000000000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core] #11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core] #12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core] #13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core] #14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core] #15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core] #16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core] #17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46 #18 [ffff89240e1a3d48] speed_show at ffffffff8f277208 #19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3 #20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf #21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596 #22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10 #23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5 #24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff #25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f #26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92 crash> net_device.state ffff89443b0c0000 state = 0x5 (__LINK_STATE_START| __LINK_STATE_NOCARRIER) To prevent this scenario, we also make sure that the netdevice is present.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48850.html
CVE-2022-48850
https://bugzilla.suse.com/1228071
SUSE Bug 1228071

Описание

In the Linux kernel, the following vulnerability has been resolved: staging: gdm724x: fix use after free in gdm_lte_rx() The netif_rx_ni() function frees the skb so we can't dereference it to save the skb->len.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48851.html
CVE-2022-48851
https://bugzilla.suse.com/1227997
SUSE Bug 1227997

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/vc4: hdmi: Unregister codec device on unbind On bind we will register the HDMI codec device but we don't unregister it on unbind, leading to a device leakage. Unregister our device at unbind.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48852.html
CVE-2022-48852
https://bugzilla.suse.com/1228067
SUSE Bug 1228067

Описание

In the Linux kernel, the following vulnerability has been resolved: swiotlb: fix info leak with DMA_FROM_DEVICE The problem I'm addressing was discovered by the LTP test covering cve-2018-1000204. A short description of what happens follows: 1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV and a corresponding dxferp. The peculiar thing about this is that TUR is not reading from the device. 2) In sg_start_req() the invocation of blk_rq_map_user() effectively bounces the user-space buffer. As if the device was to transfer into it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()") we make sure this first bounce buffer is allocated with GFP_ZERO. 3) For the rest of the story we keep ignoring that we have a TUR, so the device won't touch the buffer we prepare as if the we had a DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device and the buffer allocated by SG is mapped by the function virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here scatter-gather and not scsi generics). This mapping involves bouncing via the swiotlb (we need swiotlb to do virtio in protected guest like s390 Secure Execution, or AMD SEV). 4) When the SCSI TUR is done, we first copy back the content of the second (that is swiotlb) bounce buffer (which most likely contains some previous IO data), to the first bounce buffer, which contains all zeros. Then we copy back the content of the first bounce buffer to the user-space buffer. 5) The test case detects that the buffer, which it zero-initialized, ain't all zeros and fails. One can argue that this is an swiotlb problem, because without swiotlb we leak all zeros, and the swiotlb should be transparent in a sense that it does not affect the outcome (if all other participants are well behaved). Copying the content of the original buffer into the swiotlb buffer is the only way I can think of to make swiotlb transparent in such scenarios. So let's do just that if in doubt, but allow the driver to tell us that the whole mapped buffer is going to be overwritten, in which case we can preserve the old behavior and avoid the performance impact of the extra bounce.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48853.html
CVE-2022-48853
https://bugzilla.suse.com/1228015
SUSE Bug 1228015

Описание

In the Linux kernel, the following vulnerability has been resolved: sctp: fix kernel-infoleak for SCTP sockets syzbot reported a kernel infoleak [1] of 4 bytes. After analysis, it turned out r->idiag_expires is not initialized if inet_sctp_diag_fill() calls inet_diag_msg_common_fill() Make sure to clear idiag_timer/idiag_retrans/idiag_expires and let inet_diag_msg_sctpasoc_fill() fill them again if needed. [1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline] BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668 instrument_copy_to_user include/linux/instrumented.h:121 [inline] copyout lib/iov_iter.c:154 [inline] _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668 copy_to_iter include/linux/uio.h:162 [inline] simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519 __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425 skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533 skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline] netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977 sock_recvmsg_nosec net/socket.c:948 [inline] sock_recvmsg net/socket.c:966 [inline] __sys_recvfrom+0x795/0xa10 net/socket.c:2097 __do_sys_recvfrom net/socket.c:2115 [inline] __se_sys_recvfrom net/socket.c:2111 [inline] __x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Uninit was created at: slab_post_alloc_hook mm/slab.h:737 [inline] slab_alloc_node mm/slub.c:3247 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1158 [inline] netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248 __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373 netlink_dump_start include/linux/netlink.h:254 [inline] inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341 sock_diag_rcv_msg+0x24a/0x620 netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494 sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg net/socket.c:725 [inline] sock_write_iter+0x594/0x690 net/socket.c:1061 do_iter_readv_writev+0xa7f/0xc70 do_iter_write+0x52c/0x1500 fs/read_write.c:851 vfs_writev fs/read_write.c:924 [inline] do_writev+0x645/0xe00 fs/read_write.c:967 __do_sys_writev fs/read_write.c:1040 [inline] __se_sys_writev fs/read_write.c:1037 [inline] __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Bytes 68-71 of 2508 are uninitialized Memory access of size 2508 starts at ffff888114f9b000 Data copied to user address 00007f7fe09ff2e0 CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48855.html
CVE-2022-48855
https://bugzilla.suse.com/1228003
SUSE Bug 1228003

Описание

In the Linux kernel, the following vulnerability has been resolved: gianfar: ethtool: Fix refcount leak in gfar_get_ts_info The of_find_compatible_node() function returns a node pointer with refcount incremented, We should use of_node_put() on it when done Add the missing of_node_put() to release the refcount.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48856.html
CVE-2022-48856
https://bugzilla.suse.com/1228004
SUSE Bug 1228004

Описание

In the Linux kernel, the following vulnerability has been resolved: NFC: port100: fix use-after-free in port100_send_complete Syzbot reported UAF in port100_send_complete(). The root case is in missing usb_kill_urb() calls on error handling path of ->probe function. port100_send_complete() accesses devm allocated memory which will be freed on probe failure. We should kill this urbs before returning an error from probe function to prevent reported use-after-free Fail log: BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26 ... Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670 ... Allocated by task 1255: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524 alloc_dr drivers/base/devres.c:116 [inline] devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823 devm_kzalloc include/linux/device.h:209 [inline] port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502 Freed by task 1255: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:236 [inline] __cache_free mm/slab.c:3437 [inline] kfree+0xf8/0x2b0 mm/slab.c:3794 release_nodes+0x112/0x1a0 drivers/base/devres.c:501 devres_release_all+0x114/0x190 drivers/base/devres.c:530 really_probe+0x626/0xcc0 drivers/base/dd.c:670

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48857.html
CVE-2022-48857
https://bugzilla.suse.com/1228005
SUSE Bug 1228005

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix a race on command flush flow Fix a refcount use after free warning due to a race on command entry. Such race occurs when one of the commands releases its last refcount and frees its index and entry while another process running command flush flow takes refcount to this command entry. The process which handles commands flush may see this command as needed to be flushed if the other process released its refcount but didn't release the index yet. Fix it by adding the needed spin lock. It fixes the following warning trace: refcount_t: addition on 0; use-after-free. WARNING: CPU: 11 PID: 540311 at lib/refcount.c:25 refcount_warn_saturate+0x80/0xe0 ... RIP: 0010:refcount_warn_saturate+0x80/0xe0 ... Call Trace: <TASK> mlx5_cmd_trigger_completions+0x293/0x340 [mlx5_core] mlx5_cmd_flush+0x3a/0xf0 [mlx5_core] enter_error_state+0x44/0x80 [mlx5_core] mlx5_fw_fatal_reporter_err_work+0x37/0xe0 [mlx5_core] process_one_work+0x1be/0x390 worker_thread+0x4d/0x3d0 ? rescuer_thread+0x350/0x350 kthread+0x141/0x160 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x1f/0x30 </TASK>

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48858.html
CVE-2022-48858
https://bugzilla.suse.com/1228006
SUSE Bug 1228006

Описание

In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: Add missing of_node_put() in prestera_switch_set_base_mac_addr This node pointer is returned by of_find_compatible_node() with refcount incremented. Calling of_node_put() to aovid the refcount leak.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48859.html
CVE-2022-48859
https://bugzilla.suse.com/1228007
SUSE Bug 1228007

Описание

In the Linux kernel, the following vulnerability has been resolved: ethernet: Fix error handling in xemaclite_of_probe This node pointer is returned by of_parse_phandle() with refcount incremented in this function. Calling of_node_put() to avoid the refcount leak. As the remove function do.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48860.html
CVE-2022-48860
https://bugzilla.suse.com/1228008
SUSE Bug 1228008

Описание

In the Linux kernel, the following vulnerability has been resolved: vdpa: fix use-after-free on vp_vdpa_remove When vp_vdpa driver is unbind, vp_vdpa is freed in vdpa_unregister_device and then vp_vdpa->mdev.pci_dev is dereferenced in vp_modern_remove, triggering use-after-free. Call Trace of unbinding driver free vp_vdpa : do_syscall_64 vfs_write kernfs_fop_write_iter device_release_driver_internal pci_device_remove vp_vdpa_remove vdpa_unregister_device kobject_release device_release kfree Call Trace of dereference vp_vdpa->mdev.pci_dev: vp_modern_remove pci_release_selected_regions pci_release_region pci_resource_len pci_resource_end (dev)->resource[(bar)].end

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48861.html
CVE-2022-48861
https://bugzilla.suse.com/1228009
SUSE Bug 1228009

Описание

In the Linux kernel, the following vulnerability has been resolved: vhost: fix hung thread due to erroneous iotlb entries In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when start is 0 and last is ULONG_MAX. One instance where it can happen is when userspace sends an IOTLB message with iova=size=uaddr=0 (vhost_process_iotlb_msg). So, an entry with size = 0, start = 0, last = ULONG_MAX ends up in the iotlb. Next time a packet is sent, iotlb_access_ok() loops indefinitely due to that erroneous entry. Call Trace: <TASK> iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340 vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366 vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104 vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372 kthread+0x2e9/0x3a0 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> Reported by syzbot at: https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87 To fix this, do two things: 1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map a range with size 0. 2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX] by splitting it into two entries.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48862.html
CVE-2022-48862
https://bugzilla.suse.com/1228010
SUSE Bug 1228010

Описание

In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsp_pipeline_build() dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, "|"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48863.html
CVE-2022-48863
https://bugzilla.suse.com/1228063
SUSE Bug 1228063

Описание

In the Linux kernel, the following vulnerability has been resolved: vdpa/mlx5: add validation for VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command When control vq receives a VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command request from the driver, presently there is no validation against the number of queue pairs to configure, or even if multiqueue had been negotiated or not is unverified. This may lead to kernel panic due to uninitialized resource for the queues were there any bogus request sent down by untrusted driver. Tie up the loose ends there.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48864.html
CVE-2022-48864
https://bugzilla.suse.com/1228011
SUSE Bug 1228011

Описание

In the Linux kernel, the following vulnerability has been resolved: HID: hid-thrustmaster: fix OOB read in thrustmaster_interrupts Syzbot reported an slab-out-of-bounds Read in thrustmaster_probe() bug. The root case is in missing validation check of actual number of endpoints. Code should not blindly access usb_host_interface::endpoint array, since it may contain less endpoints than code expects. Fix it by adding missing validaion check and print an error if number of endpoints do not match expected number

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-48866.html
CVE-2022-48866
https://bugzilla.suse.com/1228014
SUSE Bug 1228014
https://bugzilla.suse.com/1228785
SUSE Bug 1228785

Описание

Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-24023.html
CVE-2023-24023
https://bugzilla.suse.com/1218148
SUSE Bug 1218148

Описание

In the Linux kernel, the following vulnerability has been resolved: net: prevent mss overflow in skb_segment() Once again syzbot is able to crash the kernel in skb_segment() [1] GSO_BY_FRAGS is a forbidden value, but unfortunately the following computation in skb_segment() can reach it quite easily : mss = mss * partial_segs; 65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to a bad final result. Make sure to limit segmentation so that the new mss value is smaller than GSO_BY_FRAGS. [1] general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551 Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00 RSP: 0018:ffffc900043473d0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597 RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070 RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0 R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046 FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109 ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120 skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53 __skb_gso_segment+0x339/0x710 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626 __dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x257/0x380 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0xd5/0x180 net/socket.c:745 __sys_sendto+0x255/0x340 net/socket.c:2190 __do_sys_sendto net/socket.c:2202 [inline] __se_sys_sendto net/socket.c:2198 [inline] __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b RIP: 0033:0x7f8692032aa9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9 RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003 RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480 R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551 Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00 RSP: 0018:ffffc900043473d0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597 RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070 RBP: ffffc90004347578 R0 ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52435.html
CVE-2023-52435
https://bugzilla.suse.com/1220138
SUSE Bug 1220138

Описание

In the Linux kernel, the following vulnerability has been resolved: net: rds: Fix possible NULL-pointer dereference In rds_rdma_cm_event_handler_cmn() check, if conn pointer exists before dereferencing it as rdma_set_service_type() argument Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52573.html
CVE-2023-52573
https://bugzilla.suse.com/1220869
SUSE Bug 1220869

Описание

In the Linux kernel, the following vulnerability has been resolved: net/core: Fix ETH_P_1588 flow dissector When a PTP ethernet raw frame with a size of more than 256 bytes followed by a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation is wrong. For example: hdr->message_length takes the wrong value (0xffff) and it does not replicate real header length. In this case, 'nhoff' value was overridden and the PTP header was badly dissected. This leads to a kernel crash. net/core: flow_dissector net/core flow dissector nhoff = 0x0000000e net/core flow dissector hdr->message_length = 0x0000ffff net/core flow dissector nhoff = 0x0001000d (u16 overflow) ... skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 skb frag: 00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Using the size of the ptp_header struct will allow the corrected calculation of the nhoff value. net/core flow dissector nhoff = 0x0000000e net/core flow dissector nhoff = 0x00000030 (sizeof ptp_header) ... skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff skb linear: 00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff skb linear: 00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff skb frag: 00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Kernel trace: [ 74.984279] ------------[ cut here ]------------ [ 74.989471] kernel BUG at include/linux/skbuff.h:2440! [ 74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G U 5.15.85-intel-ese-standard-lts #1 [ 75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SB_ADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023 [ 75.026507] RIP: 0010:eth_type_trans+0xd0/0x130 [ 75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9 [ 75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297 [ 75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003 [ 75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300 [ 75.074458] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800 [ 75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010 [ 75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800 [ 75.098464] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000 [ 75.107530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0 [ 75.121980] PKRU: 55555554 [ 75.125035] Call Trace: [ 75.127792] <IRQ> [ 75.130063] ? eth_get_headlen+0xa4/0xc0 [ 75.134472] igc_process_skb_fields+0xcd/0x150 [ 75.139461] igc_poll+0xc80/0x17b0 [ 75.143272] __napi_poll+0x27/0x170 [ 75.147192] net_rx_action+0x234/0x280 [ 75.151409] __do_softirq+0xef/0x2f4 [ 75.155424] irq_exit_rcu+0xc7/0x110 [ 75.159432] common_interrupt+0xb8/0xd0 [ 75.163748] </IRQ> [ 75.166112] <TASK> [ 75.168473] asm_common_interrupt+0x22/0x40 [ 75.173175] RIP: 0010:cpuidle_enter_state+0xe2/0x350 [ 75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 <0f> 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1 [ 75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202 [ 75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f [ 75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20 [ 75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001 [ 75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980 [ 75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000 [ 75.245635] ? ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52580.html
CVE-2023-52580
https://bugzilla.suse.com/1220876
SUSE Bug 1220876

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: avoid online resizing failures due to oversized flex bg When we online resize an ext4 filesystem with a oversized flexbg_size, mkfs.ext4 -F -G 67108864 $dev -b 4096 100M mount $dev $dir resize2fs $dev 16G the following WARN_ON is triggered: ================================================================== WARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550 Modules linked in: sg(E) CPU: 0 PID: 427 Comm: resize2fs Tainted: G E 6.6.0-rc5+ #314 RIP: 0010:__alloc_pages+0x411/0x550 Call Trace: <TASK> __kmalloc_large_node+0xa2/0x200 __kmalloc+0x16e/0x290 ext4_resize_fs+0x481/0xd80 __ext4_ioctl+0x1616/0x1d90 ext4_ioctl+0x12/0x20 __x64_sys_ioctl+0xf0/0x150 do_syscall_64+0x3b/0x90 ================================================================== This is because flexbg_size is too large and the size of the new_group_data array to be allocated exceeds MAX_ORDER. Currently, the minimum value of MAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding maximum number of groups that can be allocated is: (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ~ 21845 And the value that is down-aligned to the power of 2 is 16384. Therefore, this value is defined as MAX_RESIZE_BG, and the number of groups added each time does not exceed this value during resizing, and is added multiple times to complete the online resizing. The difference is that the metadata in a flex_bg may be more dispersed.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52622.html
CVE-2023-52622
https://bugzilla.suse.com/1222080
SUSE Bug 1222080

Описание

In the Linux kernel, the following vulnerability has been resolved: Revert "net/mlx5: Block entering switchdev mode with ns inconsistency" This reverts commit 662404b24a4c4d839839ed25e3097571f5938b9b. The revert is required due to the suspicion it is not good for anything and cause crash.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52658.html
CVE-2023-52658
https://bugzilla.suse.com/1224719
SUSE Bug 1224719

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: fix a potential double-free in fs_any_create_groups When kcalloc() for ft->g succeeds but kvzalloc() for in fails, fs_any_create_groups() will free ft->g. However, its caller fs_any_create_table() will free ft->g again through calling mlx5e_destroy_flow_table(), which will lead to a double-free. Fix this by setting ft->g to NULL in fs_any_create_groups().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52667.html
CVE-2023-52667
https://bugzilla.suse.com/1224603
SUSE Bug 1224603

Описание

In the Linux kernel, the following vulnerability has been resolved: rpmsg: virtio: Free driver_override when rpmsg_remove() Free driver_override when rpmsg_remove(), otherwise the following memory leak will occur: unreferenced object 0xffff0000d55d7080 (size 128): comm "kworker/u8:2", pid 56, jiffies 4294893188 (age 214.272s) hex dump (first 32 bytes): 72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320 [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70 [<00000000228a60c3>] kstrndup+0x4c/0x90 [<0000000077158695>] driver_set_override+0xd0/0x164 [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170 [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30 [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280 [<00000000443331cc>] really_probe+0xbc/0x2dc [<00000000391064b1>] __driver_probe_device+0x78/0xe0 [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160 [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140 [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4 [<000000003b929a36>] __device_attach+0x9c/0x19c [<00000000a94e0ba8>] device_initial_probe+0x14/0x20 [<000000003c999637>] bus_probe_device+0xa0/0xac

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52670.html
CVE-2023-52670
https://bugzilla.suse.com/1224696
SUSE Bug 1224696

Описание

In the Linux kernel, the following vulnerability has been resolved: pipe: wakeup wr_wait after setting max_usage Commit c73be61cede5 ("pipe: Add general notification queue support") a regression was introduced that would lock up resized pipes under certain conditions. See the reproducer in [1]. The commit resizing the pipe ring size was moved to a different function, doing that moved the wakeup for pipe->wr_wait before actually raising pipe->max_usage. If a pipe was full before the resize occured it would result in the wakeup never actually triggering pipe_write. Set @max_usage and @nr_accounted before waking writers if this isn't a watch queue. [Christian Brauner <brauner@kernel.org>: rewrite to account for watch queues]

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52672.html
CVE-2023-52672
https://bugzilla.suse.com/1224614
SUSE Bug 1224614

Описание

In the Linux kernel, the following vulnerability has been resolved: powerpc/imc-pmu: Add a null pointer check in update_events_in_group() kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52675.html
CVE-2023-52675
https://bugzilla.suse.com/1224504
SUSE Bug 1224504

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself sock_map proto callbacks should never call themselves by design. Protect against bugs like [1] and break out of the recursive loop to avoid a stack overflow in favor of a resource leak. [1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52735.html
CVE-2023-52735
https://bugzilla.suse.com/1225475
SUSE Bug 1225475

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: lock the inode in shared mode before starting fiemap Currently fiemap does not take the inode's lock (VFS lock), it only locks a file range in the inode's io tree. This however can lead to a deadlock if we have a concurrent fsync on the file and fiemap code triggers a fault when accessing the user space buffer with fiemap_fill_next_extent(). The deadlock happens on the inode's i_mmap_lock semaphore, which is taken both by fsync and btrfs_page_mkwrite(). This deadlock was recently reported by syzbot and triggers a trace like the following: task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004 Call Trace: <TASK> context_switch kernel/sched/core.c:5293 [inline] __schedule+0x995/0xe20 kernel/sched/core.c:6606 schedule+0xcb/0x190 kernel/sched/core.c:6682 wait_on_state fs/btrfs/extent-io-tree.c:707 [inline] wait_extent_bit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751 lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742 find_lock_delalloc_range+0x4e6/0x9c0 fs/btrfs/extent_io.c:488 writepage_delalloc+0x1ef/0x540 fs/btrfs/extent_io.c:1863 __extent_writepage+0x736/0x14e0 fs/btrfs/extent_io.c:2174 extent_write_cache_pages+0x983/0x1220 fs/btrfs/extent_io.c:3091 extent_writepages+0x219/0x540 fs/btrfs/extent_io.c:3211 do_writepages+0x3c3/0x680 mm/page-writeback.c:2581 filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388 __filemap_fdatawrite_range mm/filemap.c:421 [inline] filemap_fdatawrite_range+0x175/0x200 mm/filemap.c:439 btrfs_fdatawrite_range fs/btrfs/file.c:3850 [inline] start_ordered_ops fs/btrfs/file.c:1737 [inline] btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839 generic_write_sync include/linux/fs.h:2885 [inline] btrfs_do_write_iter+0xcd3/0x1280 fs/btrfs/file.c:1684 call_write_iter include/linux/fs.h:2189 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x7dc/0xc50 fs/read_write.c:584 ksys_write+0x177/0x2a0 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f7d4054e9b9 RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f7d405d87a0 RCX: 00007f7d4054e9b9 RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006 RBP: 00007f7d405a51d0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69 R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8 </TASK> INFO: task syz-executor361:5697 blocked for more than 145 seconds. Not tainted 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor361 state:D stack:21216 pid:5697 ppid:5119 flags:0x00004004 Call Trace: <TASK> context_switch kernel/sched/core.c:5293 [inline] __schedule+0x995/0xe20 kernel/sched/core.c:6606 schedule+0xcb/0x190 kernel/sched/core.c:6682 rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095 __down_read_common+0x54/0x2a0 kernel/locking/rwsem.c:1260 btrfs_page_mkwrite+0x417/0xc80 fs/btrfs/inode.c:8526 do_page_mkwrite+0x19e/0x5e0 mm/memory.c:2947 wp_page_shared+0x15e/0x380 mm/memory.c:3295 handle_pte_fault mm/memory.c:4949 [inline] __handle_mm_fault mm/memory.c:5073 [inline] handle_mm_fault+0x1b79/0x26b0 mm/memory.c:5219 do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428 handle_page_fault arch/x86/mm/fault.c:1519 [inline] exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570 RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233 Code: 74 0a 89 (...) RSP: 0018:ffffc9000570f330 EFLAGS: 000502 ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52737.html
CVE-2023-52737
https://bugzilla.suse.com/1225484
SUSE Bug 1225484

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in smb2_query_info_compound() The following UAF was triggered when running fstests generic/072 with KASAN enabled against Windows Server 2022 and mount options 'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm' BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs] Read of size 8 at addr ffff888014941048 by task xfs_io/27534 CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 Call Trace: dump_stack_lvl+0x4a/0x80 print_report+0xcf/0x650 ? srso_alias_return_thunk+0x5/0x7f ? srso_alias_return_thunk+0x5/0x7f ? __phys_addr+0x46/0x90 kasan_report+0xda/0x110 ? smb2_query_info_compound+0x423/0x6d0 [cifs] ? smb2_query_info_compound+0x423/0x6d0 [cifs] smb2_query_info_compound+0x423/0x6d0 [cifs] ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0x7f ? __stack_depot_save+0x39/0x480 ? kasan_save_stack+0x33/0x60 ? kasan_set_track+0x25/0x30 ? ____kasan_slab_free+0x126/0x170 smb2_queryfs+0xc2/0x2c0 [cifs] ? __pfx_smb2_queryfs+0x10/0x10 [cifs] ? __pfx___lock_acquire+0x10/0x10 smb311_queryfs+0x210/0x220 [cifs] ? __pfx_smb311_queryfs+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0x7f ? __lock_acquire+0x480/0x26c0 ? lock_release+0x1ed/0x640 ? srso_alias_return_thunk+0x5/0x7f ? do_raw_spin_unlock+0x9b/0x100 cifs_statfs+0x18c/0x4b0 [cifs] statfs_by_dentry+0x9b/0xf0 fd_statfs+0x4e/0xb0 __do_sys_fstatfs+0x7f/0xe0 ? __pfx___do_sys_fstatfs+0x10/0x10 ? srso_alias_return_thunk+0x5/0x7f ? lockdep_hardirqs_on_prepare+0x136/0x200 ? srso_alias_return_thunk+0x5/0x7f do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Allocated by task 27534: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 __kasan_kmalloc+0x8f/0xa0 open_cached_dir+0x71b/0x1240 [cifs] smb2_query_info_compound+0x5c3/0x6d0 [cifs] smb2_queryfs+0xc2/0x2c0 [cifs] smb311_queryfs+0x210/0x220 [cifs] cifs_statfs+0x18c/0x4b0 [cifs] statfs_by_dentry+0x9b/0xf0 fd_statfs+0x4e/0xb0 __do_sys_fstatfs+0x7f/0xe0 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Freed by task 27534: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2b/0x50 ____kasan_slab_free+0x126/0x170 slab_free_freelist_hook+0xd0/0x1e0 __kmem_cache_free+0x9d/0x1b0 open_cached_dir+0xff5/0x1240 [cifs] smb2_query_info_compound+0x5c3/0x6d0 [cifs] smb2_queryfs+0xc2/0x2c0 [cifs] This is a race between open_cached_dir() and cached_dir_lease_break() where the cache entry for the open directory handle receives a lease break while creating it. And before returning from open_cached_dir(), we put the last reference of the new @cfid because of !@cfid->has_lease. Besides the UAF, while running xfstests a lot of missed lease breaks have been noticed in tests that run several concurrent statfs(2) calls on those cached fids CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame... CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1... CIFS: VFS: \\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108 CIFS: VFS: Dump pending requests: CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame... CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1... CIFS: VFS: \\w22-root1.gandalf.test smb buf 000000005aa7316e len 108 ... To fix both, in open_cached_dir() ensure that @cfid->has_lease is set right before sending out compounded request so that any potential lease break will be get processed by demultiplex thread while we're still caching @cfid. And, if open failed for some reason, re-check @cfid->has_lease to decide whether or not put lease reference.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52751.html
CVE-2023-52751
https://bugzilla.suse.com/1225489
SUSE Bug 1225489

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] <TASK> [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52752.html
CVE-2023-52752
https://bugzilla.suse.com/1225487
SUSE Bug 1225487
https://bugzilla.suse.com/1225819
SUSE Bug 1225819

Описание

In the Linux kernel, the following vulnerability has been resolved: virtio-blk: fix implicit overflow on virtio_max_dma_size The following codes have an implicit conversion from size_t to u32: (u32)max_size = (size_t)virtio_max_dma_size(vdev); This may lead overflow, Ex (size_t)4G -> (u32)0. Once virtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX instead.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52762.html
CVE-2023-52762
https://bugzilla.suse.com/1225573
SUSE Bug 1225573

Описание

In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler Do not loop over ring headers in hci_dma_irq_handler() that are not allocated and enabled in hci_dma_init(). Otherwise out of bounds access will occur from rings->headers[i] access when i >= number of allocated ring headers.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52766.html
CVE-2023-52766
https://bugzilla.suse.com/1230620
SUSE Bug 1230620

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: avoid data corruption caused by decline We found a data corruption issue during testing of SMC-R on Redis applications. The benchmark has a low probability of reporting a strange error as shown below. "Error: Protocol error, got "\xe2" as reply type byte" Finally, we found that the retrieved error data was as follows: 0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C 0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2 It is quite obvious that this is a SMC DECLINE message, which means that the applications received SMC protocol message. We found that this was caused by the following situations: client server | clc proposal -------------> | clc accept <------------- | clc confirm -------------> wait llc confirm send llc confirm |failed llc confirm | x------ (after 2s)timeout wait llc confirm rsp wait decline (after 1s) timeout (after 2s) timeout | decline --------------> | decline <-------------- As a result, a decline message was sent in the implementation, and this message was read from TCP by the already-fallback connection. This patch double the client timeout as 2x of the server value, With this simple change, the Decline messages should never cross or collide (during Confirm link timeout). This issue requires an immediate solution, since the protocol updates involve a more long-term solution.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52775.html
CVE-2023-52775
https://bugzilla.suse.com/1225088
SUSE Bug 1225088

Описание

In the Linux kernel, the following vulnerability has been resolved: bonding: stop the device in bond_setup_by_slave() Commit 9eed321cde22 ("net: lapbether: only support ethernet devices") has been able to keep syzbot away from net/lapb, until today. In the following splat [1], the issue is that a lapbether device has been created on a bonding device without members. Then adding a non ARPHRD_ETHER member forced the bonding master to change its type. The fix is to make sure we call dev_close() in bond_setup_by_slave() so that the potential linked lapbether devices (or any other devices having assumptions on the physical device) are removed. A similar bug has been addressed in commit 40baec225765 ("bonding: fix panic on non-ARPHRD_ETHER enslave failure") [1] skbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0 kernel BUG at net/core/skbuff.c:192 ! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_panic net/core/skbuff.c:188 [inline] pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202 lr : skb_panic net/core/skbuff.c:188 [inline] lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202 sp : ffff800096a06aa0 x29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000 x26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea x23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140 x20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100 x17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001 x14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00 x8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001 x5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c x2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086 Call trace: skb_panic net/core/skbuff.c:188 [inline] skb_under_panic+0x13c/0x140 net/core/skbuff.c:202 skb_push+0xf0/0x108 net/core/skbuff.c:2446 ip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384 dev_hard_header include/linux/netdevice.h:3136 [inline] lapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257 lapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447 lapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149 lapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251 __lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326 lapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492 notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461 call_netdevice_notifiers_info net/core/dev.c:1970 [inline] call_netdevice_notifiers_extack net/core/dev.c:2008 [inline] call_netdevice_notifiers net/core/dev.c:2022 [inline] __dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508 dev_close_many+0x1e0/0x470 net/core/dev.c:1559 dev_close+0x174/0x250 net/core/dev.c:1585 lapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466 notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461 call_netdevice_notifiers_info net/core/dev.c:1970 [inline] call_netdevice_notifiers_extack net/core/dev.c:2008 [inline] call_netdevice_notifiers net/core/dev.c:2022 [inline] __dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508 dev_close_many+0x1e0/0x470 net/core/dev.c:1559 dev_close+0x174/0x250 net/core/dev.c:1585 bond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332 bond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539 dev_ifsioc+0x754/0x9ac dev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786 sock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217 sock_ioctl+0x4e8/0x834 net/socket.c:1322 vfs_ioctl fs/ioctl.c:51 [inline] __do_ ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52784.html
CVE-2023-52784
https://bugzilla.suse.com/1224946
SUSE Bug 1224946

Описание

In the Linux kernel, the following vulnerability has been resolved: blk-mq: make sure active queue usage is held for bio_integrity_prep() blk_integrity_unregister() can come if queue usage counter isn't held for one bio with integrity prepared, so this request may be completed with calling profile->complete_fn, then kernel panic. Another constraint is that bio_integrity_prep() needs to be called before bio merge. Fix the issue by: - call bio_integrity_prep() with one queue usage counter grabbed reliably - call bio_integrity_prep() before bio merge

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52787.html
CVE-2023-52787
https://bugzilla.suse.com/1225105
SUSE Bug 1225105

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix htt pktlog locking The ath11k active pdevs are protected by RCU but the htt pktlog handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues. Compile tested only.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52800.html
CVE-2023-52800
https://bugzilla.suse.com/1230600
SUSE Bug 1230600

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd: check num of link levels when update pcie param In SR-IOV environment, the value of pcie_table->num_of_link_levels will be 0, and num_of_levels - 1 will cause array index out of bounds

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52812.html
CVE-2023-52812
https://bugzilla.suse.com/1225564
SUSE Bug 1225564

Описание

In the Linux kernel, the following vulnerability has been resolved: perf/core: Bail out early if the request AUX area is out of bound When perf-record with a large AUX area, e.g 4GB, it fails with: #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1 failed to mmap with 12 (Cannot allocate memory) and it reveals a WARNING with __alloc_pages(): ------------[ cut here ]------------ WARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248 Call trace: __alloc_pages+0x1ec/0x248 __kmalloc_large_node+0xc0/0x1f8 __kmalloc_node+0x134/0x1e8 rb_alloc_aux+0xe0/0x298 perf_mmap+0x440/0x660 mmap_region+0x308/0x8a8 do_mmap+0x3c0/0x528 vm_mmap_pgoff+0xf4/0x1b8 ksys_mmap_pgoff+0x18c/0x218 __arm64_sys_mmap+0x38/0x58 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0x58/0x188 do_el0_svc+0x34/0x50 el0_svc+0x34/0x108 el0t_64_sync_handler+0xb8/0xc0 el0t_64_sync+0x1a4/0x1a8 'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to maintains AUX trace pages. The allocated page for this array is physically contiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the size of pointer array crosses the limitation set by MAX_ORDER, it reveals a WARNING. So bail out early with -ENOMEM if the request AUX area is out of bound, e.g.: #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1 failed to mmap with 12 (Cannot allocate memory)

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52835.html
CVE-2023-52835
https://bugzilla.suse.com/1225602
SUSE Bug 1225602

Описание

In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_open Commit 4af5f2e03013 ("nbd: use blk_mq_alloc_disk and blk_cleanup_disk") cleans up disk by blk_cleanup_disk() and it won't set disk->private_data as NULL as before. UAF may be triggered in nbd_open() if someone tries to open nbd device right after nbd_put() since nbd has been free in nbd_dev_remove(). Fix this by implementing ->free_disk and free private data in it.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52837.html
CVE-2023-52837
https://bugzilla.suse.com/1224935
SUSE Bug 1224935

Описание

In the Linux kernel, the following vulnerability has been resolved: llc: verify mac len before reading mac header LLC reads the mac header with eth_hdr without verifying that the skb has an Ethernet header. Syzbot was able to enter llc_rcv on a tun device. Tun can insert packets without mac len and with user configurable skb->protocol (passing a tun_pi header when not configuring IFF_NO_PI). BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline] BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111 llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline] llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111 llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218 __netif_receive_skb_one_core net/core/dev.c:5523 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637 netif_receive_skb_internal net/core/dev.c:5723 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5782 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002 Add a mac_len test before all three eth_hdr(skb) calls under net/llc. There are further uses in include/net/llc_pdu.h. All these are protected by a test skb->protocol == ETH_P_802_2. Which does not protect against this tun scenario. But the mac_len test added in this patch in llc_fixup_skb will indirectly protect those too. That is called from llc_rcv before any other LLC code. It is tempting to just add a blanket mac_len check in llc_rcv, but not sure whether that could break valid LLC paths that do not assume an Ethernet header. 802.2 LLC may be used on top of non-802.3 protocols in principle. The below referenced commit shows that used to, on top of Token Ring. At least one of the three eth_hdr uses goes back to before the start of git history. But the one that syzbot exercises is introduced in this commit. That commit is old enough (2008), that effectively all stable kernels should receive this.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52843.html
CVE-2023-52843
https://bugzilla.suse.com/1224951
SUSE Bug 1224951

Описание

In the Linux kernel, the following vulnerability has been resolved: tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING syzbot reported the following uninit-value access issue [1]: ===================================================== BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline] BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756 strlen lib/string.c:418 [inline] strstr+0xb8/0x2f0 lib/string.c:756 tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595 genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 sock_sendmsg_nosec net/socket.c:730 [inline] sock_sendmsg net/socket.c:753 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 __sys_sendmsg net/socket.c:2624 [inline] __do_sys_sendmsg net/socket.c:2633 [inline] __se_sys_sendmsg net/socket.c:2631 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was created at: slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559 __alloc_skb+0x318/0x740 net/core/skbuff.c:650 alloc_skb include/linux/skbuff.h:1286 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 sock_sendmsg_nosec net/socket.c:730 [inline] sock_sendmsg net/socket.c:753 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 __sys_sendmsg net/socket.c:2624 [inline] __do_sys_sendmsg net/socket.c:2633 [inline] __se_sys_sendmsg net/socket.c:2631 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd TIPC bearer-related names including link names must be null-terminated strings. If a link name which is not null-terminated is passed through netlink, strstr() and similar functions can cause buffer overrun. This causes the above issue. This patch changes the nla_policy for bearer-related names from NLA_STRING to NLA_NUL_STRING. This resolves the issue by ensuring that only null-terminated strings are accepted as bearer-related names. syzbot reported similar uninit-value issue related to bearer names [2]. The root cause of this issue is that a non-null-terminated bearer name was passed. This patch also resolved this issue.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52845.html
CVE-2023-52845
https://bugzilla.suse.com/1225585
SUSE Bug 1225585

Описание

In the Linux kernel, the following vulnerability has been resolved: hsr: Prevent use after free in prp_create_tagged_frame() The prp_fill_rct() function can fail. In that situation, it frees the skb and returns NULL. Meanwhile on the success path, it returns the original skb. So it's straight forward to fix bug by using the returned value.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52846.html
CVE-2023-52846
https://bugzilla.suse.com/1225098
SUSE Bug 1225098
https://bugzilla.suse.com/1225099
SUSE Bug 1225099

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix coverity issue with unintentional integer overflow 1. Instead of multiplying 2 variable of different types. Change to assign a value of one variable and then multiply the other variable. 2. Add a int variable for multiplier calculation instead of calculating different types multiplier with dma_addr_t variable directly.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52857.html
CVE-2023-52857
https://bugzilla.suse.com/1225581
SUSE Bug 1225581

Описание

In the Linux kernel, the following vulnerability has been resolved: hwmon: (axi-fan-control) Fix possible NULL pointer dereference axi_fan_control_irq_handler(), dependent on the private axi_fan_control_data structure, might be called before the hwmon device is registered. That will cause an "Unable to handle kernel NULL pointer dereference" error.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52863.html
CVE-2023-52863
https://bugzilla.suse.com/1225586
SUSE Bug 1225586

Описание

In the Linux kernel, the following vulnerability has been resolved: pstore/platform: Add check for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52869.html
CVE-2023-52869
https://bugzilla.suse.com/1225050
SUSE Bug 1225050

Описание

In the Linux kernel, the following vulnerability has been resolved: tcp: do not accept ACK of bytes we never sent This patch is based on a detailed report and ideas from Yepeng Pan and Christian Rossow. ACK seq validation is currently following RFC 5961 5.2 guidelines: The ACK value is considered acceptable only if it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT). All incoming segments whose ACK value doesn't satisfy the above condition MUST be discarded and an ACK sent back. It needs to be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an ACK, drop the segment, and return". The "ignored" above implies that the processing of the incoming data segment continues, which means the ACK value is treated as acceptable. This mitigation makes the ACK check more stringent since any ACK < SND.UNA wouldn't be accepted, instead only ACKs that are in the range ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through. This can be refined for new (and possibly spoofed) flows, by not accepting ACK for bytes that were never sent. This greatly improves TCP security at a little cost. I added a Fixes: tag to make sure this patch will reach stable trees, even if the 'blamed' patch was adhering to the RFC. tp->bytes_acked was added in linux-4.2 Following packetdrill test (courtesy of Yepeng Pan) shows the issue at hand: 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 +0 bind(3, ..., ...) = 0 +0 listen(3, 1024) = 0 // ---------------- Handshake ------------------- // // when window scale is set to 14 the window size can be extended to // 65535 * (2^14) = 1073725440. Linux would accept an ACK packet // with ack number in (Server_ISN+1-1073725440. Server_ISN+1) // ,though this ack number acknowledges some data never // sent by the server. +0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14> +0 > S. 0:0(0) ack 1 <...> +0 < . 1:1(0) ack 1 win 65535 +0 accept(3, ..., ...) = 4 // For the established connection, we send an ACK packet, // the ack packet uses ack number 1 - 1073725300 + 2^32, // where 2^32 is used to wrap around. // Note: we used 1073725300 instead of 1073725440 to avoid possible // edge cases. // 1 - 1073725300 + 2^32 = 3221241997 // Oops, old kernels happily accept this packet. +0 < . 1:1001(1000) ack 3221241997 win 65535 // After the kernel fix the following will be replaced by a challenge ACK, // and prior malicious frame would be dropped. +0 > . 1:1(0) ack 1001

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52881.html
CVE-2023-52881
https://bugzilla.suse.com/1223384
SUSE Bug 1223384
https://bugzilla.suse.com/1225611
SUSE Bug 1225611
https://bugzilla.suse.com/1226152
SUSE Bug 1226152

Описание

In the Linux kernel, the following vulnerability has been resolved: clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change While PLL CPUX clock rate change when CPU is running from it works in vast majority of cases, now and then it causes instability. This leads to system crashes and other undefined behaviour. After a lot of testing (30+ hours) while also doing a lot of frequency switches, we can't observe any instability issues anymore when doing reparenting to stable clock like 24 MHz oscillator.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52882.html
CVE-2023-52882
https://bugzilla.suse.com/1225692
SUSE Bug 1225692

Описание

In the Linux kernel, the following vulnerability has been resolved: Input: cyapa - add missing input core locking to suspend/resume functions Grab input->mutex during suspend/resume functions like it is done in other input drivers. This fixes the following warning during system suspend/resume cycle on Samsung Exynos5250-based Snow Chromebook: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c Modules linked in: ... CPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109 Hardware name: Samsung Exynos (Flattened Device Tree) Workqueue: events_unbound async_run_entry_fn unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x58/0x70 dump_stack_lvl from __warn+0x1a8/0x1cc __warn from warn_slowpath_fmt+0x18c/0x1b4 warn_slowpath_fmt from input_device_enabled+0x68/0x6c input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c cyapa_reinitialize from cyapa_resume+0x48/0x98 cyapa_resume from dpm_run_callback+0x90/0x298 dpm_run_callback from device_resume+0xb4/0x258 device_resume from async_resume+0x20/0x64 async_resume from async_run_entry_fn+0x40/0x15c async_run_entry_fn from process_scheduled_works+0xbc/0x6a8 process_scheduled_works from worker_thread+0x188/0x454 worker_thread from kthread+0x108/0x140 kthread from ret_from_fork+0x14/0x28 Exception stack(0xf1625fb0 to 0xf1625ff8) ... ---[ end trace 0000000000000000 ]--- ... ------------[ cut here ]------------ WARNING: CPU: 1 PID: 1680 at drivers/input/input.c:2291 input_device_enabled+0x68/0x6c Modules linked in: ... CPU: 1 PID: 1680 Comm: kworker/u4:12 Tainted: G W 6.6.0-rc5-next-20231009 #14109 Hardware name: Samsung Exynos (Flattened Device Tree) Workqueue: events_unbound async_run_entry_fn unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x58/0x70 dump_stack_lvl from __warn+0x1a8/0x1cc __warn from warn_slowpath_fmt+0x18c/0x1b4 warn_slowpath_fmt from input_device_enabled+0x68/0x6c input_device_enabled from cyapa_gen3_set_power_mode+0x13c/0x1dc cyapa_gen3_set_power_mode from cyapa_reinitialize+0x10c/0x15c cyapa_reinitialize from cyapa_resume+0x48/0x98 cyapa_resume from dpm_run_callback+0x90/0x298 dpm_run_callback from device_resume+0xb4/0x258 device_resume from async_resume+0x20/0x64 async_resume from async_run_entry_fn+0x40/0x15c async_run_entry_fn from process_scheduled_works+0xbc/0x6a8 process_scheduled_works from worker_thread+0x188/0x454 worker_thread from kthread+0x108/0x140 kthread from ret_from_fork+0x14/0x28 Exception stack(0xf1625fb0 to 0xf1625ff8) ... ---[ end trace 0000000000000000 ]---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52884.html
CVE-2023-52884
https://bugzilla.suse.com/1226764
SUSE Bug 1226764

Описание

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix UAF in svc_tcp_listen_data_ready() After the listener svc_sock is freed, and before invoking svc_tcp_accept() for the established child sock, there is a window that the newsock retaining a freed listener svc_sock in sk_user_data which cloning from parent. In the race window, if data is received on the newsock, we will observe use-after-free report in svc_tcp_listen_data_ready(). Reproduce by two tasks: 1. while :; do rpc.nfsd 0 ; rpc.nfsd; done 2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] Read of size 8 at addr ffff888139d96228 by task nc/102553 CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <IRQ> dump_stack_lvl+0x33/0x50 print_address_description.constprop.0+0x27/0x310 print_report+0x3e/0x70 kasan_report+0xae/0xe0 svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] tcp_data_queue+0x9f4/0x20e0 tcp_rcv_established+0x666/0x1f60 tcp_v4_do_rcv+0x51c/0x850 tcp_v4_rcv+0x23fc/0x2e80 ip_protocol_deliver_rcu+0x62/0x300 ip_local_deliver_finish+0x267/0x350 ip_local_deliver+0x18b/0x2d0 ip_rcv+0x2fb/0x370 __netif_receive_skb_one_core+0x166/0x1b0 process_backlog+0x24c/0x5e0 __napi_poll+0xa2/0x500 net_rx_action+0x854/0xc90 __do_softirq+0x1bb/0x5de do_softirq+0xcb/0x100 </IRQ> <TASK> ... </TASK> Allocated by task 102371: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x7b/0x90 svc_setup_socket+0x52/0x4f0 [sunrpc] svc_addsock+0x20d/0x400 [sunrpc] __write_ports_addfd+0x209/0x390 [nfsd] write_ports+0x239/0x2c0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 102551: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x50 __kasan_slab_free+0x106/0x190 __kmem_cache_free+0x133/0x270 svc_xprt_free+0x1e2/0x350 [sunrpc] svc_xprt_destroy_all+0x25a/0x440 [sunrpc] nfsd_put+0x125/0x240 [nfsd] nfsd_svc+0x2cb/0x3c0 [nfsd] write_threads+0x1ac/0x2a0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() if state != TCP_LISTEN, that will avoid dereferencing svsk for all child socket.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52885.html
CVE-2023-52885
https://bugzilla.suse.com/1227750
SUSE Bug 1227750
https://bugzilla.suse.com/1227753
SUSE Bug 1227753

Описание

In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix race by not overwriting udev->descriptor in hub_port_init() Syzbot reported an out-of-bounds read in sysfs.c:read_descriptors(): BUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883 Read of size 8 at addr ffff88801e78b8c8 by task udevd/5011 CPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351 print_report mm/kasan/report.c:462 [inline] kasan_report+0x11c/0x130 mm/kasan/report.c:572 read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883 ... Allocated by task 758: ... __do_kmalloc_node mm/slab_common.c:966 [inline] __kmalloc+0x5e/0x190 mm/slab_common.c:979 kmalloc include/linux/slab.h:563 [inline] kzalloc include/linux/slab.h:680 [inline] usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887 usb_enumerate_device drivers/usb/core/hub.c:2407 [inline] usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545 As analyzed by Khazhy Kumykov, the cause of this bug is a race between read_descriptors() and hub_port_init(): The first routine uses a field in udev->descriptor, not expecting it to change, while the second overwrites it. Prior to commit 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file") this race couldn't occur, because the routines were mutually exclusive thanks to the device locking. Removing that locking from read_descriptors() exposed it to the race. The best way to fix the bug is to keep hub_port_init() from changing udev->descriptor once udev has been initialized and registered. Drivers expect the descriptors stored in the kernel to be immutable; we should not undermine this expectation. In fact, this change should have been made long ago. So now hub_port_init() will take an additional argument, specifying a buffer in which to store the device descriptor it reads. (If udev has not yet been initialized, the buffer pointer will be NULL and then hub_port_init() will store the device descriptor in udev as before.) This eliminates the data race responsible for the out-of-bounds read. The changes to hub_port_init() appear more extensive than they really are, because of indentation changes resulting from an attempt to avoid writing to other parts of the usb_device structure after it has been initialized. Similar changes should be made to the code that reads the BOS descriptor, but that can be handled in a separate patch later on. This patch is sufficient to fix the bug found by syzbot.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52886.html
CVE-2023-52886
https://bugzilla.suse.com/1227981
SUSE Bug 1227981

Описание

printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-25741.html
CVE-2024-25741
https://bugzilla.suse.com/1219832
SUSE Bug 1219832

Описание

In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26583.html
CVE-2024-26583
https://bugzilla.suse.com/1220185
SUSE Bug 1220185

Описание

In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26584.html
CVE-2024-26584
https://bugzilla.suse.com/1220186
SUSE Bug 1220186

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix illegal rmb_desc access in SMC-D connection dump A crash was found when dumping SMC-D connections. It can be reproduced by following steps: - run nginx/wrk test: smc_run nginx smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL> - continuously dump SMC-D connections in parallel: watch -n 1 'smcss -D' BUG: kernel NULL pointer dereference, address: 0000000000000030 CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G E 6.7.0+ #55 RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag] Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x66/0x150 ? exc_page_fault+0x69/0x140 ? asm_exc_page_fault+0x26/0x30 ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag] ? __kmalloc_node_track_caller+0x35d/0x430 ? __alloc_skb+0x77/0x170 smc_diag_dump_proto+0xd0/0xf0 [smc_diag] smc_diag_dump+0x26/0x60 [smc_diag] netlink_dump+0x19f/0x320 __netlink_dump_start+0x1dc/0x300 smc_diag_handler_dump+0x6a/0x80 [smc_diag] ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag] sock_diag_rcv_msg+0x121/0x140 ? __pfx_sock_diag_rcv_msg+0x10/0x10 netlink_rcv_skb+0x5a/0x110 sock_diag_rcv+0x28/0x40 netlink_unicast+0x22a/0x330 netlink_sendmsg+0x1f8/0x420 __sock_sendmsg+0xb0/0xc0 ____sys_sendmsg+0x24e/0x300 ? copy_msghdr_from_user+0x62/0x80 ___sys_sendmsg+0x7c/0xd0 ? __do_fault+0x34/0x160 ? do_read_fault+0x5f/0x100 ? do_fault+0xb0/0x110 ? __handle_mm_fault+0x2b0/0x6c0 __sys_sendmsg+0x4d/0x80 do_syscall_64+0x69/0x180 entry_SYSCALL_64_after_hwframe+0x6e/0x76 It is possible that the connection is in process of being established when we dump it. Assumed that the connection has been registered in a link group by smc_conn_create() but the rmb_desc has not yet been initialized by smc_buf_create(), thus causing the illegal access to conn->rmb_desc. So fix it by checking before dump.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26615.html
CVE-2024-26615
https://bugzilla.suse.com/1220942
SUSE Bug 1220942

Описание

In the Linux kernel, the following vulnerability has been resolved: llc: call sock_orphan() at release time syzbot reported an interesting trace [1] caused by a stale sk->sk_wq pointer in a closed llc socket. In commit ff7b11aa481f ("net: socket: set sock->sk to NULL after calling proto_ops::release()") Eric Biggers hinted that some protocols are missing a sock_orphan(), we need to perform a full audit. In net-next, I plan to clear sock->sk from sock_orphan() and amend Eric patch to add a warning. [1] BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline] BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline] BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline] BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468 Read of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27 CPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc4/0x620 mm/kasan/report.c:488 kasan_report+0xda/0x110 mm/kasan/report.c:601 list_empty include/linux/list.h:373 [inline] waitqueue_active include/linux/wait.h:127 [inline] sock_def_write_space_wfree net/core/sock.c:3384 [inline] sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468 skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080 skb_release_all net/core/skbuff.c:1092 [inline] napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404 e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970 e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline] e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801 __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576 napi_poll net/core/dev.c:6645 [inline] net_rx_action+0x956/0xe90 net/core/dev.c:6778 __do_softirq+0x21a/0x8de kernel/softirq.c:553 run_ksoftirqd kernel/softirq.c:921 [inline] run_ksoftirqd+0x31/0x60 kernel/softirq.c:913 smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164 kthread+0x2c6/0x3a0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 </TASK> Allocated by task 5167: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:314 [inline] __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3813 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879 alloc_inode_sb include/linux/fs.h:3019 [inline] sock_alloc_inode+0x25/0x1c0 net/socket.c:308 alloc_inode+0x5d/0x220 fs/inode.c:260 new_inode_pseudo+0x16/0x80 fs/inode.c:1005 sock_alloc+0x40/0x270 net/socket.c:634 __sock_create+0xbc/0x800 net/socket.c:1535 sock_create net/socket.c:1622 [inline] __sys_socket_create net/socket.c:1659 [inline] __sys_socket+0x14c/0x260 net/socket.c:1706 __do_sys_socket net/socket.c:1720 [inline] __se_sys_socket net/socket.c:1718 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1718 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Freed by task 0: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640 poison_slab_object mm/kasan/common.c:241 [inline] __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2121 [inlin ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26625.html
CVE-2024-26625
https://bugzilla.suse.com/1221086
SUSE Bug 1221086

Описание

In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken. Reading frag_off can only be done if we pulled enough bytes to skb->head. Currently we might access garbage. [1] BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline] ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243 dst_output include/net/dst.h:451 [inline] ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline] ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 __do_kmalloc_node mm/slab_common.c:1006 [inline] __kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027 kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582 pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098 __pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655 pskb_may_pull_reason include/linux/skbuff.h:2673 [inline] pskb_may_pull include/linux/skbuff.h:2681 [inline] ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline] ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137 ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243 dst_output include/net/dst.h:451 [inline] ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155 ip6_send_skb net/ipv6/ip6_output.c:1952 [inline] ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972 rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582 rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920 inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendms ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26633.html
CVE-2024-26633
https://bugzilla.suse.com/1221647
SUSE Bug 1221647

Описание

In the Linux kernel, the following vulnerability has been resolved: llc: Drop support for ETH_P_TR_802_2. syzbot reported an uninit-value bug below. [0] llc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2 (0x0011), and syzbot abused the latter to trigger the bug. write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', "90e5dd"}}}}, 0x16) llc_conn_handler() initialises local variables {saddr,daddr}.mac based on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes them to __llc_lookup(). However, the initialisation is done only when skb->protocol is htons(ETH_P_802_2), otherwise, __llc_lookup_established() and __llc_lookup_listener() will read garbage. The missing initialisation existed prior to commit 211ed865108e ("net: delete all instances of special processing for token ring"). It removed the part to kick out the token ring stuff but forgot to close the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv(). Let's remove llc_tr_packet_type and complete the deprecation. [0]: BUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90 __llc_lookup_established+0xe9d/0xf90 __llc_lookup net/llc/llc_conn.c:611 [inline] llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791 llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206 __netif_receive_skb_one_core net/core/dev.c:5527 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641 netif_receive_skb_internal net/core/dev.c:5727 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5786 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2020 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x8ef/0x1490 fs/read_write.c:584 ksys_write+0x20f/0x4c0 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:646 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b Local variable daddr created at: llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783 llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206 CPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26635.html
CVE-2024-26635
https://bugzilla.suse.com/1221656
SUSE Bug 1221656

Описание

In the Linux kernel, the following vulnerability has been resolved: llc: make llc_ui_sendmsg() more robust against bonding changes syzbot was able to trick llc_ui_sendmsg(), allocating an skb with no headroom, but subsequently trying to push 14 bytes of Ethernet header [1] Like some others, llc_ui_sendmsg() releases the socket lock before calling sock_alloc_send_skb(). Then it acquires it again, but does not redo all the sanity checks that were performed. This fix: - Uses LL_RESERVED_SPACE() to reserve space. - Check all conditions again after socket lock is held again. - Do not account Ethernet header for mtu limitation. [1] skbuff: skb_under_panic: text:ffff800088baa334 len:1514 put:14 head:ffff0000c9c37000 data:ffff0000c9c36ff2 tail:0x5dc end:0x6c0 dev:bond0 kernel BUG at net/core/skbuff.c:193 ! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 6875 Comm: syz-executor.0 Not tainted 6.7.0-rc8-syzkaller-00101-g0802e17d9aca-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_panic net/core/skbuff.c:189 [inline] pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203 lr : skb_panic net/core/skbuff.c:189 [inline] lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:203 sp : ffff800096f97000 x29: ffff800096f97010 x28: ffff80008cc8d668 x27: dfff800000000000 x26: ffff0000cb970c90 x25: 00000000000005dc x24: ffff0000c9c36ff2 x23: ffff0000c9c37000 x22: 00000000000005ea x21: 00000000000006c0 x20: 000000000000000e x19: ffff800088baa334 x18: 1fffe000368261ce x17: ffff80008e4ed000 x16: ffff80008a8310f8 x15: 0000000000000001 x14: 1ffff00012df2d58 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000001 x10: 0000000000ff0100 x9 : e28a51f1087e8400 x8 : e28a51f1087e8400 x7 : ffff80008028f8d0 x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800082b78714 x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000089 Call trace: skb_panic net/core/skbuff.c:189 [inline] skb_under_panic+0x13c/0x140 net/core/skbuff.c:203 skb_push+0xf0/0x108 net/core/skbuff.c:2451 eth_header+0x44/0x1f8 net/ethernet/eth.c:83 dev_hard_header include/linux/netdevice.h:3188 [inline] llc_mac_hdr_init+0x110/0x17c net/llc/llc_output.c:33 llc_sap_action_send_xid_c+0x170/0x344 net/llc/llc_s_ac.c:85 llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline] llc_sap_next_state net/llc/llc_sap.c:182 [inline] llc_sap_state_process+0x1ec/0x774 net/llc/llc_sap.c:209 llc_build_and_send_xid_pkt+0x12c/0x1c0 net/llc/llc_sap.c:270 llc_ui_sendmsg+0x7bc/0xb1c net/llc/af_llc.c:997 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_sendmsg+0x194/0x274 net/socket.c:767 splice_to_socket+0x7cc/0xd58 fs/splice.c:881 do_splice_from fs/splice.c:933 [inline] direct_splice_actor+0xe4/0x1c0 fs/splice.c:1142 splice_direct_to_actor+0x2a0/0x7e4 fs/splice.c:1088 do_splice_direct+0x20c/0x348 fs/splice.c:1194 do_sendfile+0x4bc/0xc70 fs/read_write.c:1254 __do_sys_sendfile64 fs/read_write.c:1322 [inline] __se_sys_sendfile64 fs/read_write.c:1308 [inline] __arm64_sys_sendfile64+0x160/0x3b4 fs/read_write.c:1308 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155 el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595 Code: aa1803e6 aa1903e7 a90023f5 94792f6a (d4210000)

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26636.html
CVE-2024-26636
https://bugzilla.suse.com/1221659
SUSE Bug 1221659

Описание

In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access unitiliazed data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb->head. [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727 __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845 ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888 gre_rcv+0x143f/0x1870 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:314 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5532 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646 netif_receive_skb_internal net/core/dev.c:5732 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5791 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2084 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x786/0x1200 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26641.html
CVE-2024-26641
https://bugzilla.suse.com/1221654
SUSE Bug 1221654

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: don't abort filesystem when attempting to snapshot deleted subvolume If the source file descriptor to the snapshot ioctl refers to a deleted subvolume, we get the following abort: BTRFS: Transaction aborted (error -2) WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs] Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014 RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs] RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027 RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840 RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998 R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80 FS: 00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0 Call Trace: <TASK> ? create_pending_snapshot+0x1040/0x1190 [btrfs] ? __warn+0x81/0x130 ? create_pending_snapshot+0x1040/0x1190 [btrfs] ? report_bug+0x171/0x1a0 ? handle_bug+0x3a/0x70 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? create_pending_snapshot+0x1040/0x1190 [btrfs] ? create_pending_snapshot+0x1040/0x1190 [btrfs] create_pending_snapshots+0x92/0xc0 [btrfs] btrfs_commit_transaction+0x66b/0xf40 [btrfs] btrfs_mksubvol+0x301/0x4d0 [btrfs] btrfs_mksnapshot+0x80/0xb0 [btrfs] __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs] btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs] btrfs_ioctl+0x8a6/0x2650 [btrfs] ? kmem_cache_free+0x22/0x340 ? do_sys_openat2+0x97/0xe0 __x64_sys_ioctl+0x97/0xd0 do_syscall_64+0x46/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 RIP: 0033:0x7fe20abe83af RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58 </TASK> ---[ end trace 0000000000000000 ]--- BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry BTRFS info (device vdc: state EA): forced readonly BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction. BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry This happens because create_pending_snapshot() initializes the new root item as a copy of the source root item. This includes the refs field, which is 0 for a deleted subvolume. The call to btrfs_insert_root() therefore inserts a root with refs == 0. btrfs_get_new_fs_root() then finds the root and returns -ENOENT if refs == 0, which causes create_pending_snapshot() to abort. Fix it by checking the source root's refs before attempting the snapshot, but after locking subvol_sem to avoid racing with deletion.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26644.html
CVE-2024-26644
https://bugzilla.suse.com/1222072
SUSE Bug 1222072

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' In "u32 otg_inst = pipe_ctx->stream_res.tg->inst;" pipe_ctx->stream_res.tg could be NULL, it is relying on the caller to ensure the tg is not NULL.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26661.html
CVE-2024-26661
https://bugzilla.suse.com/1222323
SUSE Bug 1222323

Описание

In the Linux kernel, the following vulnerability has been resolved: tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() syzbot reported the following general protection fault [1]: general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087] ... RIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291 ... Call Trace: <TASK> tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646 tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089 genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972 genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline] genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367 netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0xd5/0x180 net/socket.c:745 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638 __sys_sendmsg+0x117/0x1e0 net/socket.c:2667 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b The cause of this issue is that when tipc_nl_bearer_add() is called with the TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called even if the bearer is not UDP. tipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that the media_ptr field of the tipc_bearer has an udp_bearer type object, so the function goes crazy for non-UDP bearers. This patch fixes the issue by checking the bearer type before calling tipc_udp_nl_bearer_add() in tipc_nl_bearer_add().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26663.html
CVE-2024-26663
https://bugzilla.suse.com/1222326
SUSE Bug 1222326

Описание

In the Linux kernel, the following vulnerability has been resolved: tunnels: fix out of bounds access when building IPv6 PMTU error If the ICMPv6 error is built from a non-linear skb we get the following splat, BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240 Read of size 4 at addr ffff88811d402c80 by task netperf/820 CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543 ... kasan_report+0xd8/0x110 do_csum+0x220/0x240 csum_partial+0xc/0x20 skb_tunnel_check_pmtu+0xeb9/0x3280 vxlan_xmit_one+0x14c2/0x4080 vxlan_xmit+0xf61/0x5c00 dev_hard_start_xmit+0xfb/0x510 __dev_queue_xmit+0x7cd/0x32a0 br_dev_queue_push_xmit+0x39d/0x6a0 Use skb_checksum instead of csum_partial who cannot deal with non-linear SKBs.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26665.html
CVE-2024-26665
https://bugzilla.suse.com/1222328
SUSE Bug 1222328

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26720.html
CVE-2024-26720
https://bugzilla.suse.com/1222364
SUSE Bug 1222364

Описание

In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26800.html
CVE-2024-26800
https://bugzilla.suse.com/1222728
SUSE Bug 1222728

Описание

In the Linux kernel, the following vulnerability has been resolved: stmmac: Clear variable when destroying workqueue Currently when suspending driver and stopping workqueue it is checked whether workqueue is not NULL and if so, it is destroyed. Function destroy_workqueue() does drain queue and does clear variable, but it does not set workqueue variable to NULL. This can cause kernel/module panic if code attempts to clear workqueue that was not initialized. This scenario is possible when resuming suspended driver in stmmac_resume(), because there is no handling for failed stmmac_hw_setup(), which can fail and return if DMA engine has failed to initialize, and workqueue is initialized after DMA engine. Should DMA engine fail to initialize, resume will proceed normally, but interface won't work and TX queue will eventually timeout, causing 'Reset adapter' error. This then does destroy workqueue during reset process. And since workqueue is initialized after DMA engine and can be skipped, it will cause kernel/module panic. To secure against this possible crash, set workqueue variable to NULL when destroying workqueue. Log/backtrace from crash goes as follows: [88.031977]------------[ cut here ]------------ [88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out [88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398 <Skipping backtrace for watchdog timeout> [88.032251]---[ end trace e70de432e4d5c2c0 ]--- [88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter. [88.036359]------------[ cut here ]------------ [88.036519]Call trace: [88.036523] flush_workqueue+0x3e4/0x430 [88.036528] drain_workqueue+0xc4/0x160 [88.036533] destroy_workqueue+0x40/0x270 [88.036537] stmmac_fpe_stop_wq+0x4c/0x70 [88.036541] stmmac_release+0x278/0x280 [88.036546] __dev_close_many+0xcc/0x158 [88.036551] dev_close_many+0xbc/0x190 [88.036555] dev_close.part.0+0x70/0xc0 [88.036560] dev_close+0x24/0x30 [88.036564] stmmac_service_task+0x110/0x140 [88.036569] process_one_work+0x1d8/0x4a0 [88.036573] worker_thread+0x54/0x408 [88.036578] kthread+0x164/0x170 [88.036583] ret_from_fork+0x10/0x20 [88.036588]---[ end trace e70de432e4d5c2c1 ]--- [88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26802.html
CVE-2024-26802
https://bugzilla.suse.com/1222799
SUSE Bug 1222799

Описание

In the Linux kernel, the following vulnerability has been resolved: vfio/platform: Create persistent IRQ handlers The vfio-platform SET_IRQS ioctl currently allows loopback triggering of an interrupt before a signaling eventfd has been configured by the user, which thereby allows a NULL pointer dereference. Rather than register the IRQ relative to a valid trigger, register all IRQs in a disabled state in the device open path. This allows mask operations on the IRQ to nest within the overall enable state governed by a valid eventfd signal. This decouples @masked, protected by the @locked spinlock from @trigger, protected via the @igate mutex. In doing so, it's guaranteed that changes to @trigger cannot race the IRQ handlers because the IRQ handler is synchronously disabled before modifying the trigger, and loopback triggering of the IRQ via ioctl is safe due to serialization with trigger changes via igate. For compatibility, request_irq() failures are maintained to be local to the SET_IRQS ioctl rather than a fatal error in the open device path. This allows, for example, a userspace driver with polling mode support to continue to work regardless of moving the request_irq() call site. This necessarily blocks all SET_IRQS access to the failed index.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26813.html
CVE-2024-26813
https://bugzilla.suse.com/1222809
SUSE Bug 1222809

Описание

In the Linux kernel, the following vulnerability has been resolved: vfio/fsl-mc: Block calling interrupt handler without trigger The eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is initially NULL and may become NULL if the user sets the trigger eventfd to -1. The interrupt handler itself is guaranteed that trigger is always valid between request_irq() and free_irq(), but the loopback testing mechanisms to invoke the handler function need to test the trigger. The triggering and setting ioctl paths both make use of igate and are therefore mutually exclusive. The vfio-fsl-mc driver does not make use of irqfds, nor does it support any sort of masking operations, therefore unlike vfio-pci and vfio-platform, the flow can remain essentially unchanged.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26814.html
CVE-2024-26814
https://bugzilla.suse.com/1222810
SUSE Bug 1222810

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix shift issue in ufshcd_clear_cmd() When task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U << task_tag will out of bounds for a u32 mask. Fix this up to prevent SHIFT_ISSUE (bitwise shifts that are out of bounds for their data type). [name:debug_monitors&]Unexpected kernel BRK exception at EL1 [name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP [name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done [name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000 [name:mrdump&]PHYS_OFFSET: 0x80000000 [name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO) [name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288 [name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c [name:mrdump&]sp : ffffffc0081471b0 <snip> Workqueue: ufs_eh_wq_0 ufshcd_err_handler Call trace: dump_backtrace+0xf8/0x144 show_stack+0x18/0x24 dump_stack_lvl+0x78/0x9c dump_stack+0x18/0x44 mrdump_common_die+0x254/0x480 [mrdump] ipanic_die+0x20/0x30 [mrdump] notify_die+0x15c/0x204 die+0x10c/0x5f8 arm64_notify_die+0x74/0x13c do_debug_exception+0x164/0x26c el1_dbg+0x64/0x80 el1h_64_sync_handler+0x3c/0x90 el1h_64_sync+0x68/0x6c ufshcd_clear_cmd+0x280/0x288 ufshcd_wait_for_dev_cmd+0x3e4/0x82c ufshcd_exec_dev_cmd+0x5bc/0x9ac ufshcd_verify_dev_init+0x84/0x1c8 ufshcd_probe_hba+0x724/0x1ce0 ufshcd_host_reset_and_restore+0x260/0x574 ufshcd_reset_and_restore+0x138/0xbd0 ufshcd_err_handler+0x1218/0x2f28 process_one_work+0x5fc/0x1140 worker_thread+0x7d8/0xe20 kthread+0x25c/0x468 ret_from_fork+0x10/0x20

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26842.html
CVE-2024-26842
https://bugzilla.suse.com/1223013
SUSE Bug 1223013

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Add TMF to tmr_list handling An abort that is responded to by iSCSI itself is added to tmr_list but does not go to target core. A LUN_RESET that goes through tmr_list takes a refcounter on the abort and waits for completion. However, the abort will be never complete because it was not started in target core. Unable to locate ITT: 0x05000000 on CID: 0 Unable to locate RefTaskTag: 0x05000000 on CID: 0. wait_for_tasks: Stopping tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop wait for tasks: tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop ... INFO: task kworker/0:2:49 blocked for more than 491 seconds. task:kworker/0:2 state:D stack: 0 pid: 49 ppid: 2 flags:0x00000800 Workqueue: events target_tmr_work [target_core_mod] Call Trace: __switch_to+0x2c4/0x470 _schedule+0x314/0x1730 schedule+0x64/0x130 schedule_timeout+0x168/0x430 wait_for_completion+0x140/0x270 target_put_cmd_and_wait+0x64/0xb0 [target_core_mod] core_tmr_lun_reset+0x30/0xa0 [target_core_mod] target_tmr_work+0xc8/0x1b0 [target_core_mod] process_one_work+0x2d4/0x5d0 worker_thread+0x78/0x6c0 To fix this, only add abort to tmr_list if it will be handled by target core.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26845.html
CVE-2024-26845
https://bugzilla.suse.com/1223018
SUSE Bug 1223018

Описание

In the Linux kernel, the following vulnerability has been resolved: hsr: Fix uninit-value access in hsr_get_node() KMSAN reported the following uninit-value access issue [1]: ===================================================== BUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 fill_frame_info net/hsr/hsr_forward.c:577 [inline] hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615 hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 packet_alloc_skb net/packet/af_packet.c:2936 [inline] packet_snd net/packet/af_packet.c:3030 [inline] packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 ===================================================== If the packet type ID field in the Ethernet header is either ETH_P_PRP or ETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr() reads an invalid value as a sequence number. This causes the above issue. This patch fixes the issue by returning NULL if the Ethernet header is not followed by an HSR tag.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26863.html
CVE-2024-26863
https://bugzilla.suse.com/1223021
SUSE Bug 1223021

Описание

In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26923.html
CVE-2024-26923
https://bugzilla.suse.com/1223384
SUSE Bug 1223384
https://bugzilla.suse.com/1223683
SUSE Bug 1223683

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix unremoved procfs host directory regression Commit fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name} directory earlier") fixed a bug related to modules loading/unloading, by adding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led to a potential duplicate call to the hostdir_rm() routine, since it's also called from scsi_host_dev_release(). That triggered a regression report, which was then fixed by commit be03df3d4bfe ("scsi: core: Fix a procfs host directory removal regression"). The fix just dropped the hostdir_rm() call from dev_release(). But it happens that this proc directory is created on scsi_host_alloc(), and that function "pairs" with scsi_host_dev_release(), while scsi_remove_host() pairs with scsi_add_host(). In other words, it seems the reason for removing the proc directory on dev_release() was meant to cover cases in which a SCSI host structure was allocated, but the call to scsi_add_host() didn't happen. And that pattern happens to exist in some error paths, for example. Syzkaller causes that by using USB raw gadget device, error'ing on usb-storage driver, at usb_stor_probe2(). By checking that path, we can see that the BadDevice label leads to a scsi_host_put() after a SCSI host allocation, but there's no call to scsi_add_host() in such path. That leads to messages like this in dmesg (and a leak of the SCSI host proc structure): usb-storage 4-1:87.51: USB Mass Storage device detected proc_dir_entry 'scsi/usb-storage' already registered WARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376 The proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(), but guard that with the state check for SHOST_CREATED; there is even a comment in scsi_host_dev_release() detailing that: such conditional is meant for cases where the SCSI host was allocated but there was no calls to {add,remove}_host(), like the usb-storage case. This is what we propose here and with that, the error path of usb-storage does not trigger the warning anymore.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26935.html
CVE-2024-26935
https://bugzilla.suse.com/1223675
SUSE Bug 1223675

Описание

In the Linux kernel, the following vulnerability has been resolved: mac802154: fix llsec key resources release in mac802154_llsec_key_del mac802154_llsec_key_del() can free resources of a key directly without following the RCU rules for waiting before the end of a grace period. This may lead to use-after-free in case llsec_lookup_key() is traversing the list of keys in parallel with a key deletion: refcount_t: addition on 0; use-after-free. WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0 Modules linked in: CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:refcount_warn_saturate+0x162/0x2a0 Call Trace: <TASK> llsec_lookup_key.isra.0+0x890/0x9e0 mac802154_llsec_encrypt+0x30c/0x9c0 ieee802154_subif_start_xmit+0x24/0x1e0 dev_hard_start_xmit+0x13e/0x690 sch_direct_xmit+0x2ae/0xbc0 __dev_queue_xmit+0x11dd/0x3c20 dgram_sendmsg+0x90b/0xd60 __sys_sendto+0x466/0x4c0 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x45/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Also, ieee802154_llsec_key_entry structures are not freed by mac802154_llsec_key_del(): unreferenced object 0xffff8880613b6980 (size 64): comm "iwpan", pid 2176, jiffies 4294761134 (age 60.475s) hex dump (first 32 bytes): 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x......."....... 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................ backtrace: [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0 [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0 [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0 [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80 [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0 [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0 [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0 [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440 [<ffffffff86ff1d88>] genl_rcv+0x28/0x40 [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820 [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60 [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0 [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0 [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0 [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0 [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76 Handle the proper resource release in the RCU callback function mac802154_llsec_key_del_rcu(). Note that if llsec_lookup_key() finds a key, it gets a refcount via llsec_key_get() and locally copies key id from key_entry (which is a list element). So it's safe to call llsec_key_put() and free the list entry after the RCU grace period elapses. Found by Linux Verification Center (linuxtesting.org).

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26961.html
CVE-2024-26961
https://bugzilla.suse.com/1223652
SUSE Bug 1223652

Описание

In the Linux kernel, the following vulnerability has been resolved: fat: fix uninitialized field in nostale filehandles When fat_encode_fh_nostale() encodes file handle without a parent it stores only first 10 bytes of the file handle. However the length of the file handle must be a multiple of 4 so the file handle is actually 12 bytes long and the last two bytes remain uninitialized. This is not great at we potentially leak uninitialized information with the handle to userspace. Properly initialize the full handle length.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26973.html
CVE-2024-26973
https://bugzilla.suse.com/1223641
SUSE Bug 1223641

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: Always flush async #PF workqueue when vCPU is being destroyed Always flush the per-vCPU async #PF workqueue when a vCPU is clearing its completion queue, e.g. when a VM and all its vCPUs is being destroyed. KVM must ensure that none of its workqueue callbacks is running when the last reference to the KVM _module_ is put. Gifting a reference to the associated VM prevents the workqueue callback from dereferencing freed vCPU/VM memory, but does not prevent the KVM module from being unloaded before the callback completes. Drop the misguided VM refcount gifting, as calling kvm_put_kvm() from async_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will result in deadlock. async_pf_execute() can't return until kvm_put_kvm() finishes, and kvm_put_kvm() can't return until async_pf_execute() finishes: WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm] Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Workqueue: events async_pf_execute [kvm] RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm] Call Trace: <TASK> async_pf_execute+0x198/0x260 [kvm] process_one_work+0x145/0x2d0 worker_thread+0x27e/0x3a0 kthread+0xba/0xe0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 </TASK> ---[ end trace 0000000000000000 ]--- INFO: task kworker/8:1:251 blocked for more than 120 seconds. Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000 Workqueue: events async_pf_execute [kvm] Call Trace: <TASK> __schedule+0x33f/0xa40 schedule+0x53/0xc0 schedule_timeout+0x12a/0x140 __wait_for_common+0x8d/0x1d0 __flush_work.isra.0+0x19f/0x2c0 kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm] kvm_arch_destroy_vm+0x78/0x1b0 [kvm] kvm_put_kvm+0x1c1/0x320 [kvm] async_pf_execute+0x198/0x260 [kvm] process_one_work+0x145/0x2d0 worker_thread+0x27e/0x3a0 kthread+0xba/0xe0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 </TASK> If kvm_clear_async_pf_completion_queue() actually flushes the workqueue, then there's no need to gift async_pf_execute() a reference because all invocations of async_pf_execute() will be forced to complete before the vCPU and its VM are destroyed/freed. And that in turn fixes the module unloading bug as __fput() won't do module_put() on the last vCPU reference until the vCPU has been freed, e.g. if closing the vCPU file also puts the last reference to the KVM module. Note that kvm_check_async_pf_completion() may also take the work item off the completion queue and so also needs to flush the work queue, as the work will not be seen by kvm_clear_async_pf_completion_queue(). Waiting on the workqueue could theoretically delay a vCPU due to waiting for the work to complete, but that's a very, very small chance, and likely a very small delay. kvm_arch_async_page_present_queued() unconditionally makes a new request, i.e. will effectively delay entering the guest, so the remaining work is really just: trace_kvm_async_pf_completed(addr, cr2_or_gpa); __kvm_vcpu_wake_up(vcpu); mmput(mm); and mmput() can't drop the last reference to the page tables if the vCPU is still alive, i.e. the vCPU won't get stuck tearing down page tables. Add a helper to do the flushing, specifically to deal with "wakeup all" work items, as they aren't actually work items, i.e. are never placed in a workqueue. Trying to flush a bogus workqueue entry rightly makes __flush_work() complain (kudos to whoever added that sanity check). Note, commit 5f6de5cbebee ("KVM: Prevent module exit until al ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26976.html
CVE-2024-26976
https://bugzilla.suse.com/1223635
SUSE Bug 1223635

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: incorrect pppoe tuple pppoe traffic reaching ingress path does not match the flowtable entry because the pppoe header is expected to be at the network header offset. This bug causes a mismatch in the flow table lookup, so pppoe packets enter the classical forwarding path.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27015.html
CVE-2024-27015
https://bugzilla.suse.com/1223806
SUSE Bug 1223806

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() nft_unregister_obj() can concurrent with __nft_obj_type_get(), and there is not any protection when iterate over nf_tables_objects list in __nft_obj_type_get(). Therefore, there is potential data-race of nf_tables_objects list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_objects list in __nft_obj_type_get(), and use rcu_read_lock() in the caller nft_obj_type_get() to protect the entire type query process.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27019.html
CVE-2024-27019
https://bugzilla.suse.com/1223813
SUSE Bug 1223813

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() nft_unregister_expr() can concurrent with __nft_expr_type_get(), and there is not any protection when iterate over nf_tables_expressions list in __nft_expr_type_get(). Therefore, there is potential data-race of nf_tables_expressions list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_expressions list in __nft_expr_type_get(), and use rcu_read_lock() in the caller nft_expr_type_get() to protect the entire type query process.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27020.html
CVE-2024-27020
https://bugzilla.suse.com/1223815
SUSE Bug 1223815

Описание

In the Linux kernel, the following vulnerability has been resolved: nbd: null check for nla_nest_start nla_nest_start() may fail and return NULL. Insert a check and set errno based on other call sites within the same source code.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27025.html
CVE-2024-27025
https://bugzilla.suse.com/1223778
SUSE Bug 1223778

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: do not compare internal table flags on updates Restore skipping transaction if table update does not modify flags.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27065.html
CVE-2024-27065
https://bugzilla.suse.com/1223836
SUSE Bug 1223836

Описание

In the Linux kernel, the following vulnerability has been resolved: phonet/pep: fix racy skb_queue_empty() use The receive queues are protected by their respective spin-lock, not the socket lock. This could lead to skb_peek() unexpectedly returning NULL or a pointer to an already dequeued socket buffer.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27402.html
CVE-2024-27402
https://bugzilla.suse.com/1224414
SUSE Bug 1224414

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: fix PPE hanging issue A patch to resolve an issue was found in MediaTek's GPL-licensed SDK: In the mtk_ppe_stop() function, the PPE scan mode is not disabled before disabling the PPE. This can potentially lead to a hang during the process of disabling the PPE. Without this patch, the PPE may experience a hang during the reboot test.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27432.html
CVE-2024-27432
https://bugzilla.suse.com/1224716
SUSE Bug 1224716

Описание

In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Disable auto-enable of exclusive INTx IRQ Currently for devices requiring masking at the irqchip for INTx, ie. devices without DisINTx support, the IRQ is enabled in request_irq() and subsequently disabled as necessary to align with the masked status flag. This presents a window where the interrupt could fire between these events, resulting in the IRQ incrementing the disable depth twice. This would be unrecoverable for a user since the masked flag prevents nested enables through vfio. Instead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx is never auto-enabled, then unmask as required.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-27437.html
CVE-2024-27437
https://bugzilla.suse.com/1222625
SUSE Bug 1222625

Описание

In the Linux kernel, the following vulnerability has been resolved: efi: libstub: only free priv.runtime_map when allocated priv.runtime_map is only allocated when efi_novamap is not set. Otherwise, it is an uninitialized value. In the error path, it is freed unconditionally. Avoid passing an uninitialized value to free_pool. Free priv.runtime_map only when it was allocated. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-33619.html
CVE-2024-33619
https://bugzilla.suse.com/1226768
SUSE Bug 1226768

Описание

In the Linux kernel, the following vulnerability has been resolved: fpga: region: add owner module and take its refcount The current implementation of the fpga region assumes that the low-level module registers a driver for the parent device and uses its owner pointer to take the module's refcount. This approach is problematic since it can lead to a null pointer dereference while attempting to get the region during programming if the parent device does not have a driver. To address this problem, add a module owner pointer to the fpga_region struct and use it to take the module's refcount. Modify the functions for registering a region to take an additional owner module parameter and rename them to avoid conflicts. Use the old function names for helper macros that automatically set the module that registers the region as the owner. This ensures compatibility with existing low-level control modules and reduces the chances of registering a region without setting the owner. Also, update the documentation to keep it consistent with the new interface for registering an fpga region.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35247.html
CVE-2024-35247
https://bugzilla.suse.com/1226948
SUSE Bug 1226948

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes When moving a station out of a VLAN and deleting the VLAN afterwards, the fast_rx entry still holds a pointer to the VLAN's netdev, which can cause use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx after the VLAN change.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35789.html
CVE-2024-35789
https://bugzilla.suse.com/1224749
SUSE Bug 1224749
https://bugzilla.suse.com/1227320
SUSE Bug 1227320

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group The DisplayPort driver's sysfs nodes may be present to the userspace before typec_altmode_set_drvdata() completes in dp_altmode_probe. This means that a sysfs read can trigger a NULL pointer error by deferencing dp->hpd in hpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns NULL in those cases. Remove manual sysfs node creation in favor of adding attribute group as default for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is not used here otherwise the path to the sysfs nodes is no longer compliant with the ABI.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35790.html
CVE-2024-35790
https://bugzilla.suse.com/1224712
SUSE Bug 1224712

Описание

In the Linux kernel, the following vulnerability has been resolved: dm snapshot: fix lockup in dm_exception_table_exit There was reported lockup when we exit a snapshot with many exceptions. Fix this by adding "cond_resched" to the loop that frees the exceptions.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35805.html
CVE-2024-35805
https://bugzilla.suse.com/1224743
SUSE Bug 1224743

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: fix corruption during on-line resize We observed a corruption during on-line resize of a file system that is larger than 16 TiB with 4k block size. With having more then 2^32 blocks resize_inode is turned off by default by mke2fs. The issue can be reproduced on a smaller file system for convenience by explicitly turning off resize_inode. An on-line resize across an 8 GiB boundary (the size of a meta block group in this setup) then leads to a corruption: dev=/dev/<some_dev> # should be >= 16 GiB mkdir -p /corruption /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15)) mount -t ext4 $dev /corruption dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15)) sha1sum /corruption/test # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test /sbin/resize2fs $dev $((2*2**21)) # drop page cache to force reload the block from disk echo 1 > /proc/sys/vm/drop_caches sha1sum /corruption/test # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test 2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per block group and 2^6 are the number of block groups that make a meta block group. The last checksum might be different depending on how the file is laid out across the physical blocks. The actual corruption occurs at physical block 63*2^15 = 2064384 which would be the location of the backup of the meta block group's block descriptor. During the on-line resize the file system will be converted to meta_bg starting at s_first_meta_bg which is 2 in the example - meaning all block groups after 16 GiB. However, in ext4_flex_group_add we might add block groups that are not part of the first meta block group yet. In the reproducer we achieved this by substracting the size of a whole block group from the point where the meta block group would start. This must be considered when updating the backup block group descriptors to follow the non-meta_bg layout. The fix is to add a test whether the group to add is already part of the meta block group or not.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35807.html
CVE-2024-35807
https://bugzilla.suse.com/1224735
SUSE Bug 1224735

Описание

In the Linux kernel, the following vulnerability has been resolved: swiotlb: Fix double-allocation of slots due to broken alignment handling Commit bbb73a103fbb ("swiotlb: fix a braino in the alignment check fix"), which was a fix for commit 0eee5ae10256 ("swiotlb: fix slot alignment checks"), causes a functional regression with vsock in a virtual machine using bouncing via a restricted DMA SWIOTLB pool. When virtio allocates the virtqueues for the vsock device using dma_alloc_coherent(), the SWIOTLB search can return page-unaligned allocations if 'area->index' was left unaligned by a previous allocation from the buffer: # Final address in brackets is the SWIOTLB address returned to the caller | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800) This ends badly (typically buffer corruption and/or a hang) because swiotlb_alloc() is expecting a page-aligned allocation and so blindly returns a pointer to the 'struct page' corresponding to the allocation, therefore double-allocating the first half (2KiB slot) of the 4KiB page. Fix the problem by treating the allocation alignment separately to any additional alignment requirements from the device, using the maximum of the two as the stride to search the buffer slots and taking care to ensure a minimum of page-alignment for buffers larger than a page. This also resolves swiotlb allocation failures occuring due to the inclusion of ~PAGE_MASK in 'iotlb_align_mask' for large allocations and resulting in alignment requirements exceeding swiotlb_max_mapping_size().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35814.html
CVE-2024-35814
https://bugzilla.suse.com/1224602
SUSE Bug 1224602

Описание

In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: Use raw spinlock for cgr_lock smp_call_function always runs its callback in hard IRQ context, even on PREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock for cgr_lock to ensure we aren't waiting on a sleeping task. Although this bug has existed for a while, it was not apparent until commit ef2a8d5478b9 ("net: dpaa: Adjust queue depth on rate change") which invokes smp_call_function_single via qman_update_cgr_safe every time a link goes up or down.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35819.html
CVE-2024-35819
https://bugzilla.suse.com/1224683
SUSE Bug 1224683

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: fix a double-free in arfs_create_groups When `in` allocated by kvzalloc fails, arfs_create_groups will free ft->g and return an error. However, arfs_create_table, the only caller of arfs_create_groups, will hold this error and call to mlx5e_destroy_flow_table, in which the ft->g will be freed again.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35835.html
CVE-2024-35835
https://bugzilla.suse.com/1224605
SUSE Bug 1224605

Описание

In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: clear BM pool before initialization Register value persist after booting the kernel using kexec which results in kernel panic. Thus clear the BM pool registers before initialisation to fix the issue.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35837.html
CVE-2024-35837
https://bugzilla.suse.com/1224500
SUSE Bug 1224500

Описание

In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35848.html
CVE-2024-35848
https://bugzilla.suse.com/1224612
SUSE Bug 1224612

Описание

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix memory leak during rehash The rehash delayed work migrates filters from one region to another. This is done by iterating over all chunks (all the filters with the same priority) in the region and in each chunk iterating over all the filters. If the migration fails, the code tries to migrate the filters back to the old region. However, the rollback itself can also fail in which case another migration will be erroneously performed. Besides the fact that this ping pong is not a very good idea, it also creates a problem. Each virtual chunk references two chunks: The currently used one ('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the first holds the chunk we want to migrate filters to and the second holds the chunk we are migrating filters from. The code currently assumes - but does not verify - that the backup chunk does not exist (NULL) if the currently used chunk does not reference the target region. This assumption breaks when we are trying to rollback a rollback, resulting in the backup chunk being overwritten and leaked [1]. Fix by not rolling back a failed rollback and add a warning to avoid future cases. [1] WARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20 Modules linked in: CPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:parman_destroy+0x17/0x20 [...] Call Trace: <TASK> mlxsw_sp_acl_atcam_region_fini+0x19/0x60 mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0 mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470 process_one_work+0x151/0x370 worker_thread+0x2cb/0x3e0 kthread+0xd0/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30 </TASK>

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35853.html
CVE-2024-35853
https://bugzilla.suse.com/1224604
SUSE Bug 1224604

Описание

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update The rule activity update delayed work periodically traverses the list of configured rules and queries their activity from the device. As part of this task it accesses the entry pointed by 'ventry->entry', but this entry can be changed concurrently by the rehash delayed work, leading to a use-after-free [1]. Fix by closing the race and perform the activity query under the 'vregion->lock' mutex. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140 Read of size 8 at addr ffff8881054ed808 by task kworker/0:18/181 CPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140 mlxsw_sp_acl_rule_activity_update_work+0x219/0x400 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1039: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc+0x19c/0x360 mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 Freed by task 1039: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x14/0x30 kfree+0xc1/0x290 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35855.html
CVE-2024-35855
https://bugzilla.suse.com/1224694
SUSE Bug 1224694

Описание

In the Linux kernel, the following vulnerability has been resolved: icmp: prevent possible NULL dereferences from icmp_build_probe() First problem is a double call to __in_dev_get_rcu(), because the second one could return NULL. if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list) Second problem is a read from dev->ip6_ptr with no NULL check: if (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list)) Use the correct RCU API to fix these. v2: add missing include <net/addrconf.h>

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35857.html
CVE-2024-35857
https://bugzilla.suse.com/1224619
SUSE Bug 1224619

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35861.html
CVE-2024-35861
https://bugzilla.suse.com/1224766
SUSE Bug 1224766
https://bugzilla.suse.com/1225312
SUSE Bug 1225312

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_network_name_deleted() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35862.html
CVE-2024-35862
https://bugzilla.suse.com/1224764
SUSE Bug 1224764
https://bugzilla.suse.com/1225311
SUSE Bug 1225311

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35864.html
CVE-2024-35864
https://bugzilla.suse.com/1224765
SUSE Bug 1224765
https://bugzilla.suse.com/1225309
SUSE Bug 1225309

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: guarantee refcounted children from parent session Avoid potential use-after-free bugs when walking DFS referrals, mounting and performing DFS failover by ensuring that all children from parent @tcon->ses are also refcounted. They're all needed across the entire DFS mount. Get rid of @tcon->dfs_ses_list while we're at it, too.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35869.html
CVE-2024-35869
https://bugzilla.suse.com/1224679
SUSE Bug 1224679
https://bugzilla.suse.com/1226328
SUSE Bug 1226328

Описание

In the Linux kernel, the following vulnerability has been resolved: of: module: prevent NULL pointer dereference in vsnprintf() In of_modalias(), we can get passed the str and len parameters which would cause a kernel oops in vsnprintf() since it only allows passing a NULL ptr when the length is also 0. Also, we need to filter out the negative values of the len parameter as these will result in a really huge buffer since snprintf() takes size_t parameter while ours is ssize_t... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35878.html
CVE-2024-35878
https://bugzilla.suse.com/1224671
SUSE Bug 1224671

Описание

In the Linux kernel, the following vulnerability has been resolved: udp: do not accept non-tunnel GSO skbs landing in a tunnel When rx-udp-gro-forwarding is enabled UDP packets might be GROed when being forwarded. If such packets might land in a tunnel this can cause various issues and udp_gro_receive makes sure this isn't the case by looking for a matching socket. This is performed in udp4/6_gro_lookup_skb but only in the current netns. This is an issue with tunneled packets when the endpoint is in another netns. In such cases the packets will be GROed at the UDP level, which leads to various issues later on. The same thing can happen with rx-gro-list. We saw this with geneve packets being GROed at the UDP level. In such case gso_size is set; later the packet goes through the geneve rx path, the geneve header is pulled, the offset are adjusted and frag_list skbs are not adjusted with regard to geneve. When those skbs hit skb_fragment, it will misbehave. Different outcomes are possible depending on what the GROed skbs look like; from corrupted packets to kernel crashes. One example is a BUG_ON[1] triggered in skb_segment while processing the frag_list. Because gso_size is wrong (geneve header was pulled) skb_segment thinks there is "geneve header size" of data in frag_list, although it's in fact the next packet. The BUG_ON itself has nothing to do with the issue. This is only one of the potential issues. Looking up for a matching socket in udp_gro_receive is fragile: the lookup could be extended to all netns (not speaking about performances) but nothing prevents those packets from being modified in between and we could still not find a matching socket. It's OK to keep the current logic there as it should cover most cases but we also need to make sure we handle tunnel packets being GROed too early. This is done by extending the checks in udp_unexpected_gso: GSO packets lacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must be segmented. [1] kernel BUG at net/core/skbuff.c:4408! RIP: 0010:skb_segment+0xd2a/0xf70 __udp_gso_segment+0xaa/0x560

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35884.html
CVE-2024-35884
https://bugzilla.suse.com/1224520
SUSE Bug 1224520

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix infinite recursion in fib6_dump_done(). syzkaller reported infinite recursive calls of fib6_dump_done() during netlink socket destruction. [1] From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then the response was generated. The following recvmmsg() resumed the dump for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due to the fault injection. [0] 12:01:34 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, ... snip ...) recvmmsg(r0, ... snip ...) (fail_nth: 8) Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call of inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped receiving the response halfway through, and finally netlink_sock_destruct() called nlk_sk(sk)->cb.done(). fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it is still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling itself recursively and hitting the stack guard page. To avoid the issue, let's set the destructor after kzalloc(). [0]: FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117) should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153) should_failslab (mm/slub.c:3733) kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992) inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662) rtnl_dump_all (net/core/rtnetlink.c:4029) netlink_dump (net/netlink/af_netlink.c:2269) netlink_recvmsg (net/netlink/af_netlink.c:1988) ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801) ___sys_recvmsg (net/socket.c:2846) do_recvmmsg (net/socket.c:2943) __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034) [1]: BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb) stack guard page: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: events netlink_sock_destruct_work RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570) Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc9000d980000 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3 RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358 RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000 R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68 FS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <#DF> </#DF> <TASK> fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) ... fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) netlink_sock_destruct (net/netlink/af_netlink.c:401) __sk_destruct (net/core/sock.c:2177 (discriminator 2)) sk_destruct (net/core/sock.c:2224) __sk_free (net/core/sock.c:2235) sk_free (net/core/sock.c:2246) process_one_work (kernel/workqueue.c:3259) worker_thread (kernel/workqueue.c:3329 kernel/workqueue. ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35886.html
CVE-2024-35886
https://bugzilla.suse.com/1224670
SUSE Bug 1224670

Описание

In the Linux kernel, the following vulnerability has been resolved: idpf: fix kernel panic on unknown packet types In the very rare case where a packet type is unknown to the driver, idpf_rx_process_skb_fields would return early without calling eth_type_trans to set the skb protocol / the network layer handler. This is especially problematic if tcpdump is running when such a packet is received, i.e. it would cause a kernel panic. Instead, call eth_type_trans for every single packet, even when the packet type is unknown.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35889.html
CVE-2024-35889
https://bugzilla.suse.com/1224517
SUSE Bug 1224517

Описание

In the Linux kernel, the following vulnerability has been resolved: gro: fix ownership transfer If packets are GROed with fraglist they might be segmented later on and continue their journey in the stack. In skb_segment_list those skbs can be reused as-is. This is an issue as their destructor was removed in skb_gro_receive_list but not the reference to their socket, and then they can't be orphaned. Fix this by also removing the reference to the socket. For example this could be observed, kernel BUG at include/linux/skbuff.h:3131! (skb_orphan) RIP: 0010:ip6_rcv_core+0x11bc/0x19a0 Call Trace: ipv6_list_rcv+0x250/0x3f0 __netif_receive_skb_list_core+0x49d/0x8f0 netif_receive_skb_list_internal+0x634/0xd40 napi_complete_done+0x1d2/0x7d0 gro_cell_poll+0x118/0x1f0 A similar construction is found in skb_gro_receive, apply the same change there.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35890.html
CVE-2024-35890
https://bugzilla.suse.com/1224516
SUSE Bug 1224516

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: act_skbmod: prevent kernel-infoleak syzbot found that tcf_skbmod_dump() was copying four bytes from kernel stack to user space [1]. The issue here is that 'struct tc_skbmod' has a four bytes hole. We need to clear the structure before filling fields. [1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 copy_to_iter include/linux/uio.h:196 [inline] simple_copy_to_iter net/core/datagram.c:532 [inline] __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546 skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline] netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x2c4/0x340 net/socket.c:1068 __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242 __do_sys_recvfrom net/socket.c:2260 [inline] __se_sys_recvfrom net/socket.c:2256 [inline] __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was stored to memory at: pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253 netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317 netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351 nlmsg_unicast include/net/netlink.h:1144 [inline] nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610 rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741 rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline] tcf_add_notify net/sched/act_api.c:2048 [inline] tcf_action_add net/sched/act_api.c:2071 [inline] tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361 netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was stored to memory at: __nla_put lib/nlattr.c:1041 [inline] nla_put+0x1c6/0x230 lib/nlattr.c:1099 tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256 tcf_action_dump_old net/sched/act_api.c:1191 [inline] tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227 tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251 tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628 tcf_add_notify_msg net/sched/act_api.c:2023 [inline] tcf_add_notify net/sched/act_api.c:2042 [inline] tcf_action_add net/sched/act_api.c:2071 [inline] tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netli ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35893.html
CVE-2024-35893
https://bugzilla.suse.com/1224512
SUSE Bug 1224512

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: validate user input for expected length I got multiple syzbot reports showing old bugs exposed by BPF after commit 20f2505fb436 ("bpf: Try to avoid kzalloc in cgroup/{s,g}etsockopt") setsockopt() @optlen argument should be taken into account before copying data. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline] BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627 Read of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238 CPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] copy_from_sockptr include/linux/sockptr.h:55 [inline] do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline] do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627 nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101 do_sock_setsockopt+0x3af/0x720 net/socket.c:2311 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x72/0x7a RIP: 0033:0x7fd22067dde9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9 RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000 R10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8 </TASK> Allocated by task 7238: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slub.c:4069 [inline] __kmalloc_noprof+0x200/0x410 mm/slub.c:4082 kmalloc_noprof include/linux/slab.h:664 [inline] __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869 do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x72/0x7a The buggy address belongs to the object at ffff88802cd73da0 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 0 bytes inside of allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73 flags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff) page_type: 0xffffefff(slab) raw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122 raw: ffff88802cd73020 000000008080007f 00000001ffffefff 00 ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35896.html
CVE-2024-35896
https://bugzilla.suse.com/1224662
SUSE Bug 1224662

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can concurrent with __nft_flowtable_type_get() within nf_tables_newflowtable(). And thhere is not any protection when iterate over nf_tables_flowtables list in __nft_flowtable_type_get(). Therefore, there is pertential data-race of nf_tables_flowtables list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_flowtables list in __nft_flowtable_type_get(), and use rcu_read_lock() in the caller nft_flowtable_type_get() to protect the entire type query process.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35898.html
CVE-2024-35898
https://bugzilla.suse.com/1224498
SUSE Bug 1224498

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: flush pending destroy work before exit_net release Similar to 2c9f0293280e ("netfilter: nf_tables: flush pending destroy work before netlink notifier") to address a race between exit_net and the destroy workqueue. The trace below shows an element to be released via destroy workqueue while exit_net path (triggered via module removal) has already released the set that is used in such transaction. [ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465 [ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359 [ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables] [ 1360.547984] Call Trace: [ 1360.547991] <TASK> [ 1360.547998] dump_stack_lvl+0x53/0x70 [ 1360.548014] print_report+0xc4/0x610 [ 1360.548026] ? __virt_addr_valid+0xba/0x160 [ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.548176] kasan_report+0xae/0xe0 [ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables] [ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30 [ 1360.548591] process_one_work+0x2f1/0x670 [ 1360.548610] worker_thread+0x4d3/0x760 [ 1360.548627] ? __pfx_worker_thread+0x10/0x10 [ 1360.548640] kthread+0x16b/0x1b0 [ 1360.548653] ? __pfx_kthread+0x10/0x10 [ 1360.548665] ret_from_fork+0x2f/0x50 [ 1360.548679] ? __pfx_kthread+0x10/0x10 [ 1360.548690] ret_from_fork_asm+0x1a/0x30 [ 1360.548707] </TASK> [ 1360.548719] Allocated by task 192061: [ 1360.548726] kasan_save_stack+0x20/0x40 [ 1360.548739] kasan_save_track+0x14/0x30 [ 1360.548750] __kasan_kmalloc+0x8f/0xa0 [ 1360.548760] __kmalloc_node+0x1f1/0x450 [ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables] [ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink] [ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink] [ 1360.548927] netlink_unicast+0x367/0x4f0 [ 1360.548935] netlink_sendmsg+0x34b/0x610 [ 1360.548944] ____sys_sendmsg+0x4d4/0x510 [ 1360.548953] ___sys_sendmsg+0xc9/0x120 [ 1360.548961] __sys_sendmsg+0xbe/0x140 [ 1360.548971] do_syscall_64+0x55/0x120 [ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d [ 1360.548994] Freed by task 192222: [ 1360.548999] kasan_save_stack+0x20/0x40 [ 1360.549009] kasan_save_track+0x14/0x30 [ 1360.549019] kasan_save_free_info+0x3b/0x60 [ 1360.549028] poison_slab_object+0x100/0x180 [ 1360.549036] __kasan_slab_free+0x14/0x30 [ 1360.549042] kfree+0xb6/0x260 [ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables] [ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables] [ 1360.549221] ops_exit_list+0x50/0xa0 [ 1360.549229] free_exit_list+0x101/0x140 [ 1360.549236] unregister_pernet_operations+0x107/0x160 [ 1360.549245] unregister_pernet_subsys+0x1c/0x30 [ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables] [ 1360.549345] __do_sys_delete_module+0x253/0x370 [ 1360.549352] do_syscall_64+0x55/0x120 [ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d (gdb) list *__nft_release_table+0x473 0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354). 11349 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 11350 list_del(&flowtable->list); 11351 nft_use_dec(&table->use); 11352 nf_tables_flowtable_destroy(flowtable); 11353 } 11354 list_for_each_entry_safe(set, ns, &table->sets, list) { 11355 list_del(&set->list); 11356 nft_use_dec(&table->use); 11357 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 11358 nft_map_deactivat ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35899.html
CVE-2024-35899
https://bugzilla.suse.com/1224499
SUSE Bug 1224499

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: reject new basechain after table flag update When dormant flag is toggled, hooks are disabled in the commit phase by iterating over current chains in table (existing and new). The following configuration allows for an inconsistent state: add table x add chain x y { type filter hook input priority 0; } add table x { flags dormant; } add chain x w { type filter hook input priority 1; } which triggers the following warning when trying to unregister chain w which is already unregistered. [ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260 [...] [ 127.322519] Call Trace: [ 127.322521] <TASK> [ 127.322524] ? __warn+0x9f/0x1a0 [ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260 [ 127.322537] ? report_bug+0x1b1/0x1e0 [ 127.322545] ? handle_bug+0x3c/0x70 [ 127.322552] ? exc_invalid_op+0x17/0x40 [ 127.322556] ? asm_exc_invalid_op+0x1a/0x20 [ 127.322563] ? kasan_save_free_info+0x3b/0x60 [ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260 [ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260 [ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260 [ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables] [ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables] [ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables]

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35900.html
CVE-2024-35900
https://bugzilla.suse.com/1224497
SUSE Bug 1224497

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Protect against int overflow for stack access size This patch re-introduces protection against the size of access to stack memory being negative; the access size can appear negative as a result of overflowing its signed int representation. This should not actually happen, as there are other protections along the way, but we should protect against it anyway. One code path was missing such protections (fixed in the previous patch in the series), causing out-of-bounds array accesses in check_stack_range_initialized(). This patch causes the verification of a program with such a non-sensical access size to fail. This check used to exist in a more indirect way, but was inadvertendly removed in a833a17aeac7.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35905.html
CVE-2024-35905
https://bugzilla.suse.com/1224488
SUSE Bug 1224488
https://bugzilla.suse.com/1226327
SUSE Bug 1226327

Описание

In the Linux kernel, the following vulnerability has been resolved: block: prevent division by zero in blk_rq_stat_sum() The expression dst->nr_samples + src->nr_samples may have zero value on overflow. It is necessary to add a check to avoid division by zero. Found by Linux Verification Center (linuxtesting.org) with Svace.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35925.html
CVE-2024-35925
https://bugzilla.suse.com/1224661
SUSE Bug 1224661

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list() Many syzbot reports show extreme rtnl pressure, and many of them hint that smc acquires rtnl in netns creation for no good reason [1] This patch returns early from smc_pnet_net_init() if there is no netdevice yet. I am not even sure why smc_pnet_create_pnetids_list() even exists, because smc_pnet_netdev_event() is also calling smc_pnet_add_base_pnetid() when handling NETDEV_UP event. [1] extract of typical syzbot reports 2 locks held by syz-executor.3/12252: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.4/12253: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.1/12257: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.2/12261: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.0/12265: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.3/12268: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.4/12271: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.1/12274: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.2/12280: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35934.html
CVE-2024-35934
https://bugzilla.suse.com/1224641
SUSE Bug 1224641

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: make sure that WRITTEN is set on all metadata blocks We previously would call btrfs_check_leaf() if we had the check integrity code enabled, which meant that we could only run the extended leaf checks if we had WRITTEN set on the header flags. This leaves a gap in our checking, because we could end up with corruption on disk where WRITTEN isn't set on the leaf, and then the extended leaf checks don't get run which we rely on to validate all of the item pointers to make sure we don't access memory outside of the extent buffer. However, since 732fab95abe2 ("btrfs: check-integrity: remove CONFIG_BTRFS_FS_CHECK_INTEGRITY option") we no longer call btrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only ever call it on blocks that are being written out, and thus have WRITTEN set, or that are being read in, which should have WRITTEN set. Add checks to make sure we have WRITTEN set appropriately, and then make sure __btrfs_check_leaf() always does the item checking. This will protect us from file systems that have been corrupted and no longer have WRITTEN set on some of the blocks. This was hit on a crafted image tweaking the WRITTEN bit and reported by KASAN as out-of-bound access in the eb accessors. The example is a dir item at the end of an eb. [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2 [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f] [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1 [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0 [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206 [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0 [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748 [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9 [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8 [2.621] FS: 00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000 [2.621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0 [2.621] Call Trace: [2.621] <TASK> [2.621] ? show_regs+0x74/0x80 [2.621] ? die_addr+0x46/0xc0 [2.621] ? exc_general_protection+0x161/0x2a0 [2.621] ? asm_exc_general_protection+0x26/0x30 [2.621] ? btrfs_get_16+0x33a/0x6d0 [2.621] ? btrfs_get_16+0x34b/0x6d0 [2.621] ? btrfs_get_16+0x33a/0x6d0 [2.621] ? __pfx_btrfs_get_16+0x10/0x10 [2.621] ? __pfx_mutex_unlock+0x10/0x10 [2.621] btrfs_match_dir_item_name+0x101/0x1a0 [2.621] btrfs_lookup_dir_item+0x1f3/0x280 [2.621] ? __pfx_btrfs_lookup_dir_item+0x10/0x10 [2.621] btrfs_get_tree+0xd25/0x1910 [ copy more details from report ]

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35949.html
CVE-2024-35949
https://bugzilla.suse.com/1224700
SUSE Bug 1224700
https://bugzilla.suse.com/1229273
SUSE Bug 1229273

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/client: Fully protect modes[] with dev->mode_config.mutex The modes[] array contains pointers to modes on the connectors' mode lists, which are protected by dev->mode_config.mutex. Thus we need to extend modes[] the same protection or by the time we use it the elements may already be pointing to freed/reused memory.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35950.html
CVE-2024-35950
https://bugzilla.suse.com/1224703
SUSE Bug 1224703
https://bugzilla.suse.com/1225310
SUSE Bug 1225310

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations Create subvolume, create snapshot and delete subvolume all use btrfs_subvolume_reserve_metadata() to reserve metadata for the changes done to the parent subvolume's fs tree, which cannot be mediated in the normal way via start_transaction. When quota groups (squota or qgroups) are enabled, this reserves qgroup metadata of type PREALLOC. Once the operation is associated to a transaction, we convert PREALLOC to PERTRANS, which gets cleared in bulk at the end of the transaction. However, the error paths of these three operations were not implementing this lifecycle correctly. They unconditionally converted the PREALLOC to PERTRANS in a generic cleanup step regardless of errors or whether the operation was fully associated to a transaction or not. This resulted in error paths occasionally converting this rsv to PERTRANS without calling record_root_in_trans successfully, which meant that unless that root got recorded in the transaction by some other thread, the end of the transaction would not free that root's PERTRANS, leaking it. Ultimately, this resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount for the leaked reservation. The fix is to ensure that every qgroup PREALLOC reservation observes the following properties: 1. any failure before record_root_in_trans is called successfully results in freeing the PREALLOC reservation. 2. after record_root_in_trans, we convert to PERTRANS, and now the transaction owns freeing the reservation. This patch enforces those properties on the three operations. Without it, generic/269 with squotas enabled at mkfs time would fail in ~5-10 runs on my system. With this patch, it ran successfully 1000 times in a row.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35956.html
CVE-2024-35956
https://bugzilla.suse.com/1224674
SUSE Bug 1224674

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ena: Fix incorrect descriptor free behavior ENA has two types of TX queues: - queues which only process TX packets arriving from the network stack - queues which only process TX packets forwarded to it by XDP_REDIRECT or XDP_TX instructions The ena_free_tx_bufs() cycles through all descriptors in a TX queue and unmaps + frees every descriptor that hasn't been acknowledged yet by the device (uncompleted TX transactions). The function assumes that the processed TX queue is necessarily from the first category listed above and ends up using napi_consume_skb() for descriptors belonging to an XDP specific queue. This patch solves a bug in which, in case of a VF reset, the descriptors aren't freed correctly, leading to crashes.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35958.html
CVE-2024-35958
https://bugzilla.suse.com/1224677
SUSE Bug 1224677

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Properly link new fs rules into the tree Previously, add_rule_fg would only add newly created rules from the handle into the tree when they had a refcount of 1. On the other hand, create_flow_handle tries hard to find and reference already existing identical rules instead of creating new ones. These two behaviors can result in a situation where create_flow_handle 1) creates a new rule and references it, then 2) in a subsequent step during the same handle creation references it again, resulting in a rule with a refcount of 2 that is not linked into the tree, will have a NULL parent and root and will result in a crash when the flow group is deleted because del_sw_hw_rule, invoked on rule deletion, assumes node->parent is != NULL. This happened in the wild, due to another bug related to incorrect handling of duplicate pkt_reformat ids, which lead to the code in create_flow_handle incorrectly referencing a just-added rule in the same flow handle, resulting in the problem described above. Full details are at [1]. This patch changes add_rule_fg to add new rules without parents into the tree, properly initializing them and avoiding the crash. This makes it more consistent with how rules are added to an FTE in create_flow_handle.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35960.html
CVE-2024-35960
https://bugzilla.suse.com/1224588
SUSE Bug 1224588

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Register devlink first under devlink lock In case device is having a non fatal FW error during probe, the driver will report the error to user via devlink. This will trigger a WARN_ON, since mlx5 is calling devlink_register() last. In order to avoid the WARN_ON[1], change mlx5 to invoke devl_register() first under devlink lock. [1] WARNING: CPU: 5 PID: 227 at net/devlink/health.c:483 devlink_recover_notify.constprop.0+0xb8/0xc0 CPU: 5 PID: 227 Comm: kworker/u16:3 Not tainted 6.4.0-rc5_for_upstream_min_debug_2023_06_12_12_38 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5_health0000:08:00.0 mlx5_fw_reporter_err_work [mlx5_core] RIP: 0010:devlink_recover_notify.constprop.0+0xb8/0xc0 Call Trace: <TASK> ? __warn+0x79/0x120 ? devlink_recover_notify.constprop.0+0xb8/0xc0 ? report_bug+0x17c/0x190 ? handle_bug+0x3c/0x60 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? devlink_recover_notify.constprop.0+0xb8/0xc0 devlink_health_report+0x4a/0x1c0 mlx5_fw_reporter_err_work+0xa4/0xd0 [mlx5_core] process_one_work+0x1bb/0x3c0 ? process_one_work+0x3c0/0x3c0 worker_thread+0x4d/0x3c0 ? process_one_work+0x3c0/0x3c0 kthread+0xc6/0xf0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 </TASK>

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35961.html
CVE-2024-35961
https://bugzilla.suse.com/1224585
SUSE Bug 1224585

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: complete validation of user input In my recent commit, I missed that do_replace() handlers use copy_from_sockptr() (which I fixed), followed by unsafe copy_from_sockptr_offset() calls. In all functions, we can perform the @optlen validation before even calling xt_alloc_table_info() with the following check: if ((u64)optlen < (u64)tmp.size + sizeof(tmp)) return -EINVAL;

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35962.html
CVE-2024-35962
https://bugzilla.suse.com/1224583
SUSE Bug 1224583

Описание

In the Linux kernel, the following vulnerability has been resolved: raid1: fix use-after-free for original bio in raid1_write_request() r1_bio->bios[] is used to record new bios that will be issued to underlying disks, however, in raid1_write_request(), r1_bio->bios[] will set to the original bio temporarily. Meanwhile, if blocked rdev is set, free_r1bio() will be called causing that all r1_bio->bios[] to be freed: raid1_write_request() r1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL for (i = 0; i < disks; i++) -> for each rdev in conf // first rdev is normal r1_bio->bios[0] = bio; -> set to original bio // second rdev is blocked if (test_bit(Blocked, &rdev->flags)) break if (blocked_rdev) free_r1bio() put_all_bios() bio_put(r1_bio->bios[0]) -> original bio is freed Test scripts: mdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean fio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \ -iodepth=128 -name=test -direct=1 echo blocked > /sys/block/md0/md/rd2/state Test result: BUG bio-264 (Not tainted): Object already free ----------------------------------------------------------------------------- Allocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869 kmem_cache_alloc+0x324/0x480 mempool_alloc_slab+0x24/0x50 mempool_alloc+0x6e/0x220 bio_alloc_bioset+0x1af/0x4d0 blkdev_direct_IO+0x164/0x8a0 blkdev_write_iter+0x309/0x440 aio_write+0x139/0x2f0 io_submit_one+0x5ca/0xb70 __do_sys_io_submit+0x86/0x270 __x64_sys_io_submit+0x22/0x30 do_syscall_64+0xb1/0x210 entry_SYSCALL_64_after_hwframe+0x6c/0x74 Freed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869 kmem_cache_free+0x28c/0x550 mempool_free_slab+0x1f/0x30 mempool_free+0x40/0x100 bio_free+0x59/0x80 bio_put+0xf0/0x220 free_r1bio+0x74/0xb0 raid1_make_request+0xadf/0x1150 md_handle_request+0xc7/0x3b0 md_submit_bio+0x76/0x130 __submit_bio+0xd8/0x1d0 submit_bio_noacct_nocheck+0x1eb/0x5c0 submit_bio_noacct+0x169/0xd40 submit_bio+0xee/0x1d0 blkdev_direct_IO+0x322/0x8a0 blkdev_write_iter+0x309/0x440 aio_write+0x139/0x2f0 Since that bios for underlying disks are not allocated yet, fix this problem by using mempool_free() directly to free the r1_bio.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35979.html
CVE-2024-35979
https://bugzilla.suse.com/1224572
SUSE Bug 1224572

Описание

In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Use access_width over bit_width for system memory accesses To align with ACPI 6.3+, since bit_width can be any 8-bit value, it cannot be depended on to be always on a clean 8b boundary. This was uncovered on the Cobalt 100 platform. SError Interrupt on CPU26, code 0xbe000011 -- SError CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1 Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--) pc : cppc_get_perf_caps+0xec/0x410 lr : cppc_get_perf_caps+0xe8/0x410 sp : ffff8000155ab730 x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078 x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000 x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008 x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006 x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028 x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000 Kernel panic - not syncing: Asynchronous SError Interrupt CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1 Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION Call trace: dump_backtrace+0x0/0x1e0 show_stack+0x24/0x30 dump_stack_lvl+0x8c/0xb8 dump_stack+0x18/0x34 panic+0x16c/0x384 add_taint+0x0/0xc0 arm64_serror_panic+0x7c/0x90 arm64_is_fatal_ras_serror+0x34/0xa4 do_serror+0x50/0x6c el1h_64_error_handler+0x40/0x74 el1h_64_error+0x7c/0x80 cppc_get_perf_caps+0xec/0x410 cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq] cpufreq_online+0x2dc/0xa30 cpufreq_add_dev+0xc0/0xd4 subsys_interface_register+0x134/0x14c cpufreq_register_driver+0x1b0/0x354 cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq] do_one_initcall+0x50/0x250 do_init_module+0x60/0x27c load_module+0x2300/0x2570 __do_sys_finit_module+0xa8/0x114 __arm64_sys_finit_module+0x2c/0x3c invoke_syscall+0x78/0x100 el0_svc_common.constprop.0+0x180/0x1a0 do_el0_svc+0x84/0xa0 el0_svc+0x2c/0xc0 el0t_64_sync_handler+0xa4/0x12c el0t_64_sync+0x1a4/0x1a8 Instead, use access_width to determine the size and use the offset and width to shift and mask the bits to read/write out. Make sure to add a check for system memory since pcc redefines the access_width to subspace id. If access_width is not set, then fall back to using bit_width. [ rjw: Subject and changelog edits, comment adjustments ]

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35995.html
CVE-2024-35995
https://bugzilla.suse.com/1224557
SUSE Bug 1224557

Описание

In the Linux kernel, the following vulnerability has been resolved: HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up The flag I2C_HID_READ_PENDING is used to serialize I2C operations. However, this is not necessary, because I2C core already has its own locking for that. More importantly, this flag can cause a lock-up: if the flag is set in i2c_hid_xfer() and an interrupt happens, the interrupt handler (i2c_hid_irq) will check this flag and return immediately without doing anything, then the interrupt handler will be invoked again in an infinite loop. Since interrupt handler is an RT task, it takes over the CPU and the flag-clearing task never gets scheduled, thus we have a lock-up. Delete this unnecessary flag.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-35997.html
CVE-2024-35997
https://bugzilla.suse.com/1224552
SUSE Bug 1224552

Описание

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix missing hugetlb_lock for resv uncharge There is a recent report on UFFDIO_COPY over hugetlb: https://lore.kernel.org/all/000000000000ee06de0616177560@google.com/ 350: lockdep_assert_held(&hugetlb_lock); Should be an issue in hugetlb but triggered in an userfault context, where it goes into the unlikely path where two threads modifying the resv map together. Mike has a fix in that path for resv uncharge but it looks like the locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd() will update the cgroup pointer, so it requires to be called with the lock held.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36000.html
CVE-2024-36000
https://bugzilla.suse.com/1224548
SUSE Bug 1224548

Описание

In the Linux kernel, the following vulnerability has been resolved: i40e: Do not use WQ_MEM_RECLAIM flag for workqueue Issue reported by customer during SRIOV testing, call trace: When both i40e and the i40iw driver are loaded, a warning in check_flush_dependency is being triggered. This seems to be because of the i40e driver workqueue is allocated with the WQ_MEM_RECLAIM flag, and the i40iw one is not. Similar error was encountered on ice too and it was fixed by removing the flag. Do the same for i40e too. [Feb 9 09:08] ------------[ cut here ]------------ [ +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is flushing !WQ_MEM_RECLAIM infiniband:0x0 [ +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966 check_flush_dependency+0x10b/0x120 [ +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq snd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4 nls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr rfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma intel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core iTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore ioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich intel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad xfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe drm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel libata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror dm_region_hash dm_log dm_mod fuse [ +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not tainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1 [ +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020 [ +0.000001] Workqueue: i40e i40e_service_task [i40e] [ +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120 [ +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48 81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd ff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90 [ +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282 [ +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX: 0000000000000027 [ +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI: ffff94d47f620bc0 [ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000ffff7fff [ +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12: ffff94c5451ea180 [ +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15: ffff94c5f1330ab0 [ +0.000001] FS: 0000000000000000(0000) GS:ffff94d47f600000(0000) knlGS:0000000000000000 [ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4: 00000000007706f0 [ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ +0.000001] PKRU: 55555554 [ +0.000001] Call Trace: [ +0.000001] <TASK> [ +0.000002] ? __warn+0x80/0x130 [ +0.000003] ? check_flush_dependency+0x10b/0x120 [ +0.000002] ? report_bug+0x195/0x1a0 [ +0.000005] ? handle_bug+0x3c/0x70 [ +0.000003] ? exc_invalid_op+0x14/0x70 [ +0.000002] ? asm_exc_invalid_op+0x16/0x20 [ +0.000006] ? check_flush_dependency+0x10b/0x120 [ +0.000002] ? check_flush_dependency+0x10b/0x120 [ +0.000002] __flush_workqueue+0x126/0x3f0 [ +0.000015] ib_cache_cleanup_one+0x1c/0xe0 [ib_core] [ +0.000056] __ib_unregister_device+0x6a/0xb0 [ib_core] [ +0.000023] ib_unregister_device_and_put+0x34/0x50 [ib_core] [ +0.000020] i40iw_close+0x4b/0x90 [irdma] [ +0.000022] i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e] [ +0.000035] i40e_service_task+0x126/0x190 [i40e] [ +0.000024] process_one_work+0x174/0x340 [ +0.000003] worker_th ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36004.html
CVE-2024-36004
https://bugzilla.suse.com/1224545
SUSE Bug 1224545

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: honor table dormant flag from netdev release event path Check for table dormant flag otherwise netdev release event path tries to unregister an already unregistered hook. [524854.857999] ------------[ cut here ]------------ [524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260 [...] [524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365 [524854.858869] Workqueue: netns cleanup_net [524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260 [524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41 [524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246 [524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a [524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438 [524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34 [524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005 [524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00 [524854.858971] FS: 0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [524854.858982] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0 [524854.859000] Call Trace: [524854.859006] <TASK> [524854.859013] ? __warn+0x9f/0x1a0 [524854.859027] ? __nf_unregister_net_hook+0x21a/0x260 [524854.859044] ? report_bug+0x1b1/0x1e0 [524854.859060] ? handle_bug+0x3c/0x70 [524854.859071] ? exc_invalid_op+0x17/0x40 [524854.859083] ? asm_exc_invalid_op+0x1a/0x20 [524854.859100] ? __nf_unregister_net_hook+0x6a/0x260 [524854.859116] ? __nf_unregister_net_hook+0x21a/0x260 [524854.859135] nf_tables_netdev_event+0x337/0x390 [nf_tables] [524854.859304] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables] [524854.859461] ? packet_notifier+0xb3/0x360 [524854.859476] ? _raw_spin_unlock_irqrestore+0x11/0x40 [524854.859489] ? dcbnl_netdevice_event+0x35/0x140 [524854.859507] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables] [524854.859661] notifier_call_chain+0x7d/0x140 [524854.859677] unregister_netdevice_many_notify+0x5e1/0xae0

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36005.html
CVE-2024-36005
https://bugzilla.suse.com/1224539
SUSE Bug 1224539

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv4: check for NULL idev in ip_route_use_hint() syzbot was able to trigger a NULL deref in fib_validate_source() in an old tree [1]. It appears the bug exists in latest trees. All calls to __in_dev_get_rcu() must be checked for a NULL result. [1] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425 Code: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf RSP: 0018:ffffc900015fee40 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0 RDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0 RBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000 R10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000 FS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231 ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327 ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline] ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638 ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673 __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline] __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620 __netif_receive_skb_list net/core/dev.c:5672 [inline] netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764 netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816 xdp_recv_frames net/bpf/test_run.c:257 [inline] xdp_test_run_batch net/bpf/test_run.c:335 [inline] bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363 bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376 bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736 __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115 __do_sys_bpf kernel/bpf/syscall.c:5201 [inline] __se_sys_bpf kernel/bpf/syscall.c:5199 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36008.html
CVE-2024-36008
https://bugzilla.suse.com/1224540
SUSE Bug 1224540

Описание

In the Linux kernel, the following vulnerability has been resolved: rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation Each attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a struct ifla_vf_vlan_info so the size of such attribute needs to be at least of sizeof(struct ifla_vf_vlan_info) which is 14 bytes. The current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes) which is less than sizeof(struct ifla_vf_vlan_info) so this validation is not enough and a too small attribute might be cast to a struct ifla_vf_vlan_info, this might result in an out of bands read access when accessing the saved (casted) entry in ivvl.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36017.html
CVE-2024-36017
https://bugzilla.suse.com/1225681
SUSE Bug 1225681

Описание

In the Linux kernel, the following vulnerability has been resolved: i40e: fix vf may be used uninitialized in this function warning To fix the regression introduced by commit 52424f974bc5, which causes servers hang in very hard to reproduce conditions with resets races. Using two sources for the information is the root cause. In this function before the fix bumping v didn't mean bumping vf pointer. But the code used this variables interchangeably, so stale vf could point to different/not intended vf. Remove redundant "v" variable and iterate via single VF pointer across whole function instead to guarantee VF pointer validity.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36020.html
CVE-2024-36020
https://bugzilla.suse.com/1225698
SUSE Bug 1225698

Описание

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash when devlink reload during pf initialization The devlink reload process will access the hardware resources, but the register operation is done before the hardware is initialized. So, processing the devlink reload during initialization may lead to kernel crash. This patch fixes this by taking devl_lock during initialization.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36021.html
CVE-2024-36021
https://bugzilla.suse.com/1225699
SUSE Bug 1225699

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix off by one in qla_edif_app_getstats() The app_reply->elem[] array is allocated earlier in this function and it has app_req.num_ports elements. Thus this > comparison needs to be >= to prevent memory corruption.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36025.html
CVE-2024-36025
https://bugzilla.suse.com/1225704
SUSE Bug 1225704

Описание

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix loop termination condition in gss_free_in_token_pages() The in_token->pages[] array is not NULL terminated. This results in the following KASAN splat: KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f]

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36288.html
CVE-2024-36288
https://bugzilla.suse.com/1226834
SUSE Bug 1226834

Описание

In the Linux kernel, the following vulnerability has been resolved: tpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer The TPM SPI transfer mechanism uses MAX_SPI_FRAMESIZE for computing the maximum transfer length and the size of the transfer buffer. As such, it does not account for the 4 bytes of header that prepends the SPI data frame. This can result in out-of-bounds accesses and was confirmed with KASAN. Introduce SPI_HDRSIZE to account for the header and use to allocate the transfer buffer.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36477.html
CVE-2024-36477
https://bugzilla.suse.com/1226840
SUSE Bug 1226840

Описание

In the Linux kernel, the following vulnerability has been resolved: null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' Writing 'power' and 'submit_queues' concurrently will trigger kernel panic: Test script: modprobe null_blk nr_devices=0 mkdir -p /sys/kernel/config/nullb/nullb0 while true; do echo 1 > submit_queues; echo 4 > submit_queues; done & while true; do echo 1 > power; echo 0 > power; done Test result: BUG: kernel NULL pointer dereference, address: 0000000000000148 Oops: 0000 [#1] PREEMPT SMP RIP: 0010:__lock_acquire+0x41d/0x28f0 Call Trace: <TASK> lock_acquire+0x121/0x450 down_write+0x5f/0x1d0 simple_recursive_removal+0x12f/0x5c0 blk_mq_debugfs_unregister_hctxs+0x7c/0x100 blk_mq_update_nr_hw_queues+0x4a3/0x720 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_submit_queues_store+0x79/0xf0 [null_blk] configfs_write_iter+0x119/0x1e0 vfs_write+0x326/0x730 ksys_write+0x74/0x150 This is because del_gendisk() can concurrent with blk_mq_update_nr_hw_queues(): nullb_device_power_store nullb_apply_submit_queues null_del_dev del_gendisk nullb_update_nr_hw_queues if (!dev->nullb) // still set while gendisk is deleted return 0 blk_mq_update_nr_hw_queues dev->nullb = NULL Fix this problem by resuing the global mutex to protect nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36478.html
CVE-2024-36478
https://bugzilla.suse.com/1226841
SUSE Bug 1226841

Описание

In the Linux kernel, the following vulnerability has been resolved: fpga: bridge: add owner module and take its refcount The current implementation of the fpga bridge assumes that the low-level module registers a driver for the parent device and uses its owner pointer to take the module's refcount. This approach is problematic since it can lead to a null pointer dereference while attempting to get the bridge if the parent device does not have a driver. To address this problem, add a module owner pointer to the fpga_bridge struct and use it to take the module's refcount. Modify the function for registering a bridge to take an additional owner module parameter and rename it to avoid conflicts. Use the old function name for a helper macro that automatically sets the module that registers the bridge as the owner. This ensures compatibility with existing low-level control modules and reduces the chances of registering a bridge without setting the owner. Also, update the documentation to keep it consistent with the new interface for registering an fpga bridge. Other changes: opportunistically move put_device() from __fpga_bridge_get() to fpga_bridge_get() and of_fpga_bridge_get() to improve code clarity since the bridge device is taken in these functions.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36479.html
CVE-2024-36479
https://bugzilla.suse.com/1226949
SUSE Bug 1226949

Описание

In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure snd_nxt is properly initialized on connect Christoph reported a splat hinting at a corrupted snd_una: WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005 Modules linked in: CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Workqueue: events mptcp_worker RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005 Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8 8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe <0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9 RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4 RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000 R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000 FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0 Call Trace: <TASK> __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline] mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline] __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615 mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767 process_one_work+0x1e0/0x560 kernel/workqueue.c:3254 process_scheduled_works kernel/workqueue.c:3335 [inline] worker_thread+0x3c7/0x640 kernel/workqueue.c:3416 kthread+0x121/0x170 kernel/kthread.c:388 ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 </TASK> When fallback to TCP happens early on a client socket, snd_nxt is not yet initialized and any incoming ack will copy such value into snd_una. If the mptcp worker (dumbly) tries mptcp-level re-injection after such ack, that would unconditionally trigger a send buffer cleanup using 'bad' snd_una values. We could easily disable re-injection for fallback sockets, but such dumb behavior already helped catching a few subtle issues and a very low to zero impact in practice. Instead address the issue always initializing snd_nxt (and write_seq, for consistency) at connect time.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36889.html
CVE-2024-36889
https://bugzilla.suse.com/1225746
SUSE Bug 1225746

Описание

In the Linux kernel, the following vulnerability has been resolved: mm/slab: make __free(kfree) accept error pointers Currently, if an automatically freed allocation is an error pointer that will lead to a crash. An example of this is in wm831x_gpio_dbg_show(). 171 char *label __free(kfree) = gpiochip_dup_line_label(chip, i); 172 if (IS_ERR(label)) { 173 dev_err(wm831x->dev, "Failed to duplicate label\n"); 174 continue; 175 } The auto clean up function should check for error pointers as well, otherwise we're going to keep hitting issues like this.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36890.html
CVE-2024-36890
https://bugzilla.suse.com/1225714
SUSE Bug 1225714

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disconnect. For a DWC3 based implementation, the callstack looks like the following: DWC3 Gadget FFS Application dwc3_gadget_soft_disconnect() ... --> dwc3_stop_active_transfers() --> dwc3_gadget_giveback(-ESHUTDOWN) --> ffs_epfile_async_io_complete() ffs_aio_cancel() --> usb_ep_free_request() --> usb_ep_dequeue() There is currently no locking implemented between the AIO completion handler and AIO cancel, so the issue occurs if the completion routine is running in parallel to an AIO cancel call coming from the FFS application. As the completion call frees the USB request (io_data->req) the FFS application is also referencing it for the usb_ep_dequeue() call. This can lead to accessing a stale/hanging pointer. commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") relocated the usb_ep_free_request() into ffs_epfile_async_io_complete(). However, in order to properly implement locking to mitigate this issue, the spinlock can't be added to ffs_epfile_async_io_complete(), as usb_ep_dequeue() (if successfully dequeuing a USB request) will call the function driver's completion handler in the same context. Hence, leading into a deadlock. Fix this issue by moving the usb_ep_free_request() back to ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req to NULL after freeing it within the ffs->eps_lock. This resolves the race condition above, as the ffs_aio_cancel() routine will not continue attempting to dequeue a request that has already been freed, or the ffs_user_copy_work() not freeing the USB request until the AIO cancel is done referencing it. This fix depends on commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently")

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36894.html
CVE-2024-36894
https://bugzilla.suse.com/1225749
SUSE Bug 1225749
https://bugzilla.suse.com/1226139
SUSE Bug 1226139

Описание

In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: Fix use after free in lineinfo_changed_notify The use-after-free issue occurs as follows: when the GPIO chip device file is being closed by invoking gpio_chrdev_release(), watched_lines is freed by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier chain failed due to waiting write rwsem. Additionally, one of the GPIO chip's lines is also in the release process and holds the notifier chain's read rwsem. Consequently, a race condition leads to the use-after-free of watched_lines. Here is the typical stack when issue happened: [free] gpio_chrdev_release() --> bitmap_free(cdev->watched_lines) <-- freed --> blocking_notifier_chain_unregister() --> down_write(&nh->rwsem) <-- waiting rwsem --> __down_write_common() --> rwsem_down_write_slowpath() --> schedule_preempt_disabled() --> schedule() [use] st54spi_gpio_dev_release() --> gpio_free() --> gpiod_free() --> gpiod_free_commit() --> gpiod_line_state_notify() --> blocking_notifier_call_chain() --> down_read(&nh->rwsem); <-- held rwsem --> notifier_call_chain() --> lineinfo_changed_notify() --> test_bit(xxxx, cdev->watched_lines) <-- use after free The side effect of the use-after-free issue is that a GPIO line event is being generated for userspace where it shouldn't. However, since the chrdev is being closed, userspace won't have the chance to read that event anyway. To fix the issue, call the bitmap_free() function after the unregistration of lineinfo_changed_nb notifier chain.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36899.html
CVE-2024-36899
https://bugzilla.suse.com/1225737
SUSE Bug 1225737
https://bugzilla.suse.com/1225739
SUSE Bug 1225739

Описание

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash when devlink reload during initialization The devlink reload process will access the hardware resources, but the register operation is done before the hardware is initialized. So, processing the devlink reload during initialization may lead to kernel crash. This patch fixes this by registering the devlink after hardware initialization.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36900.html
CVE-2024-36900
https://bugzilla.suse.com/1225726
SUSE Bug 1225726

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36901.html
CVE-2024-36901
https://bugzilla.suse.com/1225711
SUSE Bug 1225711

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() syzbot is able to trigger the following crash [1], caused by unsafe ip6_dst_idev() use. Indeed ip6_dst_idev() can return NULL, and must always be checked. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline] RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267 Code: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c RSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700 RDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760 RBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd R10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000 R13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00 FS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317 fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108 ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline] ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649 ip6_route_output include/net/ip6_route.h:93 [inline] ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120 ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250 sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326 sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455 sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662 sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099 __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36902.html
CVE-2024-36902
https://bugzilla.suse.com/1225719
SUSE Bug 1225719

Описание

In the Linux kernel, the following vulnerability has been resolved: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique(). Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique() with nice analysis. Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation for timewait hashdance"), inet_twsk_hashdance() sets TIME-WAIT socket's sk_refcnt after putting it into ehash and releasing the bucket lock. Thus, there is a small race window where other threads could try to reuse the port during connect() and call sock_hold() in tcp_twsk_unique() for the TIME-WAIT socket with zero refcnt. If that happens, the refcnt taken by tcp_twsk_unique() is overwritten and sock_put() will cause underflow, triggering a real use-after-free somewhere else. To avoid the use-after-free, we need to use refcount_inc_not_zero() in tcp_twsk_unique() and give up on reusing the port if it returns false. [0]: refcount_t: addition on 0; use-after-free. WARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110 CPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1 Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023 RIP: 0010:refcount_warn_saturate+0xe5/0x110 Code: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8 RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027 RDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0 RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0 R10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84 R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0 FS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0 PKRU: 55555554 Call Trace: <TASK> ? refcount_warn_saturate+0xe5/0x110 ? __warn+0x81/0x130 ? refcount_warn_saturate+0xe5/0x110 ? report_bug+0x171/0x1a0 ? refcount_warn_saturate+0xe5/0x110 ? handle_bug+0x3c/0x80 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? refcount_warn_saturate+0xe5/0x110 tcp_twsk_unique+0x186/0x190 __inet_check_established+0x176/0x2d0 __inet_hash_connect+0x74/0x7d0 ? __pfx___inet_check_established+0x10/0x10 tcp_v4_connect+0x278/0x530 __inet_stream_connect+0x10f/0x3d0 inet_stream_connect+0x3a/0x60 __sys_connect+0xa8/0xd0 __x64_sys_connect+0x18/0x20 do_syscall_64+0x83/0x170 entry_SYSCALL_64_after_hwframe+0x78/0x80 RIP: 0033:0x7f62c11a885d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d RDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003 RBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0 R13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0 </TASK>

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36904.html
CVE-2024-36904
https://bugzilla.suse.com/1225732
SUSE Bug 1225732
https://bugzilla.suse.com/1225733
SUSE Bug 1225733

Описание

In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. The VMBus ring buffer code could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the struct vmbus_gpadl for the ring buffers to decide whether to free the memory.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36909.html
CVE-2024-36909
https://bugzilla.suse.com/1225744
SUSE Bug 1225744

Описание

In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Don't free decrypted memory In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. The VMBus device UIO driver could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the gpadl to decide whether to free the memory.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36910.html
CVE-2024-36910
https://bugzilla.suse.com/1225717
SUSE Bug 1225717

Описание

In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Don't free decrypted memory In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. The netvsc driver could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the gpadl to decide whether to free the memory.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36911.html
CVE-2024-36911
https://bugzilla.suse.com/1225745
SUSE Bug 1225745

Описание

In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Track decrypted status in vmbus_gpadl In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. In order to make sure callers of vmbus_establish_gpadl() and vmbus_teardown_gpadl() don't return decrypted/shared pages to allocators, add a field in struct vmbus_gpadl to keep track of the decryption status of the buffers. This will allow the callers to know if they should free or leak the pages.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36912.html
CVE-2024-36912
https://bugzilla.suse.com/1225752
SUSE Bug 1225752

Описание

In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. VMBus code could free decrypted pages if set_memory_encrypted()/decrypted() fails. Leak the pages if this happens.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36913.html
CVE-2024-36913
https://bugzilla.suse.com/1225753
SUSE Bug 1225753

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip on writeback when it's not applicable [WHY] dynamic memory safety error detector (KASAN) catches and generates error messages "BUG: KASAN: slab-out-of-bounds" as writeback connector does not support certain features which are not initialized. [HOW] Skip them when connector type is DRM_MODE_CONNECTOR_WRITEBACK.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36914.html
CVE-2024-36914
https://bugzilla.suse.com/1225757
SUSE Bug 1225757

Описание

In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies syzbot reported unsafe calls to copy_from_sockptr() [1] Use copy_safe_from_sockptr() instead. [1] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255 Read of size 4 at addr ffff88801caa1ec3 by task syz-executor459/5078 CPU: 0 PID: 5078 Comm: syz-executor459 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] copy_from_sockptr include/linux/sockptr.h:55 [inline] nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255 do_sock_setsockopt+0x3b1/0x720 net/socket.c:2311 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfd/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7f7fac07fd89 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff660eb788 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89 RDX: 0000000000000000 RSI: 0000000000000118 RDI: 0000000000000004 RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000 R10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36915.html
CVE-2024-36915
https://bugzilla.suse.com/1225758
SUSE Bug 1225758

Описание

In the Linux kernel, the following vulnerability has been resolved: blk-iocost: avoid out of bounds shift UBSAN catches undefined behavior in blk-iocost, where sometimes iocg->delay is shifted right by a number that is too large, resulting in undefined behavior on some architectures. [ 186.556576] ------------[ cut here ]------------ UBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23 shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long') CPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1 Hardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020 Call Trace: <IRQ> dump_stack_lvl+0x8f/0xe0 __ubsan_handle_shift_out_of_bounds+0x22c/0x280 iocg_kick_delay+0x30b/0x310 ioc_timer_fn+0x2fb/0x1f80 __run_timer_base+0x1b6/0x250 ... Avoid that undefined behavior by simply taking the "delay = 0" branch if the shift is too large. I am not sure what the symptoms of an undefined value delay will be, but I suspect it could be more than a little annoying to debug.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36916.html
CVE-2024-36916
https://bugzilla.suse.com/1225759
SUSE Bug 1225759

Описание

In the Linux kernel, the following vulnerability has been resolved: block: fix overflow in blk_ioctl_discard() There is no check for overflow of 'start + len' in blk_ioctl_discard(). Hung task occurs if submit an discard ioctl with the following param: start = 0x80000000000ff000, len = 0x8000000000fff000; Add the overflow validation now.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36917.html
CVE-2024-36917
https://bugzilla.suse.com/1225770
SUSE Bug 1225770

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload The session resources are used by FW and driver when session is offloaded, once session is uploaded these resources are not used. The lock is not required as these fields won't be used any longer. The offload and upload calls are sequential, hence lock is not required. This will suppress following BUG_ON(): [ 449.843143] ------------[ cut here ]------------ [ 449.848302] kernel BUG at mm/vmalloc.c:2727! [ 449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1 Rebooting. [ 449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016 [ 449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc] [ 449.882910] RIP: 0010:vunmap+0x2e/0x30 [ 449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41 [ 449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206 [ 449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005 [ 449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000 [ 449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf [ 449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000 [ 449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0 [ 449.953701] FS: 0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000 [ 449.962732] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0 [ 449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 449.993028] Call Trace: [ 449.995756] __iommu_dma_free+0x96/0x100 [ 450.000139] bnx2fc_free_session_resc+0x67/0x240 [bnx2fc] [ 450.006171] bnx2fc_upload_session+0xce/0x100 [bnx2fc] [ 450.011910] bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc] [ 450.018136] fc_rport_work+0x103/0x5b0 [libfc] [ 450.023103] process_one_work+0x1e8/0x3c0 [ 450.027581] worker_thread+0x50/0x3b0 [ 450.031669] ? rescuer_thread+0x370/0x370 [ 450.036143] kthread+0x149/0x170 [ 450.039744] ? set_kthread_struct+0x40/0x40 [ 450.044411] ret_from_fork+0x22/0x30 [ 450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls [ 450.048497] libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler [ 450.159753] ---[ end trace 712de2c57c64abc8 ]---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36919.html
CVE-2024-36919
https://bugzilla.suse.com/1225767
SUSE Bug 1225767

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/9p: fix uninitialized values during inode evict If an iget fails due to not being able to retrieve information from the server then the inode structure is only partially initialized. When the inode gets evicted, references to uninitialized structures (like fscache cookies) were being made. This patch checks for a bad_inode before doing anything other than clearing the inode from the cache. Since the inode is bad, it shouldn't have any state associated with it that needs to be written back (and there really isn't a way to complete those anyways).

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36923.html
CVE-2024-36923
https://bugzilla.suse.com/1225815
SUSE Bug 1225815

Описание

In the Linux kernel, the following vulnerability has been resolved: bna: ensure the copied buf is NUL terminated Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf. Fix this issue by using memdup_user_nul instead of memdup_user.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36934.html
CVE-2024-36934
https://bugzilla.suse.com/1225760
SUSE Bug 1225760

Описание

In the Linux kernel, the following vulnerability has been resolved: xdp: use flags field to disambiguate broadcast redirect When redirecting a packet using XDP, the bpf_redirect_map() helper will set up the redirect destination information in struct bpf_redirect_info (using the __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect() function will read this information after the XDP program returns and pass the frame on to the right redirect destination. When using the BPF_F_BROADCAST flag to do multicast redirect to a whole map, __bpf_xdp_redirect_map() sets the 'map' pointer in struct bpf_redirect_info to point to the destination map to be broadcast. And xdp_do_redirect() reacts to the value of this map pointer to decide whether it's dealing with a broadcast or a single-value redirect. However, if the destination map is being destroyed before xdp_do_redirect() is called, the map pointer will be cleared out (by bpf_clear_redirect_map()) without waiting for any XDP programs to stop running. This causes xdp_do_redirect() to think that the redirect was to a single target, but the target pointer is also NULL (since broadcast redirects don't have a single target), so this causes a crash when a NULL pointer is passed to dev_map_enqueue(). To fix this, change xdp_do_redirect() to react directly to the presence of the BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info to disambiguate between a single-target and a broadcast redirect. And only read the 'map' pointer if the broadcast flag is set, aborting if that has been cleared out in the meantime. This prevents the crash, while keeping the atomic (cmpxchg-based) clearing of the map pointer itself, and without adding any more checks in the non-broadcast fast path.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36937.html
CVE-2024-36937
https://bugzilla.suse.com/1225834
SUSE Bug 1225834

Описание

In the Linux kernel, the following vulnerability has been resolved: nfs: Handle error of rpc_proc_register() in nfs_net_init(). syzkaller reported a warning [0] triggered while destroying immature netns. rpc_proc_register() was called in init_nfs_fs(), but its error has been ignored since at least the initial commit 1da177e4c3f4 ("Linux-2.6.12-rc2"). Recently, commit d47151b79e32 ("nfs: expose /proc/net/sunrpc/nfs in net namespaces") converted the procfs to per-netns and made the problem more visible. Even when rpc_proc_register() fails, nfs_net_init() could succeed, and thus nfs_net_exit() will be called while destroying the netns. Then, remove_proc_entry() will be called for non-existing proc directory and trigger the warning below. Let's handle the error of rpc_proc_register() properly in nfs_net_init(). [0]: name 'nfs' WARNING: CPU: 1 PID: 1710 at fs/proc/generic.c:711 remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711 Modules linked in: CPU: 1 PID: 1710 Comm: syz-executor.2 Not tainted 6.8.0-12822-gcd51db110a7e #12 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711 Code: 41 5d 41 5e c3 e8 85 09 b5 ff 48 c7 c7 88 58 64 86 e8 09 0e 71 02 e8 74 09 b5 ff 4c 89 e6 48 c7 c7 de 1b 80 84 e8 c5 ad 97 ff <0f> 0b eb b1 e8 5c 09 b5 ff 48 c7 c7 88 58 64 86 e8 e0 0d 71 02 eb RSP: 0018:ffffc9000c6d7ce0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff8880422b8b00 RCX: ffffffff8110503c RDX: ffff888030652f00 RSI: ffffffff81105045 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: ffffffff81bb62cb R12: ffffffff84807ffc R13: ffff88804ad6fcc0 R14: ffffffff84807ffc R15: ffffffff85741ff8 FS: 00007f30cfba8640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff51afe8000 CR3: 000000005a60a005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310 nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438 ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170 setup_net+0x46c/0x660 net/core/net_namespace.c:372 copy_net_ns+0x244/0x590 net/core/net_namespace.c:505 create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228 ksys_unshare+0x342/0x760 kernel/fork.c:3322 __do_sys_unshare kernel/fork.c:3393 [inline] __se_sys_unshare kernel/fork.c:3391 [inline] __x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x46/0x4e RIP: 0033:0x7f30d0febe5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007f30cfba7cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f30d0febe5d RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006c020600 RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 R13: 000000000000000b R14: 00007f30d104c530 R15: 0000000000000000 </TASK>

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36939.html
CVE-2024-36939
https://bugzilla.suse.com/1225838
SUSE Bug 1225838

Описание

In the Linux kernel, the following vulnerability has been resolved: pinctrl: core: delete incorrect free in pinctrl_enable() The "pctldev" struct is allocated in devm_pinctrl_register_and_init(). It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(), so freeing it in pinctrl_enable() will lead to a double free. The devm_pinctrl_dev_release() function frees the pindescs and destroys the mutex as well.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36940.html
CVE-2024-36940
https://bugzilla.suse.com/1225840
SUSE Bug 1225840
https://bugzilla.suse.com/1225841
SUSE Bug 1225841

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix neighbour and rtable leak in smc_ib_find_route() In smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable resolved by ip_route_output_flow() are not released or put before return. It may cause the refcount leak, so fix it.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36945.html
CVE-2024-36945
https://bugzilla.suse.com/1225823
SUSE Bug 1225823

Описание

In the Linux kernel, the following vulnerability has been resolved: phonet: fix rtm_phonet_notify() skb allocation fill_route() stores three components in the skb: - struct rtmsg - RTA_DST (u8) - RTA_OIF (u32) Therefore, rtm_phonet_notify() should use NLMSG_ALIGN(sizeof(struct rtmsg)) + nla_total_size(1) + nla_total_size(4)

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36946.html
CVE-2024-36946
https://bugzilla.suse.com/1225851
SUSE Bug 1225851

Описание

In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: sync all devices to wait all processes being evicted If there are more than one device doing reset in parallel, the first device will call kfd_suspend_all_processes() to evict all processes on all devices, this call takes time to finish. other device will start reset and recover without waiting. if the process has not been evicted before doing recover, it will be restored, then caused page fault.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36949.html
CVE-2024-36949
https://bugzilla.suse.com/1225894
SUSE Bug 1225894

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix invalid reads in fence signaled events Correctly set the length of the drm_event to the size of the structure that's actually used. The length of the drm_event was set to the parent structure instead of to the drm_vmw_event_fence which is supposed to be read. drm_read uses the length parameter to copy the event to the user space thus resuling in oob reads.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36960.html
CVE-2024-36960
https://bugzilla.suse.com/1225872
SUSE Bug 1225872

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/9p: only translate RWX permissions for plain 9P2000 Garbage in plain 9P2000's perm bits is allowed through, which causes it to be able to set (among others) the suid bit. This was presumably not the intent since the unix extended bits are handled explicitly and conditionally on .u.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36964.html
CVE-2024-36964
https://bugzilla.suse.com/1225866
SUSE Bug 1225866
https://bugzilla.suse.com/1226325
SUSE Bug 1226325

Описание

In the Linux kernel, the following vulnerability has been resolved: remoteproc: mediatek: Make sure IPI buffer fits in L2TCM The IPI buffer location is read from the firmware that we load to the System Companion Processor, and it's not granted that both the SRAM (L2TCM) size that is defined in the devicetree node is large enough for that, and while this is especially true for multi-core SCP, it's still useful to check on single-core variants as well. Failing to perform this check may make this driver perform R/W operations out of the L2TCM boundary, resulting (at best) in a kernel panic. To fix that, check that the IPI buffer fits, otherwise return a failure and refuse to boot the relevant SCP core (or the SCP at all, if this is single core).

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36965.html
CVE-2024-36965
https://bugzilla.suse.com/1226149
SUSE Bug 1226149

Описание

In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix memory leak in tpm2_key_encode() 'scratch' is never freed. Fix this by calling kfree() in the success, and in the error case.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36967.html
CVE-2024-36967
https://bugzilla.suse.com/1226131
SUSE Bug 1226131

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix division by zero in setup_dsc_config When slice_height is 0, the division by slice_height in the calculation of the number of slices will cause a division by zero driver crash. This leaves the kernel in a state that requires a reboot. This patch adds a check to avoid the division by zero. The stack trace below is for the 6.8.4 Kernel. I reproduced the issue on a Z16 Gen 2 Lenovo Thinkpad with a Apple Studio Display monitor connected via Thunderbolt. The amdgpu driver crashed with this exception when I rebooted the system with the monitor connected. kernel: ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447) kernel: ? do_trap (arch/x86/kernel/traps.c:113 arch/x86/kernel/traps.c:154) kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu kernel: ? do_error_trap (./arch/x86/include/asm/traps.h:58 arch/x86/kernel/traps.c:175) kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu kernel: ? exc_divide_error (arch/x86/kernel/traps.c:194 (discriminator 2)) kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu kernel: ? asm_exc_divide_error (./arch/x86/include/asm/idtentry.h:548) kernel: ? setup_dsc_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1053) amdgpu kernel: dc_dsc_compute_config (drivers/gpu/drm/amd/amdgpu/../display/dc/dsc/dc_dsc.c:1109) amdgpu After applying this patch, the driver no longer crashes when the monitor is connected and the system is rebooted. I believe this is the same issue reported for 3113.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36969.html
CVE-2024-36969
https://bugzilla.suse.com/1226155
SUSE Bug 1226155

Описание

In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36971.html
CVE-2024-36971
https://bugzilla.suse.com/1226145
SUSE Bug 1226145
https://bugzilla.suse.com/1226324
SUSE Bug 1226324

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP If one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided, taprio_parse_mqprio_opt() must validate it, or userspace can inject arbitrary data to the kernel, the second time taprio_change() is called. First call (with valid attributes) sets dev->num_tc to a non zero value. Second call (with arbitrary mqprio attributes) returns early from taprio_parse_mqprio_opt() and bad things can happen.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36974.html
CVE-2024-36974
https://bugzilla.suse.com/1226519
SUSE Bug 1226519
https://bugzilla.suse.com/1227371
SUSE Bug 1227371

Описание

In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Do not use WARN when encode fails When asn1_encode_sequence() fails, WARN is not the correct solution. 1. asn1_encode_sequence() is not an internal function (located in lib/asn1_encode.c). 2. Location is known, which makes the stack trace useless. 3. Results a crash if panic_on_warn is set. It is also noteworthy that the use of WARN is undocumented, and it should be avoided unless there is a carefully considered rationale to use it. Replace WARN with pr_err, and print the return value instead, which is only useful piece of information.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36975.html
CVE-2024-36975
https://bugzilla.suse.com/1226520
SUSE Bug 1226520

Описание

In the Linux kernel, the following vulnerability has been resolved: net: sched: sch_multiq: fix possible OOB write in multiq_tune() q->bands will be assigned to qopt->bands to execute subsequent code logic after kmalloc. So the old q->bands should not be used in kmalloc. Otherwise, an out-of-bounds write will occur.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-36978.html
CVE-2024-36978
https://bugzilla.suse.com/1226514
SUSE Bug 1226514

Описание

In the Linux kernel, the following vulnerability has been resolved: fpga: manager: add owner module and take its refcount The current implementation of the fpga manager assumes that the low-level module registers a driver for the parent device and uses its owner pointer to take the module's refcount. This approach is problematic since it can lead to a null pointer dereference while attempting to get the manager if the parent device does not have a driver. To address this problem, add a module owner pointer to the fpga_manager struct and use it to take the module's refcount. Modify the functions for registering the manager to take an additional owner module parameter and rename them to avoid conflicts. Use the old function names for helper macros that automatically set the module that registers the manager as the owner. This ensures compatibility with existing low-level control modules and reduces the chances of registering a manager without setting the owner. Also, update the documentation to keep it consistent with the new interface for registering an fpga manager. Other changes: opportunistically move put_device() from __fpga_mgr_get() to fpga_mgr_get() and of_fpga_mgr_get() to improve code clarity since the manager device is taken in these functions.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-37021.html
CVE-2024-37021
https://bugzilla.suse.com/1226950
SUSE Bug 1226950

Описание

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential kernel bug due to lack of writeback flag waiting Destructive writes to a block device on which nilfs2 is mounted can cause a kernel bug in the folio/page writeback start routine or writeback end routine (__folio_start_writeback in the log below): kernel BUG at mm/page-writeback.c:3070! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI ... RIP: 0010:__folio_start_writeback+0xbaa/0x10e0 Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f> 0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00 ... Call Trace: <TASK> nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2] nilfs_segctor_construct+0x181/0x6b0 [nilfs2] nilfs_segctor_thread+0x548/0x11c0 [nilfs2] kthread+0x2f0/0x390 ret_from_fork+0x4b/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> This is because when the log writer starts a writeback for segment summary blocks or a super root block that use the backing device's page cache, it does not wait for the ongoing folio/page writeback, resulting in an inconsistent writeback state. Fix this issue by waiting for ongoing writebacks when putting folios/pages on the backing device into writeback state.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-37078.html
CVE-2024-37078
https://bugzilla.suse.com/1227066
SUSE Bug 1227066

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix crash on racing fsync and size-extending write into prealloc We have been seeing crashes on duplicate keys in btrfs_set_item_key_safe(): BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192) ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.c:2620! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs] With the following stack trace: #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4) #1 btrfs_drop_extents (fs/btrfs/file.c:411:4) #2 log_one_extent (fs/btrfs/tree-log.c:4732:9) #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9) #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9) #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8) #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8) #7 btrfs_sync_file (fs/btrfs/file.c:1933:8) #8 vfs_fsync_range (fs/sync.c:188:9) #9 vfs_fsync (fs/sync.c:202:9) #10 do_fsync (fs/sync.c:212:9) #11 __do_sys_fdatasync (fs/sync.c:225:9) #12 __se_sys_fdatasync (fs/sync.c:223:1) #13 __x64_sys_fdatasync (fs/sync.c:223:1) #14 do_syscall_x64 (arch/x86/entry/common.c:52:14) #15 do_syscall_64 (arch/x86/entry/common.c:83:7) #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121) So we're logging a changed extent from fsync, which is splitting an extent in the log tree. But this split part already exists in the tree, triggering the BUG(). This is the state of the log tree at the time of the crash, dumped with drgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py) to get more details than btrfs_print_leaf() gives us: >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0]["eb"]) leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610 leaf 33439744 flags 0x100000000000000 fs uuid e5bd3946-400c-4223-8923-190ef1f18677 chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 7 transid 9 size 8192 nbytes 8473563889606862198 block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0 sequence 204 flags 0x10(PREALLOC) atime 1716417703.220000000 (2024-05-22 15:41:43) ctime 1716417704.983333333 (2024-05-22 15:41:44) mtime 1716417704.983333333 (2024-05-22 15:41:44) otime 17592186044416.000000000 (559444-03-08 01:40:16) item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13 index 195 namelen 3 name: 193 item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37 location key (0 UNKNOWN.0 0) type XATTR transid 7 data_len 1 name_len 6 name: user.a data a item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53 generation 9 type 1 (regular) extent data disk byte 303144960 nr 12288 extent data offset 0 nr 4096 ram 12288 extent compression 0 (none) item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53 generation 9 type 2 (prealloc) prealloc data disk byte 303144960 nr 12288 prealloc data offset 4096 nr 8192 item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53 generation 9 type 2 (prealloc) prealloc data disk byte 303144960 nr 12288 prealloc data offset 8192 nr 4096 ... So the real problem happened earlier: notice that items 4 (4k-12k) and 5 (8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and item 5 starts at i_size. Here is the state of ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-37354.html
CVE-2024-37354
https://bugzilla.suse.com/1227101
SUSE Bug 1227101

Описание

In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix uninit-value in nci_rx_work syzbot reported the following uninit-value access issue [1] nci_rx_work() parses received packet from ndev->rx_q. It should be validated header size, payload size and total packet size before processing the packet. If an invalid packet is detected, it should be silently discarded.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38381.html
CVE-2024-38381
https://bugzilla.suse.com/1226878
SUSE Bug 1226878

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/cs_dsp_ctl: Use private_free for control cleanup Use the control private_free callback to free the associated data block. This ensures that the memory won't leak, whatever way the control gets destroyed. The original implementation didn't actually remove the ALSA controls in hda_cs_dsp_control_remove(). It only freed the internal tracking structure. This meant it was possible to remove/unload the amp driver while leaving its ALSA controls still present in the soundcard. Obviously attempting to access them could cause segfaults or at least dereferencing stale pointers.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38388.html
CVE-2024-38388
https://bugzilla.suse.com/1226890
SUSE Bug 1226890

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails Calling a6xx_destroy() before adreno_gpu_init() leads to a null pointer dereference on: msm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL); as gpu->pdev is only assigned in: a6xx_gpu_init() |_ adreno_gpu_init |_ msm_gpu_init() Instead of relying on handwavy null checks down the cleanup chain, explicitly de-allocate the LLC data and free a6xx_gpu instead. Patchwork: https://patchwork.freedesktop.org/patch/588919/

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38390.html
CVE-2024-38390
https://bugzilla.suse.com/1226891
SUSE Bug 1226891

Описание

In the Linux kernel, the following vulnerability has been resolved: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called. roundup_pow_of_two is documented as undefined for 0. Fix it in the one caller that had this combination. The undefined behavior was detected by UBSAN: UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4 Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ubsan_epilogue+0x5/0x30 __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec __roundup_pow_of_two+0x25/0x35 [bnxt_re] bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re] bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re] bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re] ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? __kmalloc+0x1b6/0x4f0 ? create_qp.part.0+0x128/0x1c0 [ib_core] ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re] create_qp.part.0+0x128/0x1c0 [ib_core] ib_create_qp_kernel+0x50/0xd0 [ib_core] create_mad_qp+0x8e/0xe0 [ib_core] ? __pfx_qp_event_handler+0x10/0x10 [ib_core] ib_mad_init_device+0x2be/0x680 [ib_core] add_client_context+0x10d/0x1a0 [ib_core] enable_device_and_get+0xe0/0x1d0 [ib_core] ib_register_device+0x53c/0x630 [ib_core] ? srso_alias_return_thunk+0x5/0xfbef5 bnxt_re_probe+0xbd8/0xe50 [bnxt_re] ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re] auxiliary_bus_probe+0x49/0x80 ? driver_sysfs_add+0x57/0xc0 really_probe+0xde/0x340 ? pm_runtime_barrier+0x54/0x90 ? __pfx___driver_attach+0x10/0x10 __driver_probe_device+0x78/0x110 driver_probe_device+0x1f/0xa0 __driver_attach+0xba/0x1c0 bus_for_each_dev+0x8f/0xe0 bus_add_driver+0x146/0x220 driver_register+0x72/0xd0 __auxiliary_driver_register+0x6e/0xd0 ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] bnxt_re_mod_init+0x3e/0xff0 [bnxt_re] ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re] do_one_initcall+0x5b/0x310 do_init_module+0x90/0x250 init_module_from_file+0x86/0xc0 idempotent_init_module+0x121/0x2b0 __x64_sys_finit_module+0x5e/0xb0 do_syscall_64+0x82/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? syscall_exit_to_user_mode_prepare+0x149/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 ? syscall_exit_to_user_mode+0x75/0x230 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x8e/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? __count_memcg_events+0x69/0x100 ? srso_alias_return_thunk+0x5/0xfbef5 ? count_memcg_events.constprop.0+0x1a/0x30 ? srso_alias_return_thunk+0x5/0xfbef5 ? handle_mm_fault+0x1f0/0x300 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_user_addr_fault+0x34e/0x640 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f4e5132821d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0 R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60 </TASK> ---[ end trace ]---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38540.html
CVE-2024-38540
https://bugzilla.suse.com/1226582
SUSE Bug 1226582

Описание

In the Linux kernel, the following vulnerability has been resolved: of: module: add buffer overflow check in of_modalias() In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char).

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38541.html
CVE-2024-38541
https://bugzilla.suse.com/1226587
SUSE Bug 1226587
https://bugzilla.suse.com/1227496
SUSE Bug 1227496

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt In rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the resp_pkts queue and then a decision is made whether to run the completer task inline or schedule it. Finally the skb is dereferenced to bump a 'hw' performance counter. This is wrong because if the completer task is already running in a separate thread it may have already processed the skb and freed it which can cause a seg fault. This has been observed infrequently in testing at high scale. This patch fixes this by changing the order of enqueuing the packet until after the counter is accessed.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38544.html
CVE-2024-38544
https://bugzilla.suse.com/1226597
SUSE Bug 1226597

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix UAF for cq async event The refcount of CQ is not protected by locks. When CQ asynchronous events and CQ destruction are concurrent, CQ may have been released, which will cause UAF. Use the xa_lock() to protect the CQ refcount.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38545.html
CVE-2024-38545
https://bugzilla.suse.com/1226595
SUSE Bug 1226595

Описание

In the Linux kernel, the following vulnerability has been resolved: drm: vc4: Fix possible null pointer dereference In vc4_hdmi_audio_init() of_get_address() may return NULL which is later dereferenced. Fix this bug by adding NULL check. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38546.html
CVE-2024-38546
https://bugzilla.suse.com/1226593
SUSE Bug 1226593

Описание

In the Linux kernel, the following vulnerability has been resolved: media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries The allocation failure of mycs->yuv_scaler_binary in load_video_binaries() is followed with a dereference of mycs->yuv_scaler_binary after the following call chain: sh_css_pipe_load_binaries() |-> load_video_binaries(mycs->yuv_scaler_binary == NULL) | |-> sh_css_pipe_unload_binaries() |-> unload_video_binaries() In unload_video_binaries(), it calls to ia_css_binary_unload with argument &pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the same memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer dereference is triggered.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38547.html
CVE-2024-38547
https://bugzilla.suse.com/1226632
SUSE Bug 1226632

Описание

In the Linux kernel, the following vulnerability has been resolved: drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is assigned to mhdp_state->current_mode, and there is a dereference of it in drm_mode_set_name(), which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Fix this bug add a check of mhdp_state->current_mode.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38548.html
CVE-2024-38548
https://bugzilla.suse.com/1228202
SUSE Bug 1228202

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Add 0 size check to mtk_drm_gem_obj Add a check to mtk_drm_gem_init if we attempt to allocate a GEM object of 0 bytes. Currently, no such check exists and the kernel will panic if a userspace application attempts to allocate a 0x0 GBM buffer. Tested by attempting to allocate a 0x0 GBM buffer on an MT8188 and verifying that we now return EINVAL.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38549.html
CVE-2024-38549
https://bugzilla.suse.com/1226735
SUSE Bug 1226735

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: kirkwood: Fix potential NULL dereference In kirkwood_dma_hw_params() mv_mbus_dram_info() returns NULL if CONFIG_PLAT_ORION macro is not defined. Fix this bug by adding NULL check. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38550.html
CVE-2024-38550
https://bugzilla.suse.com/1226633
SUSE Bug 1226633

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix potential index out of bounds in color transformation function Fixes index out of bounds issue in the color transformation function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, an error message is logged and the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38552.html
CVE-2024-38552
https://bugzilla.suse.com/1226767
SUSE Bug 1226767

Описание

In the Linux kernel, the following vulnerability has been resolved: net: fec: remove .ndo_poll_controller to avoid deadlocks There is a deadlock issue found in sungem driver, please refer to the commit ac0a230f719b ("eth: sungem: remove .ndo_poll_controller to avoid deadlocks"). The root cause of the issue is that netpoll is in atomic context and disable_irq() is called by .ndo_poll_controller interface of sungem driver, however, disable_irq() might sleep. After analyzing the implementation of fec_poll_controller(), the fec driver should have the same issue. Due to the fec driver uses NAPI for TX completions, the .ndo_poll_controller is unnecessary to be implemented in the fec driver, so fec_poll_controller() can be safely removed.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38553.html
CVE-2024-38553
https://bugzilla.suse.com/1226744
SUSE Bug 1226744

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Discard command completions in internal error Fix use after free when FW completion arrives while device is in internal error state. Avoid calling completion handler in this case, since the device will flush the command interface and trigger all completions manually. Kernel log: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. ... RIP: 0010:refcount_warn_saturate+0xd8/0xe0 ... Call Trace: <IRQ> ? __warn+0x79/0x120 ? refcount_warn_saturate+0xd8/0xe0 ? report_bug+0x17c/0x190 ? handle_bug+0x3c/0x60 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0xd8/0xe0 cmd_ent_put+0x13b/0x160 [mlx5_core] mlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core] cmd_comp_notifier+0x1f/0x30 [mlx5_core] notifier_call_chain+0x35/0xb0 atomic_notifier_call_chain+0x16/0x20 mlx5_eq_async_int+0xf6/0x290 [mlx5_core] notifier_call_chain+0x35/0xb0 atomic_notifier_call_chain+0x16/0x20 irq_int_handler+0x19/0x30 [mlx5_core] __handle_irq_event_percpu+0x4b/0x160 handle_irq_event+0x2e/0x80 handle_edge_irq+0x98/0x230 __common_interrupt+0x3b/0xa0 common_interrupt+0x7b/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38555.html
CVE-2024-38555
https://bugzilla.suse.com/1226607
SUSE Bug 1226607

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Add a timeout to acquire the command queue semaphore Prevent forced completion handling on an entry that has not yet been assigned an index, causing an out of bounds access on idx = -22. Instead of waiting indefinitely for the sem, blocking flow now waits for index to be allocated or a sem acquisition timeout before beginning the timer for FW completion. Kernel log example: mlx5_core 0000:06:00.0: wait_func_handle_exec_timeout:1128:(pid 185911): cmd[-22]: CREATE_UCTX(0xa04) No done completion

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38556.html
CVE-2024-38556
https://bugzilla.suse.com/1226774
SUSE Bug 1226774

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Reload only IB representors upon lag disable/enable On lag disable, the bond IB device along with all of its representors are destroyed, and then the slaves' representors get reloaded. In case the slave IB representor load fails, the eswitch error flow unloads all representors, including ethernet representors, where the netdevs get detached and removed from lag bond. Such flow is inaccurate as the lag driver is not responsible for loading/unloading ethernet representors. Furthermore, the flow described above begins by holding lag lock to prevent bond changes during disable flow. However, when reaching the ethernet representors detachment from lag, the lag lock is required again, triggering the following deadlock: Call trace: __switch_to+0xf4/0x148 __schedule+0x2c8/0x7d0 schedule+0x50/0xe0 schedule_preempt_disabled+0x18/0x28 __mutex_lock.isra.13+0x2b8/0x570 __mutex_lock_slowpath+0x1c/0x28 mutex_lock+0x4c/0x68 mlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core] mlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core] mlx5e_detach_netdev+0x6c/0xb0 [mlx5_core] mlx5e_netdev_change_profile+0x44/0x138 [mlx5_core] mlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core] mlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core] mlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core] mlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core] mlx5_disable_lag+0x130/0x138 [mlx5_core] mlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock mlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core] devlink_nl_cmd_eswitch_set_doit+0xdc/0x180 genl_family_rcv_msg_doit.isra.17+0xe8/0x138 genl_rcv_msg+0xe4/0x220 netlink_rcv_skb+0x44/0x108 genl_rcv+0x40/0x58 netlink_unicast+0x198/0x268 netlink_sendmsg+0x1d4/0x418 sock_sendmsg+0x54/0x60 __sys_sendto+0xf4/0x120 __arm64_sys_sendto+0x30/0x40 el0_svc_common+0x8c/0x120 do_el0_svc+0x30/0xa0 el0_svc+0x20/0x30 el0_sync_handler+0x90/0xb8 el0_sync+0x160/0x180 Thus, upon lag enable/disable, load and unload only the IB representors of the slaves preventing the deadlock mentioned above. While at it, refactor the mlx5_esw_offloads_rep_load() function to have a static helper method for its internal logic, in symmetry with the representor unload design.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38557.html
CVE-2024-38557
https://bugzilla.suse.com/1226781
SUSE Bug 1226781

Описание

In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix overwriting ct original tuple for ICMPv6 OVS_PACKET_CMD_EXECUTE has 3 main attributes: - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format. - OVS_PACKET_ATTR_PACKET - Binary packet content. - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet. OVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure with the metadata like conntrack state, input port, recirculation id, etc. Then the packet itself gets parsed to populate the rest of the keys from the packet headers. Whenever the packet parsing code starts parsing the ICMPv6 header, it first zeroes out fields in the key corresponding to Neighbor Discovery information even if it is not an ND packet. It is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares the space between 'nd' and 'ct_orig' that holds the original tuple conntrack metadata parsed from the OVS_PACKET_ATTR_KEY. ND packets should not normally have conntrack state, so it's fine to share the space, but normal ICMPv6 Echo packets or maybe other types of ICMPv6 can have the state attached and it should not be overwritten. The issue results in all but the last 4 bytes of the destination address being wiped from the original conntrack tuple leading to incorrect packet matching and potentially executing wrong actions in case this packet recirculates within the datapath or goes back to userspace. ND fields should not be accessed in non-ND packets, so not clearing them should be fine. Executing memset() only for actual ND packets to avoid the issue. Initializing the whole thing before parsing is needed because ND packet may not contain all the options. The issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't affect packets entering OVS datapath from network interfaces, because in this case CT metadata is populated from skb after the packet is already parsed.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38558.html
CVE-2024-38558
https://bugzilla.suse.com/1226783
SUSE Bug 1226783

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Ensure the copied buf is NUL terminated Currently, we allocate a count-sized kernel buffer and copy count from userspace to that buffer. Later, we use kstrtouint on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using kstrtouint. Fix this issue by using memdup_user_nul instead of memdup_user.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38559.html
CVE-2024-38559
https://bugzilla.suse.com/1226785
SUSE Bug 1226785
https://bugzilla.suse.com/1227495
SUSE Bug 1227495

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: bfa: Ensure the copied buf is NUL terminated Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf. Fix this issue by using memdup_user_nul instead of memdup_user.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38560.html
CVE-2024-38560
https://bugzilla.suse.com/1226786
SUSE Bug 1226786
https://bugzilla.suse.com/1227319
SUSE Bug 1227319

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE bpf_prog_attach uses attach_type_to_prog_type to enforce proper attach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses bpf_prog_get and relies on bpf_prog_attach_check_attach_type to properly verify prog_type <> attach_type association. Add missing attach_type enforcement for the link_create case. Otherwise, it's currently possible to attach cgroup_skb prog types to other cgroup hooks.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38564.html
CVE-2024-38564
https://bugzilla.suse.com/1226789
SUSE Bug 1226789
https://bugzilla.suse.com/1228730
SUSE Bug 1228730

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ar5523: enable proper endpoint verification Syzkaller reports [1] hitting a warning about an endpoint in use not having an expected type to it. Fix the issue by checking for the existence of all proper endpoints with their according types intact. Sadly, this patch has not been tested on real hardware. [1] Syzkaller report: ------------[ cut here ]------------ usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Call Trace: <TASK> ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275 ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline] ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline] ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655 usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:560 [inline] really_probe+0x249/0xb90 drivers/base/dd.c:639 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808 __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936 bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427 __device_attach+0x1e4/0x530 drivers/base/dd.c:1008 bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487 device_add+0xbd9/0x1e90 drivers/base/core.c:3517 usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170 usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238 usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293 call_driver_probe drivers/base/dd.c:560 [inline] really_probe+0x249/0xb90 drivers/base/dd.c:639 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808 __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936 bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427 __device_attach+0x1e4/0x530 drivers/base/dd.c:1008 bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487 device_add+0xbd9/0x1e90 drivers/base/core.c:3517 usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573 hub_port_connect drivers/usb/core/hub.c:5353 [inline] hub_port_connect_change drivers/usb/core/hub.c:5497 [inline] port_event drivers/usb/core/hub.c:5653 [inline] hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x669/0x1090 kernel/workqueue.c:2436 kthread+0x2e8/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 </TASK>

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38565.html
CVE-2024-38565
https://bugzilla.suse.com/1226747
SUSE Bug 1226747

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: carl9170: add a proper sanity check for endpoints Syzkaller reports [1] hitting a warning which is caused by presence of a wrong endpoint type at the URB sumbitting stage. While there was a check for a specific 4th endpoint, since it can switch types between bulk and interrupt, other endpoints are trusted implicitly. Similar warning is triggered in a couple of other syzbot issues [2]. Fix the issue by doing a comprehensive check of all endpoints taking into account difference between high- and full-speed configuration. [1] Syzkaller report: ... WARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Call Trace: <TASK> carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504 carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline] carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline] carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028 request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x669/0x1090 kernel/workqueue.c:2436 kthread+0x2e8/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 </TASK> [2] Related syzkaller crashes:

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38567.html
CVE-2024-38567
https://bugzilla.suse.com/1226769
SUSE Bug 1226769

Описание

In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi: hns3: Fix out-of-bound access when valid event group The perf tool allows users to create event groups through following cmd [1], but the driver does not check whether the array index is out of bounds when writing data to the event_group array. If the number of events in an event_group is greater than HNS3_PMU_MAX_HW_EVENTS, the memory write overflow of event_group array occurs. Add array index check to fix the possible array out of bounds violation, and return directly when write new events are written to array bounds. There are 9 different events in an event_group. [1] perf stat -e '{pmu/event1/, ... ,pmu/event9/}

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38568.html
CVE-2024-38568
https://bugzilla.suse.com/1226771
SUSE Bug 1226771

Описание

In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38570.html
CVE-2024-38570
https://bugzilla.suse.com/1226775
SUSE Bug 1226775

Описание

In the Linux kernel, the following vulnerability has been resolved: thermal/drivers/tsens: Fix null pointer dereference compute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c) as compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null pointer dereference (if DEBUG or DYNAMIC_DEBUG set). Fix this bug by adding null pointer check. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38571.html
CVE-2024-38571
https://bugzilla.suse.com/1226737
SUSE Bug 1226737

Описание

In the Linux kernel, the following vulnerability has been resolved: cppc_cpufreq: Fix possible null pointer dereference cppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called from different places with various parameters. So cpufreq_cpu_get() can return null as 'policy' in some circumstances. Fix this bug by adding null return check. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38573.html
CVE-2024-38573
https://bugzilla.suse.com/1226739
SUSE Bug 1226739

Описание

In the Linux kernel, the following vulnerability has been resolved: ecryptfs: Fix buffer size for tag 66 packet The 'TAG 66 Packet Format' description is missing the cipher code and checksum fields that are packed into the message packet. As a result, the buffer allocated for the packet is 3 bytes too small and write_tag_66_packet() will write up to 3 bytes past the end of the buffer. Fix this by increasing the size of the allocation so the whole packet will always fit in the buffer. This fixes the below kasan slab-out-of-bounds bug: BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0 Write of size 1 at addr ffff88800afbb2a5 by task touch/181 CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x4c/0x70 print_report+0xc5/0x610 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 ? kasan_complete_mode_report_info+0x44/0x210 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 kasan_report+0xc2/0x110 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 __asan_store1+0x62/0x80 ecryptfs_generate_key_packet_set+0x7d6/0xde0 ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10 ? __alloc_pages+0x2e2/0x540 ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d] ? dentry_open+0x8f/0xd0 ecryptfs_write_metadata+0x30a/0x550 ? __pfx_ecryptfs_write_metadata+0x10/0x10 ? ecryptfs_get_lower_file+0x6b/0x190 ecryptfs_initialize_file+0x77/0x150 ecryptfs_create+0x1c2/0x2f0 path_openat+0x17cf/0x1ba0 ? __pfx_path_openat+0x10/0x10 do_filp_open+0x15e/0x290 ? __pfx_do_filp_open+0x10/0x10 ? __kasan_check_write+0x18/0x30 ? _raw_spin_lock+0x86/0xf0 ? __pfx__raw_spin_lock+0x10/0x10 ? __kasan_check_write+0x18/0x30 ? alloc_fd+0xf4/0x330 do_sys_openat2+0x122/0x160 ? __pfx_do_sys_openat2+0x10/0x10 __x64_sys_openat+0xef/0x170 ? __pfx___x64_sys_openat+0x10/0x10 do_syscall_64+0x60/0xd0 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7f00a703fd67 Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67 RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000 R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941 R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040 </TASK> Allocated by task 181: kasan_save_stack+0x2f/0x60 kasan_set_track+0x29/0x40 kasan_save_alloc_info+0x25/0x40 __kasan_kmalloc+0xc5/0xd0 __kmalloc+0x66/0x160 ecryptfs_generate_key_packet_set+0x6d2/0xde0 ecryptfs_write_metadata+0x30a/0x550 ecryptfs_initialize_file+0x77/0x150 ecryptfs_create+0x1c2/0x2f0 path_openat+0x17cf/0x1ba0 do_filp_open+0x15e/0x290 do_sys_openat2+0x122/0x160 __x64_sys_openat+0xef/0x170 do_syscall_64+0x60/0xd0 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38578.html
CVE-2024-38578
https://bugzilla.suse.com/1226634
SUSE Bug 1226634

Описание

In the Linux kernel, the following vulnerability has been resolved: crypto: bcm - Fix pointer arithmetic In spu2_dump_omd() value of ptr is increased by ciph_key_len instead of hash_iv_len which could lead to going beyond the buffer boundaries. Fix this bug by changing ciph_key_len to hash_iv_len. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38579.html
CVE-2024-38579
https://bugzilla.suse.com/1226637
SUSE Bug 1226637

Описание

In the Linux kernel, the following vulnerability has been resolved: epoll: be better about file lifetimes epoll can call out to vfs_poll() with a file pointer that may race with the last 'fput()'. That would make f_count go down to zero, and while the ep->mtx locking means that the resulting file pointer tear-down will be blocked until the poll returns, it means that f_count is already dead, and any use of it won't actually get a reference to the file any more: it's dead regardless. Make sure we have a valid ref on the file pointer before we call down to vfs_poll() from the epoll routines.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38580.html
CVE-2024-38580
https://bugzilla.suse.com/1226610
SUSE Bug 1226610

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/mes: fix use-after-free issue Delete fence fallback timer to fix the ramdom use-after-free issue. v2: move to amdgpu_mes.c

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38581.html
CVE-2024-38581
https://bugzilla.suse.com/1226657
SUSE Bug 1226657

Описание

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential hang in nilfs_detach_log_writer() Syzbot has reported a potential hang in nilfs_detach_log_writer() called during nilfs2 unmount. Analysis revealed that this is because nilfs_segctor_sync(), which synchronizes with the log writer thread, can be called after nilfs_segctor_destroy() terminates that thread, as shown in the call trace below: nilfs_detach_log_writer nilfs_segctor_destroy nilfs_segctor_kill_thread --> Shut down log writer thread flush_work nilfs_iput_work_func nilfs_dispose_list iput nilfs_evict_inode nilfs_transaction_commit nilfs_construct_segment (if inode needs sync) nilfs_segctor_sync --> Attempt to synchronize with log writer thread *** DEADLOCK *** Fix this issue by changing nilfs_segctor_sync() so that the log writer thread returns normally without synchronizing after it terminates, and by forcing tasks that are already waiting to complete once after the thread terminates. The skipped inode metadata flushout will then be processed together in the subsequent cleanup work in nilfs_segctor_destroy().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38582.html
CVE-2024-38582
https://bugzilla.suse.com/1226658
SUSE Bug 1226658

Описание

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix use-after-free of timer for log writer thread Patch series "nilfs2: fix log writer related issues". This bug fix series covers three nilfs2 log writer-related issues, including a timer use-after-free issue and potential deadlock issue on unmount, and a potential freeze issue in event synchronization found during their analysis. Details are described in each commit log. This patch (of 3): A use-after-free issue has been reported regarding the timer sc_timer on the nilfs_sc_info structure. The problem is that even though it is used to wake up a sleeping log writer thread, sc_timer is not shut down until the nilfs_sc_info structure is about to be freed, and is used regardless of the thread's lifetime. Fix this issue by limiting the use of sc_timer only while the log writer thread is alive.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38583.html
CVE-2024-38583
https://bugzilla.suse.com/1226777
SUSE Bug 1226777
https://bugzilla.suse.com/1227286
SUSE Bug 1227286

Описание

In the Linux kernel, the following vulnerability has been resolved: r8169: Fix possible ring buffer corruption on fragmented Tx packets. An issue was found on the RTL8125b when transmitting small fragmented packets, whereby invalid entries were inserted into the transmit ring buffer, subsequently leading to calls to dma_unmap_single() with a null address. This was caused by rtl8169_start_xmit() not noticing changes to nr_frags which may occur when small packets are padded (to work around hardware quirks) in rtl8169_tso_csum_v2(). To fix this, postpone inspecting nr_frags until after any padding has been applied.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38586.html
CVE-2024-38586
https://bugzilla.suse.com/1226750
SUSE Bug 1226750

Описание

In the Linux kernel, the following vulnerability has been resolved: speakup: Fix sizeof() vs ARRAY_SIZE() bug The "buf" pointer is an array of u16 values. This code should be using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512), otherwise it can the still got out of bounds.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38587.html
CVE-2024-38587
https://bugzilla.suse.com/1226780
SUSE Bug 1226780

Описание

In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix possible use-after-free issue in ftrace_location() KASAN reports a bug: BUG: KASAN: use-after-free in ftrace_location+0x90/0x120 Read of size 8 at addr ffff888141d40010 by task insmod/424 CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+ [...] Call Trace: <TASK> dump_stack_lvl+0x68/0xa0 print_report+0xcf/0x610 kasan_report+0xb5/0xe0 ftrace_location+0x90/0x120 register_kprobe+0x14b/0xa40 kprobe_init+0x2d/0xff0 [kprobe_example] do_one_initcall+0x8f/0x2d0 do_init_module+0x13a/0x3c0 load_module+0x3082/0x33d0 init_module_from_file+0xd2/0x130 __x64_sys_finit_module+0x306/0x440 do_syscall_64+0x68/0x140 entry_SYSCALL_64_after_hwframe+0x71/0x79 The root cause is that, in lookup_rec(), ftrace record of some address is being searched in ftrace pages of some module, but those ftrace pages at the same time is being freed in ftrace_release_mod() as the corresponding module is being deleted: CPU1 | CPU2 register_kprobes() { | delete_module() { check_kprobe_address_safe() { | arch_check_ftrace_location() { | ftrace_location() { | lookup_rec() // USE! | ftrace_release_mod() // Free! To fix this issue: 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range(); 2. Use ftrace_location_range() instead of lookup_rec() in ftrace_location(); 3. Call synchronize_rcu() before freeing any ftrace pages both in ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38588.html
CVE-2024-38588
https://bugzilla.suse.com/1226837
SUSE Bug 1226837

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Modify the print level of CQE error Too much print may lead to a panic in kernel. Change ibdev_err() to ibdev_err_ratelimited(), and change the printing level of cqe dump to debug level.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38590.html
CVE-2024-38590
https://bugzilla.suse.com/1226839
SUSE Bug 1226839

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix deadlock on SRQ async events. xa_lock for SRQ table may be required in AEQ. Use xa_store_irq()/ xa_erase_irq() to avoid deadlock.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38591.html
CVE-2024-38591
https://bugzilla.suse.com/1226738
SUSE Bug 1226738

Описание

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: move the EST lock to struct stmmac_priv Reinitialize the whole EST structure would also reset the mutex lock which is embedded in the EST structure, and then trigger the following warning. To address this, move the lock to struct stmmac_priv. We also need to reacquire the mutex lock when doing this initialization. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 505 at kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068 Modules linked in: CPU: 3 PID: 505 Comm: tc Not tainted 6.9.0-rc6-00053-g0106679839f7-dirty #29 Hardware name: NXP i.MX8MPlus EVK board (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mutex_lock+0xd84/0x1068 lr : __mutex_lock+0xd84/0x1068 sp : ffffffc0864e3570 x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003 x26: ffffff80c54f1808 x25: ffffff80c9164080 x24: ffffffc080d723ac x23: 0000000000000000 x22: 0000000000000002 x21: 0000000000000000 x20: 0000000000000000 x19: ffffffc083bc3000 x18: ffffffffffffffff x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000 x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8 x11: ffffffc082bca680 x10: ffffffc082bb2640 x9 : ffffffc082bb2698 x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000000001 x5 : ffffff8178fe0d48 x4 : 0000000000000000 x3 : 0000000000000027 x2 : ffffff8178fe0d50 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: __mutex_lock+0xd84/0x1068 mutex_lock_nested+0x28/0x34 tc_setup_taprio+0x118/0x68c stmmac_setup_tc+0x50/0xf0 taprio_change+0x868/0xc9c

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38594.html
CVE-2024-38594
https://bugzilla.suse.com/1226734
SUSE Bug 1226734

Описание

In the Linux kernel, the following vulnerability has been resolved: eth: sungem: remove .ndo_poll_controller to avoid deadlocks Erhard reports netpoll warnings from sungem: netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398) WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c gem_poll_controller() disables interrupts, which may sleep. We can't sleep in netpoll, it has interrupts disabled completely. Strangely, gem_poll_controller() doesn't even poll the completions, and instead acts as if an interrupt has fired so it just schedules NAPI and exits. None of this has been necessary for years, since netpoll invokes NAPI directly.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38597.html
CVE-2024-38597
https://bugzilla.suse.com/1226749
SUSE Bug 1226749

Описание

In the Linux kernel, the following vulnerability has been resolved: md: fix resync softlockup when bitmap size is less than array size Is is reported that for dm-raid10, lvextend + lvchange --syncaction will trigger following softlockup: kernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976] CPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1 RIP: 0010:_raw_spin_unlock_irq+0x13/0x30 Call Trace: <TASK> md_bitmap_start_sync+0x6b/0xf0 raid10_sync_request+0x25c/0x1b40 [raid10] md_do_sync+0x64b/0x1020 md_thread+0xa7/0x170 kthread+0xcf/0x100 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1a/0x30 And the detailed process is as follows: md_do_sync j = mddev->resync_min while (j < max_sectors) sectors = raid10_sync_request(mddev, j, &skipped) if (!md_bitmap_start_sync(..., &sync_blocks)) // md_bitmap_start_sync set sync_blocks to 0 return sync_blocks + sectors_skippe; // sectors = 0; j += sectors; // j never change Root cause is that commit 301867b1c168 ("md/raid10: check slab-out-of-bounds in md_bitmap_get_counter") return early from md_bitmap_get_counter(), without setting returned blocks. Fix this problem by always set returned blocks from md_bitmap_get_counter"(), as it used to be. Noted that this patch just fix the softlockup problem in kernel, the case that bitmap size doesn't match array size still need to be fixed.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38598.html
CVE-2024-38598
https://bugzilla.suse.com/1226757
SUSE Bug 1226757

Описание

In the Linux kernel, the following vulnerability has been resolved: jffs2: prevent xattr node from overflowing the eraseblock Add a check to make sure that the requested xattr node size is no larger than the eraseblock minus the cleanmarker. Unlike the usual inode nodes, the xattr nodes aren't split into parts and spread across multiple eraseblocks, which means that a xattr node must not occupy more than one eraseblock. If the requested xattr value is too large, the xattr node can spill onto the next eraseblock, overwriting the nodes and causing errors such as: jffs2: argh. node added in wrong place at 0x0000b050(2) jffs2: nextblock 0x0000a000, expected at 0000b00c jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050, read=0xfc892c93, calc=0x000000 jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed at 0x01e00c. {848f,2fc4,0fef511f,59a3d171} jffs2: Node at 0x0000000c with length 0x00001044 would run over the end of the erase block jffs2: Perhaps the file system was created with the wrong erase size? jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000010: 0x1044 instead This breaks the filesystem and can lead to KASAN crashes such as: BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0 Read of size 4 at addr ffff88802c31e914 by task repro/830 CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xc4/0x620 ? __virt_addr_valid+0x308/0x5b0 kasan_report+0xc1/0xf0 ? jffs2_sum_add_kvec+0x125e/0x15d0 ? jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_flash_direct_writev+0xa8/0xd0 jffs2_flash_writev+0x9c9/0xef0 ? __x64_sys_setxattr+0xc4/0x160 ? do_syscall_64+0x69/0x140 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38599.html
CVE-2024-38599
https://bugzilla.suse.com/1223384
SUSE Bug 1223384
https://bugzilla.suse.com/1226848
SUSE Bug 1226848
https://bugzilla.suse.com/1227283
SUSE Bug 1227283

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: Fix deadlocks with kctl removals at disconnection In snd_card_disconnect(), we set card->shutdown flag at the beginning, call callbacks and do sync for card->power_ref_sleep waiters at the end. The callback may delete a kctl element, and this can lead to a deadlock when the device was in the suspended state. Namely: * A process waits for the power up at snd_power_ref_and_wait() in snd_ctl_info() or read/write() inside card->controls_rwsem. * The system gets disconnected meanwhile, and the driver tries to delete a kctl via snd_ctl_remove*(); it tries to take card->controls_rwsem again, but this is already locked by the above. Since the sleeper isn't woken up, this deadlocks. An easy fix is to wake up sleepers before processing the driver disconnect callbacks but right after setting the card->shutdown flag. Then all sleepers will abort immediately, and the code flows again. So, basically this patch moves the wait_event() call at the right timing. While we're at it, just to be sure, call wait_event_all() instead of wait_event(), although we don't use exclusive events on this queue for now.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38600.html
CVE-2024-38600
https://bugzilla.suse.com/1226864
SUSE Bug 1226864

Описание

In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix a race between readers and resize checks The reader code in rb_get_reader_page() swaps a new reader page into the ring buffer by doing cmpxchg on old->list.prev->next to point it to the new page. Following that, if the operation is successful, old->list.next->prev gets updated too. This means the underlying doubly-linked list is temporarily inconsistent, page->prev->next or page->next->prev might not be equal back to page for some page in the ring buffer. The resize operation in ring_buffer_resize() can be invoked in parallel. It calls rb_check_pages() which can detect the described inconsistency and stop further tracing: [ 190.271762] ------------[ cut here ]------------ [ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0 [ 190.271789] Modules linked in: [...] [ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1 [ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f [ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014 [ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0 [ 190.272023] Code: [...] [ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206 [ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80 [ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700 [ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000 [ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720 [ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000 [ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000 [ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0 [ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 190.272077] Call Trace: [ 190.272098] <TASK> [ 190.272189] ring_buffer_resize+0x2ab/0x460 [ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0 [ 190.272206] tracing_resize_ring_buffer+0x65/0x90 [ 190.272216] tracing_entries_write+0x74/0xc0 [ 190.272225] vfs_write+0xf5/0x420 [ 190.272248] ksys_write+0x67/0xe0 [ 190.272256] do_syscall_64+0x82/0x170 [ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 190.272373] RIP: 0033:0x7f1bd657d263 [ 190.272381] Code: [...] [ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263 [ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001 [ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000 [ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500 [ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002 [ 190.272412] </TASK> [ 190.272414] ---[ end trace 0000000000000000 ]--- Note that ring_buffer_resize() calls rb_check_pages() only if the parent trace_buffer has recording disabled. Recent commit d78ab792705c ("tracing: Stop current tracer when resizing buffer") causes that it is now always the case which makes it more likely to experience this issue. The window to hit this race is nonetheless very small. To help reproducing it, one can add a delay loop in rb_get_reader_page(): ret = rb_head_page_replace(reader, cpu_buffer->reader_page); if (!ret) goto spin; for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */ __asm__ __volatile__ ("" : : : "memory"); rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list; .. ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38601.html
CVE-2024-38601
https://bugzilla.suse.com/1226876
SUSE Bug 1226876

Описание

In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset() pci_alloc_irq_vectors() allocates an irq vector. When devm_add_action() fails, the irq vector is not freed, which leads to a memory leak. Replace the devm_add_action with devm_add_action_or_reset to ensure the irq vector can be destroyed when it fails.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38603.html
CVE-2024-38603
https://bugzilla.suse.com/1226842
SUSE Bug 1226842

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: core: Fix NULL module pointer assignment at card init The commit 81033c6b584b ("ALSA: core: Warn on empty module") introduced a WARN_ON() for a NULL module pointer passed at snd_card object creation, and it also wraps the code around it with '#ifdef MODULE'. This works in most cases, but the devils are always in details. "MODULE" is defined when the target code (i.e. the sound core) is built as a module; but this doesn't mean that the caller is also built-in or not. Namely, when only the sound core is built-in (CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m), the passed module pointer is ignored even if it's non-NULL, and card->module remains as NULL. This would result in the missing module reference up/down at the device open/close, leading to a race with the code execution after the module removal. For addressing the bug, move the assignment of card->module again out of ifdef. The WARN_ON() is still wrapped with ifdef because the module can be really NULL when all sound drivers are built-in. Note that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would lead to a false-positive NULL module check. Admittedly it won't catch perfectly, i.e. no check is performed when CONFIG_SND=y. But, it's no real problem as it's only for debugging, and the condition is pretty rare.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38605.html
CVE-2024-38605
https://bugzilla.suse.com/1226740
SUSE Bug 1226740

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix netif state handling mlx5e_suspend cleans resources only if netif_device_present() returns true. However, mlx5e_resume changes the state of netif, via mlx5e_nic_enable, only if reg_state == NETREG_REGISTERED. In the below case, the above leads to NULL-ptr Oops[1] and memory leaks: mlx5e_probe _mlx5e_resume mlx5e_attach_netdev mlx5e_nic_enable <-- netdev not reg, not calling netif_device_attach() register_netdev <-- failed for some reason. ERROR_FLOW: _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :( Hence, clean resources in this case as well. [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0010 [#1] SMP CPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at0xffffffffffffffd6. RSP: 0018:ffff888178aaf758 EFLAGS: 00010246 Call Trace: <TASK> ? __die+0x20/0x60 ? page_fault_oops+0x14c/0x3c0 ? exc_page_fault+0x75/0x140 ? asm_exc_page_fault+0x22/0x30 notifier_call_chain+0x35/0xb0 blocking_notifier_call_chain+0x3d/0x60 mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core] mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core] mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib] mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib] __mlx5_ib_add+0x34/0xd0 [mlx5_ib] mlx5r_probe+0xe1/0x210 [mlx5_ib] ? auxiliary_match_id+0x6a/0x90 auxiliary_bus_probe+0x38/0x80 ? driver_sysfs_add+0x51/0x80 really_probe+0xc9/0x3e0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 bus_probe_device+0x86/0xa0 device_add+0x637/0x840 __auxiliary_device_add+0x3b/0xa0 add_adev+0xc9/0x140 [mlx5_core] mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core] mlx5_register_device+0x53/0xa0 [mlx5_core] mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core] mlx5_init_one+0x3b/0x60 [mlx5_core] probe_one+0x44c/0x730 [mlx5_core] local_pci_probe+0x3e/0x90 pci_device_probe+0xbf/0x210 ? kernfs_create_link+0x5d/0xa0 ? sysfs_do_create_link_sd+0x60/0xc0 really_probe+0xc9/0x3e0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 pci_bus_add_device+0x54/0x80 pci_iov_add_virtfn+0x2e6/0x320 sriov_enable+0x208/0x420 mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core] sriov_numvfs_store+0xae/0x1a0 kernfs_fop_write_iter+0x10c/0x1a0 vfs_write+0x291/0x3c0 ksys_write+0x5f/0xe0 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 CR2: 0000000000000000 ---[ end trace 0000000000000000 ]---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38608.html
CVE-2024-38608
https://bugzilla.suse.com/1226746
SUSE Bug 1226746

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: carl9170: re-fix fortified-memset warning The carl9170_tx_release() function sometimes triggers a fortified-memset warning in my randconfig builds: In file included from include/linux/string.h:254, from drivers/net/wireless/ath/carl9170/tx.c:40: In function 'fortify_memset_chk', inlined from 'carl9170_tx_release' at drivers/net/wireless/ath/carl9170/tx.c:283:2, inlined from 'kref_put' at include/linux/kref.h:65:3, inlined from 'carl9170_tx_put_skb' at drivers/net/wireless/ath/carl9170/tx.c:342:9: include/linux/fortify-string.h:493:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning] 493 | __write_overflow_field(p_size_field, size); Kees previously tried to avoid this by using memset_after(), but it seems this does not fully address the problem. I noticed that the memset_after() here is done on a different part of the union (status) than the original cast was from (rate_driver_data), which may confuse the compiler. Unfortunately, the memset_after() trick does not work on driver_rates[] because that is part of an anonymous struct, and I could not get struct_group() to do this either. Using two separate memset() calls on the two members does address the warning though.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38616.html
CVE-2024-38616
https://bugzilla.suse.com/1226852
SUSE Bug 1226852

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Set lower bound of start tick time Currently ALSA timer doesn't have the lower limit of the start tick time, and it allows a very small size, e.g. 1 tick with 1ns resolution for hrtimer. Such a situation may lead to an unexpected RCU stall, where the callback repeatedly queuing the expire update, as reported by fuzzer. This patch introduces a sanity check of the timer start tick time, so that the system returns an error when a too small start size is set. As of this patch, the lower limit is hard-coded to 100us, which is small enough but can still work somehow.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38618.html
CVE-2024-38618
https://bugzilla.suse.com/1226754
SUSE Bug 1226754

Описание

In the Linux kernel, the following vulnerability has been resolved: usb-storage: alauda: Check whether the media is initialized The member "uzonesize" of struct alauda_info will remain 0 if alauda_init_media() fails, potentially causing divide errors in alauda_read_data() and alauda_write_lba(). - Add a member "media_initialized" to struct alauda_info. - Change a condition in alauda_check_media() to ensure the first initialization. - Add an error check for the return value of alauda_init_media().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38619.html
CVE-2024-38619
https://bugzilla.suse.com/1226861
SUSE Bug 1226861

Описание

In the Linux kernel, the following vulnerability has been resolved: media: stk1160: fix bounds checking in stk1160_copy_video() The subtract in this condition is reversed. The ->length is the length of the buffer. The ->bytesused is how many bytes we have copied thus far. When the condition is reversed that means the result of the subtraction is always negative but since it's unsigned then the result is a very high positive value. That means the overflow check is never true. Additionally, the ->bytesused doesn't actually work for this purpose because we're not writing to "buf->mem + buf->bytesused". Instead, the math to calculate the destination where we are writing is a bit involved. You calculate the number of full lines already written, multiply by two, skip a line if necessary so that we start on an odd numbered line, and add the offset into the line. To fix this buffer overflow, just take the actual destination where we are writing, if the offset is already out of bounds print an error and return. Otherwise, write up to buf->length bytes.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38621.html
CVE-2024-38621
https://bugzilla.suse.com/1226895
SUSE Bug 1226895

Описание

In the Linux kernel, the following vulnerability has been resolved: stm class: Fix a double free in stm_register_device() The put_device(&stm->dev) call will trigger stm_device_release() which frees "stm" so the vfree(stm) on the next line is a double free.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38627.html
CVE-2024-38627
https://bugzilla.suse.com/1226857
SUSE Bug 1226857

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind. Hang on to the control IDs instead of pointers since those are correctly handled with locks.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38628.html
CVE-2024-38628
https://bugzilla.suse.com/1226911
SUSE Bug 1226911

Описание

In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is removing, the origin code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() could not stop it and will return directly. If the port region is released by release_region() and then the timer handler cpu5wdt_trigger() calls outb() to write into the region that is released, the use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() in order that the timer handler could be finished before the port region is released.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38630.html
CVE-2024-38630
https://bugzilla.suse.com/1226908
SUSE Bug 1226908

Описание

In the Linux kernel, the following vulnerability has been resolved: serial: max3100: Update uart_driver_registered on driver removal The removal of the last MAX3100 device triggers the removal of the driver. However, code doesn't update the respective global variable and after insmod — rmmod — insmod cycle the kernel oopses: max3100 spi-PRP0001:01: max3100_probe: adding port 0 BUG: kernel NULL pointer dereference, address: 0000000000000408 ... RIP: 0010:serial_core_register_port+0xa0/0x840 ... max3100_probe+0x1b6/0x280 [max3100] spi_probe+0x8d/0xb0 Update the actual state so next time UART driver will be registered again. Hugo also noticed, that the error path in the probe also affected by having the variable set, and not cleared. Instead of clearing it move the assignment after the successfull uart_register_driver() call.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38633.html
CVE-2024-38633
https://bugzilla.suse.com/1226867
SUSE Bug 1226867

Описание

In the Linux kernel, the following vulnerability has been resolved: serial: max3100: Lock port->lock when calling uart_handle_cts_change() uart_handle_cts_change() has to be called with port lock taken, Since we run it in a separate work, the lock may not be taken at the time of running. Make sure that it's taken by explicitly doing that. Without it we got a splat: WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0 ... Workqueue: max3100-0 max3100_work [max3100] RIP: 0010:uart_handle_cts_change+0xa6/0xb0 ... max3100_handlerx+0xc5/0x110 [max3100] max3100_work+0x12a/0x340 [max3100]

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38634.html
CVE-2024-38634
https://bugzilla.suse.com/1226868
SUSE Bug 1226868

Описание

In the Linux kernel, the following vulnerability has been resolved: soundwire: cadence: fix invalid PDI offset For some reason, we add an offset to the PDI, presumably to skip the PDI0 and PDI1 which are reserved for BPT. This code is however completely wrong and leads to an out-of-bounds access. We were just lucky so far since we used only a couple of PDIs and remained within the PDI array bounds. A Fixes: tag is not provided since there are no known platforms where the out-of-bounds would be accessed, and the initial code had problems as well. A follow-up patch completely removes this useless offset.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38635.html
CVE-2024-38635
https://bugzilla.suse.com/1226863
SUSE Bug 1226863

Описание

In the Linux kernel, the following vulnerability has been resolved: enic: Validate length of nl attributes in enic_set_vf_port enic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE is of length PORT_PROFILE_MAX and that the nl attributes IFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX. These attributes are validated (in the function do_setlink in rtnetlink.c) using the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE as NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and IFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation using the policy is for the max size of the attributes and not on exact size so the length of these attributes might be less than the sizes that enic_set_vf_port expects. This might cause an out of bands read access in the memcpys of the data of these attributes in enic_set_vf_port.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38659.html
CVE-2024-38659
https://bugzilla.suse.com/1226883
SUSE Bug 1226883

Описание

In the Linux kernel, the following vulnerability has been resolved: s390/ap: Fix crash in AP internal function modify_bitmap() A system crash like this Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403 Fault in home space mode while using kernel ASCE. AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d Oops: 0038 ilc:3 [#1] PREEMPT SMP Modules linked in: mlx5_ib ... CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8 Hardware name: IBM 3931 A01 704 (LPAR) Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3 000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0 000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff 000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8 Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a 0000014b75e7b600: 18b2 lr %r11,%r2 #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616 >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13) 0000014b75e7b60c: a7680001 lhi %r6,1 0000014b75e7b610: 187b lr %r7,%r11 0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654 0000014b75e7b616: 18e9 lr %r14,%r9 Call Trace: [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8 ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8) [<0000014b75e7b758>] apmask_store+0x68/0x140 [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8 [<0000014b75598524>] vfs_write+0x1b4/0x448 [<0000014b7559894c>] ksys_write+0x74/0x100 [<0000014b7618a440>] __do_syscall+0x268/0x328 [<0000014b761a3558>] system_call+0x70/0x98 INFO: lockdep is turned off. Last Breaking-Event-Address: [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8 Kernel panic - not syncing: Fatal exception: panic_on_oops occured when /sys/bus/ap/a[pq]mask was updated with a relative mask value (like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX. The fix is simple: use unsigned long values for the internal variables. The correct checks are already in place in the function but a simple int for the internal variables was used with the possibility to overflow.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38661.html
CVE-2024-38661
https://bugzilla.suse.com/1226996
SUSE Bug 1226996

Описание

In the Linux kernel, the following vulnerability has been resolved: dma-buf/sw-sync: don't enable IRQ from sync_print_obj() Since commit a6aa8fca4d79 ("dma-buf/sw-sync: Reduce irqsave/irqrestore from known context") by error replaced spin_unlock_irqrestore() with spin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite sync_print_obj() is called from sync_debugfs_show(), lockdep complains inconsistent lock state warning. Use plain spin_{lock,unlock}() for sync_print_obj(), for sync_debugfs_show() is already using spin_{lock,unlock}_irq().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-38780.html
CVE-2024-38780
https://bugzilla.suse.com/1226886
SUSE Bug 1226886

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() Syzbot reports a warning as follows: ============================================ WARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290 Modules linked in: CPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7 RIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419 Call Trace: <TASK> ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375 generic_shutdown_super+0x136/0x2d0 fs/super.c:641 kill_block_super+0x44/0x90 fs/super.c:1675 ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327 [...] ============================================ This is because when finding an entry in ext4_xattr_block_cache_find(), if ext4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown in the __entry_find(), won't be put away, and eventually trigger the above issue in mb_cache_destroy() due to reference count leakage. So call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39276.html
CVE-2024-39276
https://bugzilla.suse.com/1226993
SUSE Bug 1226993

Описание

In the Linux kernel, the following vulnerability has been resolved: net/9p: fix uninit-value in p9_client_rpc() Syzbot with the help of KMSAN reported the following error: BUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline] BUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754 trace_9p_client_res include/trace/events/9p.h:146 [inline] p9_client_rpc+0x1314/0x1340 net/9p/client.c:754 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122 legacy_get_tree+0x114/0x290 fs/fs_context.c:662 vfs_get_tree+0xa7/0x570 fs/super.c:1797 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352 path_mount+0x742/0x1f20 fs/namespace.c:3679 do_mount fs/namespace.c:3692 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x725/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was created at: __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] alloc_slab_page mm/slub.c:2175 [inline] allocate_slab mm/slub.c:2338 [inline] new_slab+0x2de/0x1400 mm/slub.c:2391 ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525 __slab_alloc mm/slub.c:3610 [inline] __slab_alloc_node mm/slub.c:3663 [inline] slab_alloc_node mm/slub.c:3835 [inline] kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852 p9_tag_alloc net/9p/client.c:278 [inline] p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641 p9_client_rpc+0x27e/0x1340 net/9p/client.c:688 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122 legacy_get_tree+0x114/0x290 fs/fs_context.c:662 vfs_get_tree+0xa7/0x570 fs/super.c:1797 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352 path_mount+0x742/0x1f20 fs/namespace.c:3679 do_mount fs/namespace.c:3692 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x725/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 If p9_check_errors() fails early in p9_client_rpc(), req->rc.tag will not be properly initialized. However, trace_9p_client_res() ends up trying to print it out anyway before p9_client_rpc() finishes. Fix this issue by assigning default values to p9_fcall fields such as 'tag' and (just in case KMSAN unearths something new) 'id' during the tag allocation stage.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39301.html
CVE-2024-39301
https://bugzilla.suse.com/1226994
SUSE Bug 1226994

Описание

In the Linux kernel, the following vulnerability has been resolved: io_uring: check for non-NULL file pointer in io_file_can_poll() In earlier kernels, it was possible to trigger a NULL pointer dereference off the forced async preparation path, if no file had been assigned. The trace leading to that looks as follows: BUG: kernel NULL pointer dereference, address: 00000000000000b0 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022 RIP: 0010:io_buffer_select+0xc3/0x210 Code: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 <48> 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b RSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246 RAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040 RDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700 RBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020 R10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8 R13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000 FS: 00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0 Call Trace: <TASK> ? __die+0x1f/0x60 ? page_fault_oops+0x14d/0x420 ? do_user_addr_fault+0x61/0x6a0 ? exc_page_fault+0x6c/0x150 ? asm_exc_page_fault+0x22/0x30 ? io_buffer_select+0xc3/0x210 __io_import_iovec+0xb5/0x120 io_readv_prep_async+0x36/0x70 io_queue_sqe_fallback+0x20/0x260 io_submit_sqes+0x314/0x630 __do_sys_io_uring_enter+0x339/0xbc0 ? __do_sys_io_uring_register+0x11b/0xc50 ? vm_mmap_pgoff+0xce/0x160 do_syscall_64+0x5f/0x180 entry_SYSCALL_64_after_hwframe+0x46/0x4e RIP: 0033:0x55e0a110a67e Code: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6 because the request is marked forced ASYNC and has a bad file fd, and hence takes the forced async prep path. Current kernels with the request async prep cleaned up can no longer hit this issue, but for ease of backporting, let's add this safety check in here too as it really doesn't hurt. For both cases, this will inevitably end with a CQE posted with -EBADF.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39371.html
CVE-2024-39371
https://bugzilla.suse.com/1226990
SUSE Bug 1226990

Описание

In the Linux kernel, the following vulnerability has been resolved: 9p: add missing locking around taking dentry fid list Fix a use-after-free on dentry's d_fsdata fid list when a thread looks up a fid through dentry while another thread unlinks it: UAF thread: refcount_t: addition on 0; use-after-free. p9_fid_get linux/./include/net/9p/client.h:262 v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129 v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181 v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314 v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400 vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248 Freed by: p9_fid_destroy (inlined) p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456 p9_fid_put linux/./include/net/9p/client.h:278 v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55 v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518 vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335 The problem is that d_fsdata was not accessed under d_lock, because d_release() normally is only called once the dentry is otherwise no longer accessible but since we also call it explicitly in v9fs_remove that lock is required: move the hlist out of the dentry under lock then unref its fids once they are no longer accessible.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39463.html
CVE-2024-39463
https://bugzilla.suse.com/1227090
SUSE Bug 1227090
https://bugzilla.suse.com/1227091
SUSE Bug 1227091

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix deadlock in smb2_find_smb_tcon() Unlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such deadlock.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39468.html
CVE-2024-39468
https://bugzilla.suse.com/1227103
SUSE Bug 1227103

Описание

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors The error handling in nilfs_empty_dir() when a directory folio/page read fails is incorrect, as in the old ext2 implementation, and if the folio/page cannot be read or nilfs_check_folio() fails, it will falsely determine the directory as empty and corrupt the file system. In addition, since nilfs_empty_dir() does not immediately return on a failed folio/page read, but continues to loop, this can cause a long loop with I/O if i_size of the directory's inode is also corrupted, causing the log writer thread to wait and hang, as reported by syzbot. Fix these issues by making nilfs_empty_dir() immediately return a false value (0) if it fails to get a directory folio/page.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39469.html
CVE-2024-39469
https://bugzilla.suse.com/1226992
SUSE Bug 1226992

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: add error handle to avoid out-of-bounds if the sdma_v4_0_irq_id_to_seq return -EINVAL, the process should be stop to avoid out-of-bounds read, so directly return -EINVAL.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39471.html
CVE-2024-39471
https://bugzilla.suse.com/1227096
SUSE Bug 1227096

Описание

In the Linux kernel, the following vulnerability has been resolved: xfs: fix log recovery buffer allocation for the legacy h_size fixup Commit a70f9fe52daa ("xfs: detect and handle invalid iclog size set by mkfs") added a fixup for incorrect h_size values used for the initial umount record in old xfsprogs versions. Later commit 0c771b99d6c9 ("xfs: clean up calculation of LR header blocks") cleaned up the log reover buffer calculation, but stoped using the fixed up h_size value to size the log recovery buffer, which can lead to an out of bounds access when the incorrect h_size does not come from the old mkfs tool, but a fuzzer. Fix this by open coding xlog_logrec_hblks and taking the fixed h_size into account for this calculation.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39472.html
CVE-2024-39472
https://bugzilla.suse.com/1227432
SUSE Bug 1227432

Описание

In the Linux kernel, the following vulnerability has been resolved: fbdev: savage: Handle err return when savagefb_check_var failed The commit 04e5eac8f3ab("fbdev: savage: Error out if pixclock equals zero") checks the value of pixclock to avoid divide-by-zero error. However the function savagefb_probe doesn't handle the error return of savagefb_check_var. When pixclock is 0, it will cause divide-by-zero error.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39475.html
CVE-2024-39475
https://bugzilla.suse.com/1227435
SUSE Bug 1227435

Описание

In the Linux kernel, the following vulnerability has been resolved: bcache: fix variable length array abuse in btree_iter btree_iter is used in two ways: either allocated on the stack with a fixed size MAX_BSETS, or from a mempool with a dynamic size based on the specific cache set. Previously, the struct had a fixed-length array of size MAX_BSETS which was indexed out-of-bounds for the dynamically-sized iterators, which causes UBSAN to complain. This patch uses the same approach as in bcachefs's sort_iter and splits the iterator into a btree_iter with a flexible array member and a btree_iter_stack which embeds a btree_iter as well as a fixed-length data array.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39482.html
CVE-2024-39482
https://bugzilla.suse.com/1227447
SUSE Bug 1227447

Описание

In the Linux kernel, the following vulnerability has been resolved: bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() In function bond_option_arp_ip_targets_set(), if newval->string is an empty string, newval->string+1 will point to the byte after the string, causing an out-of-bound read. BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418 Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107 CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc1/0x5e0 mm/kasan/report.c:475 kasan_report+0xbe/0xf0 mm/kasan/report.c:588 strlen+0x7d/0xa0 lib/string.c:418 __fortify_strlen include/linux/fortify-string.h:210 [inline] in4_pton+0xa3/0x3f0 net/core/utils.c:130 bond_option_arp_ip_targets_set+0xc2/0x910 drivers/net/bonding/bond_options.c:1201 __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767 __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792 bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817 bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156 dev_attr_store+0x54/0x80 drivers/base/core.c:2366 sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136 kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334 call_write_iter include/linux/fs.h:2020 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x96a/0xd80 fs/read_write.c:584 ksys_write+0x122/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b ---[ end trace ]--- Fix it by adding a check of string length before using it.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39487.html
CVE-2024-39487
https://bugzilla.suse.com/1227573
SUSE Bug 1227573

Описание

In the Linux kernel, the following vulnerability has been resolved: arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY When CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes to bug_table entries, and as a result the last entry in a bug table will be ignored, potentially leading to an unexpected panic(). All prior entries in the table will be handled correctly. The arm64 ABI requires that struct fields of up to 8 bytes are naturally-aligned, with padding added within a struct such that struct are suitably aligned within arrays. When CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is: struct bug_entry { signed int bug_addr_disp; // 4 bytes signed int file_disp; // 4 bytes unsigned short line; // 2 bytes unsigned short flags; // 2 bytes } ... with 12 bytes total, requiring 4-byte alignment. When CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is: struct bug_entry { signed int bug_addr_disp; // 4 bytes unsigned short flags; // 2 bytes < implicit padding > // 2 bytes } ... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing padding, requiring 4-byte alginment. When we create a bug_entry in assembly, we align the start of the entry to 4 bytes, which implicitly handles padding for any prior entries. However, we do not align the end of the entry, and so when CONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding bytes. For the main kernel image this is not a problem as find_bug() doesn't depend on the trailing padding bytes when searching for entries: for (bug = __start___bug_table; bug < __stop___bug_table; ++bug) if (bugaddr == bug_addr(bug)) return bug; However for modules, module_bug_finalize() depends on the trailing bytes when calculating the number of entries: mod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry); ... and as the last bug_entry lacks the necessary padding bytes, this entry will not be counted, e.g. in the case of a single entry: sechdrs[i].sh_size == 6 sizeof(struct bug_entry) == 8; sechdrs[i].sh_size / sizeof(struct bug_entry) == 0; Consequently module_find_bug() will miss the last bug_entry when it does: for (i = 0; i < mod->num_bugs; ++i, ++bug) if (bugaddr == bug_addr(bug)) goto out; ... which can lead to a kenrel panic due to an unhandled bug. This can be demonstrated with the following module: static int __init buginit(void) { WARN(1, "hello\n"); return 0; } static void __exit bugexit(void) { } module_init(buginit); module_exit(bugexit); MODULE_LICENSE("GPL"); ... which will trigger a kernel panic when loaded: ------------[ cut here ]------------ hello Unexpected kernel BRK exception at EL1 Internal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: hello(O+) CPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8 Hardware name: linux,dummy-virt (DT) pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : buginit+0x18/0x1000 [hello] lr : buginit+0x18/0x1000 [hello] sp : ffff800080533ae0 x29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000 x26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58 x23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0 x20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006 x17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720 x14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312 x11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8 x8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000 x5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0 Call trace: buginit+0x18/0x1000 [hello] do_one_initcall+0x80/0x1c8 do_init_module+0x60/0x218 load_module+0x1ba4/0x1d70 __do_sys_init_module+0x198/0x1d0 __arm64_sys_init_module+0x1c/0x28 invoke_syscall+0x48/0x114 el0_svc ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39488.html
CVE-2024-39488
https://bugzilla.suse.com/1227618
SUSE Bug 1227618

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix missing sk_buff release in seg6_input_core The seg6_input() function is responsible for adding the SRH into a packet, delegating the operation to the seg6_input_core(). This function uses the skb_cow_head() to ensure that there is sufficient headroom in the sk_buff for accommodating the link-layer header. In the event that the skb_cow_header() function fails, the seg6_input_core() catches the error but it does not release the sk_buff, which will result in a memory leak. This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push") and persists even after commit 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"), where the entire seg6_input() code was refactored to deal with netfilter hooks. The proposed patch addresses the identified memory leak by requiring the seg6_input_core() function to release the sk_buff in the event that skb_cow_head() fails.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39490.html
CVE-2024-39490
https://bugzilla.suse.com/1227626
SUSE Bug 1227626

Описание

In the Linux kernel, the following vulnerability has been resolved: crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak Using completion_done to determine whether the caller has gone away only works after a complete call. Furthermore it's still possible that the caller has not yet called wait_for_completion, resulting in another potential UAF. Fix this by making the caller use cancel_work_sync and then freeing the memory safely.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39493.html
CVE-2024-39493
https://bugzilla.suse.com/1227620
SUSE Bug 1227620

Описание

In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39494.html
CVE-2024-39494
https://bugzilla.suse.com/1227716
SUSE Bug 1227716
https://bugzilla.suse.com/1227901
SUSE Bug 1227901

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) Lack of check for copy-on-write (COW) mapping in drm_gem_shmem_mmap allows users to call mmap with PROT_WRITE and MAP_PRIVATE flag causing a kernel panic due to BUG_ON in vmf_insert_pfn_prot: BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags)); Return -EINVAL early if COW mapping is detected. This bug affects all drm drivers using default shmem helpers. It can be reproduced by this simple example: void *ptr = mmap(0, size, PROT_WRITE, MAP_PRIVATE, fd, mmap_offset); ptr[0] = 0;

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39497.html
CVE-2024-39497
https://bugzilla.suse.com/1227722
SUSE Bug 1227722

Описание

In the Linux kernel, the following vulnerability has been resolved: vmci: prevent speculation leaks by sanitizing event in event_deliver() Coverity spotted that event_msg is controlled by user-space, event_msg->event_data.event is passed to event_deliver() and used as an index without sanitization. This change ensures that the event index is sanitized to mitigate any possibility of speculative information leaks. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. Only compile tested, no access to HW.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39499.html
CVE-2024-39499
https://bugzilla.suse.com/1227725
SUSE Bug 1227725

Описание

In the Linux kernel, the following vulnerability has been resolved: sock_map: avoid race between sock_map_close and sk_psock_put sk_psock_get will return NULL if the refcount of psock has gone to 0, which will happen when the last call of sk_psock_put is done. However, sk_psock_drop may not have finished yet, so the close callback will still point to sock_map_close despite psock being NULL. This can be reproduced with a thread deleting an element from the sock map, while the second one creates a socket, adds it to the map and closes it. That will trigger the WARN_ON_ONCE: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701 Modules linked in: CPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 RIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701 Code: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 <0f> 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02 RSP: 0018:ffffc9000441fda8 EFLAGS: 00010293 RAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000 RDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0 RBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3 R10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840 R13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870 FS: 000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0 Call Trace: <TASK> unix_release+0x87/0xc0 net/unix/af_unix.c:1048 __sock_release net/socket.c:659 [inline] sock_close+0xbe/0x240 net/socket.c:1421 __fput+0x42b/0x8a0 fs/file_table.c:422 __do_sys_close fs/open.c:1556 [inline] __se_sys_close fs/open.c:1541 [inline] __x64_sys_close+0x7f/0x110 fs/open.c:1541 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb37d618070 Code: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c RSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070 RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004 RBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Use sk_psock, which will only check that the pointer is not been set to NULL yet, which should only happen after the callbacks are restored. If, then, a reference can still be gotten, we may call sk_psock_stop and cancel psock->work. As suggested by Paolo Abeni, reorder the condition so the control flow is less convoluted. After that change, the reproducer does not trigger the WARN_ON_ONCE anymore.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39500.html
CVE-2024-39500
https://bugzilla.suse.com/1227724
SUSE Bug 1227724

Описание

In the Linux kernel, the following vulnerability has been resolved: drivers: core: synchronize really_probe() and dev_uevent() Synchronize the dev->driver usage in really_probe() and dev_uevent(). These can run in different threads, what can result in the following race condition for dev->driver uninitialization: Thread #1: ========== really_probe() { ... probe_failed: ... device_unbind_cleanup(dev) { ... dev->driver = NULL; // <= Failed probe sets dev->driver to NULL ... } ... } Thread #2: ========== dev_uevent() { ... if (dev->driver) // If dev->driver is NULLed from really_probe() from here on, // after above check, the system crashes add_uevent_var(env, "DRIVER=%s", dev->driver->name); ... } really_probe() holds the lock, already. So nothing needs to be done there. dev_uevent() is called with lock held, often, too. But not always. What implies that we can't add any locking in dev_uevent() itself. So fix this race by adding the lock to the non-protected path. This is the path where above race is observed: dev_uevent+0x235/0x380 uevent_show+0x10c/0x1f0 <= Add lock here dev_attr_show+0x3a/0xa0 sysfs_kf_seq_show+0x17c/0x250 kernfs_seq_show+0x7c/0x90 seq_read_iter+0x2d7/0x940 kernfs_fop_read_iter+0xc6/0x310 vfs_read+0x5bc/0x6b0 ksys_read+0xeb/0x1b0 __x64_sys_read+0x42/0x50 x64_sys_call+0x27ad/0x2d30 do_syscall_64+0xcd/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Similar cases are reported by syzkaller in https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a But these are regarding the *initialization* of dev->driver dev->driver = drv; As this switches dev->driver to non-NULL these reports can be considered to be false-positives (which should be "fixed" by this commit, as well, though). The same issue was reported and tried to be fixed back in 2015 in https://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@samsung.com/ already.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39501.html
CVE-2024-39501
https://bugzilla.suse.com/1227754
SUSE Bug 1227754

Описание

In the Linux kernel, the following vulnerability has been resolved: ionic: fix use after netif_napi_del() When queues are started, netif_napi_add() and napi_enable() are called. If there are 4 queues and only 3 queues are used for the current configuration, only 3 queues' napi should be registered and enabled. The ionic_qcq_enable() checks whether the .poll pointer is not NULL for enabling only the using queue' napi. Unused queues' napi will not be registered by netif_napi_add(), so the .poll pointer indicates NULL. But it couldn't distinguish whether the napi was unregistered or not because netif_napi_del() doesn't reset the .poll pointer to NULL. So, ionic_qcq_enable() calls napi_enable() for the queue, which was unregistered by netif_napi_del(). Reproducer: ethtool -L <interface name> rx 1 tx 1 combined 0 ethtool -L <interface name> rx 0 tx 0 combined 1 ethtool -L <interface name> rx 0 tx 0 combined 4 Splat looks like: kernel BUG at net/core/dev.c:6666! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16 Workqueue: events ionic_lif_deferred_work [ionic] RIP: 0010:napi_enable+0x3b/0x40 Code: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f RSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029 RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28 RBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000 R13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20 FS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <TASK> ? die+0x33/0x90 ? do_trap+0xd9/0x100 ? napi_enable+0x3b/0x40 ? do_error_trap+0x83/0xb0 ? napi_enable+0x3b/0x40 ? napi_enable+0x3b/0x40 ? exc_invalid_op+0x4e/0x70 ? napi_enable+0x3b/0x40 ? asm_exc_invalid_op+0x16/0x20 ? napi_enable+0x3b/0x40 ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] process_one_work+0x145/0x360 worker_thread+0x2bb/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0xcc/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39502.html
CVE-2024-39502
https://bugzilla.suse.com/1227755
SUSE Bug 1227755

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/komeda: check for error-valued pointer komeda_pipeline_get_state() may return an error-valued pointer, thus check the pointer for negative or null value before dereferencing.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39505.html
CVE-2024-39505
https://bugzilla.suse.com/1227728
SUSE Bug 1227728

Описание

In the Linux kernel, the following vulnerability has been resolved: liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value, but then it is unconditionally passed to skb_add_rx_frag() which looks strange and could lead to null pointer dereference. lio_vf_rep_copy_packet() call trace looks like: octeon_droq_process_packets octeon_droq_fast_process_packets octeon_droq_dispatch_pkt octeon_create_recv_info ...search in the dispatch_list... ->disp_fn(rdisp->rinfo, ...) lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...) In this path there is no code which sets pg_info->page to NULL. So this check looks unneeded and doesn't solve potential problem. But I guess the author had reason to add a check and I have no such card and can't do real test. In addition, the code in the function liquidio_push_packet() in liquidio/lio_core.c does exactly the same. Based on this, I consider the most acceptable compromise solution to adjust this issue by moving skb_add_rx_frag() into conditional scope. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39506.html
CVE-2024-39506
https://bugzilla.suse.com/1227729
SUSE Bug 1227729

Описание

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash problem in concurrent scenario When link status change, the nic driver need to notify the roce driver to handle this event, but at this time, the roce driver may uninit, then cause kernel crash. To fix the problem, when link status change, need to check whether the roce registered, and when uninit, need to wait link update finish.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39507.html
CVE-2024-39507
https://bugzilla.suse.com/1227730
SUSE Bug 1227730

Описание

In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: Use set_bit() and test_bit() at worker->flags Utilize set_bit() and test_bit() on worker->flags within io_uring/io-wq to address potential data races. The structure io_worker->flags may be accessed through various data paths, leading to concurrency issues. When KCSAN is enabled, it reveals data races occurring in io_worker_handle_work and io_wq_activate_free_worker functions. BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28: io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569) io_wq_worker (io_uring/io-wq.c:?) <snip> read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5: io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285) io_wq_enqueue (io_uring/io-wq.c:947) io_queue_iowq (io_uring/io_uring.c:524) io_req_task_submit (io_uring/io_uring.c:1511) io_handle_tw_list (io_uring/io_uring.c:1198) <snip> Line numbers against commit 18daea77cca6 ("Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm"). These races involve writes and reads to the same memory location by different tasks running on different CPUs. To mitigate this, refactor the code to use atomic operations such as set_bit(), test_bit(), and clear_bit() instead of basic "and" and "or" operations. This ensures thread-safe manipulation of worker flags. Also, move `create_index` to avoid holes in the structure.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39508.html
CVE-2024-39508
https://bugzilla.suse.com/1227732
SUSE Bug 1227732

Описание

In the Linux kernel, the following vulnerability has been resolved: HID: core: remove unnecessary WARN_ON() in implement() Syzkaller hit a warning [1] in a call to implement() when trying to write a value into a field of smaller size in an output report. Since implement() already has a warn message printed out with the help of hid_warn() and value in question gets trimmed with: ... value &= m; ... WARN_ON may be considered superfluous. Remove it to suppress future syzkaller triggers. [1] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 Modules linked in: CPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 RIP: 0010:implement drivers/hid/hid-core.c:1451 [inline] RIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 ... Call Trace: <TASK> __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline] usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636 hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ...

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-39509.html
CVE-2024-39509
https://bugzilla.suse.com/1227733
SUSE Bug 1227733

Описание

In the Linux kernel, the following vulnerability has been resolved: cachefiles: remove requests from xarray during flushing requests Even with CACHEFILES_DEAD set, we can still read the requests, so in the following concurrency the request may be used after it has been freed: mount | daemon_thread1 | daemon_thread2 ------------------------------------------------------------ cachefiles_ondemand_init_object cachefiles_ondemand_send_req REQ_A = kzalloc(sizeof(*req) + data_len) wait_for_completion(&REQ_A->done) cachefiles_daemon_read cachefiles_ondemand_daemon_read // close dev fd cachefiles_flush_reqs complete(&REQ_A->done) kfree(REQ_A) xa_lock(&cache->reqs); cachefiles_ondemand_select_req req->msg.opcode != CACHEFILES_OP_READ // req use-after-free !!! xa_unlock(&cache->reqs); xa_destroy(&cache->reqs) Hence remove requests from cache->reqs when flushing them to avoid accessing freed requests.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40900.html
CVE-2024-40900
https://bugzilla.suse.com/1227760
SUSE Bug 1227760

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory There is a potential out-of-bounds access when using test_bit() on a single word. The test_bit() and set_bit() functions operate on long values, and when testing or setting a single word, they can exceed the word boundary. KASAN detects this issue and produces a dump: BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965 For full log, please look at [1]. Make the allocation at least the size of sizeof(unsigned long) so that set_bit() and test_bit() have sufficient room for read/write operations without overwriting unallocated memory. [1] Link: https://lore.kernel.org/all/ZkNcALr3W3KGYYJG@gmail.com/

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40901.html
CVE-2024-40901
https://bugzilla.suse.com/1227762
SUSE Bug 1227762

Описание

In the Linux kernel, the following vulnerability has been resolved: jfs: xattr: fix buffer overflow for invalid xattr When an xattr size is not what is expected, it is printed out to the kernel log in hex format as a form of debugging. But when that xattr size is bigger than the expected size, printing it out can cause an access off the end of the buffer. Fix this all up by properly restricting the size of the debug hex dump in the kernel log.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40902.html
CVE-2024-40902
https://bugzilla.suse.com/1227764
SUSE Bug 1227764

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps There could be a potential use-after-free case in tcpm_register_source_caps(). This could happen when: * new (say invalid) source caps are advertised * the existing source caps are unregistered * tcpm_register_source_caps() returns with an error as usb_power_delivery_register_capabilities() fails This causes port->partner_source_caps to hold on to the now freed source caps. Reset port->partner_source_caps value to NULL after unregistering existing source caps.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40903.html
CVE-2024-40903
https://bugzilla.suse.com/1227766
SUSE Bug 1227766

Описание

In the Linux kernel, the following vulnerability has been resolved: USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages The syzbot fuzzer found that the interrupt-URB completion callback in the cdc-wdm driver was taking too long, and the driver's immediate resubmission of interrupt URBs with -EPROTO status combined with the dummy-hcd emulation to cause a CPU lockup: cdc_wdm 1-1:1.0: nonzero urb status received: -71 cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625] CPU#0 Utilization every 4s during lockup: #1: 98% system, 0% softirq, 3% hardirq, 0% idle #2: 98% system, 0% softirq, 3% hardirq, 0% idle #3: 98% system, 0% softirq, 3% hardirq, 0% idle #4: 98% system, 0% softirq, 3% hardirq, 0% idle #5: 98% system, 1% softirq, 3% hardirq, 0% idle Modules linked in: irq event stamp: 73096 hardirqs last enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline] hardirqs last enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994 hardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] hardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 softirqs last enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline] softirqs last enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582 softirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588 CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Testing showed that the problem did not occur if the two error messages -- the first two lines above -- were removed; apparently adding material to the kernel log takes a surprisingly large amount of time. In any case, the best approach for preventing these lockups and to avoid spamming the log with thousands of error messages per second is to ratelimit the two dev_err() calls. Therefore we replace them with dev_err_ratelimited().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40904.html
CVE-2024-40904
https://bugzilla.suse.com/1227772
SUSE Bug 1227772

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Always stop health timer during driver removal Currently, if teardown_hca fails to execute during driver removal, mlx5 does not stop the health timer. Afterwards, mlx5 continue with driver teardown. This may lead to a UAF bug, which results in page fault Oops[1], since the health timer invokes after resources were freed. Hence, stop the health monitor even if teardown_hca fails. [1] mlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) mlx5_core 0000:18:00.0: E-Switch: cleanup mlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource mlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup BUG: unable to handle page fault for address: ffffa26487064230 PGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Tainted: G OE ------- --- 6.7.0-68.fc38.x86_64 #1 Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020 RIP: 0010:ioread32be+0x34/0x60 RSP: 0018:ffffa26480003e58 EFLAGS: 00010292 RAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0 RDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230 RBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8 R10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0 R13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0 FS: 0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> ? __die+0x23/0x70 ? page_fault_oops+0x171/0x4e0 ? exc_page_fault+0x175/0x180 ? asm_exc_page_fault+0x26/0x30 ? __pfx_poll_health+0x10/0x10 [mlx5_core] ? __pfx_poll_health+0x10/0x10 [mlx5_core] ? ioread32be+0x34/0x60 mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core] ? __pfx_poll_health+0x10/0x10 [mlx5_core] poll_health+0x42/0x230 [mlx5_core] ? __next_timer_interrupt+0xbc/0x110 ? __pfx_poll_health+0x10/0x10 [mlx5_core] call_timer_fn+0x21/0x130 ? __pfx_poll_health+0x10/0x10 [mlx5_core] __run_timers+0x222/0x2c0 run_timer_softirq+0x1d/0x40 __do_softirq+0xc9/0x2c8 __irq_exit_rcu+0xa6/0xc0 sysvec_apic_timer_interrupt+0x72/0x90 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:cpuidle_enter_state+0xcc/0x440 ? cpuidle_enter_state+0xbd/0x440 cpuidle_enter+0x2d/0x40 do_idle+0x20d/0x270 cpu_startup_entry+0x2a/0x30 rest_init+0xd0/0xd0 arch_call_rest_init+0xe/0x30 start_kernel+0x709/0xa90 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0x96/0xa0 secondary_startup_64_no_verify+0x18f/0x19b ---[ end trace 0000000000000000 ]---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40906.html
CVE-2024-40906
https://bugzilla.suse.com/1227763
SUSE Bug 1227763

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Set run context for rawtp test_run callback syzbot reported crash when rawtp program executed through the test_run interface calls bpf_get_attach_cookie helper or any other helper that touches task->bpf_ctx pointer. Setting the run context (task->bpf_ctx pointer) for test_run callback.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40908.html
CVE-2024-40908
https://bugzilla.suse.com/1227783
SUSE Bug 1227783

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a potential use-after-free in bpf_link_free() After commit 1a80dbcb2dba, bpf_link can be freed by link->ops->dealloc_deferred, but the code still tests and uses link->ops->dealloc afterward, which leads to a use-after-free as reported by syzbot. Actually, one of them should be sufficient, so just call one of them instead of both. Also add a WARN_ON() in case of any problematic implementation.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40909.html
CVE-2024-40909
https://bugzilla.suse.com/1227798
SUSE Bug 1227798
https://bugzilla.suse.com/1228349
SUSE Bug 1228349

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: Lock wiphy in cfg80211_get_station Wiphy should be locked before calling rdev_get_station() (see lockdep assert in ieee80211_get_station()). This fixes the following kernel NULL dereference: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000 [0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000 Internal error: Oops: 0000000096000006 [#1] SMP Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705 Hardware name: RPT (r1) (DT) Workqueue: bat_events batadv_v_elp_throughput_metric_update pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core] lr : sta_set_sinfo+0xcc/0xbd4 sp : ffff000007b43ad0 x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98 x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000 x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000 x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000 x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000 x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90 x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000 Call trace: ath10k_sta_statistics+0x10/0x2dc [ath10k_core] sta_set_sinfo+0xcc/0xbd4 ieee80211_get_station+0x2c/0x44 cfg80211_get_station+0x80/0x154 batadv_v_elp_get_throughput+0x138/0x1fc batadv_v_elp_throughput_metric_update+0x1c/0xa4 process_one_work+0x1ec/0x414 worker_thread+0x70/0x46c kthread+0xdc/0xe0 ret_from_fork+0x10/0x20 Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814) This happens because STA has time to disconnect and reconnect before batadv_v_elp_throughput_metric_update() delayed work gets scheduled. In this situation, ath10k_sta_state() can be in the middle of resetting arsta data when the work queue get chance to be scheduled and ends up accessing it. Locking wiphy prevents that.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40911.html
CVE-2024-40911
https://bugzilla.suse.com/1227792
SUSE Bug 1227792

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from softirq context. However using only spin_lock() to get sta->ps_lock in ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to take this same lock ending in deadlock. Below is an example of rcu stall that arises in such situation. rcu: INFO: rcu_sched self-detected stall on CPU rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996 rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4) CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742 Hardware name: RPT (r1) (DT) pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : queued_spin_lock_slowpath+0x58/0x2d0 lr : invoke_tx_handlers_early+0x5b4/0x5c0 sp : ffff00001ef64660 x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8 x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000 x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000 x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000 x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80 x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440 x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880 x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8 Call trace: queued_spin_lock_slowpath+0x58/0x2d0 ieee80211_tx+0x80/0x12c ieee80211_tx_pending+0x110/0x278 tasklet_action_common.constprop.0+0x10c/0x144 tasklet_action+0x20/0x28 _stext+0x11c/0x284 ____do_softirq+0xc/0x14 call_on_irq_stack+0x24/0x34 do_softirq_own_stack+0x18/0x20 do_softirq+0x74/0x7c __local_bh_enable_ip+0xa0/0xa4 _ieee80211_wake_txqs+0x3b0/0x4b8 __ieee80211_wake_queue+0x12c/0x168 ieee80211_add_pending_skbs+0xec/0x138 ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480 ieee80211_mps_sta_status_update.part.0+0xd8/0x11c ieee80211_mps_sta_status_update+0x18/0x24 sta_apply_parameters+0x3bc/0x4c0 ieee80211_change_station+0x1b8/0x2dc nl80211_set_station+0x444/0x49c genl_family_rcv_msg_doit.isra.0+0xa4/0xfc genl_rcv_msg+0x1b0/0x244 netlink_rcv_skb+0x38/0x10c genl_rcv+0x34/0x48 netlink_unicast+0x254/0x2bc netlink_sendmsg+0x190/0x3b4 ____sys_sendmsg+0x1e8/0x218 ___sys_sendmsg+0x68/0x8c __sys_sendmsg+0x44/0x84 __arm64_sys_sendmsg+0x20/0x28 do_el0_svc+0x6c/0xe8 el0_svc+0x14/0x48 el0t_64_sync_handler+0xb0/0xb4 el0t_64_sync+0x14c/0x150 Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise on the same CPU that is holding the lock.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40912.html
CVE-2024-40912
https://bugzilla.suse.com/1227790
SUSE Bug 1227790

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found When reading EDID fails and driver reports no modes available, the DRM core adds an artificial 1024x786 mode to the connector. Unfortunately some variants of the Exynos HDMI (like the one in Exynos4 SoCs) are not able to drive such mode, so report a safe 640x480 mode instead of nothing in case of the EDID reading failure. This fixes the following issue observed on Trats2 board since commit 13d5b040363c ("drm/exynos: do not return negative values from .get_modes()"): [drm] Exynos DRM: using 11c00000.fimd device for DMA mapping operations exynos-drm exynos-drm: bound 11c00000.fimd (ops fimd_component_ops) exynos-drm exynos-drm: bound 12c10000.mixer (ops mixer_component_ops) exynos-dsi 11c80000.dsi: [drm:samsung_dsim_host_attach] Attached s6e8aa0 device (lanes:4 bpp:24 mode-flags:0x10b) exynos-drm exynos-drm: bound 11c80000.dsi (ops exynos_dsi_component_ops) exynos-drm exynos-drm: bound 12d00000.hdmi (ops hdmi_component_ops) [drm] Initialized exynos 1.1.0 20180330 for exynos-drm on minor 1 exynos-hdmi 12d00000.hdmi: [drm:hdmiphy_enable.part.0] *ERROR* PLL could not reach steady state panel-samsung-s6e8aa0 11c80000.dsi.0: ID: 0xa2, 0x20, 0x8c exynos-mixer 12c10000.mixer: timeout waiting for VSYNC ------------[ cut here ]------------ WARNING: CPU: 1 PID: 11 at drivers/gpu/drm/drm_atomic_helper.c:1682 drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8 [CRTC:70:crtc-1] vblank wait timed out Modules linked in: CPU: 1 PID: 11 Comm: kworker/u16:0 Not tainted 6.9.0-rc5-next-20240424 #14913 Hardware name: Samsung Exynos (Flattened Device Tree) Workqueue: events_unbound deferred_probe_work_func Call trace: unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x68/0x88 dump_stack_lvl from __warn+0x7c/0x1c4 __warn from warn_slowpath_fmt+0x11c/0x1a8 warn_slowpath_fmt from drm_atomic_helper_wait_for_vblanks.part.0+0x2b0/0x2b8 drm_atomic_helper_wait_for_vblanks.part.0 from drm_atomic_helper_commit_tail_rpm+0x7c/0x8c drm_atomic_helper_commit_tail_rpm from commit_tail+0x9c/0x184 commit_tail from drm_atomic_helper_commit+0x168/0x190 drm_atomic_helper_commit from drm_atomic_commit+0xb4/0xe0 drm_atomic_commit from drm_client_modeset_commit_atomic+0x23c/0x27c drm_client_modeset_commit_atomic from drm_client_modeset_commit_locked+0x60/0x1cc drm_client_modeset_commit_locked from drm_client_modeset_commit+0x24/0x40 drm_client_modeset_commit from __drm_fb_helper_restore_fbdev_mode_unlocked+0x9c/0xc4 __drm_fb_helper_restore_fbdev_mode_unlocked from drm_fb_helper_set_par+0x2c/0x3c drm_fb_helper_set_par from fbcon_init+0x3d8/0x550 fbcon_init from visual_init+0xc0/0x108 visual_init from do_bind_con_driver+0x1b8/0x3a4 do_bind_con_driver from do_take_over_console+0x140/0x1ec do_take_over_console from do_fbcon_takeover+0x70/0xd0 do_fbcon_takeover from fbcon_fb_registered+0x19c/0x1ac fbcon_fb_registered from register_framebuffer+0x190/0x21c register_framebuffer from __drm_fb_helper_initial_config_and_unlock+0x350/0x574 __drm_fb_helper_initial_config_and_unlock from exynos_drm_fbdev_client_hotplug+0x6c/0xb0 exynos_drm_fbdev_client_hotplug from drm_client_register+0x58/0x94 drm_client_register from exynos_drm_bind+0x160/0x190 exynos_drm_bind from try_to_bring_up_aggregate_device+0x200/0x2d8 try_to_bring_up_aggregate_device from __component_add+0xb0/0x170 __component_add from mixer_probe+0x74/0xcc mixer_probe from platform_probe+0x5c/0xb8 platform_probe from really_probe+0xe0/0x3d8 really_probe from __driver_probe_device+0x9c/0x1e4 __driver_probe_device from driver_probe_device+0x30/0xc0 driver_probe_device from __device_attach_driver+0xa8/0x120 __device_attach_driver from bus_for_each_drv+0x80/0xcc bus_for_each_drv from __device_attach+0xac/0x1fc __device_attach from bus_probe_device+0x8c/0x90 bus_probe_device from deferred_probe_work_func+0 ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40916.html
CVE-2024-40916
https://bugzilla.suse.com/1227846
SUSE Bug 1227846

Описание

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send() In case of token is released due to token->state == BNXT_HWRM_DEFERRED, released token (set to NULL) is used in log messages. This issue is expected to be prevented by HWRM_ERR_CODE_PF_UNAVAILABLE error code. But this error code is returned by recent firmware. So some firmware may not return it. This may lead to NULL pointer dereference. Adjust this issue by adding token pointer check. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40919.html
CVE-2024-40919
https://bugzilla.suse.com/1227779
SUSE Bug 1227779

Описание

In the Linux kernel, the following vulnerability has been resolved: vmxnet3: disable rx data ring on dma allocation failure When vmxnet3_rq_create() fails to allocate memory for rq->data_ring.base, the subsequent call to vmxnet3_rq_destroy_all_rxdataring does not reset rq->data_ring.desc_size for the data ring that failed, which presumably causes the hypervisor to reference it on packet reception. To fix this bug, rq->data_ring.desc_size needs to be set to 0 to tell the hypervisor to disable this feature. [ 95.436876] kernel BUG at net/core/skbuff.c:207! [ 95.439074] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 95.440411] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 6.9.3-dirty #1 [ 95.441558] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018 [ 95.443481] RIP: 0010:skb_panic+0x4d/0x4f [ 95.444404] Code: 4f 70 50 8b 87 c0 00 00 00 50 8b 87 bc 00 00 00 50 ff b7 d0 00 00 00 4c 8b 8f c8 00 00 00 48 c7 c7 68 e8 be 9f e8 63 58 f9 ff <0f> 0b 48 8b 14 24 48 c7 c1 d0 73 65 9f e8 a1 ff ff ff 48 8b 14 24 [ 95.447684] RSP: 0018:ffffa13340274dd0 EFLAGS: 00010246 [ 95.448762] RAX: 0000000000000089 RBX: ffff8fbbc72b02d0 RCX: 000000000000083f [ 95.450148] RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000083f [ 95.451520] RBP: 000000000000002d R08: 0000000000000000 R09: ffffa13340274c60 [ 95.452886] R10: ffffffffa04ed468 R11: 0000000000000002 R12: 0000000000000000 [ 95.454293] R13: ffff8fbbdab3c2d0 R14: ffff8fbbdbd829e0 R15: ffff8fbbdbd809e0 [ 95.455682] FS: 0000000000000000(0000) GS:ffff8fbeefd80000(0000) knlGS:0000000000000000 [ 95.457178] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 95.458340] CR2: 00007fd0d1f650c8 CR3: 0000000115f28000 CR4: 00000000000406f0 [ 95.459791] Call Trace: [ 95.460515] <IRQ> [ 95.461180] ? __die_body.cold+0x19/0x27 [ 95.462150] ? die+0x2e/0x50 [ 95.462976] ? do_trap+0xca/0x110 [ 95.463973] ? do_error_trap+0x6a/0x90 [ 95.464966] ? skb_panic+0x4d/0x4f [ 95.465901] ? exc_invalid_op+0x50/0x70 [ 95.466849] ? skb_panic+0x4d/0x4f [ 95.467718] ? asm_exc_invalid_op+0x1a/0x20 [ 95.468758] ? skb_panic+0x4d/0x4f [ 95.469655] skb_put.cold+0x10/0x10 [ 95.470573] vmxnet3_rq_rx_complete+0x862/0x11e0 [vmxnet3] [ 95.471853] vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3] [ 95.473185] __napi_poll+0x2b/0x160 [ 95.474145] net_rx_action+0x2c6/0x3b0 [ 95.475115] handle_softirqs+0xe7/0x2a0 [ 95.476122] __irq_exit_rcu+0x97/0xb0 [ 95.477109] common_interrupt+0x85/0xa0 [ 95.478102] </IRQ> [ 95.478846] <TASK> [ 95.479603] asm_common_interrupt+0x26/0x40 [ 95.480657] RIP: 0010:pv_native_safe_halt+0xf/0x20 [ 95.481801] Code: 22 d7 e9 54 87 01 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 93 ba 3b 00 fb f4 <e9> 2c 87 01 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 [ 95.485563] RSP: 0018:ffffa133400ffe58 EFLAGS: 00000246 [ 95.486882] RAX: 0000000000004000 RBX: ffff8fbbc1d14064 RCX: 0000000000000000 [ 95.488477] RDX: ffff8fbeefd80000 RSI: ffff8fbbc1d14000 RDI: 0000000000000001 [ 95.490067] RBP: ffff8fbbc1d14064 R08: ffffffffa0652260 R09: 00000000000010d3 [ 95.491683] R10: 0000000000000018 R11: ffff8fbeefdb4764 R12: ffffffffa0652260 [ 95.493389] R13: ffffffffa06522e0 R14: 0000000000000001 R15: 0000000000000000 [ 95.495035] acpi_safe_halt+0x14/0x20 [ 95.496127] acpi_idle_do_entry+0x2f/0x50 [ 95.497221] acpi_idle_enter+0x7f/0xd0 [ 95.498272] cpuidle_enter_state+0x81/0x420 [ 95.499375] cpuidle_enter+0x2d/0x40 [ 95.500400] do_idle+0x1e5/0x240 [ 95.501385] cpu_startup_entry+0x29/0x30 [ 95.502422] start_secondary+0x11c/0x140 [ 95.503454] common_startup_64+0x13e/0x141 [ 95.504466] </TASK> [ 95.505197] Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ip ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40923.html
CVE-2024-40923
https://bugzilla.suse.com/1227786
SUSE Bug 1227786

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/i915/dpt: Make DPT object unshrinkable In some scenarios, the DPT object gets shrunk but the actual framebuffer did not and thus its still there on the DPT's vm->bound_list. Then it tries to rewrite the PTEs via a stale CPU mapping. This causes panic. [vsyrjala: Add TODO comment] (cherry picked from commit 51064d471c53dcc8eddd2333c3f1c1d9131ba36c)

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40924.html
CVE-2024-40924
https://bugzilla.suse.com/1227787
SUSE Bug 1227787

Описание

In the Linux kernel, the following vulnerability has been resolved: xhci: Handle TD clearing for multiple streams case When multiple streams are in use, multiple TDs might be in flight when an endpoint is stopped. We need to issue a Set TR Dequeue Pointer for each, to ensure everything is reset properly and the caches cleared. Change the logic so that any N>1 TDs found active for different streams are deferred until after the first one is processed, calling xhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to queue another command until we are done with all of them. Also change the error/"should never happen" paths to ensure we at least clear any affected TDs, even if we can't issue a command to clear the hardware cache, and complain loudly with an xhci_warn() if this ever happens. This problem case dates back to commit e9df17eb1408 ("USB: xhci: Correct assumptions about number of rings per endpoint.") early on in the XHCI driver's life, when stream support was first added. It was then identified but not fixed nor made into a warning in commit 674f8438c121 ("xhci: split handling halted endpoints into two steps"), which added a FIXME comment for the problem case (without materially changing the behavior as far as I can tell, though the new logic made the problem more obvious). Then later, in commit 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs."), it was acknowledged again. [Mathias: commit 94f339147fc3 ("xhci: Fix failure to give back some cached cancelled URBs.") was a targeted regression fix to the previously mentioned patch. Users reported issues with usb stuck after unmounting/disconnecting UAS devices. This rolled back the TD clearing of multiple streams to its original state.] Apparently the commit author was aware of the problem (yet still chose to submit it): It was still mentioned as a FIXME, an xhci_dbg() was added to log the problem condition, and the remaining issue was mentioned in the commit description. The choice of making the log type xhci_dbg() for what is, at this point, a completely unhandled and known broken condition is puzzling and unfortunate, as it guarantees that no actual users would see the log in production, thereby making it nigh undebuggable (indeed, even if you turn on DEBUG, the message doesn't really hint at there being a problem at all). It took me *months* of random xHC crashes to finally find a reliable repro and be able to do a deep dive debug session, which could all have been avoided had this unhandled, broken condition been actually reported with a warning, as it should have been as a bug intentionally left in unfixed (never mind that it shouldn't have been left in at all). > Another fix to solve clearing the caches of all stream rings with > cancelled TDs is needed, but not as urgent. 3 years after that statement and 14 years after the original bug was introduced, I think it's finally time to fix it. And maybe next time let's not leave bugs unfixed (that are actually worse than the original bug), and let's actually get people to review kernel commits please. Fixes xHC crashes and IOMMU faults with UAS devices when handling errors/faults. Easiest repro is to use `hdparm` to mark an early sector (e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop. At least in the case of JMicron controllers, the read errors end up having to cancel two TDs (for two queued requests to different streams) and the one that didn't get cleared properly ends up faulting the xHC entirely when it tries to access DMA pages that have since been unmapped, referred to by the stale TDs. This normally happens quickly (after two or three loops). After this fix, I left the `cat` in a loop running overnight and experienced no xHC failures, with all read errors recovered properly. Repro'd and tested on an Apple M1 Mac Mini (dwc3 host). On systems without an IOMMU, this bug would instead silently corrupt freed memory, making this a ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40927.html
CVE-2024-40927
https://bugzilla.suse.com/1227816
SUSE Bug 1227816

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: check n_ssids before accessing the ssids In some versions of cfg80211, the ssids poinet might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cuase an out-of-bound access. Fix this by checking n_ssids first.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40929.html
CVE-2024-40929
https://bugzilla.suse.com/1227774
SUSE Bug 1227774

Описание

In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure snd_una is properly initialized on connect This is strictly related to commit fb7a0d334894 ("mptcp: ensure snd_nxt is properly initialized on connect"). It turns out that syzkaller can trigger the retransmit after fallback and before processing any other incoming packet - so that snd_una is still left uninitialized. Address the issue explicitly initializing snd_una together with snd_nxt and write_seq.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40931.html
CVE-2024-40931
https://bugzilla.suse.com/1227780
SUSE Bug 1227780

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/exynos/vidi: fix memory leak in .get_modes() The duplicated EDID is never freed. Fix it.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40932.html
CVE-2024-40932
https://bugzilla.suse.com/1227828
SUSE Bug 1227828

Описание

In the Linux kernel, the following vulnerability has been resolved: HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() Fix a memory leak on logi_dj_recv_send_report() error path.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40934.html
CVE-2024-40934
https://bugzilla.suse.com/1227796
SUSE Bug 1227796

Описание

In the Linux kernel, the following vulnerability has been resolved: cachefiles: flush all requests after setting CACHEFILES_DEAD In ondemand mode, when the daemon is processing an open request, if the kernel flags the cache as CACHEFILES_DEAD, the cachefiles_daemon_write() will always return -EIO, so the daemon can't pass the copen to the kernel. Then the kernel process that is waiting for the copen triggers a hung_task. Since the DEAD state is irreversible, it can only be exited by closing /dev/cachefiles. Therefore, after calling cachefiles_io_error() to mark the cache as CACHEFILES_DEAD, if in ondemand mode, flush all requests to avoid the above hungtask. We may still be able to read some of the cached data before closing the fd of /dev/cachefiles. Note that this relies on the patch that adds reference counting to the req, otherwise it may UAF.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40935.html
CVE-2024-40935
https://bugzilla.suse.com/1227797
SUSE Bug 1227797

Описание

In the Linux kernel, the following vulnerability has been resolved: gve: Clear napi->skb before dev_kfree_skb_any() gve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it is freed with dev_kfree_skb_any(). This can result in a subsequent call to napi_get_frags returning a dangling pointer. Fix this by clearing napi->skb before the skb is freed.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40937.html
CVE-2024-40937
https://bugzilla.suse.com/1227836
SUSE Bug 1227836
https://bugzilla.suse.com/1227903
SUSE Bug 1227903

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix tainted pointer delete is case of flow rules creation fail In case of flow rule creation fail in mlx5_lag_create_port_sel_table(), instead of previously created rules, the tainted pointer is deleted deveral times. Fix this bug by using correct flow rules pointers. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40940.html
CVE-2024-40940
https://bugzilla.suse.com/1227800
SUSE Bug 1227800

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: don't read past the mfuart notifcation In case the firmware sends a notification that claims it has more data than it has, we will read past that was allocated for the notification. Remove the print of the buffer, we won't see it by default. If needed, we can see the content with tracing. This was reported by KFENCE.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40941.html
CVE-2024-40941
https://bugzilla.suse.com/1227771
SUSE Bug 1227771

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects The hwmp code use objects of type mesh_preq_queue, added to a list in ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath gets deleted, ex mesh interface is removed, the entries in that list will never get cleaned. Fix this by flushing all corresponding items of the preq_queue in mesh_path_flush_pending(). This should take care of KASAN reports like this: unreferenced object 0xffff00000668d800 (size 128): comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s) hex dump (first 32 bytes): 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h..... 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>........... backtrace: [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c [<00000000049bd418>] kmalloc_trace+0x34/0x80 [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c [<00000000b36425d1>] worker_thread+0x9c/0x634 [<0000000005852dd5>] kthread+0x1bc/0x1c4 [<000000005fccd770>] ret_from_fork+0x10/0x20 unreferenced object 0xffff000009051f00 (size 128): comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s) hex dump (first 32 bytes): 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h..... 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy..... backtrace: [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c [<00000000049bd418>] kmalloc_trace+0x34/0x80 [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c [<00000000b36425d1>] worker_thread+0x9c/0x634 [<0000000005852dd5>] kthread+0x1bc/0x1c4 [<000000005fccd770>] ret_from_fork+0x10/0x20

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40942.html
CVE-2024-40942
https://bugzilla.suse.com/1227770
SUSE Bug 1227770

Описание

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix races between hole punching and AIO+DIO After commit "ocfs2: return real error code in ocfs2_dio_wr_get_block", fstests/generic/300 become from always failed to sometimes failed: ======================================================================== [ 473.293420 ] run fstests generic/300 [ 475.296983 ] JBD2: Ignoring recovery information on journal [ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode. [ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found [ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted. [ 494.292018 ] OCFS2: File system is now read-only. [ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30 [ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3 fio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072 ========================================================================= In __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten extents to a list. extents are also inserted into extent tree in ocfs2_write_begin_nolock. Then another thread call fallocate to puch a hole at one of the unwritten extent. The extent at cpos was removed by ocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list found there is no such extent at the cpos. T1 T2 T3 inode lock ... insert extents ... inode unlock ocfs2_fallocate __ocfs2_change_file_space inode lock lock ip_alloc_sem ocfs2_remove_inode_range inode ocfs2_remove_btree_range ocfs2_remove_extent ^---remove the extent at cpos 78723 ... unlock ip_alloc_sem inode unlock ocfs2_dio_end_io ocfs2_dio_end_io_write lock ip_alloc_sem ocfs2_mark_extent_written ocfs2_change_extent_flag ocfs2_search_extent_list ^---failed to find extent ... unlock ip_alloc_sem In most filesystems, fallocate is not compatible with racing with AIO+DIO, so fix it by adding to wait for all dio before fallocate/punch_hole like ext4.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40943.html
CVE-2024-40943
https://bugzilla.suse.com/1227849
SUSE Bug 1227849

Описание

In the Linux kernel, the following vulnerability has been resolved: iommu: Return right value in iommu_sva_bind_device() iommu_sva_bind_device() should return either a sva bond handle or an ERR_PTR value in error cases. Existing drivers (idxd and uacce) only check the return value with IS_ERR(). This could potentially lead to a kernel NULL pointer dereference issue if the function returns NULL instead of an error pointer. In reality, this doesn't cause any problems because iommu_sva_bind_device() only returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA. In this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will return an error, and the device drivers won't call iommu_sva_bind_device() at all.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40945.html
CVE-2024-40945
https://bugzilla.suse.com/1227802
SUSE Bug 1227802

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the loads and stores are atomic. In the extremely unlikely scenario the compiler tears the stores, it's theoretically possible for KVM to attempt to get a vCPU using an out-of-bounds index, e.g. if the write is split into multiple 8-bit stores, and is paired with a 32-bit load on a VM with 257 vCPUs: CPU0 CPU1 last_boosted_vcpu = 0xff; (last_boosted_vcpu = 0x100) last_boosted_vcpu[15:8] = 0x01; i = (last_boosted_vcpu = 0x1ff) last_boosted_vcpu[7:0] = 0x00; vcpu = kvm->vcpu_array[0x1ff]; As detected by KCSAN: BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm] write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x00000012 -> 0x00000000

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40953.html
CVE-2024-40953
https://bugzilla.suse.com/1227806
SUSE Bug 1227806

Описание

In the Linux kernel, the following vulnerability has been resolved: net: do not leave a dangling sk pointer, when socket creation fails It is possible to trigger a use-after-free by: * attaching an fentry probe to __sock_release() and the probe calling the bpf_get_socket_cookie() helper * running traceroute -I 1.1.1.1 on a freshly booted VM A KASAN enabled kernel will log something like below (decoded and stripped): ================================================================== BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) Read of size 8 at addr ffff888007110dd8 by task traceroute/299 CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) kasan_report (mm/kasan/report.c:603) ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092) bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e bpf_trampoline_6442506592+0x47/0xaf __sock_release (net/socket.c:652) __sock_create (net/socket.c:1601) ... Allocated by task 299 on cpu 2 at 78.328492s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338) kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007) sk_prot_alloc (net/core/sock.c:2075) sk_alloc (net/core/sock.c:2134) inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1572) __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) __x64_sys_socket (net/socket.c:1718) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Freed by task 299 on cpu 2 at 78.328502s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) kasan_save_free_info (mm/kasan/generic.c:582) poison_slab_object (mm/kasan/common.c:242) __kasan_slab_free (mm/kasan/common.c:256) kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511) __sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208) inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1572) __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) __x64_sys_socket (net/socket.c:1718) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fix this by clearing the struct socket reference in sk_common_release() to cover all protocol families create functions, which may already attached the reference to the sk object with sock_init_data().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40954.html
CVE-2024-40954
https://bugzilla.suse.com/1227808
SUSE Bug 1227808
https://bugzilla.suse.com/1228786
SUSE Bug 1228786

Описание

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list Use list_for_each_entry_safe() to allow iterating through the list and deleting the entry in the iteration process. The descriptor is freed via idxd_desc_complete() and there's a slight chance may cause issue for the list iterator when the descriptor is reused by another thread without it being deleted from the list.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40956.html
CVE-2024-40956
https://bugzilla.suse.com/1227810
SUSE Bug 1227810
https://bugzilla.suse.com/1228585
SUSE Bug 1228585

Описание

In the Linux kernel, the following vulnerability has been resolved: netns: Make get_net_ns() handle zero refcount net Syzkaller hit a warning: refcount_t: addition on 0; use-after-free. WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0 Modules linked in: CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:refcount_warn_saturate+0xdf/0x1d0 Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1 RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001 RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139 R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4 R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040 FS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? show_regs+0xa3/0xc0 ? __warn+0xa5/0x1c0 ? refcount_warn_saturate+0xdf/0x1d0 ? report_bug+0x1fc/0x2d0 ? refcount_warn_saturate+0xdf/0x1d0 ? handle_bug+0xa1/0x110 ? exc_invalid_op+0x3c/0xb0 ? asm_exc_invalid_op+0x1f/0x30 ? __warn_printk+0xcc/0x140 ? __warn_printk+0xd5/0x140 ? refcount_warn_saturate+0xdf/0x1d0 get_net_ns+0xa4/0xc0 ? __pfx_get_net_ns+0x10/0x10 open_related_ns+0x5a/0x130 __tun_chr_ioctl+0x1616/0x2370 ? __sanitizer_cov_trace_switch+0x58/0xa0 ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30 ? __pfx_tun_chr_ioctl+0x10/0x10 tun_chr_ioctl+0x2f/0x40 __x64_sys_ioctl+0x11b/0x160 x64_sys_call+0x1211/0x20d0 do_syscall_64+0x9e/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5b28f165d7 Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8 RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7 RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003 RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0 R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730 R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: kernel: panic_on_warn set ... This is trigger as below: ns0 ns1 tun_set_iff() //dev is tun0 tun->dev = dev //ip link set tun0 netns ns1 put_net() //ref is 0 __tun_chr_ioctl() //TUNGETDEVNETNS net = dev_net(tun->dev); open_related_ns(&net->ns, get_net_ns); //ns1 get_net_ns() get_net() //addition on 0 Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40958.html
CVE-2024-40958
https://bugzilla.suse.com/1227812
SUSE Bug 1227812

Описание

In the Linux kernel, the following vulnerability has been resolved: xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly. syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64 Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00 RSP: 0018:ffffc90000117378 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7 RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98 RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000 R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline] xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline] xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541 xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline] xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201 xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline] xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309 ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256 send6+0x611/0xd20 drivers/net/wireguard/socket.c:139 wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178 wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200 wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40 wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40959.html
CVE-2024-40959
https://bugzilla.suse.com/1227884
SUSE Bug 1227884

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible NULL dereference in rt6_probe() syzbot caught a NULL dereference in rt6_probe() [1] Bail out if __in6_dev_get() returns NULL. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f] CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline] RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758 Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19 RSP: 0018:ffffc900034af070 EFLAGS: 00010203 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000 RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000 FS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784 nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496 __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825 find_rr_leaf net/ipv6/route.c:853 [inline] rt6_select net/ipv6/route.c:897 [inline] fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195 ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231 pol_lookup_func include/net/ip6_fib.h:616 [inline] fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121 ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline] ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651 ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147 ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250 rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898 inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_write_iter+0x4b8/0x5c0 net/socket.c:1160 new_sync_write fs/read_write.c:497 [inline] vfs_write+0x6b6/0x1140 fs/read_write.c:590 ksys_write+0x1f8/0x260 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40960.html
CVE-2024-40960
https://bugzilla.suse.com/1227813
SUSE Bug 1227813

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible NULL deref in fib6_nh_init() syzbot reminds us that in6_dev_get() can return NULL. fib6_nh_init() ip6_validate_gw( &idev ) ip6_route_check_nh( idev ) *idev = in6_dev_get(dev); // can be NULL Oops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606 Code: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b RSP: 0018:ffffc900032775a0 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000 RDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8 RBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000 R10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8 R13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000 FS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809 ip6_route_add+0x28/0x160 net/ipv6/route.c:3853 ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483 inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f940f07cea9

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40961.html
CVE-2024-40961
https://bugzilla.suse.com/1227814
SUSE Bug 1227814

Описание

In the Linux kernel, the following vulnerability has been resolved: tty: add the option to have a tty reject a new ldisc ... and use it to limit the virtual terminals to just N_TTY. They are kind of special, and in particular, the "con_write()" routine violates the "writes cannot sleep" rule that some ldiscs rely on. This avoids the BUG: sleeping function called from invalid context at kernel/printk/printk.c:2659 when N_GSM has been attached to a virtual console, and gsmld_write() calls con_write() while holding a spinlock, and con_write() then tries to get the console lock.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40966.html
CVE-2024-40966
https://bugzilla.suse.com/1227886
SUSE Bug 1227886

Описание

In the Linux kernel, the following vulnerability has been resolved: serial: imx: Introduce timeout when waiting on transmitter empty By waiting at most 1 second for USR2_TXDC to be set, we avoid a potential deadlock. In case of the timeout, there is not much we can do, so we simply ignore the transmitter state and optimistically try to continue.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40967.html
CVE-2024-40967
https://bugzilla.suse.com/1227891
SUSE Bug 1227891

Описание

In the Linux kernel, the following vulnerability has been resolved: Avoid hw_desc array overrun in dw-axi-dmac I have a use case where nr_buffers = 3 and in which each descriptor is composed by 3 segments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put() handles the hw_desc considering the descs_allocated, this scenario would result in a kernel panic (hw_desc array will be overrun). To fix this, the proposal is to add a new member to the axi_dma_desc structure, where we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in axi_desc_put() to handle the hw_desc array correctly. Additionally I propose to remove the axi_chan_start_first_queued() call after completing the transfer, since it was identified that unbalance can occur (started descriptors can be interrupted and transfer ignored due to DMA channel not being enabled).

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40970.html
CVE-2024-40970
https://bugzilla.suse.com/1227899
SUSE Bug 1227899

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: do not create EA inode under buffer lock ext4_xattr_set_entry() creates new EA inodes while holding buffer lock on the external xattr block. This is problematic as it nests all the allocation locking (which acquires locks on other buffers) under the buffer lock. This can even deadlock when the filesystem is corrupted and e.g. quota file is setup to contain xattr block as data block. Move the allocation of EA inode out of ext4_xattr_set_entry() into the callers.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40972.html
CVE-2024-40972
https://bugzilla.suse.com/1227910
SUSE Bug 1227910

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/lima: mask irqs in timeout path before hard reset There is a race condition in which a rendering job might take just long enough to trigger the drm sched job timeout handler but also still complete before the hard reset is done by the timeout handler. This runs into race conditions not expected by the timeout handler. In some very specific cases it currently may result in a refcount imbalance on lima_pm_idle, with a stack dump such as: [10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0 ... [10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0 ... [10136.669628] Call trace: [10136.669634] lima_devfreq_record_idle+0xa0/0xb0 [10136.669646] lima_sched_pipe_task_done+0x5c/0xb0 [10136.669656] lima_gp_irq_handler+0xa8/0x120 [10136.669666] __handle_irq_event_percpu+0x48/0x160 [10136.669679] handle_irq_event+0x4c/0xc0 We can prevent that race condition entirely by masking the irqs at the beginning of the timeout handler, at which point we give up on waiting for that job entirely. The irqs will be enabled again at the next hard reset which is already done as a recovery by the timeout handler.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40976.html
CVE-2024-40976
https://bugzilla.suse.com/1227893
SUSE Bug 1227893

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921s: fix potential hung tasks during chip recovery During chip recovery (e.g. chip reset), there is a possible situation that kernel worker reset_work is holding the lock and waiting for kernel thread stat_worker to be parked, while stat_worker is waiting for the release of the same lock. It causes a deadlock resulting in the dumping of hung tasks messages and possible rebooting of the device. This patch prevents the execution of stat_worker during the chip recovery.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40977.html
CVE-2024-40977
https://bugzilla.suse.com/1227950
SUSE Bug 1227950

Описание

In the Linux kernel, the following vulnerability has been resolved: batman-adv: bypass empty buckets in batadv_purge_orig_ref() Many syzbot reports are pointing to soft lockups in batadv_purge_orig_ref() [1] Root cause is unknown, but we can avoid spending too much time there and perhaps get more interesting reports. [1] watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621] Modules linked in: irq event stamp: 6182794 hardirqs last enabled at (6182793): [<ffff8000801dae10>] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386 hardirqs last disabled at (6182794): [<ffff80008ad66a78>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] hardirqs last disabled at (6182794): [<ffff80008ad66a78>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 softirqs last enabled at (6182792): [<ffff80008aab71c4>] spin_unlock_bh include/linux/spinlock.h:396 [inline] softirqs last enabled at (6182792): [<ffff80008aab71c4>] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 softirqs last disabled at (6182790): [<ffff80008aab61dc>] spin_lock_bh include/linux/spinlock.h:356 [inline] softirqs last disabled at (6182790): [<ffff80008aab61dc>] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271 CPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Workqueue: bat_events batadv_purge_orig pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline] pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388 lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386 sp : ffff800099007970 x29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000 x26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001 x23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4 x20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0 x17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001 x14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003 x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000 Call trace: __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline] arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline] __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline] _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300 process_one_work+0x694/0x1204 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x938/0xef4 kernel/workqueue.c:2787 kthread+0x288/0x310 kernel/kthread.c:388 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51 lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103 sp : ffff800093a17d30 x29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4 x26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002 x23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000 x20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396 x17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001 ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40981.html
CVE-2024-40981
https://bugzilla.suse.com/1227864
SUSE Bug 1227864

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40982.html
CVE-2024-40982
https://bugzilla.suse.com/1227865
SUSE Bug 1227865

Описание

In the Linux kernel, the following vulnerability has been resolved: ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." Undo the modifications made in commit d410ee5109a1 ("ACPICA: avoid "Info: mapping multiple BARs. Your kernel is fine.""). The initial purpose of this commit was to stop memory mappings for operation regions from overlapping page boundaries, as it can trigger warnings if different page attributes are present. However, it was found that when this situation arises, mapping continues until the boundary's end, but there is still an attempt to read/write the entire length of the map, leading to a NULL pointer deference. For example, if a four-byte mapping request is made but only one byte is mapped because it hits the current page boundary's end, a four-byte read/write attempt is still made, resulting in a NULL pointer deference. Instead, map the entire length, as the ACPI specification does not mandate that it must be within the same page boundary. It is permissible for it to be mapped across different regions.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40984.html
CVE-2024-40984
https://bugzilla.suse.com/1227820
SUSE Bug 1227820

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix UBSAN warning in kv_dpm.c Adds bounds check for sumo_vid_mapping_entry.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40987.html
CVE-2024-40987
https://bugzilla.suse.com/1228235
SUSE Bug 1228235

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix UBSAN warning in kv_dpm.c Adds bounds check for sumo_vid_mapping_entry.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40988.html
CVE-2024-40988
https://bugzilla.suse.com/1227957
SUSE Bug 1227957

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Disassociate vcpus from redistributor region on teardown When tearing down a redistributor region, make sure we don't have any dangling pointer to that region stored in a vcpu.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40989.html
CVE-2024-40989
https://bugzilla.suse.com/1227823
SUSE Bug 1227823
https://bugzilla.suse.com/1228589
SUSE Bug 1228589

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Add check for srq max_sge attribute max_sge attribute is passed by the user, and is inserted and used unchecked, so verify that the value doesn't exceed maximum allowed value before using it.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40990.html
CVE-2024-40990
https://bugzilla.suse.com/1227824
SUSE Bug 1227824

Описание

In the Linux kernel, the following vulnerability has been resolved: ptp: fix integer overflow in max_vclocks_store On 32bit systems, the "4 * max" multiply can overflow. Use kcalloc() to do the allocation to prevent this.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40994.html
CVE-2024-40994
https://bugzilla.suse.com/1227829
SUSE Bug 1227829
https://bugzilla.suse.com/1228587
SUSE Bug 1228587

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() In the following concurrency we will access the uninitialized rs->lock: ext4_fill_super ext4_register_sysfs // sysfs registered msg_ratelimit_interval_ms // Other processes modify rs->interval to // non-zero via msg_ratelimit_interval_ms ext4_orphan_cleanup ext4_msg(sb, KERN_INFO, "Errors on filesystem, " __ext4_msg ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state) if (!rs->interval) // do nothing if interval is 0 return 1; raw_spin_trylock_irqsave(&rs->lock, flags) raw_spin_trylock(lock) _raw_spin_trylock __raw_spin_trylock spin_acquire(&lock->dep_map, 0, 1, _RET_IP_) lock_acquire __lock_acquire register_lock_class assign_lock_key dump_stack(); ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10); raw_spin_lock_init(&rs->lock); // init rs->lock here and get the following dump_stack: ========================================================= INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504 [...] Call Trace: dump_stack_lvl+0xc5/0x170 dump_stack+0x18/0x30 register_lock_class+0x740/0x7c0 __lock_acquire+0x69/0x13a0 lock_acquire+0x120/0x450 _raw_spin_trylock+0x98/0xd0 ___ratelimit+0xf6/0x220 __ext4_msg+0x7f/0x160 [ext4] ext4_orphan_cleanup+0x665/0x740 [ext4] __ext4_fill_super+0x21ea/0x2b10 [ext4] ext4_fill_super+0x14d/0x360 [ext4] [...] ========================================================= Normally interval is 0 until s_msg_ratelimit_state is initialized, so ___ratelimit() does nothing. But registering sysfs precedes initializing rs->lock, so it is possible to change rs->interval to a non-zero value via the msg_ratelimit_interval_ms interface of sysfs while rs->lock is uninitialized, and then a call to ext4_msg triggers the problem by accessing an uninitialized rs->lock. Therefore register sysfs after all initializations are complete to avoid such problems.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40998.html
CVE-2024-40998
https://bugzilla.suse.com/1227866
SUSE Bug 1227866

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ena: Add validation for completion descriptors consistency Validate that `first` flag is set only for the first descriptor in multi-buffer packets. In case of an invalid descriptor, a reset will occur. A new reset reason for RX data corruption has been added.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-40999.html
CVE-2024-40999
https://bugzilla.suse.com/1227913
SUSE Bug 1227913

Описание

In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/sec - Fix memory leak for sec resource release The AIV is one of the SEC resources. When releasing resources, it need to release the AIV resources at the same time. Otherwise, memory leakage occurs. The aiv resource release is added to the sec resource release function.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41002.html
CVE-2024-41002
https://bugzilla.suse.com/1227870
SUSE Bug 1227870

Описание

In the Linux kernel, the following vulnerability has been resolved: tracing: Build event generation tests only as modules The kprobes and synth event generation test modules add events and lock (get a reference) those event file reference in module init function, and unlock and delete it in module exit function. This is because those are designed for playing as modules. If we make those modules as built-in, those events are left locked in the kernel, and never be removed. This causes kprobe event self-test failure as below. [ 97.349708] ------------[ cut here ]------------ [ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480 [ 97.357106] Modules linked in: [ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14 [ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480 [ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90 [ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286 [ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000 [ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68 [ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 [ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000 [ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000 [ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000 [ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0 [ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 97.391196] Call Trace: [ 97.391967] <TASK> [ 97.392647] ? __warn+0xcc/0x180 [ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480 [ 97.395181] ? report_bug+0xbd/0x150 [ 97.396234] ? handle_bug+0x3e/0x60 [ 97.397311] ? exc_invalid_op+0x1a/0x50 [ 97.398434] ? asm_exc_invalid_op+0x1a/0x20 [ 97.399652] ? trace_kprobe_is_busy+0x20/0x20 [ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90 [ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480 [ 97.403773] ? init_kprobe_trace+0x50/0x50 [ 97.404972] do_one_initcall+0x112/0x240 [ 97.406113] do_initcall_level+0x95/0xb0 [ 97.407286] ? kernel_init+0x1a/0x1a0 [ 97.408401] do_initcalls+0x3f/0x70 [ 97.409452] kernel_init_freeable+0x16f/0x1e0 [ 97.410662] ? rest_init+0x1f0/0x1f0 [ 97.411738] kernel_init+0x1a/0x1a0 [ 97.412788] ret_from_fork+0x39/0x50 [ 97.413817] ? rest_init+0x1f0/0x1f0 [ 97.414844] ret_from_fork_asm+0x11/0x20 [ 97.416285] </TASK> [ 97.417134] irq event stamp: 13437323 [ 97.418376] hardirqs last enabled at (13437337): [<ffffffff8110bc0c>] console_unlock+0x11c/0x150 [ 97.421285] hardirqs last disabled at (13437370): [<ffffffff8110bbf1>] console_unlock+0x101/0x150 [ 97.423838] softirqs last enabled at (13437366): [<ffffffff8108e17f>] handle_softirqs+0x23f/0x2a0 [ 97.426450] softirqs last disabled at (13437393): [<ffffffff8108e346>] __irq_exit_rcu+0x66/0xd0 [ 97.428850] ---[ end trace 0000000000000000 ]--- And also, since we can not cleanup dynamic_event file, ftracetest are failed too. To avoid these issues, build these tests only as modules.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41004.html
CVE-2024-41004
https://bugzilla.suse.com/1227851
SUSE Bug 1227851

Описание

In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a memory leak in nr_heartbeat_expiry() syzbot reported a memory leak in nr_create() [0]. Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag. But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b." nr_connect nr_establish_data_link nr_start_heartbeat nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame switch (nr->state) case NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)->state = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry switch (nr->state) case NR_STATE_0 if (sock_flag(sk, SOCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() To fix the memory leak, let's call sock_hold() only for a listening socket. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41006.html
CVE-2024-41006
https://bugzilla.suse.com/1227862
SUSE Bug 1227862

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that "owns" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41009.html
CVE-2024-41009
https://bugzilla.suse.com/1228020
SUSE Bug 1228020

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: don't allow mapping the MMIO HDP page with large pages We don't get the right offset in that case. The GPU has an unused 4K area of the register BAR space into which you can remap registers. We remap the HDP flush registers into this space to allow userspace (CPU or GPU) to flush the HDP when it updates VRAM. However, on systems with >4K pages, we end up exposing PAGE_SIZE of MMIO space.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41011.html
CVE-2024-41011
https://bugzilla.suse.com/1228114
SUSE Bug 1228114
https://bugzilla.suse.com/1228115
SUSE Bug 1228115

Описание

In the Linux kernel, the following vulnerability has been resolved: filelock: Remove locks reliably when fcntl/close race is detected When fcntl_setlk() races with close(), it removes the created lock with do_lock_file_wait(). However, LSMs can allow the first do_lock_file_wait() that created the lock while denying the second do_lock_file_wait() that tries to remove the lock. Separately, posix_lock_file() could also fail to remove a lock due to GFP_KERNEL allocation failure (when splitting a range in the middle). After the bug has been triggered, use-after-free reads will occur in lock_get_status() when userspace reads /proc/locks. This can likely be used to read arbitrary kernel memory, but can't corrupt kernel memory. Fix it by calling locks_remove_posix() instead, which is designed to reliably get rid of POSIX locks associated with the given file and files_struct and is also used by filp_flush().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41012.html
CVE-2024-41012
https://bugzilla.suse.com/1228247
SUSE Bug 1228247

Описание

In the Linux kernel, the following vulnerability has been resolved: xfs: don't walk off the end of a directory data block This adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry to make sure don't stray beyond valid memory region. Before patching, the loop simply checks that the start offset of the dup and dep is within the range. So in a crafted image, if last entry is xfs_dir2_data_unused, we can change dup->length to dup->length-1 and leave 1 byte of space. In the next traversal, this space will be considered as dup or dep. We may encounter an out of bound read when accessing the fixed members. In the patch, we make sure that the remaining bytes large enough to hold an unused entry before accessing xfs_dir2_data_unused and xfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make sure that the remaining bytes large enough to hold a dirent with a single-byte name before accessing xfs_dir2_data_entry.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41013.html
CVE-2024-41013
https://bugzilla.suse.com/1228405
SUSE Bug 1228405

Описание

In the Linux kernel, the following vulnerability has been resolved: xfs: add bounds checking to xlog_recover_process_data There is a lack of verification of the space occupied by fixed members of xlog_op_header in the xlog_recover_process_data. We can create a crafted image to trigger an out of bounds read by following these steps: 1) Mount an image of xfs, and do some file operations to leave records 2) Before umounting, copy the image for subsequent steps to simulate abnormal exit. Because umount will ensure that tail_blk and head_blk are the same, which will result in the inability to enter xlog_recover_process_data 3) Write a tool to parse and modify the copied image in step 2 4) Make the end of the xlog_op_header entries only 1 byte away from xlog_rec_header->h_size 5) xlog_rec_header->h_num_logops++ 6) Modify xlog_rec_header->h_crc Fix: Add a check to make sure there is sufficient space to access fixed members of xlog_op_header.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41014.html
CVE-2024-41014
https://bugzilla.suse.com/1228408
SUSE Bug 1228408

Описание

In the Linux kernel, the following vulnerability has been resolved: ocfs2: add bounds checking to ocfs2_check_dir_entry() This adds sanity checks for ocfs2_dir_entry to make sure all members of ocfs2_dir_entry don't stray beyond valid memory region.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41015.html
CVE-2024-41015
https://bugzilla.suse.com/1228409
SUSE Bug 1228409

Описание

In the Linux kernel, the following vulnerability has been resolved: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() xattr in ocfs2 maybe 'non-indexed', which saved with additional space requested. It's better to check if the memory is out of bound before memcmp, although this possibility mainly comes from crafted poisonous images.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41016.html
CVE-2024-41016
https://bugzilla.suse.com/1228410
SUSE Bug 1228410

Описание

In the Linux kernel, the following vulnerability has been resolved: jfs: don't walk off the end of ealist Add a check before visiting the members of ea to make sure each ea stays within the ealist.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41017.html
CVE-2024-41017
https://bugzilla.suse.com/1228403
SUSE Bug 1228403

Описание

In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix UAF when resolving a clash KASAN reports the following UAF: BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct] Read of size 1 at addr ffff888c07603600 by task handler130/6469 Call Trace: <IRQ> dump_stack_lvl+0x48/0x70 print_address_description.constprop.0+0x33/0x3d0 print_report+0xc0/0x2b0 kasan_report+0xd0/0x120 __asan_load1+0x6c/0x80 tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct] tcf_ct_act+0x886/0x1350 [act_ct] tcf_action_exec+0xf8/0x1f0 fl_classify+0x355/0x360 [cls_flower] __tcf_classify+0x1fd/0x330 tcf_classify+0x21c/0x3c0 sch_handle_ingress.constprop.0+0x2c5/0x500 __netif_receive_skb_core.constprop.0+0xb25/0x1510 __netif_receive_skb_list_core+0x220/0x4c0 netif_receive_skb_list_internal+0x446/0x620 napi_complete_done+0x157/0x3d0 gro_cell_poll+0xcf/0x100 __napi_poll+0x65/0x310 net_rx_action+0x30c/0x5c0 __do_softirq+0x14f/0x491 __irq_exit_rcu+0x82/0xc0 irq_exit_rcu+0xe/0x20 common_interrupt+0xa1/0xb0 </IRQ> <TASK> asm_common_interrupt+0x27/0x40 Allocated by task 6469: kasan_save_stack+0x38/0x70 kasan_set_track+0x25/0x40 kasan_save_alloc_info+0x1e/0x40 __kasan_krealloc+0x133/0x190 krealloc+0xaa/0x130 nf_ct_ext_add+0xed/0x230 [nf_conntrack] tcf_ct_act+0x1095/0x1350 [act_ct] tcf_action_exec+0xf8/0x1f0 fl_classify+0x355/0x360 [cls_flower] __tcf_classify+0x1fd/0x330 tcf_classify+0x21c/0x3c0 sch_handle_ingress.constprop.0+0x2c5/0x500 __netif_receive_skb_core.constprop.0+0xb25/0x1510 __netif_receive_skb_list_core+0x220/0x4c0 netif_receive_skb_list_internal+0x446/0x620 napi_complete_done+0x157/0x3d0 gro_cell_poll+0xcf/0x100 __napi_poll+0x65/0x310 net_rx_action+0x30c/0x5c0 __do_softirq+0x14f/0x491 Freed by task 6469: kasan_save_stack+0x38/0x70 kasan_set_track+0x25/0x40 kasan_save_free_info+0x2b/0x60 ____kasan_slab_free+0x180/0x1f0 __kasan_slab_free+0x12/0x30 slab_free_freelist_hook+0xd2/0x1a0 __kmem_cache_free+0x1a2/0x2f0 kfree+0x78/0x120 nf_conntrack_free+0x74/0x130 [nf_conntrack] nf_ct_destroy+0xb2/0x140 [nf_conntrack] __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack] nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack] __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack] tcf_ct_act+0x12ad/0x1350 [act_ct] tcf_action_exec+0xf8/0x1f0 fl_classify+0x355/0x360 [cls_flower] __tcf_classify+0x1fd/0x330 tcf_classify+0x21c/0x3c0 sch_handle_ingress.constprop.0+0x2c5/0x500 __netif_receive_skb_core.constprop.0+0xb25/0x1510 __netif_receive_skb_list_core+0x220/0x4c0 netif_receive_skb_list_internal+0x446/0x620 napi_complete_done+0x157/0x3d0 gro_cell_poll+0xcf/0x100 __napi_poll+0x65/0x310 net_rx_action+0x30c/0x5c0 __do_softirq+0x14f/0x491 The ct may be dropped if a clash has been resolved but is still passed to the tcf_ct_flow_table_process_conn function for further usage. This issue can be fixed by retrieving ct from skb again after confirming conntrack.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41040.html
CVE-2024-41040
https://bugzilla.suse.com/1228518
SUSE Bug 1228518

Описание

In the Linux kernel, the following vulnerability has been resolved: udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port(). syzkaller triggered the warning [0] in udp_v4_early_demux(). In udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount of the looked-up sk and use sock_pfree() as skb->destructor, so we check SOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace period. Currently, SOCK_RCU_FREE is flagged for a bound socket after being put into the hash table. Moreover, the SOCK_RCU_FREE check is done too early in udp_v[46]_early_demux() and sk_lookup(), so there could be a small race window: CPU1 CPU2 ---- ---- udp_v4_early_demux() udp_lib_get_port() | |- hlist_add_head_rcu() |- sk = __udp4_lib_demux_lookup() | |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk)); `- sock_set_flag(sk, SOCK_RCU_FREE) We had the same bug in TCP and fixed it in commit 871019b22d1b ("net: set SOCK_RCU_FREE before inserting socket into hashtable"). Let's apply the same fix for UDP. [0]: WARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599 Modules linked in: CPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599 Code: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52 RSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c RDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001 RBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680 R13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e FS: 00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 PKRU: 55555554 Call Trace: <TASK> ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349 ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447 NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569 __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624 __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738 netif_receive_skb_internal net/core/dev.c:5824 [inline] netif_receive_skb+0x271/0x300 net/core/dev.c:5884 tun_rx_batched drivers/net/tun.c:1549 [inline] tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002 tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048 new_sync_write fs/read_write.c:497 [inline] vfs_write+0x76f/0x8d0 fs/read_write.c:590 ksys_write+0xbf/0x190 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x41/0x50 fs/read_write.c:652 x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fc44a68bc1f Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48 RSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f R ---truncated---

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41041.html
CVE-2024-41041
https://bugzilla.suse.com/1228520
SUSE Bug 1228520

Описание

In the Linux kernel, the following vulnerability has been resolved: ppp: reject claimed-as-LCP but actually malformed packets Since 'ppp_async_encode()' assumes valid LCP packets (with code from 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that LCP packet has an actual body beyond PPP_LCP header bytes, and reject claimed-as-LCP but actually malformed data otherwise.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41044.html
CVE-2024-41044
https://bugzilla.suse.com/1228530
SUSE Bug 1228530

Описание

In the Linux kernel, the following vulnerability has been resolved: skmsg: Skip zero length skb in sk_msg_recvmsg When running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch platform, the following kernel panic occurs: [...] Oops[#1]: CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18 Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018 ... ... ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560 ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0 CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) PRMD: 0000000c (PPLV0 +PIE +PWE) EUEN: 00000007 (+FPE +SXE +ASXE -BTE) ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) BADV: 0000000000000040 PRID: 0014c011 (Loongson-64bit, Loongson-3C5000) Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...) Stack : ... Call Trace: [<9000000004162774>] copy_page_to_iter+0x74/0x1c0 [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560 [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0 [<90000000049aae34>] inet_recvmsg+0x54/0x100 [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0 [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0 [<900000000481e27c>] sys_recvfrom+0x1c/0x40 [<9000000004c076ec>] do_syscall+0x8c/0xc0 [<9000000003731da4>] handle_syscall+0xc4/0x160 Code: ... ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Fatal exception Kernel relocated by 0x3510000 .text @ 0x9000000003710000 .data @ 0x9000000004d70000 .bss @ 0x9000000006469400 ---[ end Kernel panic - not syncing: Fatal exception ]--- [...] This crash happens every time when running sockmap_skb_verdict_shutdown subtest in sockmap_basic. This crash is because a NULL pointer is passed to page_address() in the sk_msg_recvmsg(). Due to the different implementations depending on the architecture, page_address(NULL) will trigger a panic on Loongarch platform but not on x86 platform. So this bug was hidden on x86 platform for a while, but now it is exposed on Loongarch platform. The root cause is that a zero length skb (skb->len == 0) was put on the queue. This zero length skb is a TCP FIN packet, which was sent by shutdown(), invoked in test_sockmap_skb_verdict_shutdown(): shutdown(p1, SHUT_WR); In this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no page is put to this sge (see sg_set_page in sg_set_page), but this empty sge is queued into ingress_msg list. And in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by sg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it to kmap_local_page() and to page_address(), then kernel panics. To solve this, we should skip this zero length skb. So in sk_msg_recvmsg(), if copy is zero, that means it's a zero length skb, skip invoking copy_page_to_iter(). We are using the EFAULT return triggered by copy_page_to_iter to check for is_fin in tcp_bpf.c.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41048.html
CVE-2024-41048
https://bugzilla.suse.com/1228565
SUSE Bug 1228565

Описание

In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() We got the following issue in our fault injection stress test: ================================================================== BUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600 Read of size 8 at addr ffff888118efc000 by task kworker/u78:0/109 CPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566 Call Trace: <TASK> kasan_report+0x93/0xc0 cachefiles_withdraw_cookie+0x4d9/0x600 fscache_cookie_state_machine+0x5c8/0x1230 fscache_cookie_worker+0x91/0x1c0 process_one_work+0x7fa/0x1800 [...] Allocated by task 117: kmalloc_trace+0x1b3/0x3c0 cachefiles_acquire_volume+0xf3/0x9c0 fscache_create_volume_work+0x97/0x150 process_one_work+0x7fa/0x1800 [...] Freed by task 120301: kfree+0xf1/0x2c0 cachefiles_withdraw_cache+0x3fa/0x920 cachefiles_put_unbind_pincount+0x1f6/0x250 cachefiles_daemon_release+0x13b/0x290 __fput+0x204/0xa00 task_work_run+0x139/0x230 do_exit+0x87a/0x29b0 [...] ================================================================== Following is the process that triggers the issue: p1 | p2 ------------------------------------------------------------ fscache_begin_lookup fscache_begin_volume_access fscache_cache_is_live(fscache_cache) cachefiles_daemon_release cachefiles_put_unbind_pincount cachefiles_daemon_unbind cachefiles_withdraw_cache fscache_withdraw_cache fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN); cachefiles_withdraw_objects(cache) fscache_wait_for_objects(fscache) atomic_read(&fscache_cache->object_count) == 0 fscache_perform_lookup cachefiles_lookup_cookie cachefiles_alloc_object refcount_set(&object->ref, 1); object->volume = volume fscache_count_object(vcookie->cache); atomic_inc(&fscache_cache->object_count) cachefiles_withdraw_volumes cachefiles_withdraw_volume fscache_withdraw_volume __cachefiles_free_volume kfree(cachefiles_volume) fscache_cookie_state_machine cachefiles_withdraw_cookie cache = object->volume->cache; // cachefiles_volume UAF !!! After setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups to complete first, and then wait for fscache_cache->object_count == 0 to avoid the cookie exiting after the volume has been freed and triggering the above issue. Therefore call fscache_withdraw_volume() before calling cachefiles_withdraw_objects(). This way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two cases will occur: 1) fscache_begin_lookup fails in fscache_begin_volume_access(). 2) fscache_withdraw_volume() will ensure that fscache_count_object() has been executed before calling fscache_wait_for_objects().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41057.html
CVE-2024-41057
https://bugzilla.suse.com/1228462
SUSE Bug 1228462
https://bugzilla.suse.com/1229275
SUSE Bug 1229275

Описание

In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in fscache_withdraw_volume() We got the following issue in our fault injection stress test: ================================================================== BUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370 Read of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798 CPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565 Call Trace: kasan_check_range+0xf6/0x1b0 fscache_withdraw_volume+0x2e1/0x370 cachefiles_withdraw_volume+0x31/0x50 cachefiles_withdraw_cache+0x3ad/0x900 cachefiles_put_unbind_pincount+0x1f6/0x250 cachefiles_daemon_release+0x13b/0x290 __fput+0x204/0xa00 task_work_run+0x139/0x230 Allocated by task 5820: __kmalloc+0x1df/0x4b0 fscache_alloc_volume+0x70/0x600 __fscache_acquire_volume+0x1c/0x610 erofs_fscache_register_volume+0x96/0x1a0 erofs_fscache_register_fs+0x49a/0x690 erofs_fc_fill_super+0x6c0/0xcc0 vfs_get_super+0xa9/0x140 vfs_get_tree+0x8e/0x300 do_new_mount+0x28c/0x580 [...] Freed by task 5820: kfree+0xf1/0x2c0 fscache_put_volume.part.0+0x5cb/0x9e0 erofs_fscache_unregister_fs+0x157/0x1b0 erofs_kill_sb+0xd9/0x1c0 deactivate_locked_super+0xa3/0x100 vfs_get_super+0x105/0x140 vfs_get_tree+0x8e/0x300 do_new_mount+0x28c/0x580 [...] ================================================================== Following is the process that triggers the issue: mount failed | daemon exit ------------------------------------------------------------ deactivate_locked_super cachefiles_daemon_release erofs_kill_sb erofs_fscache_unregister_fs fscache_relinquish_volume __fscache_relinquish_volume fscache_put_volume(fscache_volume, fscache_volume_put_relinquish) zero = __refcount_dec_and_test(&fscache_volume->ref, &ref); cachefiles_put_unbind_pincount cachefiles_daemon_unbind cachefiles_withdraw_cache cachefiles_withdraw_volumes list_del_init(&volume->cache_link) fscache_free_volume(fscache_volume) cache->ops->free_volume cachefiles_free_volume list_del_init(&cachefiles_volume->cache_link); kfree(fscache_volume) cachefiles_withdraw_volume fscache_withdraw_volume fscache_volume->n_accesses // fscache_volume UAF !!! The fscache_volume in cache->volumes must not have been freed yet, but its reference count may be 0. So use the new fscache_try_get_volume() helper function try to get its reference count. If the reference count of fscache_volume is 0, fscache_put_volume() is freeing it, so wait for it to be removed from cache->volumes. If its reference count is not 0, call cachefiles_withdraw_volume() with reference count protection to avoid the above issue.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41058.html
CVE-2024-41058
https://bugzilla.suse.com/1228459
SUSE Bug 1228459

Описание

In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix uninit-value in copy_name [syzbot reported] BUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160 sized_strscpy+0xc4/0x160 copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411 hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3877 [inline] slab_alloc_node mm/slub.c:3918 [inline] kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065 kmalloc include/linux/slab.h:628 [inline] hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Fix] When allocating memory to strbuf, initialize memory to 0.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41059.html
CVE-2024-41059
https://bugzilla.suse.com/1228561
SUSE Bug 1228561
https://bugzilla.suse.com/1228573
SUSE Bug 1228573

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: cancel all works upon hci_unregister_dev() syzbot is reporting that calling hci_release_dev() from hci_error_reset() due to hci_dev_put() from hci_error_reset() can cause deadlock at destroy_workqueue(), for hci_error_reset() is called from hdev->req_workqueue which destroy_workqueue() needs to flush. We need to make sure that hdev->{rx_work,cmd_work,tx_work} which are queued into hdev->workqueue and hdev->{power_on,error_reset} which are queued into hdev->req_workqueue are no longer running by the moment destroy_workqueue(hdev->workqueue); destroy_workqueue(hdev->req_workqueue); are called from hci_release_dev(). Call cancel_work_sync() on these work items from hci_unregister_dev() as soon as hdev->list is removed from hci_dev_list.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41063.html
CVE-2024-41063
https://bugzilla.suse.com/1228580
SUSE Bug 1228580

Описание

In the Linux kernel, the following vulnerability has been resolved: powerpc/eeh: avoid possible crash when edev->pdev changes If a PCI device is removed during eeh_pe_report_edev(), edev->pdev will change and can cause a crash, hold the PCI rescan/remove lock while taking a copy of edev->pdev->bus.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41064.html
CVE-2024-41064
https://bugzilla.suse.com/1228599
SUSE Bug 1228599

Описание

In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Add tx check to prevent skb leak Below is a summary of how the driver stores a reference to an skb during transmit: tx_buff[free_map[consumer_index]]->skb = new_skb; free_map[consumer_index] = IBMVNIC_INVALID_MAP; consumer_index ++; Where variable data looks like this: free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3] consumer_index^ tx_buff == [skb=null, skb=<ptr>, skb=<ptr>, skb=null, skb=null] The driver has checks to ensure that free_map[consumer_index] pointed to a valid index but there was no check to ensure that this index pointed to an unused/null skb address. So, if, by some chance, our free_map and tx_buff lists become out of sync then we were previously risking an skb memory leak. This could then cause tcp congestion control to stop sending packets, eventually leading to ETIMEDOUT. Therefore, add a conditional to ensure that the skb address is null. If not then warn the user (because this is still a bug that should be patched) and free the old pointer to prevent memleak/tcp problems.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41066.html
CVE-2024-41066
https://bugzilla.suse.com/1228640
SUSE Bug 1228640

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: topology: Fix references to freed memory Most users after parsing a topology file, release memory used by it, so having pointer references directly into topology file contents is wrong. Use devm_kmemdup(), to allocate memory as needed.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41069.html
CVE-2024-41069
https://bugzilla.suse.com/1228644
SUSE Bug 1228644
https://bugzilla.suse.com/1228645
SUSE Bug 1228645

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group(). It looks up `stt` from tablefd, but then continues to use it after doing fdput() on the returned fd. After the fdput() the tablefd is free to be closed by another thread. The close calls kvm_spapr_tce_release() and then release_spapr_tce_table() (via call_rcu()) which frees `stt`. Although there are calls to rcu_read_lock() in kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent the UAF, because `stt` is used outside the locked regions. With an artifcial delay after the fdput() and a userspace program which triggers the race, KASAN detects the UAF: BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505 CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1 Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV Call Trace: dump_stack_lvl+0xb4/0x108 (unreliable) print_report+0x2b4/0x6ec kasan_report+0x118/0x2b0 __asan_load4+0xb8/0xd0 kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] kvm_vfio_set_attr+0x524/0xac0 [kvm] kvm_device_ioctl+0x144/0x240 [kvm] sys_ioctl+0x62c/0x1810 system_call_exception+0x190/0x440 system_call_vectored_common+0x15c/0x2ec ... Freed by task 0: ... kfree+0xec/0x3e0 release_spapr_tce_table+0xd4/0x11c [kvm] rcu_core+0x568/0x16a0 handle_softirqs+0x23c/0x920 do_softirq_own_stack+0x6c/0x90 do_softirq_own_stack+0x58/0x90 __irq_exit_rcu+0x218/0x2d0 irq_exit+0x30/0x80 arch_local_irq_restore+0x128/0x230 arch_local_irq_enable+0x1c/0x30 cpuidle_enter_state+0x134/0x5cc cpuidle_enter+0x6c/0xb0 call_cpuidle+0x7c/0x100 do_idle+0x394/0x410 cpu_startup_entry+0x60/0x70 start_secondary+0x3fc/0x410 start_secondary_prolog+0x10/0x14 Fix it by delaying the fdput() until `stt` is no longer in use, which is effectively the entire function. To keep the patch minimal add a call to fdput() at each of the existing return paths. Future work can convert the function to goto or __cleanup style cleanup. With the fix in place the test case no longer triggers the UAF.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41070.html
CVE-2024-41070
https://bugzilla.suse.com/1228581
SUSE Bug 1228581

Описание

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41071.html
CVE-2024-41071
https://bugzilla.suse.com/1228625
SUSE Bug 1228625

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: wext: add extra SIOCSIWSCAN data check In 'cfg80211_wext_siwscan()', add extra check whether number of channels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed IW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41072.html
CVE-2024-41072
https://bugzilla.suse.com/1228626
SUSE Bug 1228626

Описание

In the Linux kernel, the following vulnerability has been resolved: NFSv4: Fix memory leak in nfs4_set_security_label We leak nfs_fattr and nfs4_label every time we set a security xattr.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41076.html
CVE-2024-41076
https://bugzilla.suse.com/1228649
SUSE Bug 1228649

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix quota root leak after quota disable failure If during the quota disable we fail when cleaning the quota tree or when deleting the root from the root tree, we jump to the 'out' label without ever dropping the reference on the quota root, resulting in a leak of the root since fs_info->quota_root is no longer pointing to the root (we have set it to NULL just before those steps). Fix this by always doing a btrfs_put_root() call under the 'out' label. This is a problem that exists since qgroups were first added in 2012 by commit bed92eae26cc ("Btrfs: qgroup implementation and prototypes"), but back then we missed a kfree on the quota root and free_extent_buffer() calls on its root and commit root nodes, since back then roots were not yet reference counted.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41078.html
CVE-2024-41078
https://bugzilla.suse.com/1228655
SUSE Bug 1228655

Описание

In the Linux kernel, the following vulnerability has been resolved: ila: block BH in ila_output() As explained in commit 1378817486d6 ("tipc: block BH before using dst_cache"), net/core/dst_cache.c helpers need to be called with BH disabled. ila_output() is called from lwtunnel_output() possibly from process context, and under rcu_read_lock(). We might be interrupted by a softirq, re-enter ila_output() and corrupt dst_cache data structures. Fix the race by using local_bh_disable().

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41081.html
CVE-2024-41081
https://bugzilla.suse.com/1228617
SUSE Bug 1228617

Описание

In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix double free on error If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump to the err_out label, which will call devres_release_group(). devres_release_group() will trigger a call to ata_host_release(). ata_host_release() calls kfree(host), so executing the kfree(host) in ata_host_alloc() will lead to a double free: kernel BUG at mm/slub.c:553! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:kfree+0x2cf/0x2f0 Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246 RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320 RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0 RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000 R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780 R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006 FS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? die+0x2e/0x50 ? do_trap+0xca/0x110 ? do_error_trap+0x6a/0x90 ? kfree+0x2cf/0x2f0 ? exc_invalid_op+0x50/0x70 ? kfree+0x2cf/0x2f0 ? asm_exc_invalid_op+0x1a/0x20 ? ata_host_alloc+0xf5/0x120 [libata] ? ata_host_alloc+0xf5/0x120 [libata] ? kfree+0x2cf/0x2f0 ata_host_alloc+0xf5/0x120 [libata] ata_host_alloc_pinfo+0x14/0xa0 [libata] ahci_init_one+0x6c9/0xd20 [ahci] Ensure that we will not call kfree(host) twice, by performing the kfree() only if the devres_open_group() call failed.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41087.html
CVE-2024-41087
https://bugzilla.suse.com/1228466
SUSE Bug 1228466
https://bugzilla.suse.com/1228740
SUSE Bug 1228740

Описание

In the Linux kernel, the following vulnerability has been resolved: tap: add missing verification for short frame The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted. This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does. CVE: CVE-2024-41090

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41090.html
CVE-2024-41090
https://bugzilla.suse.com/1228328
SUSE Bug 1228328
https://bugzilla.suse.com/1228714
SUSE Bug 1228714

Описание

In the Linux kernel, the following vulnerability has been resolved: tun: add missing verification for short frame The cited commit missed to check against the validity of the frame length in the tun_xdp_one() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tun_xdp_one-->eth_type_trans() may access the Ethernet header although it can be less than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tun_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted for IFF_TAP. This is to drop any frame shorter than the Ethernet header size just like how tun_get_user() does. CVE: CVE-2024-41091

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41091.html
CVE-2024-41091
https://bugzilla.suse.com/1228327
SUSE Bug 1228327

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers register store validation for NFT_DATA_VALUE is conditional, however, the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This only requires a new helper function to infer the register type from the set datatype so this conditional check can be removed. Otherwise, pointer to chain object can be leaked through the registers.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-42070.html
CVE-2024-42070
https://bugzilla.suse.com/1228470
SUSE Bug 1228470

Описание

In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix NULL pointer dereference in gfs2_log_flush In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush lock to provide exclusion against gfs2_log_flush(). In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before dereferencing it. Otherwise, we could run into a NULL pointer dereference when outstanding glock work races with an unmount (glock_work_func -> run_queue -> do_xmote -> inode_go_sync -> gfs2_log_flush).

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-42079.html
CVE-2024-42079
https://bugzilla.suse.com/1228672
SUSE Bug 1228672

Описание

In the Linux kernel, the following vulnerability has been resolved: net/dpaa2: Avoid explicit cpumask var allocation on stack For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask variable on stack is not recommended since it can cause potential stack overflow. Instead, kernel code should always use *cpumask_var API(s) to allocate cpumask var in config-neutral way, leaving allocation strategy to CONFIG_CPUMASK_OFFSTACK. Use *cpumask_var API(s) to address it.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-42093.html
CVE-2024-42093
https://bugzilla.suse.com/1228680
SUSE Bug 1228680

Описание

In the Linux kernel, the following vulnerability has been resolved: x86: stop playing stack games in profile_pc() The 'profile_pc()' function is used for timer-based profiling, which isn't really all that relevant any more to begin with, but it also ends up making assumptions based on the stack layout that aren't necessarily valid. Basically, the code tries to account the time spent in spinlocks to the caller rather than the spinlock, and while I support that as a concept, it's not worth the code complexity or the KASAN warnings when no serious profiling is done using timers anyway these days. And the code really does depend on stack layout that is only true in the simplest of cases. We've lost the comment at some point (I think when the 32-bit and 64-bit code was unified), but it used to say: Assume the lock function has either no stack frame or a copy of eflags from PUSHF. which explains why it just blindly loads a word or two straight off the stack pointer and then takes a minimal look at the values to just check if they might be eflags or the return pc: Eflags always has bits 22 and up cleared unlike kernel addresses but that basic stack layout assumption assumes that there isn't any lock debugging etc going on that would complicate the code and cause a stack frame. It causes KASAN unhappiness reported for years by syzkaller [1] and others [2]. With no real practical reason for this any more, just remove the code. Just for historical interest, here's some background commits relating to this code from 2006: 0cb91a229364 ("i386: Account spinlocks to the caller during profiling for !FP kernels") 31679f38d886 ("Simplify profile_pc on x86-64") and a code unification from 2009: ef4512882dbe ("x86: time_32/64.c unify profile_pc") but the basics of this thing actually goes back to before the git tree.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-42096.html
CVE-2024-42096
https://bugzilla.suse.com/1228633
SUSE Bug 1228633

Описание

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix inode number range checks Patch series "nilfs2: fix potential issues related to reserved inodes". This series fixes one use-after-free issue reported by syzbot, caused by nilfs2's internal inode being exposed in the namespace on a corrupted filesystem, and a couple of flaws that cause problems if the starting number of non-reserved inodes written in the on-disk super block is intentionally (or corruptly) changed from its default value. This patch (of 3): In the current implementation of nilfs2, "nilfs->ns_first_ino", which gives the first non-reserved inode number, is read from the superblock, but its lower limit is not checked. As a result, if a number that overlaps with the inode number range of reserved inodes such as the root directory or metadata files is set in the super block parameter, the inode number test macros (NILFS_MDT_INODE and NILFS_VALID_INODE) will not function properly. In addition, these test macros use left bit-shift calculations using with the inode number as the shift count via the BIT macro, but the result of a shift calculation that exceeds the bit width of an integer is undefined in the C specification, so if "ns_first_ino" is set to a large value other than the default value NILFS_USER_INO (=11), the macros may potentially malfunction depending on the environment. Fix these issues by checking the lower bound of "nilfs->ns_first_ino" and by preventing bit shifts equal to or greater than the NILFS_USER_INO constant in the inode number test macros. Also, change the type of "ns_first_ino" from signed integer to unsigned integer to avoid the need for type casting in comparisons such as the lower bound check introduced this time.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-42105.html
CVE-2024-42105
https://bugzilla.suse.com/1228665
SUSE Bug 1228665

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL pointer check for kzalloc [Why & How] Check return pointer of kzalloc before using it.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-42122.html
CVE-2024-42122
https://bugzilla.suse.com/1228591
SUSE Bug 1228591

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Make qedf_execute_tmf() non-preemptible Stop calling smp_processor_id() from preemptible code in qedf_execute_tmf90. This results in BUG_ON() when running an RT kernel. [ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646 [ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf]

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-42124.html
CVE-2024-42124
https://bugzilla.suse.com/1228705
SUSE Bug 1228705

Описание

In the Linux kernel, the following vulnerability has been resolved: IB/core: Implement a limit on UMAD receive List The existing behavior of ib_umad, which maintains received MAD packets in an unbounded list, poses a risk of uncontrolled growth. As user-space applications extract packets from this list, the rate of extraction may not match the rate of incoming packets, leading to potential list overflow. To address this, we introduce a limit to the size of the list. After considering typical scenarios, such as OpenSM processing, which can handle approximately 100k packets per second, and the 1-second retry timeout for most packets, we set the list size limit to 200k. Packets received beyond this limit are dropped, assuming they are likely timed out by the time they are handled by user-space. Notably, packets queued on the receive list due to reasons like timed-out sends are preserved even when the list is full.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-42145.html
CVE-2024-42145
https://bugzilla.suse.com/1223384
SUSE Bug 1223384
https://bugzilla.suse.com/1228743
SUSE Bug 1228743
https://bugzilla.suse.com/1228744
SUSE Bug 1228744

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD [Changes from V1: - Use a default branch in the switch statement to initialize `val'.] GCC warns that `val' may be used uninitialized in the BPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as: [...] unsigned long long val; \ [...] \ switch (__CORE_RELO(s, field, BYTE_SIZE)) { \ case 1: val = *(const unsigned char *)p; break; \ case 2: val = *(const unsigned short *)p; break; \ case 4: val = *(const unsigned int *)p; break; \ case 8: val = *(const unsigned long long *)p; break; \ } \ [...] val; \ } \ This patch adds a default entry in the switch statement that sets `val' to zero in order to avoid the warning, and random values to be used in case __builtin_preserve_field_info returns unexpected values for BPF_FIELD_BYTE_SIZE. Tested in bpf-next master. No regressions.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-42161.html
CVE-2024-42161
https://bugzilla.suse.com/1228756
SUSE Bug 1228756

Описание

In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO busses") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. Compile tested only.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-42224.html
CVE-2024-42224
https://bugzilla.suse.com/1228723
SUSE Bug 1228723

Описание

In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Fix scv instruction crash with kexec kexec on pseries disables AIL (reloc_on_exc), required for scv instruction support, before other CPUs have been shut down. This means they can execute scv instructions after AIL is disabled, which causes an interrupt at an unexpected entry location that crashes the kernel. Change the kexec sequence to disable AIL after other CPUs have been brought down. As a refresher, the real-mode scv interrupt vector is 0x17000, and the fixed-location head code probably couldn't easily deal with implementing such high addresses so it was just decided not to support that interrupt at all.

Затронутые продукты

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.73.1

Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.73.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-42230.html
CVE-2024-42230
https://bugzilla.suse.com/1228489
SUSE Bug 1228489

SUSE-SU-2024:2939-1

Описание

Список пакетов

Container bci/bci-sle15-kernel-module-devel:15.5

Container suse/sle-micro/base-5.5:latest

Container suse/sle-micro/kvm-5.5:latest

Image SLES15-SP5-BYOS-Azure

Image SLES15-SP5-BYOS-EC2

Image SLES15-SP5-BYOS-GCE

Image SLES15-SP5-CHOST-BYOS-Aliyun

Image SLES15-SP5-CHOST-BYOS-Azure

Image SLES15-SP5-CHOST-BYOS-EC2

Image SLES15-SP5-CHOST-BYOS-GCE

Image SLES15-SP5-CHOST-BYOS-GDC

Image SLES15-SP5-CHOST-BYOS-SAP-CCloud

Image SLES15-SP5-EC2

Image SLES15-SP5-GCE

Image SLES15-SP5-HPC-BYOS-Azure

Image SLES15-SP5-HPC-BYOS-EC2

Image SLES15-SP5-HPC-BYOS-GCE

Image SLES15-SP5-Hardened-BYOS-Azure

Image SLES15-SP5-Hardened-BYOS-EC2

Image SLES15-SP5-Hardened-BYOS-GCE

Image SLES15-SP5-Manager-Proxy-5-0-BYOS

Image SLES15-SP5-Manager-Proxy-5-0-BYOS-Azure

Image SLES15-SP5-Manager-Proxy-5-0-BYOS-EC2

Image SLES15-SP5-Manager-Proxy-5-0-BYOS-GCE

Image SLES15-SP5-Manager-Server-5-0

Image SLES15-SP5-Manager-Server-5-0-Azure-llc

Image SLES15-SP5-Manager-Server-5-0-Azure-ltd

Image SLES15-SP5-Manager-Server-5-0-BYOS

Image SLES15-SP5-Manager-Server-5-0-BYOS-Azure

Image SLES15-SP5-Manager-Server-5-0-BYOS-EC2

Image SLES15-SP5-Manager-Server-5-0-BYOS-GCE

Image SLES15-SP5-Manager-Server-5-0-EC2-llc

Image SLES15-SP5-Manager-Server-5-0-EC2-ltd

Image SLES15-SP5-Micro-5-5

Image SLES15-SP5-Micro-5-5-Azure

Image SLES15-SP5-Micro-5-5-BYOS

Image SLES15-SP5-Micro-5-5-BYOS-Azure

Image SLES15-SP5-Micro-5-5-BYOS-EC2

Image SLES15-SP5-Micro-5-5-BYOS-GCE

Image SLES15-SP5-Micro-5-5-EC2

Image SLES15-SP5-Micro-5-5-GCE

Image SLES15-SP5-SAP-Azure-3P

Image SLES15-SP5-SAP-Azure-LI-BYOS

Image SLES15-SP5-SAP-Azure-LI-BYOS-Production

Image SLES15-SP5-SAP-Azure-VLI-BYOS

Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production

Image SLES15-SP5-SAP-BYOS-Azure

Image SLES15-SP5-SAP-BYOS-EC2

Image SLES15-SP5-SAP-BYOS-GCE

Image SLES15-SP5-SAP-Hardened-Azure

Image SLES15-SP5-SAP-Hardened-BYOS-Azure

Image SLES15-SP5-SAP-Hardened-BYOS-EC2

Image SLES15-SP5-SAP-Hardened-BYOS-GCE

Image SLES15-SP5-SAP-Hardened-GCE

Image SLES15-SP5-SAPCAL-Azure

Image SLES15-SP5-SAPCAL-EC2

Image SLES15-SP5-SAPCAL-GCE

SUSE Linux Enterprise High Availability Extension 15 SP5

SUSE Linux Enterprise Live Patching 15 SP5

SUSE Linux Enterprise Micro 5.5

SUSE Linux Enterprise Module for Basesystem 15 SP5

SUSE Linux Enterprise Module for Development Tools 15 SP5

SUSE Linux Enterprise Module for Legacy 15 SP5

SUSE Linux Enterprise Workstation Extension 15 SP5

openSUSE Leap 15.5

openSUSE Leap Micro 5.5

Ссылки

Уязвимость: CVE-2021-4439

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2021-47086

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2021-47089

Описание