{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP6)","title":"Title of the patch"},{"category":"description","text":"This update for the Linux Kernel 6.4.0-150600_23_7 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2024-36899: gpiolib: cdev: Fix use after free in lineinfo_changed_notify (bsc#1225739).\n- CVE-2024-40954: net: do not leave a dangling sk pointer, when socket creation fails (bsc#1227808)\n","title":"Description of the patch"},{"category":"details","text":"SUSE-2024-3680,SUSE-SLE-Module-Live-Patching-15-SP6-2024-3680","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_3680-1.json"},{"category":"self","summary":"URL for SUSE-SU-2024:3680-1","url":"https://www.suse.com/support/update/announcement/2024/suse-su-20243680-1/"},{"category":"self","summary":"E-Mail link for SUSE-SU-2024:3680-1","url":"https://lists.suse.com/pipermail/sle-updates/2024-October/037286.html"},{"category":"self","summary":"SUSE Bug 1225739","url":"https://bugzilla.suse.com/1225739"},{"category":"self","summary":"SUSE Bug 1228786","url":"https://bugzilla.suse.com/1228786"},{"category":"self","summary":"SUSE CVE CVE-2024-36899 page","url":"https://www.suse.com/security/cve/CVE-2024-36899/"},{"category":"self","summary":"SUSE CVE CVE-2024-40954 page","url":"https://www.suse.com/security/cve/CVE-2024-40954/"}],"title":"Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP6)","tracking":{"current_release_date":"2024-10-16T17:34:22Z","generator":{"date":"2024-10-16T17:34:22Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"SUSE-SU-2024:3680-1","initial_release_date":"2024-10-16T17:34:22Z","revision_history":[{"date":"2024-10-16T17:34:22Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.ppc64le","product":{"name":"kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.ppc64le","product_id":"kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.ppc64le"}}],"category":"architecture","name":"ppc64le"},{"branches":[{"category":"product_version","name":"kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.s390x","product":{"name":"kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.s390x","product_id":"kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.s390x"}}],"category":"architecture","name":"s390x"},{"branches":[{"category":"product_version","name":"kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.x86_64","product":{"name":"kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.x86_64","product_id":"kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.x86_64"}}],"category":"architecture","name":"x86_64"},{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Live Patching 15 SP6","product":{"name":"SUSE Linux Enterprise Live Patching 15 SP6","product_id":"SUSE Linux Enterprise Live Patching 15 SP6","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-live-patching:15:sp6"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP6","product_id":"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.ppc64le"},"product_reference":"kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.ppc64le","relates_to_product_reference":"SUSE Linux Enterprise Live Patching 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP6","product_id":"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.s390x"},"product_reference":"kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.s390x","relates_to_product_reference":"SUSE Linux Enterprise Live Patching 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP6","product_id":"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.x86_64"},"product_reference":"kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.x86_64","relates_to_product_reference":"SUSE Linux Enterprise Live Patching 15 SP6"}]},"vulnerabilities":[{"cve":"CVE-2024-36899","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-36899"}],"notes":[{"category":"general","text":"In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: Fix use after free in lineinfo_changed_notify\n\nThe use-after-free issue occurs as follows: when the GPIO chip device file\nis being closed by invoking gpio_chrdev_release(), watched_lines is freed\nby bitmap_free(), but the unregistration of lineinfo_changed_nb notifier\nchain failed due to waiting write rwsem. Additionally, one of the GPIO\nchip's lines is also in the release process and holds the notifier chain's\nread rwsem. Consequently, a race condition leads to the use-after-free of\nwatched_lines.\n\nHere is the typical stack when issue happened:\n\n[free]\ngpio_chrdev_release()\n --> bitmap_free(cdev->watched_lines) <-- freed\n --> blocking_notifier_chain_unregister()\n --> down_write(&nh->rwsem) <-- waiting rwsem\n --> __down_write_common()\n --> rwsem_down_write_slowpath()\n --> schedule_preempt_disabled()\n --> schedule()\n\n[use]\nst54spi_gpio_dev_release()\n --> gpio_free()\n --> gpiod_free()\n --> gpiod_free_commit()\n --> gpiod_line_state_notify()\n --> blocking_notifier_call_chain()\n --> down_read(&nh->rwsem); <-- held rwsem\n --> notifier_call_chain()\n --> lineinfo_changed_notify()\n --> test_bit(xxxx, cdev->watched_lines) <-- use after free\n\nThe side effect of the use-after-free issue is that a GPIO line event is\nbeing generated for userspace where it shouldn't. However, since the chrdev\nis being closed, userspace won't have the chance to read that event anyway.\n\nTo fix the issue, call the bitmap_free() function after the unregistration\nof lineinfo_changed_nb notifier chain.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.ppc64le","SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.s390x","SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2024-36899","url":"https://www.suse.com/security/cve/CVE-2024-36899"},{"category":"external","summary":"SUSE Bug 1225737 for CVE-2024-36899","url":"https://bugzilla.suse.com/1225737"},{"category":"external","summary":"SUSE Bug 1225739 for CVE-2024-36899","url":"https://bugzilla.suse.com/1225739"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.ppc64le","SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.s390x","SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":7,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.ppc64le","SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.s390x","SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.x86_64"]}],"threats":[{"category":"impact","date":"2024-10-16T17:34:22Z","details":"important"}],"title":"CVE-2024-36899"},{"cve":"CVE-2024-40954","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-40954"}],"notes":[{"category":"general","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not leave a dangling sk pointer, when socket creation fails\n\nIt is possible to trigger a use-after-free by:\n * attaching an fentry probe to __sock_release() and the probe calling the\n bpf_get_socket_cookie() helper\n * running traceroute -I 1.1.1.1 on a freshly booted VM\n\nA KASAN enabled kernel will log something like below (decoded and stripped):\n==================================================================\nBUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nRead of size 8 at addr ffff888007110dd8 by task traceroute/299\n\nCPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n \ndump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))\nprint_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nkasan_report (mm/kasan/report.c:603)\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nkasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)\n__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nbpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)\nbpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e\nbpf_trampoline_6442506592+0x47/0xaf\n__sock_release (net/socket.c:652)\n__sock_create (net/socket.c:1601)\n...\nAllocated by task 299 on cpu 2 at 78.328492s:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (mm/kasan/common.c:68)\n__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)\nkmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)\nsk_prot_alloc (net/core/sock.c:2075)\nsk_alloc (net/core/sock.c:2134)\ninet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)\n__sock_create (net/socket.c:1572)\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\n__x64_sys_socket (net/socket.c:1718)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFreed by task 299 on cpu 2 at 78.328502s:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (mm/kasan/common.c:68)\nkasan_save_free_info (mm/kasan/generic.c:582)\npoison_slab_object (mm/kasan/common.c:242)\n__kasan_slab_free (mm/kasan/common.c:256)\nkmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)\n__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)\ninet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)\n__sock_create (net/socket.c:1572)\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\n__x64_sys_socket (net/socket.c:1718)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFix this by clearing the struct socket reference in sk_common_release() to cover\nall protocol families create functions, which may already attached the\nreference to the sk object with sock_init_data().","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.ppc64le","SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.s390x","SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2024-40954","url":"https://www.suse.com/security/cve/CVE-2024-40954"},{"category":"external","summary":"SUSE Bug 1227808 for CVE-2024-40954","url":"https://bugzilla.suse.com/1227808"},{"category":"external","summary":"SUSE Bug 1228786 for CVE-2024-40954","url":"https://bugzilla.suse.com/1228786"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.ppc64le","SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.s390x","SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":7,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.ppc64le","SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.s390x","SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_23_7-default-3-150600.13.6.1.x86_64"]}],"threats":[{"category":"impact","date":"2024-10-16T17:34:22Z","details":"important"}],"title":"CVE-2024-40954"}]}