{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for the Linux Kernel RT (Live Patch 0 for SLE 15 SP6)","title":"Title of the patch"},{"category":"description","text":"This update for the Linux Kernel 6.4.0-150600_8 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2024-40921: net: bridge: mst: pass vlan group directly to br_mst_vlan_set_state (bsc#1227784).\n- CVE-2024-40920: net: bridge: mst: fix suspicious rcu usage in br_mst_set_state (bsc#1227781).\n- CVE-2024-36979: net: bridge: mst: fix vlan use-after-free (bsc#1227369).\n- CVE-2024-41057: cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() (bsc#1229275).\n- CVE-2024-36971: Fixed __dst_negative_advice() race (bsc#1226324).\n","title":"Description of the patch"},{"category":"details","text":"SUSE-2025-268,SUSE-SLE-Module-Live-Patching-15-SP6-2025-268","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_0268-1.json"},{"category":"self","summary":"URL for SUSE-SU-2025:0268-1","url":"https://www.suse.com/support/update/announcement/2025/suse-su-20250268-1/"},{"category":"self","summary":"E-Mail link for SUSE-SU-2025:0268-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2025-January/020227.html"},{"category":"self","summary":"SUSE Bug 1226324","url":"https://bugzilla.suse.com/1226324"},{"category":"self","summary":"SUSE Bug 1227369","url":"https://bugzilla.suse.com/1227369"},{"category":"self","summary":"SUSE Bug 1227781","url":"https://bugzilla.suse.com/1227781"},{"category":"self","summary":"SUSE Bug 1227784","url":"https://bugzilla.suse.com/1227784"},{"category":"self","summary":"SUSE Bug 1229275","url":"https://bugzilla.suse.com/1229275"},{"category":"self","summary":"SUSE CVE CVE-2024-36971 page","url":"https://www.suse.com/security/cve/CVE-2024-36971/"},{"category":"self","summary":"SUSE CVE CVE-2024-36979 page","url":"https://www.suse.com/security/cve/CVE-2024-36979/"},{"category":"self","summary":"SUSE CVE CVE-2024-40920 page","url":"https://www.suse.com/security/cve/CVE-2024-40920/"},{"category":"self","summary":"SUSE CVE CVE-2024-40921 page","url":"https://www.suse.com/security/cve/CVE-2024-40921/"},{"category":"self","summary":"SUSE CVE CVE-2024-41057 page","url":"https://www.suse.com/security/cve/CVE-2024-41057/"}],"title":"Security update for the Linux Kernel RT (Live Patch 0 for SLE 15 SP6)","tracking":{"current_release_date":"2025-01-28T13:03:45Z","generator":{"date":"2025-01-28T13:03:45Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"SUSE-SU-2025:0268-1","initial_release_date":"2025-01-28T13:03:45Z","revision_history":[{"date":"2025-01-28T13:03:45Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64","product":{"name":"kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64","product_id":"kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"}}],"category":"architecture","name":"x86_64"},{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Live Patching 15 SP6","product":{"name":"SUSE Linux Enterprise Live Patching 15 SP6","product_id":"SUSE Linux Enterprise Live Patching 15 SP6","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-live-patching:15:sp6"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP6","product_id":"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"},"product_reference":"kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64","relates_to_product_reference":"SUSE Linux Enterprise Live Patching 15 SP6"}]},"vulnerabilities":[{"cve":"CVE-2024-36971","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-36971"}],"notes":[{"category":"general","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix __dst_negative_advice() race\n\n__dst_negative_advice() does not enforce proper RCU rules when\nsk->dst_cache must be cleared, leading to possible UAF.\n\nRCU rules are that we must first clear sk->sk_dst_cache,\nthen call dst_release(old_dst).\n\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\nwhile __dst_negative_advice() uses the wrong order.\n\nGiven that ip6_negative_advice() has special logic\nagainst RTF_CACHE, this means each of the three ->negative_advice()\nexisting methods must perform the sk_dst_reset() themselves.\n\nNote the check against NULL dst is centralized in\n__dst_negative_advice(), there is no need to duplicate\nit in various callbacks.\n\nMany thanks to Clement Lecigne for tracking this issue.\n\nThis old bug became visible after the blamed commit, using UDP sockets.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2024-36971","url":"https://www.suse.com/security/cve/CVE-2024-36971"},{"category":"external","summary":"SUSE Bug 1226145 for CVE-2024-36971","url":"https://bugzilla.suse.com/1226145"},{"category":"external","summary":"SUSE Bug 1226324 for CVE-2024-36971","url":"https://bugzilla.suse.com/1226324"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":7,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"]}],"threats":[{"category":"impact","date":"2025-01-28T13:03:45Z","details":"important"}],"title":"CVE-2024-36971"},{"cve":"CVE-2024-36979","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-36979"}],"notes":[{"category":"general","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mst: fix vlan use-after-free\n\nsyzbot reported a suspicious rcu usage[1] in bridge's mst code. While\nfixing it I noticed that nothing prevents a vlan to be freed while\nwalking the list from the same path (br forward delay timer). Fix the rcu\nusage and also make sure we are not accessing freed memory by making\nbr_mst_vlan_set_state use rcu read lock.\n\n[1]\n WARNING: suspicious RCU usage\n 6.9.0-rc6-syzkaller #0 Not tainted\n -----------------------------\n net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!\n ...\n stack backtrace:\n CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n Call Trace:\n  <IRQ>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\n  nbp_vlan_group net/bridge/br_private.h:1599 [inline]\n  br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105\n  br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47\n  br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88\n  call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793\n  expire_timers kernel/time/timer.c:1844 [inline]\n  __run_timers kernel/time/timer.c:2418 [inline]\n  __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429\n  run_timer_base kernel/time/timer.c:2438 [inline]\n  run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448\n  __do_softirq+0x2c6/0x980 kernel/softirq.c:554\n  invoke_softirq kernel/softirq.c:428 [inline]\n  __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633\n  irq_exit_rcu+0x9/0x30 kernel/softirq.c:645\n  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\n  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\n  </IRQ>\n  <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\n RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758\n Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25\n RSP: 0018:ffffc90013657100 EFLAGS: 00000206\n RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001\n RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60\n RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0\n R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28\n R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2024-36979","url":"https://www.suse.com/security/cve/CVE-2024-36979"},{"category":"external","summary":"SUSE Bug 1226604 for CVE-2024-36979","url":"https://bugzilla.suse.com/1226604"},{"category":"external","summary":"SUSE Bug 1227369 for CVE-2024-36979","url":"https://bugzilla.suse.com/1227369"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":7,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"]}],"threats":[{"category":"impact","date":"2025-01-28T13:03:45Z","details":"important"}],"title":"CVE-2024-36979"},{"cve":"CVE-2024-40920","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-40920"}],"notes":[{"category":"general","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mst: fix suspicious rcu usage in br_mst_set_state\n\nI converted br_mst_set_state to RCU to avoid a vlan use-after-free\nbut forgot to change the vlan group dereference helper. Switch to vlan\ngroup RCU deref helper to fix the suspicious rcu usage warning.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2024-40920","url":"https://www.suse.com/security/cve/CVE-2024-40920"},{"category":"external","summary":"SUSE Bug 1227781 for CVE-2024-40920","url":"https://bugzilla.suse.com/1227781"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":5.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"]}],"threats":[{"category":"impact","date":"2025-01-28T13:03:45Z","details":"moderate"}],"title":"CVE-2024-40920"},{"cve":"CVE-2024-40921","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-40921"}],"notes":[{"category":"general","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mst: pass vlan group directly to br_mst_vlan_set_state\n\nPass the already obtained vlan group pointer to br_mst_vlan_set_state()\ninstead of dereferencing it again. Each caller has already correctly\ndereferenced it for their context. This change is required for the\nfollowing suspicious RCU dereference fix. No functional changes\nintended.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2024-40921","url":"https://www.suse.com/security/cve/CVE-2024-40921"},{"category":"external","summary":"SUSE Bug 1227784 for CVE-2024-40921","url":"https://bugzilla.suse.com/1227784"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":5.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"]}],"threats":[{"category":"impact","date":"2025-01-28T13:03:45Z","details":"moderate"}],"title":"CVE-2024-40921"},{"cve":"CVE-2024-41057","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-41057"}],"notes":[{"category":"general","text":"In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600\nRead of size 8 at addr ffff888118efc000 by task kworker/u78:0/109\n\nCPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566\nCall Trace:\n <TASK>\n kasan_report+0x93/0xc0\n cachefiles_withdraw_cookie+0x4d9/0x600\n fscache_cookie_state_machine+0x5c8/0x1230\n fscache_cookie_worker+0x91/0x1c0\n process_one_work+0x7fa/0x1800\n [...]\n\nAllocated by task 117:\n kmalloc_trace+0x1b3/0x3c0\n cachefiles_acquire_volume+0xf3/0x9c0\n fscache_create_volume_work+0x97/0x150\n process_one_work+0x7fa/0x1800\n [...]\n\nFreed by task 120301:\n kfree+0xf1/0x2c0\n cachefiles_withdraw_cache+0x3fa/0x920\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n do_exit+0x87a/0x29b0\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n           p1                |             p2\n------------------------------------------------------------\n                              fscache_begin_lookup\n                               fscache_begin_volume_access\n                                fscache_cache_is_live(fscache_cache)\ncachefiles_daemon_release\n cachefiles_put_unbind_pincount\n  cachefiles_daemon_unbind\n   cachefiles_withdraw_cache\n    fscache_withdraw_cache\n     fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);\n    cachefiles_withdraw_objects(cache)\n    fscache_wait_for_objects(fscache)\n      atomic_read(&fscache_cache->object_count) == 0\n                              fscache_perform_lookup\n                               cachefiles_lookup_cookie\n                                cachefiles_alloc_object\n                                 refcount_set(&object->ref, 1);\n                                 object->volume = volume\n                                 fscache_count_object(vcookie->cache);\n                                  atomic_inc(&fscache_cache->object_count)\n    cachefiles_withdraw_volumes\n     cachefiles_withdraw_volume\n      fscache_withdraw_volume\n      __cachefiles_free_volume\n       kfree(cachefiles_volume)\n                              fscache_cookie_state_machine\n                               cachefiles_withdraw_cookie\n                                cache = object->volume->cache;\n                                // cachefiles_volume UAF !!!\n\nAfter setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups\nto complete first, and then wait for fscache_cache->object_count == 0 to\navoid the cookie exiting after the volume has been freed and triggering\nthe above issue. Therefore call fscache_withdraw_volume() before calling\ncachefiles_withdraw_objects().\n\nThis way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two\ncases will occur:\n1) fscache_begin_lookup fails in fscache_begin_volume_access().\n2) fscache_withdraw_volume() will ensure that fscache_count_object() has\n   been executed before calling fscache_wait_for_objects().","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2024-41057","url":"https://www.suse.com/security/cve/CVE-2024-41057"},{"category":"external","summary":"SUSE Bug 1228462 for CVE-2024-41057","url":"https://bugzilla.suse.com/1228462"},{"category":"external","summary":"SUSE Bug 1229275 for CVE-2024-41057","url":"https://bugzilla.suse.com/1229275"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":7,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_8-rt-8-150600.3.1.x86_64"]}],"threats":[{"category":"impact","date":"2025-01-28T13:03:45Z","details":"important"}],"title":"CVE-2024-41057"}]}