An update for kernel is now available for openEuler-22.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1014 Final 1.0 1.0 2025-01-03 Initial 2025-01-03 2025-01-03 openEuler SA Tool V1.0 2025-01-03 kernel security update An update for kernel is now available for openEuler-22.03-LTS-SP4 The Linux Kernel, the operating system core itself. Security Fix(es): In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Fix deadlock in SGX NUMA node search When the current node doesn't have an EPC section configured by firmware and all other EPC sections are used up, CPU can get stuck inside the while loop that looks for an available EPC page from remote nodes indefinitely, leading to a soft lockup. Note how nid_of_current will never be equal to nid in that while loop because nid_of_current is not set in sgx_numa_mask. Also worth mentioning is that it's perfectly fine for the firmware not to setup an EPC section on a node. While setting up an EPC section on each node can enhance performance, it is not a requirement for functionality. Rework the loop to start and end on *a* node that has SGX memory. This avoids the deadlock looking for the current SGX-lacking node to show up in the loop when it never will.(CVE-2024-49856) In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix user-after-free from session log off There is racy issue between smb2 session log off and smb2 session setup. It will cause user-after-free from session log off. This add session_lock when setting SMB2_SESSION_EXPIRED and referece count to session struct not to free session while it is being used.(CVE-2024-50086) In the Linux kernel, the following vulnerability has been resolved: media: v4l2-tpg: prevent the risk of a division by zero As reported by Coverity, the logic at tpg_precalculate_line() blindly rescales the buffer even when scaled_witdh is equal to zero. If this ever happens, this will cause a division by zero. Instead, add a WARN_ON_ONCE() to trigger such cases and return without doing any precalculation.(CVE-2024-50287) In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check.(CVE-2024-53150) In the Linux kernel, the following vulnerability has been resolved: ocfs2: free inode when ocfs2_get_init_inode() fails syzbot is reporting busy inodes after unmount, for commit 9c89fe0af826 ("ocfs2: Handle error from dquot_initialize()") forgot to call iput() when new_inode() succeeded and dquot_initialize() failed.(CVE-2024-56630) An update for kernel is now available for openEuler-22.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High kernel https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1014 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-49856 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-50086 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-50287 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-53150 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-56630 https://nvd.nist.gov/vuln/detail/CVE-2024-49856 https://nvd.nist.gov/vuln/detail/CVE-2024-50086 https://nvd.nist.gov/vuln/detail/CVE-2024-50287 https://nvd.nist.gov/vuln/detail/CVE-2024-53150 https://nvd.nist.gov/vuln/detail/CVE-2024-56630 openEuler-22.03-LTS-SP4 bpftool-5.10.0-244.0.0.143.oe2203sp4.aarch64.rpm bpftool-debuginfo-5.10.0-244.0.0.143.oe2203sp4.aarch64.rpm kernel-5.10.0-244.0.0.143.oe2203sp4.aarch64.rpm kernel-debuginfo-5.10.0-244.0.0.143.oe2203sp4.aarch64.rpm kernel-debugsource-5.10.0-244.0.0.143.oe2203sp4.aarch64.rpm kernel-devel-5.10.0-244.0.0.143.oe2203sp4.aarch64.rpm kernel-headers-5.10.0-244.0.0.143.oe2203sp4.aarch64.rpm kernel-source-5.10.0-244.0.0.143.oe2203sp4.aarch64.rpm kernel-tools-5.10.0-244.0.0.143.oe2203sp4.aarch64.rpm kernel-tools-debuginfo-5.10.0-244.0.0.143.oe2203sp4.aarch64.rpm kernel-tools-devel-5.10.0-244.0.0.143.oe2203sp4.aarch64.rpm perf-5.10.0-244.0.0.143.oe2203sp4.aarch64.rpm perf-debuginfo-5.10.0-244.0.0.143.oe2203sp4.aarch64.rpm python3-perf-5.10.0-244.0.0.143.oe2203sp4.aarch64.rpm python3-perf-debuginfo-5.10.0-244.0.0.143.oe2203sp4.aarch64.rpm bpftool-5.10.0-244.0.0.143.oe2203sp4.x86_64.rpm bpftool-debuginfo-5.10.0-244.0.0.143.oe2203sp4.x86_64.rpm kernel-5.10.0-244.0.0.143.oe2203sp4.x86_64.rpm kernel-debuginfo-5.10.0-244.0.0.143.oe2203sp4.x86_64.rpm kernel-debugsource-5.10.0-244.0.0.143.oe2203sp4.x86_64.rpm kernel-devel-5.10.0-244.0.0.143.oe2203sp4.x86_64.rpm kernel-headers-5.10.0-244.0.0.143.oe2203sp4.x86_64.rpm kernel-source-5.10.0-244.0.0.143.oe2203sp4.x86_64.rpm kernel-tools-5.10.0-244.0.0.143.oe2203sp4.x86_64.rpm kernel-tools-debuginfo-5.10.0-244.0.0.143.oe2203sp4.x86_64.rpm kernel-tools-devel-5.10.0-244.0.0.143.oe2203sp4.x86_64.rpm perf-5.10.0-244.0.0.143.oe2203sp4.x86_64.rpm perf-debuginfo-5.10.0-244.0.0.143.oe2203sp4.x86_64.rpm python3-perf-5.10.0-244.0.0.143.oe2203sp4.x86_64.rpm python3-perf-debuginfo-5.10.0-244.0.0.143.oe2203sp4.x86_64.rpm kernel-5.10.0-244.0.0.143.oe2203sp4.src.rpm In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Fix deadlock in SGX NUMA node search When the current node doesn't have an EPC section configured by firmware and all other EPC sections are used up, CPU can get stuck inside the while loop that looks for an available EPC page from remote nodes indefinitely, leading to a soft lockup. Note how nid_of_current will never be equal to nid in that while loop because nid_of_current is not set in sgx_numa_mask. Also worth mentioning is that it's perfectly fine for the firmware not to setup an EPC section on a node. While setting up an EPC section on each node can enhance performance, it is not a requirement for functionality. Rework the loop to start and end on *a* node that has SGX memory. This avoids the deadlock looking for the current SGX-lacking node to show up in the loop when it never will. 2025-01-03 CVE-2024-49856 openEuler-22.03-LTS-SP4 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2025-01-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1014 In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix user-after-free from session log off There is racy issue between smb2 session log off and smb2 session setup. It will cause user-after-free from session log off. This add session_lock when setting SMB2_SESSION_EXPIRED and referece count to session struct not to free session while it is being used. 2025-01-03 CVE-2024-50086 openEuler-22.03-LTS-SP4 High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2025-01-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1014 In the Linux kernel, the following vulnerability has been resolved: media: v4l2-tpg: prevent the risk of a division by zero As reported by Coverity, the logic at tpg_precalculate_line() blindly rescales the buffer even when scaled_witdh is equal to zero. If this ever happens, this will cause a division by zero. Instead, add a WARN_ON_ONCE() to trigger such cases and return without doing any precalculation. 2025-01-03 CVE-2024-50287 openEuler-22.03-LTS-SP4 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2025-01-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1014 In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check. 2025-01-03 CVE-2024-53150 openEuler-22.03-LTS-SP4 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2025-01-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1014 In the Linux kernel, the following vulnerability has been resolved: ocfs2: free inode when ocfs2_get_init_inode() fails syzbot is reporting busy inodes after unmount, for commit 9c89fe0af826 ("ocfs2: Handle error from dquot_initialize()") forgot to call iput() when new_inode() succeeded and dquot_initialize() failed. 2025-01-03 CVE-2024-56630 openEuler-22.03-LTS-SP4 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2025-01-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1014