{"schema_version":"1.7.2","id":"OESA-2024-1244","modified":"2024-03-01T11:07:08Z","published":"2024-03-01T11:07:08Z","upstream":["CVE-2023-52435","CVE-2023-52436","CVE-2023-52438","CVE-2024-23196","CVE-2024-26595"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: prevent mss overflow in skb_segment()\r\n\r\nOnce again syzbot is able to crash the kernel in skb_segment() [1]\r\n\r\nGSO_BY_FRAGS is a forbidden value, but unfortunately the following\ncomputation in skb_segment() can reach it quite easily :\r\n\r\n\tmss = mss * partial_segs;\r\n\r\n65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to\na bad final result.\r\n\r\nMake sure to limit segmentation so that the new mss value is smaller\nthan GSO_BY_FRAGS.\r\n\r\n[1]\r\n\r\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 \u0026lt;0f\u0026gt; b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0\nR13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046\nFS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u0026lt;TASK\u0026gt;\nudp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x290/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626\n__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n__sys_sendto+0x255/0x340 net/socket.c:2190\n__do_sys_sendto net/socket.c:2202 [inline]\n__se_sys_sendto net/socket.c:2198 [inline]\n__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7f8692032aa9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9\nRDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003\nRBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480\nR13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003\n\u0026lt;/TASK\u0026gt;\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 \u0026lt;0f\u0026gt; b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R0\n---truncated---(CVE-2023-52435)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nf2fs: explicitly null-terminate the xattr list\r\n\r\nWhen setting an xattr, explicitly null-terminate the xattr list.  This\neliminates the fragile assumption that the unused xattr space is always\nzeroed.(CVE-2023-52436)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbinder: fix use-after-free in shinker\u0026apos;s callback\r\n\r\nThe mmap read lock is used during the shrinker\u0026apos;s callback, which means\nthat using alloc-\u0026gt;vma pointer isn\u0026apos;t safe as it can race with munmap().\nAs of commit dd2283f2605e (\u0026quot;mm: mmap: zap pages with read mmap_sem in\nmunmap\u0026quot;) the mmap lock is downgraded after the vma has been isolated.\r\n\r\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker\u0026apos;s debug sysfs. The\nfollowing KASAN report confirms the UAF:\r\n\r\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\n  Read of size 8 at addr ffff356ed50e50f0 by task bash/478\r\n\r\n  CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   zap_page_range_single+0x470/0x4b8\n   binder_alloc_free_page+0x608/0xadc\n   __list_lru_walk_one+0x130/0x3b0\n   list_lru_walk_node+0xc4/0x22c\n   binder_shrink_scan+0x108/0x1dc\n   shrinker_debugfs_scan_write+0x2b4/0x500\n   full_proxy_write+0xd4/0x140\n   vfs_write+0x1ac/0x758\n   ksys_write+0xf0/0x1dc\n   __arm64_sys_write+0x6c/0x9c\r\n\r\n  Allocated by task 492:\n   kmem_cache_alloc+0x130/0x368\n   vm_area_alloc+0x2c/0x190\n   mmap_region+0x258/0x18bc\n   do_mmap+0x694/0xa60\n   vm_mmap_pgoff+0x170/0x29c\n   ksys_mmap_pgoff+0x290/0x3a0\n   __arm64_sys_mmap+0xcc/0x144\r\n\r\n  Freed by task 491:\n   kmem_cache_free+0x17c/0x3c8\n   vm_area_free_rcu_cb+0x74/0x98\n   rcu_core+0xa38/0x26d4\n   rcu_core_si+0x10/0x1c\n   __do_softirq+0x2fc/0xd24\r\n\r\n  Last potentially related work creation:\n   __call_rcu_common.constprop.0+0x6c/0xba0\n   call_rcu+0x10/0x1c\n   vm_area_free+0x18/0x24\n   remove_vma+0xe4/0x118\n   do_vmi_align_munmap.isra.0+0x718/0xb5c\n   do_vmi_munmap+0xdc/0x1fc\n   __vm_munmap+0x10c/0x278\n   __arm64_sys_munmap+0x58/0x7c\r\n\r\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. Plus, mmap_write_trylock() has been\nrecently removed anyway.(CVE-2023-52438)\r\n\r\nA race condition was found in the Linux kernel\u0026apos;s sound/hda  device driver in snd_hdac_regmap_sync() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\r\n\r\n(CVE-2024-23196)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\r\n\r\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon \u0026apos;region-\u0026gt;group-\u0026gt;tcam\u0026apos; [1].\r\n\r\nFix by retrieving the \u0026apos;tcam\u0026apos; pointer using mlxsw_sp_acl_to_tcam().\r\n\r\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b(CVE-2024-26595)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP3","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-22.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-189.0.0.102.oe2203sp3"}]}],"ecosystem_specific":{"aarch64":["kernel-tools-5.10.0-189.0.0.102.oe2203sp3.aarch64.rpm","kernel-5.10.0-189.0.0.102.oe2203sp3.aarch64.rpm","kernel-headers-5.10.0-189.0.0.102.oe2203sp3.aarch64.rpm","perf-5.10.0-189.0.0.102.oe2203sp3.aarch64.rpm","perf-debuginfo-5.10.0-189.0.0.102.oe2203sp3.aarch64.rpm","python3-perf-5.10.0-189.0.0.102.oe2203sp3.aarch64.rpm","kernel-source-5.10.0-189.0.0.102.oe2203sp3.aarch64.rpm","kernel-devel-5.10.0-189.0.0.102.oe2203sp3.aarch64.rpm","kernel-tools-devel-5.10.0-189.0.0.102.oe2203sp3.aarch64.rpm","kernel-tools-debuginfo-5.10.0-189.0.0.102.oe2203sp3.aarch64.rpm","python3-perf-debuginfo-5.10.0-189.0.0.102.oe2203sp3.aarch64.rpm","kernel-debugsource-5.10.0-189.0.0.102.oe2203sp3.aarch64.rpm","kernel-debuginfo-5.10.0-189.0.0.102.oe2203sp3.aarch64.rpm"],"src":["kernel-5.10.0-189.0.0.102.oe2203sp3.src.rpm"],"x86_64":["perf-5.10.0-189.0.0.102.oe2203sp3.x86_64.rpm","kernel-devel-5.10.0-189.0.0.102.oe2203sp3.x86_64.rpm","kernel-tools-5.10.0-189.0.0.102.oe2203sp3.x86_64.rpm","kernel-source-5.10.0-189.0.0.102.oe2203sp3.x86_64.rpm","python3-perf-5.10.0-189.0.0.102.oe2203sp3.x86_64.rpm","python3-perf-debuginfo-5.10.0-189.0.0.102.oe2203sp3.x86_64.rpm","kernel-5.10.0-189.0.0.102.oe2203sp3.x86_64.rpm","kernel-tools-debuginfo-5.10.0-189.0.0.102.oe2203sp3.x86_64.rpm","perf-debuginfo-5.10.0-189.0.0.102.oe2203sp3.x86_64.rpm","kernel-tools-devel-5.10.0-189.0.0.102.oe2203sp3.x86_64.rpm","kernel-headers-5.10.0-189.0.0.102.oe2203sp3.x86_64.rpm","kernel-debugsource-5.10.0-189.0.0.102.oe2203sp3.x86_64.rpm","kernel-debuginfo-5.10.0-189.0.0.102.oe2203sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1244"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52435"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52436"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52438"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23196"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26595"}],"database_specific":{"severity":"High"}}