{"schema_version":"1.7.2","id":"OESA-2025-1202","modified":"2025-02-28T15:33:12Z","published":"2025-02-28T15:33:12Z","upstream":["CVE-2024-50150","CVE-2024-56650","CVE-2024-56658","CVE-2024-56754","CVE-2024-57792","CVE-2024-57795","CVE-2024-57857"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: altmode should keep reference to parent\n\nThe altmode device release refers to its parent device, but without keeping\na reference to it.\n\nWhen registering the altmode, get a reference to the parent and put it in\nthe release function.\n\nBefore this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues\nlike this:\n\n[   43.572860] kobject: \u0026apos;port0.0\u0026apos; (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000)\n[   43.573532] kobject: \u0026apos;port0.1\u0026apos; (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000)\n[   43.574407] kobject: \u0026apos;port0\u0026apos; (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000)\n[   43.575059] kobject: \u0026apos;port1.0\u0026apos; (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000)\n[   43.575908] kobject: \u0026apos;port1.1\u0026apos; (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000)\n[   43.576908] kobject: \u0026apos;typec\u0026apos; (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000)\n[   43.577769] kobject: \u0026apos;port1\u0026apos; (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000)\n[   46.612867] ==================================================================\n[   46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129\n[   46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48\n[   46.614538]\n[   46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535\n[   46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n[   46.616042] Workqueue: events kobject_delayed_cleanup\n[   46.616446] Call Trace:\n[   46.616648]  \u0026lt;TASK\u0026gt;\n[   46.616820]  dump_stack_lvl+0x5b/0x7c\n[   46.617112]  ? typec_altmode_release+0x38/0x129\n[   46.617470]  print_report+0x14c/0x49e\n[   46.617769]  ? rcu_read_unlock_sched+0x56/0x69\n[   46.618117]  ? __virt_addr_valid+0x19a/0x1ab\n[   46.618456]  ? kmem_cache_debug_flags+0xc/0x1d\n[   46.618807]  ? typec_altmode_release+0x38/0x129\n[   46.619161]  kasan_report+0x8d/0xb4\n[   46.619447]  ? typec_altmode_release+0x38/0x129\n[   46.619809]  ? process_scheduled_works+0x3cb/0x85f\n[   46.620185]  typec_altmode_release+0x38/0x129\n[   46.620537]  ? process_scheduled_works+0x3cb/0x85f\n[   46.620907]  device_release+0xaf/0xf2\n[   46.621206]  kobject_delayed_cleanup+0x13b/0x17a\n[   46.621584]  process_scheduled_works+0x4f6/0x85f\n[   46.621955]  ? __pfx_process_scheduled_works+0x10/0x10\n[   46.622353]  ? hlock_class+0x31/0x9a\n[   46.622647]  ? lock_acquired+0x361/0x3c3\n[   46.622956]  ? move_linked_works+0x46/0x7d\n[   46.623277]  worker_thread+0x1ce/0x291\n[   46.623582]  ? __kthread_parkme+0xc8/0xdf\n[   46.623900]  ? __pfx_worker_thread+0x10/0x10\n[   46.624236]  kthread+0x17e/0x190\n[   46.624501]  ? kthread+0xfb/0x190\n[   46.624756]  ? __pfx_kthread+0x10/0x10\n[   46.625015]  ret_from_fork+0x20/0x40\n[   46.625268]  ? __pfx_kthread+0x10/0x10\n[   46.625532]  ret_from_fork_asm+0x1a/0x30\n[   46.625805]  \u0026lt;/TASK\u0026gt;\n[   46.625953]\n[   46.626056] Allocated by task 678:\n[   46.626287]  kasan_save_stack+0x24/0x44\n[   46.626555]  kasan_save_track+0x14/0x2d\n[   46.626811]  __kasan_kmalloc+0x3f/0x4d\n[   46.627049]  __kmalloc_noprof+0x1bf/0x1f0\n[   46.627362]  typec_register_port+0x23/0x491\n[   46.627698]  cros_typec_probe+0x634/0xbb6\n[   46.628026]  platform_probe+0x47/0x8c\n[   46.628311]  really_probe+0x20a/0x47d\n[   46.628605]  device_driver_attach+0x39/0x72\n[   46.628940]  bind_store+0x87/0xd7\n[   46.629213]  kernfs_fop_write_iter+0x1aa/0x218\n[   46.629574]  vfs_write+0x1d6/0x29b\n[   46.629856]  ksys_write+0xcd/0x13b\n[   46.630128]  do_syscall_64+0xd4/0x139\n[   46.630420]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   46.630820]\n[   46.630946] Freed by task 48:\n[   46.631182]  kasan_save_stack+0x24/0x44\n[   46.631493]  kasan_save_track+0x14/0x2d\n[   46.631799]  kasan_save_free_info+0x3f/0x4d\n[   46.632144]  __kasan_slab_free+0x37/0x45\n[   46.632474]\n---truncated---(CVE-2024-50150)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: fix LED ID check in led_tg_check()\n\nSyzbot has reported the following BUG detected by KASAN:\n\nBUG: KASAN: slab-out-of-bounds in strlen+0x58/0x70\nRead of size 1 at addr ffff8881022da0c8 by task repro/5879\n...\nCall Trace:\n \u0026lt;TASK\u0026gt;\n dump_stack_lvl+0x241/0x360\n ? __pfx_dump_stack_lvl+0x10/0x10\n ? __pfx__printk+0x10/0x10\n ? _printk+0xd5/0x120\n ? __virt_addr_valid+0x183/0x530\n ? __virt_addr_valid+0x183/0x530\n print_report+0x169/0x550\n ? __virt_addr_valid+0x183/0x530\n ? __virt_addr_valid+0x183/0x530\n ? __virt_addr_valid+0x45f/0x530\n ? __phys_addr+0xba/0x170\n ? strlen+0x58/0x70\n kasan_report+0x143/0x180\n ? strlen+0x58/0x70\n strlen+0x58/0x70\n kstrdup+0x20/0x80\n led_tg_check+0x18b/0x3c0\n xt_check_target+0x3bb/0xa40\n ? __pfx_xt_check_target+0x10/0x10\n ? stack_depot_save_flags+0x6e4/0x830\n ? nft_target_init+0x174/0xc30\n nft_target_init+0x82d/0xc30\n ? __pfx_nft_target_init+0x10/0x10\n ? nf_tables_newrule+0x1609/0x2980\n ? nf_tables_newrule+0x1609/0x2980\n ? rcu_is_watching+0x15/0xb0\n ? nf_tables_newrule+0x1609/0x2980\n ? nf_tables_newrule+0x1609/0x2980\n ? __kmalloc_noprof+0x21a/0x400\n nf_tables_newrule+0x1860/0x2980\n ? __pfx_nf_tables_newrule+0x10/0x10\n ? __nla_parse+0x40/0x60\n nfnetlink_rcv+0x14e5/0x2ab0\n ? __pfx_validate_chain+0x10/0x10\n ? __pfx_nfnetlink_rcv+0x10/0x10\n ? __lock_acquire+0x1384/0x2050\n ? netlink_deliver_tap+0x2e/0x1b0\n ? __pfx_lock_release+0x10/0x10\n ? netlink_deliver_tap+0x2e/0x1b0\n netlink_unicast+0x7f8/0x990\n ? __pfx_netlink_unicast+0x10/0x10\n ? __virt_addr_valid+0x183/0x530\n ? __check_object_size+0x48e/0x900\n netlink_sendmsg+0x8e4/0xcb0\n ? __pfx_netlink_sendmsg+0x10/0x10\n ? aa_sock_msg_perm+0x91/0x160\n ? __pfx_netlink_sendmsg+0x10/0x10\n __sock_sendmsg+0x223/0x270\n ____sys_sendmsg+0x52a/0x7e0\n ? __pfx_____sys_sendmsg+0x10/0x10\n __sys_sendmsg+0x292/0x380\n ? __pfx___sys_sendmsg+0x10/0x10\n ? lockdep_hardirqs_on_prepare+0x43d/0x780\n ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10\n ? exc_page_fault+0x590/0x8c0\n ? do_syscall_64+0xb6/0x230\n do_syscall_64+0xf3/0x230\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n \u0026lt;/TASK\u0026gt;\n\nSince an invalid (without \u0026apos;\\0\u0026apos; byte at all) byte sequence may be passed\nfrom userspace, add an extra check to ensure that such a sequence is\nrejected as possible ID and so never passed to \u0026apos;kstrdup()\u0026apos; and further.(CVE-2024-56650)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: defer final \u0026apos;struct net\u0026apos; free in netns dismantle\n\nIlya reported a slab-use-after-free in dst_destroy [1]\n\nIssue is in xfrm6_net_init() and xfrm4_net_init() :\n\nThey copy xfrm[46]_dst_ops_template into net-\u0026gt;xfrm.xfrm[46]_dst_ops.\n\nBut net structure might be freed before all the dst callbacks are\ncalled. So when dst_destroy() calls later :\n\nif (dst-\u0026gt;ops-\u0026gt;destroy)\n    dst-\u0026gt;ops-\u0026gt;destroy(dst);\n\ndst-\u0026gt;ops points to the old net-\u0026gt;xfrm.xfrm[46]_dst_ops, which has been freed.\n\nSee a relevant issue fixed in :\n\nac888d58869b (\u0026quot;net: do not delay dst_entries_add() in dst_release()\u0026quot;)\n\nA fix is to queue the \u0026apos;struct net\u0026apos; to be freed after one\nanother cleanup_net() round (and existing rcu_barrier())\n\n[1]\n\nBUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112)\nRead of size 8 at addr ffff8882137ccab0 by task swapper/37/0\nDec 03 05:46:18 kernel:\nCPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67\nHardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014\nCall Trace:\n \u0026lt;IRQ\u0026gt;\ndump_stack_lvl (lib/dump_stack.c:124)\nprint_address_description.constprop.0 (mm/kasan/report.c:378)\n? dst_destroy (net/core/dst.c:112)\nprint_report (mm/kasan/report.c:489)\n? dst_destroy (net/core/dst.c:112)\n? kasan_addr_to_slab (mm/kasan/common.c:37)\nkasan_report (mm/kasan/report.c:603)\n? dst_destroy (net/core/dst.c:112)\n? rcu_do_batch (kernel/rcu/tree.c:2567)\ndst_destroy (net/core/dst.c:112)\nrcu_do_batch (kernel/rcu/tree.c:2567)\n? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491)\n? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406)\nrcu_core (kernel/rcu/tree.c:2825)\nhandle_softirqs (kernel/softirq.c:554)\n__irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637)\nirq_exit_rcu (kernel/softirq.c:651)\nsysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049)\n \u0026lt;/IRQ\u0026gt;\n \u0026lt;TASK\u0026gt;\nasm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702)\nRIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743)\nCode: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 \u0026lt;fa\u0026gt; c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90\nRSP: 0018:ffff888100d2fe00 EFLAGS: 00000246\nRAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123\nRBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d\nR10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000\nR13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000\n? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148)\n? cpuidle_idle_call (kernel/sched/idle.c:186)\ndefault_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118)\ncpuidle_idle_call (kernel/sched/idle.c:186)\n? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168)\n? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848)\n? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)\n? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59)\ndo_idle (kernel/sched/idle.c:326)\ncpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1))\nstart_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282)\n? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232)\n? soft_restart_cpu (arch/x86/kernel/head_64.S:452)\ncommon_startup_64 (arch/x86/kernel/head_64.S:414)\n \u0026lt;/TASK\u0026gt;\nDec 03 05:46:18 kernel:\nAllocated by task 12184:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)\n__kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)\nkmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141)\ncopy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480)\ncreate_new_namespaces\n---truncated---(CVE-2024-56658)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: caam - Fix the pointer passed to caam_qi_shutdown()\n\nThe type of the last parameter given to devm_add_action_or_reset() is\n\u0026quot;struct caam_drv_private *\u0026quot;, but in caam_qi_shutdown(), it is casted to\n\u0026quot;struct device *\u0026quot;.\n\nPass the correct parameter to devm_add_action_or_reset() so that the\nresources are released as expected.(CVE-2024-56754)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: gpio-charger: Fix set charge current limits\n\nFix set charge current limits for devices which allow to set the lowest\ncharge current limit to be greater zero. If requested charge current limit\nis below lowest limit, the index equals current_limit_map_size which leads\nto accessing memory beyond allocated memory.(CVE-2024-57792)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Remove the direct link to net_device\n\nThe similar patch in siw is in the link:\nhttps://git.kernel.org/rdma/rdma/c/16b87037b48889\n\nThis problem also occurred in RXE. The following analyze this problem.\nIn the following Call Traces:\n\u0026quot;\nBUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\nRead of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295\n\nCPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted\n6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0\nHardware name: Google Compute Engine/Google Compute Engine,\nBIOS Google 09/13/2024\nWorkqueue: infiniband ib_cache_event_task\nCall Trace:\n \u0026lt;TASK\u0026gt;\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\n rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60\n __ib_query_port drivers/infiniband/core/device.c:2111 [inline]\n ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143\n ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494\n ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f2/0x390 kernel/kthread.c:389\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u0026lt;/TASK\u0026gt;\n\u0026quot;\n\n1). In the link [1],\n\n\u0026quot;\n infiniband syz2: set down\n\u0026quot;\n\nThis means that on 839.350575, the event ib_cache_event_task was sent andi\nqueued in ib_wq.\n\n2). In the link [1],\n\n\u0026quot;\n team0 (unregistering): Port device team_slave_0 removed\n\u0026quot;\n\nIt indicates that before 843.251853, the net device should be freed.\n\n3). In the link [1],\n\n\u0026quot;\n BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0\n\u0026quot;\n\nThis means that on 850.559070, this slab-use-after-free problem occurred.\n\nIn all, on 839.350575, the event ib_cache_event_task was sent and queued\nin ib_wq,\n\nbefore 843.251853, the net device veth was freed.\n\non 850.559070, this event was executed, and the mentioned freed net device\nwas called. Thus, the above call trace occurred.\n\n[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000(CVE-2024-57795)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Remove direct link to net_device\n\nDo not manage a per device direct link to net_device. Rely\non associated ib_devices net_device management, not doubling\nthe effort locally. A badly managed local link to net_device\nwas causing a \u0026apos;KASAN: slab-use-after-free\u0026apos; exception during\nsiw_query_port() call.(CVE-2024-57857)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP3","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-22.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-251.0.0.154.oe2203sp3"}]}],"ecosystem_specific":{"aarch64":["kernel-5.10.0-251.0.0.154.oe2203sp3.aarch64.rpm","kernel-debuginfo-5.10.0-251.0.0.154.oe2203sp3.aarch64.rpm","kernel-debugsource-5.10.0-251.0.0.154.oe2203sp3.aarch64.rpm","kernel-devel-5.10.0-251.0.0.154.oe2203sp3.aarch64.rpm","kernel-headers-5.10.0-251.0.0.154.oe2203sp3.aarch64.rpm","kernel-source-5.10.0-251.0.0.154.oe2203sp3.aarch64.rpm","kernel-tools-5.10.0-251.0.0.154.oe2203sp3.aarch64.rpm","kernel-tools-debuginfo-5.10.0-251.0.0.154.oe2203sp3.aarch64.rpm","kernel-tools-devel-5.10.0-251.0.0.154.oe2203sp3.aarch64.rpm","perf-5.10.0-251.0.0.154.oe2203sp3.aarch64.rpm","perf-debuginfo-5.10.0-251.0.0.154.oe2203sp3.aarch64.rpm","python3-perf-5.10.0-251.0.0.154.oe2203sp3.aarch64.rpm","python3-perf-debuginfo-5.10.0-251.0.0.154.oe2203sp3.aarch64.rpm"],"src":["kernel-5.10.0-251.0.0.154.oe2203sp3.src.rpm"],"x86_64":["kernel-5.10.0-251.0.0.154.oe2203sp3.x86_64.rpm","kernel-debuginfo-5.10.0-251.0.0.154.oe2203sp3.x86_64.rpm","kernel-debugsource-5.10.0-251.0.0.154.oe2203sp3.x86_64.rpm","kernel-devel-5.10.0-251.0.0.154.oe2203sp3.x86_64.rpm","kernel-headers-5.10.0-251.0.0.154.oe2203sp3.x86_64.rpm","kernel-source-5.10.0-251.0.0.154.oe2203sp3.x86_64.rpm","kernel-tools-5.10.0-251.0.0.154.oe2203sp3.x86_64.rpm","kernel-tools-debuginfo-5.10.0-251.0.0.154.oe2203sp3.x86_64.rpm","kernel-tools-devel-5.10.0-251.0.0.154.oe2203sp3.x86_64.rpm","perf-5.10.0-251.0.0.154.oe2203sp3.x86_64.rpm","perf-debuginfo-5.10.0-251.0.0.154.oe2203sp3.x86_64.rpm","python3-perf-5.10.0-251.0.0.154.oe2203sp3.x86_64.rpm","python3-perf-debuginfo-5.10.0-251.0.0.154.oe2203sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1202"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50150"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56650"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56658"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56754"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-57792"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-57795"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-57857"}],"database_specific":{"severity":"High"}}