{"schema_version":"1.7.2","id":"OESA-2024-2569","modified":"2024-12-20T13:07:41Z","published":"2024-12-20T13:07:41Z","upstream":["CVE-2022-48868","CVE-2023-52434","CVE-2023-6356","CVE-2023-6535","CVE-2023-6536","CVE-2024-50218","CVE-2024-53114","CVE-2024-53142"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: idxd: Let probe fail when workqueue cannot be enabled\r\n\r\nThe workqueue is enabled when the appropriate driver is loaded and\ndisabled when the driver is removed. When the driver is removed it\nassumes that the workqueue was enabled successfully and proceeds to\nfree allocations made during workqueue enabling.\r\n\r\nFailure during workqueue enabling does not prevent the driver from\nbeing loaded. This is because the error path within drv_enable_wq()\nreturns success unless a second failure is encountered\nduring the error path. By returning success it is possible to load\nthe driver even if the workqueue cannot be enabled and\nallocations that do not exist are attempted to be freed during\ndriver remove.\r\n\r\nSome examples of problematic flows:\n(a)\r\n\r\n idxd_dmaengine_drv_probe() -\u0026gt; drv_enable_wq() -\u0026gt; idxd_wq_request_irq():\n In above flow, if idxd_wq_request_irq() fails then\n idxd_wq_unmap_portal() is called on error exit path, but\n drv_enable_wq() returns 0 because idxd_wq_disable() succeeds. The\n driver is thus loaded successfully.\r\n\r\n idxd_dmaengine_drv_remove()-\u0026gt;drv_disable_wq()-\u0026gt;idxd_wq_unmap_portal()\n Above flow on driver unload triggers the WARN in devm_iounmap() because\n the device resource has already been removed during error path of\n drv_enable_wq().\r\n\r\n(b)\r\n\r\n idxd_dmaengine_drv_probe() -\u0026gt; drv_enable_wq() -\u0026gt; idxd_wq_request_irq():\n In above flow, if idxd_wq_request_irq() fails then\n idxd_wq_init_percpu_ref() is never called to initialize the percpu\n counter, yet the driver loads successfully because drv_enable_wq()\n returns 0.\r\n\r\n idxd_dmaengine_drv_remove()-\u0026gt;__idxd_wq_quiesce()-\u0026gt;percpu_ref_kill():\n Above flow on driver unload triggers a BUG when attempting to drop the\n initial ref of the uninitialized percpu ref:\n BUG: kernel NULL pointer dereference, address: 0000000000000010\r\n\r\nFix the drv_enable_wq() error path by returning the original error that\nindicates failure of workqueue enabling. This ensures that the probe\nfails when an error is encountered and the driver remove paths are only\nattempted when the workqueue was enabled successfully.(CVE-2022-48868)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsmb: client: fix potential OOBs in smb2_parse_contexts()\r\n\r\nValidate offsets and lengths before dereferencing create contexts in\nsmb2_parse_contexts().\r\n\r\nThis fixes following oops when accessing invalid create contexts from\nserver:\r\n\r\n  BUG: unable to handle page fault for address: ffff8881178d8cc3\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 4a01067 P4D 4a01067 PUD 0\n  Oops: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n  rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n  RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]\n  Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00\n  00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 \u0026lt;0f\u0026gt; b7\n  7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00\n  RSP: 0018:ffffc900007939e0 EFLAGS: 00010216\n  RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90\n  RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000\n  RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000\n  R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000\n  R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22\n  FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)\n  knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0\n  PKRU: 55555554\n  Call Trace:\n   \u0026lt;TASK\u0026gt;\n   ? __die+0x23/0x70\n   ? page_fault_oops+0x181/0x480\n   ? search_module_extables+0x19/0x60\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? exc_page_fault+0x1b6/0x1c0\n   ? asm_exc_page_fault+0x26/0x30\n   ? smb2_parse_contexts+0xa0/0x3a0 [cifs]\n   SMB2_open+0x38d/0x5f0 [cifs]\n   ? smb2_is_path_accessible+0x138/0x260 [cifs]\n   smb2_is_path_accessible+0x138/0x260 [cifs]\n   cifs_is_path_remote+0x8d/0x230 [cifs]\n   cifs_mount+0x7e/0x350 [cifs]\n   cifs_smb3_do_mount+0x128/0x780 [cifs]\n   smb3_get_tree+0xd9/0x290 [cifs]\n   vfs_get_tree+0x2c/0x100\n   ? capable+0x37/0x70\n   path_mount+0x2d7/0xb80\n   ? srso_alias_return_thunk+0x5/0xfbef5\n   ? _raw_spin_unlock_irqrestore+0x44/0x60\n   __x64_sys_mount+0x11a/0x150\n   do_syscall_64+0x47/0xf0\n   entry_SYSCALL_64_after_hwframe+0x6f/0x77\n  RIP: 0033:0x7f8737657b1e(CVE-2023-52434)\r\n\r\nA flaw was found in the Linux kernel\u0026apos;s NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.(CVE-2023-6356)\r\n\r\nA flaw was found in the Linux kernel\u0026apos;s NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.(CVE-2023-6535)\r\n\r\nA flaw was found in the Linux kernel\u0026apos;s NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.(CVE-2023-6536)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow  Syzbot reported a kernel BUG in ocfs2_truncate_inline.  There are two reasons for this: first, the parameter value passed is greater than ocfs2_max_inline_data_with_xattr, second, the start and end parameters of ocfs2_truncate_inline are \u0026quot;unsigned int\u0026quot;.  So, we need to add a sanity check for byte_start and byte_len right before ocfs2_truncate_inline() in ocfs2_remove_inode_range(), if they are greater than ocfs2_max_inline_data_with_xattr return -EINVAL.(CVE-2024-50218)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client  A number of Zen4 client SoCs advertise the ability to use virtualized VMLOAD/VMSAVE, but using these instructions is reported to be a cause of a random host reboot.  These instructions aren\u0026apos;t intended to be advertised on Zen4 client so clear the capability.(CVE-2024-53114)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:  initramfs: avoid filename buffer overrun  The initramfs filename field is defined in Documentation/driver-api/early-userspace/buffer-format.rst as:   37 cpio_file := ALGN(4) + cpio_header + filename + \u0026quot;\\0\u0026quot; + ALGN(4) + data ...  55 ============= ================== =========================  56 Field name    Field size         Meaning  57 ============= ================== ========================= ...  70 c_namesize    8 bytes            Length of filename, including final \\0  When extracting an initramfs cpio archive, the kernel\u0026apos;s do_name() path handler assumes a zero-terminated path at @collected, passing it directly to filp_open() / init_mkdir() / init_mknod().  If a specially crafted cpio entry carries a non-zero-terminated filename and is followed by uninitialized memory, then a file may be created with trailing characters that represent the uninitialized memory. The ability to create an initramfs entry would imply already having full control of the system, so the buffer overrun shouldn\u0026apos;t be considered a security vulnerability.  Append the output of the following bash script to an existing initramfs and observe any created /initramfs_test_fname_overrunAA* path. E.g.   ./reproducer.sh | gzip \u0026gt;\u0026gt; /myinitramfs  It\u0026apos;s easiest to observe non-zero uninitialized memory when the output is gzipped, as it\u0026apos;ll overflow the heap allocated @out_buf in __gunzip(), rather than the initrd_start+initrd_size block.  ---- reproducer.sh ---- nilchar=\u0026quot;A\u0026quot; # change to \u0026quot;\\0\u0026quot; to properly zero terminate / pad magic=\u0026quot;070701\u0026quot; ino=1 mode=$(( 0100777 )) uid=0 gid=0 nlink=1 mtime=1 filesize=0 devmajor=0 devminor=1 rdevmajor=0 rdevminor=0 csum=0 fname=\u0026quot;initramfs_test_fname_overrun\u0026quot; namelen=$(( ${#fname} + 1 )) # plus one to account for terminator  printf \u0026quot;%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s\u0026quot; \\  $magic $ino $mode $uid $gid $nlink $mtime $filesize \\  $devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname  termpadlen=$(( 1 + ((4 - ((110 + $namelen) \u0026amp; 3)) % 4) )) printf \u0026quot;%.s${nilchar}\u0026quot; $(seq 1 $termpadlen) ---- reproducer.sh ----  Symlink filename fields handled in do_symlink() won\u0026apos;t overrun past the data segment, due to the explicit zero-termination of the symlink target.  Fix filename buffer overrun by aborting the initramfs FSM if any cpio entry doesn\u0026apos;t carry a zero-terminator at the expected (name_len - 1) offset.(CVE-2024-53142)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP3","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-22.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-242.0.0.144.oe2203sp3"}]}],"ecosystem_specific":{"aarch64":["kernel-5.10.0-242.0.0.144.oe2203sp3.aarch64.rpm","kernel-debuginfo-5.10.0-242.0.0.144.oe2203sp3.aarch64.rpm","kernel-debugsource-5.10.0-242.0.0.144.oe2203sp3.aarch64.rpm","kernel-devel-5.10.0-242.0.0.144.oe2203sp3.aarch64.rpm","kernel-headers-5.10.0-242.0.0.144.oe2203sp3.aarch64.rpm","kernel-source-5.10.0-242.0.0.144.oe2203sp3.aarch64.rpm","kernel-tools-5.10.0-242.0.0.144.oe2203sp3.aarch64.rpm","kernel-tools-debuginfo-5.10.0-242.0.0.144.oe2203sp3.aarch64.rpm","kernel-tools-devel-5.10.0-242.0.0.144.oe2203sp3.aarch64.rpm","perf-5.10.0-242.0.0.144.oe2203sp3.aarch64.rpm","perf-debuginfo-5.10.0-242.0.0.144.oe2203sp3.aarch64.rpm","python3-perf-5.10.0-242.0.0.144.oe2203sp3.aarch64.rpm","python3-perf-debuginfo-5.10.0-242.0.0.144.oe2203sp3.aarch64.rpm"],"src":["kernel-5.10.0-242.0.0.144.oe2203sp3.src.rpm"],"x86_64":["kernel-5.10.0-242.0.0.144.oe2203sp3.x86_64.rpm","kernel-debuginfo-5.10.0-242.0.0.144.oe2203sp3.x86_64.rpm","kernel-debugsource-5.10.0-242.0.0.144.oe2203sp3.x86_64.rpm","kernel-devel-5.10.0-242.0.0.144.oe2203sp3.x86_64.rpm","kernel-headers-5.10.0-242.0.0.144.oe2203sp3.x86_64.rpm","kernel-source-5.10.0-242.0.0.144.oe2203sp3.x86_64.rpm","kernel-tools-5.10.0-242.0.0.144.oe2203sp3.x86_64.rpm","kernel-tools-debuginfo-5.10.0-242.0.0.144.oe2203sp3.x86_64.rpm","kernel-tools-devel-5.10.0-242.0.0.144.oe2203sp3.x86_64.rpm","perf-5.10.0-242.0.0.144.oe2203sp3.x86_64.rpm","perf-debuginfo-5.10.0-242.0.0.144.oe2203sp3.x86_64.rpm","python3-perf-5.10.0-242.0.0.144.oe2203sp3.x86_64.rpm","python3-perf-debuginfo-5.10.0-242.0.0.144.oe2203sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2569"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48868"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52434"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6356"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6535"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6536"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50218"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53114"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53142"}],"database_specific":{"severity":"High"}}