Описание
Security update for the Linux Kernel (Live Patch 44 for SLE 15 SP3)
This update for the Linux Kernel 5.3.18-150300_59_161 fixes several issues.
The following security issues were fixed:
- CVE-2022-49025: net/mlx5e: Fix use-after-free when reverting termination table (bsc#1233023).
- CVE-2024-41062: Sync sock recv cb and release (bsc#1228578).
- CVE-2022-48791: Fix use-after-free for aborted TMF sas_task (bsc#1228002)
Список пакетов
SUSE Linux Enterprise Live Patching 15 SP3
Ссылки
- Link for SUSE-SU-2025:1139-1
- E-Mail link for SUSE-SU-2025:1139-1
- SUSE Security Ratings
- SUSE Bug 1228012
- SUSE Bug 1228578
- SUSE Bug 1233023
- SUSE CVE CVE-2022-48791 page
- SUSE CVE CVE-2022-49025 page
- SUSE CVE CVE-2024-41062 page
Описание
In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.
Затронутые продукты
Ссылки
- CVE-2022-48791
- SUSE Bug 1228002
- SUSE Bug 1228012
Описание
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix use-after-free when reverting termination table When having multiple dests with termination tables and second one or afterwards fails the driver reverts usage of term tables but doesn't reset the assignment in attr->dests[num_vport_dests].termtbl which case a use-after-free when releasing the rule. Fix by resetting the assignment of termtbl to null.
Затронутые продукты
Ссылки
- CVE-2022-49025
- SUSE Bug 1231960
- SUSE Bug 1233023
Описание
In the Linux kernel, the following vulnerability has been resolved: bluetooth/l2cap: sync sock recv cb and release The problem occurs between the system call to close the sock and hci_rx_work, where the former releases the sock and the latter accesses it without lock protection. CPU0 CPU1 ---- ---- sock_close hci_rx_work l2cap_sock_release hci_acldata_packet l2cap_sock_kill l2cap_recv_frame sk_free l2cap_conless_channel l2cap_sock_recv_cb If hci_rx_work processes the data that needs to be received before the sock is closed, then everything is normal; Otherwise, the work thread may access the released sock when receiving data. Add a chan mutex in the rx callback of the sock to achieve synchronization between the sock release and recv cb. Sock is dead, so set chan data to NULL, avoid others use invalid sock pointer.
Затронутые продукты
Ссылки
- CVE-2024-41062
- SUSE Bug 1228576
- SUSE Bug 1228578