{"schema_version":"1.7.2","id":"OESA-2024-2152","modified":"2024-09-20T11:09:10Z","published":"2024-09-20T11:09:10Z","upstream":["CVE-2023-52915","CVE-2024-44960","CVE-2024-44987","CVE-2024-45006"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmedia: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer\r\n\r\nIn af9035_i2c_master_xfer, msg is controlled by user. When msg[i].buf\nis null and msg[i].len is zero, former checks on msg[i].buf would be\npassed. Malicious data finally reach af9035_i2c_master_xfer. If accessing\nmsg[i].buf[0] without sanity check, null ptr deref would happen.\nWe add check on msg[i].len to prevent crash.\r\n\r\nSimilar commit:\ncommit 0ed554fd769a\n(\u0026quot;media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\u0026quot;)(CVE-2023-52915)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: gadget: core: Check for unset descriptor\r\n\r\nMake sure the descriptor has been set before looking at maxpacket.\nThis fixes a null pointer panic in this case.\r\n\r\nThis may happen if the gadget doesn\u0026apos;t properly set up the endpoint\nfor the current speed, or the gadget descriptors are malformed and\nthe descriptor for the speed/endpoint are not found.\r\n\r\nNo current gadget driver is known to have this problem, but this\nmay cause a hard-to-find bug during development of new gadgets.(CVE-2024-44960)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipv6: prevent UAF in ip6_send_skb()\r\n\r\nsyzbot reported an UAF in ip6_send_skb() [1]\r\n\r\nAfter ip6_local_out() has returned, we no longer can safely\ndereference rt, unless we hold rcu_read_lock().\r\n\r\nA similar issue has been fixed in commit\na688caa34beb (\u0026quot;ipv6: take rcu lock in rawv6_send_hdrinc()\u0026quot;)\r\n\r\nAnother potential issue in ip6_finish_output2() is handled in a\nseparate patch.\r\n\r\n[1]\n BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964\nRead of size 8 at addr ffff88806dde4858 by task syz.1.380/6530\r\n\r\nCPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n \u0026lt;TASK\u0026gt;\n  __dump_stack lib/dump_stack.c:93 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964\n  rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588\n  rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n  sock_write_iter+0x2dd/0x400 net/socket.c:1160\n do_iter_readv_writev+0x60a/0x890\n  vfs_writev+0x37c/0xbb0 fs/read_write.c:971\n  do_writev+0x1b1/0x350 fs/read_write.c:1018\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f936bf79e79\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\nRAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79\nRDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004\nRBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8\n \u0026lt;/TASK\u0026gt;\r\n\r\nAllocated by task 6530:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  unpoison_slab_object mm/kasan/common.c:312 [inline]\n  __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338\n  kasan_slab_alloc include/linux/kasan.h:201 [inline]\n  slab_post_alloc_hook mm/slub.c:3988 [inline]\n  slab_alloc_node mm/slub.c:4037 [inline]\n  kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044\n  dst_alloc+0x12b/0x190 net/core/dst.c:89\n  ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670\n  make_blackhole net/xfrm/xfrm_policy.c:3120 [inline]\n  xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313\n  ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257\n  rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n  ___sys_sendmsg net/socket.c:2651 [inline]\n  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\nFreed by task 45:\n  kasan_save_stack mm/kasan/common.c:47 [inline]\n  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\n  poison_slab_object+0xe0/0x150 mm/kasan/common.c:240\n  __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256\n  kasan_slab_free include/linux/kasan.h:184 [inline]\n  slab_free_hook mm/slub.c:2252 [inline]\n  slab_free mm/slub.c:4473 [inline]\n  kmem_cache_free+0x145/0x350 mm/slub.c:4548\n  dst_destroy+0x2ac/0x460 net/core/dst.c:124\n  rcu_do_batch kernel/rcu/tree.c:2569 [inline]\n  rcu_core+0xafd/0x1830 kernel/rcu/tree.\n---truncated---(CVE-2024-44987)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nxhci: Fix Panther point NULL pointer deref at full-speed re-enumeration\r\n\r\nre-enumerating full-speed devices after a failed address device command\ncan trigger a NULL pointer dereference.\r\n\r\nFull-speed devices may need to reconfigure the endpoint 0 Max Packet Size\nvalue during enumeration. Usb core calls usb_ep0_reinit() in this case,\nwhich ends up calling xhci_configure_endpoint().\r\n\r\nOn Panther point xHC the xhci_configure_endpoint() function will\nadditionally check and reserve bandwidth in software. Other hosts do\nthis in hardware\r\n\r\nIf xHC address device command fails then a new xhci_virt_device structure\nis allocated as part of re-enabling the slot, but the bandwidth table\npointers are not set up properly here.\nThis triggers the NULL pointer dereference the next time usb_ep0_reinit()\nis called and xhci_configure_endpoint() tries to check and reserve\nbandwidth\r\n\r\n[46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd\n[46710.713699] usb 3-1: Device not responding to setup address.\n[46710.917684] usb 3-1: Device not responding to setup address.\n[46711.125536] usb 3-1: device not accepting address 5, error -71\n[46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008\n[46711.125600] #PF: supervisor read access in kernel mode\n[46711.125603] #PF: error_code(0x0000) - not-present page\n[46711.125606] PGD 0 P4D 0\n[46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI\n[46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1\n[46711.125620] Hardware name: Gigabyte Technology Co., Ltd.\n[46711.125623] Workqueue: usb_hub_wq hub_event [usbcore]\n[46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c\r\n\r\nFix this by making sure bandwidth table pointers are set up correctly\nafter a failed address device command, and additionally by avoiding\nchecking for bandwidth in cases like this where no actual endpoints are\nadded or removed, i.e. only context for default control endpoint 0 is\nevaluated.(CVE-2024-45006)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.19.90-2409.4.0.0295.oe2003sp4"}]}],"ecosystem_specific":{"aarch64":["bpftool-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm","bpftool-debuginfo-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm","kernel-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm","kernel-debuginfo-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm","kernel-debugsource-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm","kernel-devel-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm","kernel-source-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm","kernel-tools-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm","kernel-tools-debuginfo-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm","kernel-tools-devel-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm","perf-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm","perf-debuginfo-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm","python2-perf-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm","python2-perf-debuginfo-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm","python3-perf-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm","python3-perf-debuginfo-4.19.90-2409.4.0.0295.oe2003sp4.aarch64.rpm"],"src":["kernel-4.19.90-2409.4.0.0295.oe2003sp4.src.rpm"],"x86_64":["bpftool-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm","bpftool-debuginfo-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm","kernel-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm","kernel-debuginfo-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm","kernel-debugsource-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm","kernel-devel-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm","kernel-source-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm","kernel-tools-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm","kernel-tools-debuginfo-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm","kernel-tools-devel-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm","perf-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm","perf-debuginfo-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm","python2-perf-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm","python2-perf-debuginfo-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm","python3-perf-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm","python3-perf-debuginfo-4.19.90-2409.4.0.0295.oe2003sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2152"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52915"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-44960"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-44987"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45006"}],"database_specific":{"severity":"High"}}