SUSE-IU-2024:504-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2024:504-1 Interim 1 1 2025-02-04T12:50:09Z current 2024-06-09T01:00:00Z 2024-06-09T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2024:504-1 / google/sles-12-sp5-v20240609-x86-64 This image update for google/sles-12-sp5-v20240609-x86-64 contains the following changes: Package fdupes was updated: - Apply &quot;toctou-race-allows-arbitrary-file-deletion.patch&quot; to fix a race condition that could be exploited to delete arbitrary files. This patch is a back-ported and simplified version of the commit https://github.com/adrianlopezroche/fdupes/commit/85680897148f1ac33b55418e00334116e419717f introduced upstream in release 2.2.0. [bsc#1200381] Package glib2 was updated: - Add patches to fix CVE-2024-34397 (boo#1224044): glib2-CVE-2024-34397-add-ref-count-types.patch glib2-allocate-SignalSubscriber-structs-individually.patch glib2-CVE-2024-34397.patch (glgo#GNOME/glib#3268). glib2-fix-ibus-regression.patch (glgo#GNOME/glib#3353) Package shadow was updated: - bsc#1188307: Fix passwd segfault Add shadow-bsc1188307-passwd-segfault.patch Package python-pyOpenSSL was updated: - Add CVE-2018-1000807-8_use_after_free_X509.patch to fix CVE-2018-1000807 (bsc#1111635) and CVE-2018-1000808 (bsc#1111634) fix a memory leak and a potential UAF and also #722 (#723) sanity check bump cryptography minimum version, add changelog - Add skip_user_after_free_tests.patch to pass the test suite. - bsc#1021578 add move_cryptography_backend_import.patch to avoid bad interaction with python-cryptography package. Package libfastjson was updated: - fix CVE-2020-12762 integer overflow and out-of-bounds write via a large JSON file (bsc#1171479) add 0001-Fix-CVE-2020-12762.patch Package openssl-1_0_0 was updated: - Security fix: [bsc#1219243, CVE-2024-0727] * Add NULL checks where ContentInfo data can be NULL * Add openssl-CVE-2024-0727.patch Package google-guest-oslogin was updated: - Fix file permissions for google_authorized_principals binary (bsc#1222171) - Update to version 20240311.00 (bsc#1218548, bsc#1221900, bsc#1221901) * pam: Bring back pam's account management implementation (#133) * Change error messages when checking login policy (#129) * Remove quintonamore from OWNERS (#128) - Add explicit versioned dependency on google-guest-agent (bsc#1219642) - Update to version 20231116.00 * build: Fix DESTDIR concatenation (#124) - from version 20231113.00 * build: Fix clang build (#122) - from version 20231103.00 * Update owners (#121) - Update to version 20231101.00 (bsc#1216548, bsc#1216750) * Fix HTTP calls retry logic (#117) - Update to version 20231004 * packaging: Make the dependency explicit (#120) - update to 20230926.00: * fix suse build * selinux: fix selinux build (#114) * test: align CXX Flags * sshca: Make the implementation more C++ like * sshca: Add a SysLog wrapper * oslogin_utils: introduce AuthorizeUser() API * sshca: move it out of pam dir * pam: start disabling the use of oslogin_sshca * sshca: consider sshca API to assume a cert only * authorized principals: introduce the new command * authorize keys: update to use new APIs * pam modules: remove pam_*_admin and update pam_*_login * cache_refresh: should be catching by reference. - Update to version 20230823.00 * selinux: Add sshd_key_t type enforcement to trusted user ca (#113) - from version 20230822.00 * sshca: Add tests with fingerprint and multiple extensions (#111) - from version 20230821.01 * sshca: Support method token and handle multi line (#109) - from version 20230821.00 * Update owners (#110) - Update to version 20230808.00 * byoid: extract and apply the ca fingerprint to policy call (#106) - Update to version 20230502.00 * Improve the URL in 2fa prompt (#104) - from version 20230406.02 * Check open files (#101) - from version 20230406.01 * Initialize variables (#100) * Fix formatting (#102) - from version 20230406.00 * PAM cleanup: remove duplicates (#97) - from version 20230405.00 * NSS cleanup (#98) - from version 20230403.01 * Cleanup Makefiles (#95) - from version 20230403.00 * Add anandadalton to the owners list (#96) - Update to version 20230217.00 * Update OWNERS (#91) - from version 20230202.00 * Update owners file (#89) - Update to version 20220721.00 (bsc#1202100, bsc#1202101) * prune outdated info from readme (#86) - from version 20220714.00 * strip json-c version symbol (#84) - from version 20220622.00 * pam login: split conditions for logging (#83) - use pam_moduledir (boo#1191036) * Support UsrMerge project - Update to version 20220411.00 * pam login: split conditions for logging (#83) Package ncurses was updated: - Add patch ncurses-5.9-bsc1220061.patch (bsc#1220061, CVE-2023-45918) * Backport from ncurses-6.4-20230615.patch improve checks in convert_string() for corrupt terminfo entry Package runc was updated: - Add upstream patch &lt;https://github.com/opencontainers/runc/pull/4219&gt; to properly fix -ENOSYS stub on ppc64le. bsc#1192051 bsc#1221050 + 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch + 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch + 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch Package shim was updated: - Update shim to 15.8-150300.4.20.2 from SLE15-SP3 + Version: 15.8, &quot;Thu Apr 18 2024&quot; + Update the SLE signatures + Include the fixes for (bsc#1215099,CVE-2023-40546), (bsc#1215098,CVE-2023-40547), (bsc#1215103,CVE-2023-40551), (bsc#1215102,CVE-2023-40550), (bsc#1215101,CVE-2023-40549), (bsc#1215100,CVE-2023-40548), bsc#1205588, bsc#1202120, bsc#1201066, (bsc#1198458, CVE-2022-28737), bsc#1198101, bsc#1193315, bsc#1193282 Package kernel-default was updated: - blacklist.conf: update blacklist- commit 7f77e9d - Fix backport of : NFS: Fix error handling for O_DIRECT write scheduling (bsc#1224785). - commit e968faa - ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() (CVE-2022-48701 bsc#1223921). - commit 6f798e9 - Update patches.suse/SUNRPC-fix-some-memleaks-in-gssx_dec_option_array.patch (git-fixes CVE-2024-27388 bsc#1223744). - Update patches.suse/s390-Once-the-discipline-is-associated-with-the-device-de.patch (bsc#1141539 git-fixes CVE-2024-27054 bsc#1223819). - Update patches.suse/scsi-qla2xxx-Fix-command-flush-on-cable-pull.patch (bsc1221816 CVE-2024-26931 bsc#1223627). - Update patches.suse/scsi-qla2xxx-Fix-double-free-of-fcport.patch (bsc1221816 CVE-2024-26929 bsc#1223715). - Update patches.suse/scsi-qla2xxx-Fix-double-free-of-the-ha-vp_map-pointe.patch (bsc1221816 CVE-2024-26930 bsc#1223626). - commit daf9a87 - Update patches.suse/SUNRPC-fix-a-memleak-in-gss_import_v2_context.patch (git-fixes CVE-2023-52653 bsc#1223712). - Update patches.suse/aio-fix-mremap-after-fork-null-deref.patch (git-fixes CVE-2023-52646 bsc#1223432). - commit 793a07e - Update patches.suse/i40e-Fix-kernel-crash-during-module-removal.patch (git-fixes CVE-2022-48688 bsc#1223953). - Update patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch (bsc#1211592 CVE-2023-2860 CVE-2022-48687 bsc#1223952). - Update patches.suse/s390-dasd-fix-Oops-in-dasd_alias_get_start_dev-due-to-missing-pavgroup (git-fixes CVE-2022-48636 bsc#1223512). - Update patches.suse/scsi-mpt3sas-Fix-use-after-free-warning.patch (git-fixes CVE-2022-48695 bsc#1223941). - Update patches.suse/scsi-qla2xxx-Fix-memory-leak-in-__qlt_24xx_handle_ab.patch (bsc#1203935 CVE-2022-48650 bsc#1223509). - commit cc68904 - Update patches.suse/net-dsa-fix-a-crash-if-get_sset_count-fails.patch (CVE-2021-47146 bsc#1221979 CVE-2021-47159 bsc#1221967). - Update patches.suse/scsi-ufs-core-Improve-SCSI-abort-handling.patch (bsc#11222671 CVE-2021-47188 bsc#1222671). - commit 5a613f4 - Fix references of patches.suse/net-dsa-fix-a-crash-if-get_sset_count-fails.patch This fix actually refers to different CVE and bug report. Fix the error. - commit b797fc2 - drm/tegra: dsi: Add missing check for of_find_device_by_node (CVE-2023-52650 bsc#1223770) - commit 52453b3 - fs: sysfs: Fix reference leak in sysfs_break_active_protection() (CVE-2024-26993 bsc#1223693) - commit d5b445d - usb: dwc2: Fix memory leak in dwc2_hcd_init. - commit b68c644 - Input: ipaq-micro-keys - add error handling for devm_kmemdup. - commit 8755dbb - Input: xpad - add PXN V900 support. - commit fbd5f3f - Input: adxl34x - do not hardcode interrupt trigger type (git-fixes). - commit 926a03d - blacklist.conf: cleanup surpressing a warning - commit 922f659 - Input: drv260x - sleep between polling GO bit (git-fixes). - commit e9e8d04 - blacklist.conf: cleanup, not a fix, no code change - commit 9cb5758 - blacklist.conf: driver not compiled - commit a3fa3df - blacklist.conf: driver not compiled - commit 9dfacec - blacklist.conf: driver not compiled - commit 1aef6fe - drm/amd/display: Add a dc_state NULL check in dc_state_release (CVE-2024-26948 bsc#1223664) - commit 04ae1fa - blacklist.conf: this patch enables features only - commit b3e7c52 - blacklist.conf: false positive - commit 88b62ef - USB: core: Fix deadlock in usb_deauthorize_interface(). - commit ab56ab9 - USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command (git-fixes). - commit f114b54 - usb: roles: don't get/set_role() when usb_role_switch is unregistered. - commit d121124 - usb: mon: Fix atomicity violation in mon_bin_vma_fault (git-fixes). - commit 0605a2c - blacklist.conf: not enabled - commit 7aaa582 - blacklist.conf: kABI - commit d241153 - drivers: usb: host: Fix deadlock in oxu_bus_suspend() (git-fixes). - commit 4bfa035 - blacklist.conf: add two fuse commits from git-fixes - commit 57c7ed8 - fuse: don't unhash root (bsc#1223954). - commit 4838661 - tun: limit printing rate when illegal packet received by tun dev (bsc#1223745 CVE-2024-27013). - net/mlx5e: Prevent deadlock while disabling aRFS (bsc#1223735 CVE-2024-27014). - nfp: flower: handle acti_netdevs allocation failure (bsc#1223827 CVE-2024-27046). - commit bb18705 - tipc: fix a possible memleak in tipc_buf_append (bsc#1221977 CVE-2021-47162). - commit 503e448 - media: usbtv: Remove useless locks in usbtv_video_free() (CVE-2024-27072 bsc#1223837). - commit 784e536 - media: dvb-frontends: avoid stack overflow warnings with clang (CVE-2024-27075 bsc#1223842). - commit 134dc5e - media: ttpci: fix two memleaks in budget_av_attach (CVE-2024-27073 bsc#1223843). - commit 13b28d2 - media: go7007: fix a memleak in go7007_load_encoder (CVE-2024-27074 bsc#1223844). - commit 54185dc - media: edia: dvbdev: fix a use-after-free (CVE-2024-27043 bsc#1223824). - commit 2732be2 - s390/mm: Fix storage key clearing for guest huge pages (git-fixes bsc#1223885). - commit cd536ee - s390/mm: Fix clearing storage keys for huge pages (git-fixes bsc#1223883). - commit a8f7fd9 - media: v4l2-tpg: fix some memleaks in tpg_alloc (CVE-2024-27078 bsc#1223781). - commit 9ec09ea - NTB: fix possible name leak in ntb_register_device() (CVE-2023-52652 bsc#1223686). - commit ca5484d - scsi: ufs: core: Improve SCSI abort handling (bsc#11222671, CVE-2021-47188). - blacklist.conf: remove 3ff1f6b - commit 9ba0cd1 - kABI workaround for cec_adapter (CVE-2024-23848 bsc#1219104). - media: cec: core: avoid recursive cec_claim_log_addrs (CVE-2024-23848 bsc#1219104). - media: cec: core: avoid confusing &quot;transmit timed out&quot; message (CVE-2024-23848 bsc#1219104). - media: cec: cec-api: add locking in cec_release() (CVE-2024-23848 bsc#1219104). - media: cec: cec-adap: always cancel work in cec_transmit_msg_fh (CVE-2024-23848 bsc#1219104). - commit 6debb18 - media: cec: abort if the current transmit was canceled (CVE-2024-23848 bsc#1219104). - commit 331f0d4 - cachefiles: fix memory leak in cachefiles_add_cache() (bsc#1222976 CVE-2024-26840). - commit 7ab2bde - net/bnx2x: Prevent access to a freed page in page_pool (bsc#1223049 CVE-2024-26859). - commit d2c8d25 - spi: spi-fsl-dspi: Fix a resource leak in an error handling path (CVE-2021-47161 bsc#1221966). - commit 86c2723 - amdkfd: use calloc instead of kzalloc to avoid integer overflow (CVE-2024-26817 bsc#1222812) - commit e67f0f8 - blacklist.conf: Append 'drm/amdgpu: fix use-after-free bug' - commit f438d4d - Update patches.suse/smb3-fix-temporary-data-corruption-in-insert-range.patch (bsc#1190317 CVE-2022-48667 bsc#1223518). - commit 91d9162 - Update patches.suse/smb3-fix-temporary-data-corruption-in-collapse-range.patch (bsc#1190317 CVE-2022-48668 bsc#1223516). - commit 10d5c12 - net: fujitsu: fix potential null-ptr-deref (bsc#1221972 CVE-2021-47149). - commit 9abeb19 - tipc: skb_linearize the head skb when reassembling msgs (bsc#1221977 CVE-2021-47162). - commit ba440f6 - net: dsa: fix a crash if -&gt;get_sset_count() fails (CVE-2021-47146 bsc#1221979). - commit 599796c - mld: fix panic in mld_newpack() (CVE-2021-47146 bsc#1221979). - commit e3d5602 - netfilter: nf_tables: disallow timeout for anonymous sets (CVE-2023-52620 bsc#1221825). - commit f690b72 - net/ipv6: avoid possible UAF in ip6_route_mpath_notify() (CVE-2024-26852 bsc#1223057) - commit 598df4c - Update patches.suse/s390-Once-the-discipline-is-associated-with-the-device-de.patch (bsc#1141539 git-fixes). - commit b8b94c0 - quota: Fix potential NULL pointer dereference (bsc#1223060 CVE-2024-26878). - commit 983d363 - do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak (bsc#1223198 CVE-2024-26901). - commit 2f53016 - blk-mq: fix IO hang from sbitmap wakeup race (bsc#1222357 CVE-2024-26671). - commit ecdc50b - ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal() (bsc#1222613 CVE-2024-26772). - commit 3d3003a - PM / devfreq: Fix buffer overflow in trans_stat_show (CVE-2023-52614 bsc#1221617). - commit ad2729f - net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink() (bsc#1223051 CVE-2024-26855). - geneve: make sure to pull inner header in geneve_rx() (bsc#1223058 CVE-2024-26857). - ppp_async: limit MRU to 64K (bsc#1222379 CVE-2024-26675). - ipvlan: Fix out-of-bound bugs caused by unset skb-&gt;mac_header (bsc#1223513 CVE-2022-48651). - commit bc8fe89 - RDMA/mlx5: Fix fortify source warning while accessing Eth segment (bsc#1223203 CVE-2024-26907) - commit 1c532b6 - regmap: prevent noinc writes from clobbering cache (bsc#1221162 CVE-2023-52488). - regmap: fix page selection for noinc writes (bsc#1221162 CVE-2023-52488). - regmap: fix page selection for noinc reads (bsc#1221162 CVE-2023-52488). - commit dc5bde0 - scripts/common-functions: cve2cvss fix CVE matching CVE-2023-4244: cvss: - version: 3.1 score: 7 vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2023-42445: cvss: - version: 3.1 score: 6.8 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H CVE-2023-4244 will mismatch. Thanks to Marcus for spotting! - commit 1e0c847 - blacklist.conf: false positive - commit 17b05a2 - usb: dwc2: check return value after calling platform_get_resource() (git-fixes). - commit 831627d - usb: dwc3: gadget: Ignore EP queue requests during bus reset (git-fixes). - commit 270950d - drm/amdgpu: validate the parameters of bo mapping operations more (CVE-2024-26922 bsc#1223315) - commit 1a7d0fd - i40e: Fix NULL ptr dereference on VSI filter sync (bsc#1222666 CVE-2021-47184). - commit 1ad3e1d - usb: gadget: Fix issue with config_ep_by_speed function (git-fixes). - commit e3f4200 - x86/boot: Ignore relocations in .notes sections in walk_relocs() too (bsc#1222624 CVE-2024-26816). - commit b878a00 - x86, relocs: Ignore relocations in .notes section (bsc#1222624 CVE-2024-26816). - commit d091560 - blacklist.conf: Add 246f80a0b17f8 (&quot;sh: push-switch: Reorder cleanup operations to avoid use-after-free bug&quot;) - commit 8e38656 - PM / devfreq: Synchronize devfreq_monitor_[start/stop] (CVE-2023-52635 bsc#1222294). - commit faf3604 - Update patches.suse/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_-2535b848.patch (bsc#1219170 CVE-2024-22099 CVE-2024-26903 bsc#1223187). - Update patches.suse/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch (bsc#1218562 CVE-2023-6270 CVE-2024-26898 bsc#1223016). - Update patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch (CVE-2024-26733 bsc#1222585 CVE-2024-26739 bsc#1222559). - Update patches.suse/sr9800-Add-check-for-usbnet_get_endpoints.patch (git-fixes CVE-2024-26651 bsc#1221337). - commit f0c3935 - Update patches.suse/msft-hv-2480-x86-hyperv-Fix-NULL-deref-in-set_hv_tscchange_cb-if-.patch (git-fixes CVE-2021-47217 bsc#1222836). - Update patches.suse/net-dpaa2-eth-fix-use-after-free-in-dpaa2_eth_remove.patch (git-fixes CVE-2021-47204 bsc#1222787). - Update patches.suse/scsi-advansys-Fix-kernel-pointer-leak.patch (git-fixes CVE-2021-47216 bsc#1222876). - Update patches.suse/scsi-lpfc-Fix-use-after-free-in-lpfc_unreg_rpi-routi.patch (bsc#1192145 CVE-2021-47198 bsc#1222883). - commit 1aa3f8e - scripts/check-kernel-fix: hide add references hint We would like to handle reference updates in batches by mass-cve tooling so prevent potential races when people add references manually. Still show this in the verbose mode though. - commit 44b9e4b - scripts/install-git-hooks: Use --git-common-dir for $GIT_DIR This option works better for the repo via git-worktree - commit 5ef3652 - bpf: Fix stackmap overflow check on 32-bit arches (bsc#1223035 CVE-2024-26883). - bpf: Fix hashtab overflow check on 32-bit arches (bsc#1223189 CVE-2024-26884). - bpf: Check for integer overflow when using roundup_pow_of_two() (bsc#1223035 CVE-2024-26883). - commit 4249641 - scripts/check-kernel-fix: add -c CVE-XXXX-YYY support Older CVEs are not tracked by VULNS_GIT so give those a chance to use the same workflow by just giving the CVE number. - commit eac99ec - scripts/check-kernel-fix: integrate suse-get-maintainers - commit fd66b07 - IB/hfi1: Fix a memleak in init_credit_return (CVE-2024-26839 bsc#1222975) - commit 1b9aeec - Refresh patches.suse/NFS-add-atomic_open-for-NFSv3-to-handle-O_TRUNC-corr.patch. Handle too-long file names. - commit d3b61d6 - scripts/check-kernel-fix: improve branch output elimination If the merge origin branch is only missing references then it doesn't make sense to report missing patch or references in the target branch as it will get all from the merge origin. - commit 5728eb5 - scripts/check-kernel-fix: improve branch output elimination ./scripts/check-kernel-fix CVE-2024-26805 661779e1fcaf (&quot;netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter&quot;) merged v6.8-rc7~26^2~35 Fixes: 1853c9496460 (&quot;netlink, mmap: transform mmap skb into full skb on taps&quot;) merged v4.3-rc3~13^2~83 Security fix for CVE-2024-26805 bsc#1222630 with CVSS 5.5 .............................. ACTION NEEDED! SLE15-SP6-RT: MANUAL: backport 661779e1fcafe1b74b3f3fe8e980c1e207fea1fd (Fixes 1853c9496460) ALP-current-RT: MANUAL: backport 661779e1fcafe1b74b3f3fe8e980c1e207fea1fd (Fixes 1853c9496460) SLE15-SP5-RT: MANUAL: backport 661779e1fcafe1b74b3f3fe8e980c1e207fea1fd (Fixes 1853c9496460) SLE12-SP3-TD: MANUAL: backport 661779e1fcafe1b74b3f3fe8e980c1e207fea1fd (Fixes 1853c9496460) Note how *RT branches are printed even though SLE15-SP6 resp SLE15-SP5 already have the fix. The current elimination logic only drops branches which are in the same state as their merge origin. mb_line processing is incorrect when that state differs. Fix that by looking up the state rather than play with sed and grep for identical output. With this patch applied [...] ACTION NEEDED! SLE12-SP3-TD: MANUAL: backport 661779e1fcafe1b74b3f3fe8e980c1e207fea1fd (Fixes 1853c9496460) - commit 2e74804 - wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled (CVE-2023-52644 bsc#1222961). - commit 411fc96 - clk: sunxi-ng: Unregister clocks/resets when unbinding (CVE-2021-47205 bsc#1222888). - commit 67523b6 - ALSA: usb-audio: fix null pointer dereference on pointer cs_desc (CVE-2021-47211 bsc#1222869). - commit a86f817 - Update patches.suse/scsi-lpfc-Fix-list_add-corruption-in-lpfc_drain_txq.patch (bsc#1190576 CVE-2021-47203 bsc#1222881). - commit 2cb2a3c - ALSA: gus: fix null pointer dereference on pointer block (CVE-2021-47207 bsc#1222790). - commit 2c3256c - wifi: mac80211: fix race condition on enabling fast-xmit (CVE-2024-26779 bsc#1222772). - commit 5e02fca - wifi: rt2x00: restart beacon queue when hardware reset (CVE-2023-52595 bsc#1221046). - commit 671852b - ceph: prevent use-after-free in encode_cap_msg() (bsc#1222503 CVE-2024-26689). - commit 09813ff - blacklist.conf: Append 'drm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'' - commit cde121c - Update patches.suse/arp-Prevent-overflow-in-arp_req_get.patch - fix build warning - commit f10c34a - kABI: regmap: Add regmap_noinc_read/write API (bsc#1221162 CVE-2023-52488). - commit fb0c9d2 - regmap: Add regmap_noinc_write API (bsc#1221162 CVE-2023-52488). - regmap: Add regmap_noinc_read API (bsc#1221162 CVE-2023-52488). - commit 60efad2 - usb: roles: fix NULL pointer issue when put module's reference (bsc#1222609 CVE-2024-26747). - commit 73af327 - serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO (bsc#1221162 CVE-2023-52488). - commit a689f3e - Refresh patches.kabi/cpufeatures-kabi-fix.patch (bsc#1222952) Don't call set_cpu_caps when calling set_cpu_bug, this causes problems with overlapping feature/bug ints. Directly call set_bit witht he correct parameters. - commit 16e52e8 - scripts/check-kernel-fix: allow explicit git fixes - scripts/common-functions: change -f from flat mode to -f fixes and use -t for the flat mode. It seems that the security team is not using the flat mode anyway so we might drop it eventually. Let's keep it to play around, it is a trivial code anyway. - f &quot;sha&quot; now allows to specify explicit Fixes commit shas which would extend existing ones. - commit 468ac9c - md/raid5: fix atomicity violation in raid5_cache_count (bsc#1219169, CVE-2024-23307). - commit c0dbc35 - ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found() (bsc#1222618 CVE-2024-26773). - commit 4110538 - thermal: Fix NULL pointer dereferences in of_thermal_ functions (CVE-2021-47202 bsc#1222878) - commit 08cf92c - md/raid5: fix atomicity violation in raid5_cache_count (bsc#1219169, CVE-2024-23307). - commit 391774d - fbdev: sis: Error out if pixclock equals zero (bsc#1222765 CVE-2024-26777) - commit 283e632 - fbdev: savage: Error out if pixclock equals zero (bsc#1222770 CVE-2024-26778) - commit c2c54cf - drm: Don't unref the same fb many times by mistake due to deadlock handling (CVE-2023-52486 bsc#1221277). - commit 5843530 - blacklist.conf: add one more PCI git-fixes - commit 7baca5d - IB/ipoib: Fix mcast list locking (CVE-2023-52587 bsc#1221082) - commit 94cde16 - RDMA/IPoIB: Fix error code return in ipoib_mcast_join (bsc#1221082) - commit 348c98c - RDMA/srp: Do not call scsi_done() from srp_abort() (CVE-2023-52515 bsc#1221048) - commit d5d3a97 - RDMA/qedr: Fix qedr_create_user_qp error flow (bsc#1222677 CVE-2024-26743) - commit c49697b - RDMA/srpt: Support specifying the srpt_service_guid parameter (bsc#1222449 CVE-2024-26744) - commit 00d0add - NFS: avoid spurious warning of lost lock that is being unlocked (bsc#1221791). - commit 63a2e3f - Update patches.suse/NFS-add-atomic_open-for-NFSv3-to-handle-O_TRUNC-corr.patch (bsc#1219847 bsc#1221862). Fix a NULL-pointer-deref bug. Make the patch closer to the patch I sent upstream. - commit 5f62723 - dm-crypt: don't modify the data when using authenticated encryption (bsc#1222720, CVE-2024-26763). - commit 3e74213 - scsi: core: Fix scsi_mode_sense() buffer length handling (bsc#1222662 CVE-2021-47182). - commit 09c6ab5 - scripts/check-kernel-fix: Do not report missing references for EB branches After discussion with Christian Hueller (EB branches maintainer) we have concluded that updating references to CVE fixes which are already in EB branches is not really adding any value so let's just not report them - commit 0fddb67 - scripts/check-kernel-fix: require both bsc and cvss for security fixes cve2bsc DB might be out of sync. This could be annoying when dealing with freshly coming CVE bugs where the bsc# is known and proposed references addition miss the bug number. Enforce both bsc and CVSS data for security bugs and allow to provide/override the bug number by -b bsc#NUMBER parameter. - commit cc2be7b - dmaengine: ti: edma: Add some null pointer checks to the edma_probe (CVE-2024-26771 bsc#1222610) - commit 01a7e9c - netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter (bsc#1222630 CVE-2024-26805). - commit ad84c88 - Update patches.suse/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_gen.patch (bsc#1222428 CVE-2024-26793 CVE-2024-26754 bsc#1222632). - commit b4d8fa6 - Update patches.suse/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch (git-fixes CVE-2021-47189 bsc#1222706). - commit d1ad6f0 - tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc (bsc#1222669 CVE-2021-47185). - commit 24cc88e - PCI: pciehp: Add pciehp_set_indicators() to set both indicators (git-fixes). - commit deaddb6 - PCI/ASPM: Reduce severity of common clock config message (git-fixes). - commit 00c0986 - PCI/ASPM: Don't warn if already in common clock mode (git-fixes). - commit 231253b - PCI/ASPM: Factor out pcie_wait_for_retrain() (git-fixes). - PCI/ASPM: Return 0 or -ETIMEDOUT from pcie_retrain_link() (git-fixes). - PCI: Rework pcie_retrain_link() wait loop (git-fixes). - commit 4a0cd5a - scripts/check-kernel-fix: bail out without CVSS score cve2cvss DB takes quite some time to sync and it is less confusing to enfore cache refresh or provide manual scoring (via -s) as that tends to be available in bugzilla most of the time. - commit bdee7f8 - Refresh patches.kabi/cpufeatures-kabi-fix.patch. - commit 70aa480 - Refresh patches.suse/x86-bhi-Add-BHI-mitigation-knob.patch. Check for bug presence with cpu_has_bug rather than cpu_has so that overlapping bug/feature bits are handled correctly - commit ec98c66 - Update patches.suse/scsi-lpfc-Fix-link-down-processing-to-address-NULL-p.patch (bsc#1192145 CVE-2021-47183 bsc#1222664). - commit b599f2b - Update patches.suse/usb-musb-tusb6010-check-return-value-after-calling-p.patch (git-fixes CVE-2021-47181 bsc#1222660). - commit a0f1eaa - scripts/common-functions: cve2sha: fix multiline output from vulns DB $ ./scripts/check-kernel-fix -s 5.5 CVE-2021-47181 failes with uknown sha for the given CVE because vulns.git cve_search returns unexpected multi-line output $ scripts/cve_search CVE-2021-47181 CVE-2021-47181 is assigned to git id 14651496a3de6807a17c310f63c894ea0c5d858e f08adf5add9a071160c68bb2a61d697f39ab0758 Filter out the first line only to handle that - commit 970f746 - tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc (bsc#1222619). - commit 94fc6e9 - PCI: Mark 3ware-9650SE Root Port Extended Tags as broken (git-fixes). - PCI/DPC: Print all TLP Prefixes, not just the first (git-fixes). - PCI/MSI: Prevent MSI hardware interrupt number truncation (git-fixes). - PCI/sysfs: Protect driver's D3cold preference from user space (git-fixes). - PCI/ASPM: Use RMW accessors for changing LNKCTL (git-fixes). - PCI: pciehp: Use RMW accessors for changing LNKCTL (git-fixes). - PCI: Make link retraining use RMW accessors for changing LNKCTL (git-fixes). - PCI: Add locking to RMW PCI Express Capability Register accessors (git-fixes). - kABI: PCI: Add locking to RMW PCI Express Capability Register accessors (kabi). - PCI: qcom: Use DWC helpers for modifying the read-only DBI registers (git-fixes). - PCI: qcom: Disable write access to read only registers for IP v2.3.3 (git-fixes). - PCI: Add function 1 DMA alias quirk for Marvell 88SE9235 (git-fixes). - PCI: pciehp: Cancel bringup sequence if card is not present (git-fixes). - PCI/ASPM: Avoid link retraining race (git-fixes). - commit 5d813c6 - arp: Prevent overflow in arp_req_get() (CVE-2024-26733 bsc#1222585). - commit 64afd8b - net/sched: act_mirred: don't override retval if we already lost the skb (CVE-2024-26733 bsc#1222585). - commit ec837ad - blacklist.conf: update blacklist - commit f1ca6cb - PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free (git-fixes). - PCI: pciehp: Fix AB-BA deadlock between reset_lock and device_lock (git-fixes). - PCI: switchtec: Return -EFAULT for copy_to_user() errors (git-fixes). - PCI: Avoid FLR for AMD FCH AHCI adapters (git-fixes). - PCI/IOV: Enlarge virtfn sysfs name buffer (git-fixes). - PCI: hotplug: Allow marking devices as disconnected during bind/unbind (git-fixes). - PCI: dwc: Add unroll iATU space support to dw_pcie_disable_atu() (git-fixes). - PCI: Add ACS quirk for Broadcom BCM5750x NICs (git-fixes). - commit 60d94f2 - PCI: endpoint: Don't stop controller when unbinding endpoint function (git-fixes). - PCI: qcom: Fix unbalanced PHY init on probe errors (git-fixes). - PCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store() (git-fixes). - PCI/PM: Power up all devices during runtime resume (git-fixes). - PCI/AER: Clear MULTI_ERR_COR/UNCOR_RCV bits (git-fixes). - PCI: aardvark: Fix setting MSI address (git-fixes). - PCI: aardvark: Fix support for MSI interrupts (git-fixes). - commit fd2813d - Refresh patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch. Add alternate ID for stable - commit 38c4e25 - Bluetooth: btqcomsmd: Fix command timeout after setting BD address (git-fixes). - commit de57587 - Bluetooth: hci_intel: Add check for platform_driver_register (git-fixes). - commit 0e58b3a - Bluetooth: btqca: Introduce HCI_EV_VENDOR and use it (git-fixes). - commit 7e74176 - Bluetooth: btqca: Fixed a coding style error (git-fixes). - commit 0f83a52 - blacklist.conf: false positive (introduced v5.14, not backported) - commit e867532 - ext4: fix double-free of blocks due to wrong extents moved_len (bsc#1222422 CVE-2024-26704). - commit da029ac - Refresh patches.suse/bpf-sockmap-Prevent-lock-inversion-deadlock-in-map-d.patch. - commit 6490813 - gtp: fix use-after-free and null-ptr-deref in gtp_newlink() (bsc#1222428 CVE-2024-26793). - gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp() (bsc#1222428 CVE-2024-26793). - commit 9c6b7d6 - scripts/git_sort/git_sort.py: Add Len Brown's kernel subtree - commit 3e92416 - nfsd: Fix error cleanup path in nfsd_rename() (bsc#1221044 CVE-2023-52591). - commit b8b869c - usb: musb: Modify the &quot;HWVers&quot; register address (git-fixes). - commit d99cd58 - blacklist.conf: This is a feature, not a fix - commit f6334d7 - sr9800: Add check for usbnet_get_endpoints (git-fixes). - commit 24ceaa4 - blacklist.conf: add unneeded PCI git-fixes - commit beed85d - Refresh patches.kabi/cpufeatures-kabi-fix.patch. Fix aliasing problems if we have an extended capability which aliases a non-extended bug bit. The fix is to always ensure that bug bits related functionality doesn't use the &quot;generic&quot; cap functionality. - commit c674af2 - Update patches.suse/KVM-s390-vsie-fix-race-during-shadow-creation.patch (git-fixes bsc#1220613 CVE-2023-52639 bsc#1222300). - Update patches.suse/netfilter-nftables-exthdr-fix-4-byte-stack-OOB-write.patch (CVE-2023-4881 bsc#1215221 CVE-2023-52628 bsc#1222117). - commit 5564fa1 - mass-cve: Case insensitive references detection Only add reference when it is new (regardless of case). - commit 9944f70 - scripts/check-kernel-fix: implement -s CVSS option - commit b759632 - scripts/check-kernel-fix: clarify no CVSS assignment - commit 3d658ea - mass-cve: Fix path to git repos Specifying only --git-dir ends up with checking out files to CWD and to under $VULNS_GIT. `git -C` should fix all various setups (worktrees or not). - commit ad32354 - nfsd: Fix error cleanup path in nfsd_rename() (git-fixes). - commit c8d258d - scripts/check-kernel-fix: Handled unknown branches more gracefully - scripts/common-functions: This doesn't happen often. Usually when branches.conf doesn't match the kernel-source.git tree because of renaming. git fetch should fix those so be more helpuful to poor users. - commit 7d296f5 - scripts/common-functions: silenc errors when forcibly removing cache files - commit f76f1c4 - x86/bhi: Mitigate KVM by default (bsc#1217339 CVE-2024-2201). - commit 7079142 - scripts/common-functions: call out upstream patches with no Fixes tag - commit 4d33f71 - x86/bhi: Add BHI mitigation knob (bsc#1217339 CVE-2024-2201). - Update config files. - commit 41d6371 - x86/bhi: Enumerate Branch History Injection (BHI) bug (bsc#1217339 CVE-2024-2201). - commit 2432a6f - x86/bhi: Define SPEC_CTRL_BHI_DIS_S (bsc#1217339 CVE-2024-2201). - commit fe53768 - x86/bhi: Add support for clearing branch history at syscall entry (bsc#1217339 CVE-2024-2201). - Refresh patches.kabi/cpufeatures-kabi-fix.patch. - commit 955ab56 - Fixup NULL ptr dereference due to mistake in backporting in patches.suse/ext2-Avoid-reading-renamed-directory-if-parent-does-.patch. - commit 55001e0 - Delete patches.suse/x86-bugs-Fix-the-SRSO-mitigation-on-Zen3-4.patch. the kernel fails to boot on x86: [ 0.048461] MDS: Vulnerable: Clear CPU buffers attempted, no microcode [ 0.048698] MMIO Stale Data: Unknown: No mitigations qemu-system-x86_64: terminating on signal 15 from pid 42034 (timeout) - commit 035c88f - x86/cpufeature: Add missing leaf enumeration (bsc#1217339 CVE-2024-2201). - commit 248bb60 - Update references - commit 1bab65d - scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan() (bsc#1219618 CVE-2024-24855). - commit 6004b44 - scripts/check-kernel-fix: document LINUX_GIT requirement - scripts/common-functions: - commit 4f88751 - media: xc4000: Fix atomicity violation in xc4000_get_frequency (git-fixes bsc#1219623 CVE-2024-24861). - commit ad0b314 - scripts/check-kernel-fix: add flat mode Talked to Robert Frohl from the security team and he exaplained that they would appreciate a mode which doesn't do any filtering because the team has to track even those products which are not required to publish fixes. -f should achieve that - commit dfb0710 - x86/bugs: Fix the SRSO mitigation on Zen3/4 (git-fixes). - commit 8032e89 - mass-cve: Hide unimportant make messages Hide data preprocessing messages, preserve messages that relate to git operations. - commit d5ea4b9 - bpf, sockmap: Prevent lock inversion deadlock in map delete elem (bsc#1209657 CVE-2023-0160). - commit 40497a8 - bpf, sockmap: Fix preempt_rt splat when using raw_spin_lock_t (git-fixes). - commit 3c6384f - bnx2x: Fix enabling network interfaces without VFs (git-fixes). - commit b60bea3 - ethernet: myri10ge: Fix missing error code in myri10ge_probe() (git-fixes). - commit 71a7d56 - bnx2x: Fix missing error code in bnx2x_iov_init_one() (git-fixes). - commit 813cb9c - net: macb: ensure the device is available before accessing GEMGXL control registers (git-fixes). - commit 1742349 - net/qla3xxx: fix schedule while atomic in ql_sem_spinlock (git-fixes). - commit 8e475cb - blacklist.conf: update blacklist - commit a7a5329 - netfilter: nf_tables: disallow anonymous set with timeout flag (CVE-2024-26642 bsc#1221830). - commit b3d18fd - netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack() (CVE-2023-7192 bsc#1218479). - commit 0774a95 - net: allwinner: Fix some resources leak in the error handling path of the probe and in the remove function (git-fixes). - commit d464181 - ethernet: ucc_geth: fix definition and size of ucc_geth_tx_global_pram (git-fixes). - commit 6895e10 - net/mlx5: Properly convey driver version to firmware (git-fixes). - commit 09bc4c8 - net: stmmac: free tx skb buffer in stmmac_resume() (git-fixes). - commit 7769206 - tun: honor IOCB_NOWAIT flag (git-fixes). - commit 1f0149b - atl1e: fix error return code in atl1e_probe() (git-fixes). - commit da6dd80 - atl1c: fix error return code in atl1c_probe() (git-fixes). - commit 56e0459 - net: atheros: switch from 'pci_' to 'dma_' API (git-fixes). - commit 47ce14b - blacklist.conf: update blacklist - commit dc2abcd - mass-cve: Fail nicely if env is not set - commit 7d0c68a - mass-cve: Invalidate cache when scanned branch is updated - commit cf71c00 - README.BRANCH: Remove copy of branch name - commit 26f4895 - usb: dwc3: core: Do not perform GCTL_CORE_SOFTRESET during bootup (bsc#1220628 CVE-2021-46941). - commit ebce255 - usb: dwc3: core: balance phy init and exit (bsc#1220628 CVE-2021-46941). - commit 8f693d2 - USB: usbfs: Don't WARN about excessively large memory allocations. - commit 8172f18 - ipv6: init the accept_queue's spinlocks in inet6_create (bsc#1221293 CVE-2024-26614). - commit 6bea6a5 - tcp: make sure init the accept_queue's spinlocks once (bsc#1221293 CVE-2024-26614). - commit 800aa0a - userfaultfd: release page in error path to avoid BUG_ON (CVE-2021-46988 bsc#1220706). - commit bcafeec - powerpc/mm: Fix null-pointer dereference in pgtable_cache_add (CVE-2023-52607 bsc#1221061). - commit af6f33a - mass-cve: Lazily pull from vulns DB git - commit cf62cc6 - mass-cve: Allow calling make -f Makefile from anywhere - commit 96ccd46 - mass-cve: Add README - commit d223050 - Update patches.suse/net-nfc-llcp-Add-lock-when-modifying-device-list.patch (git-fixes CVE-2023-52524 bsc#1220927). - Update patches.suse/net-usb-smsc75xx-Fix-uninit-value-access-in-__smsc75.patch (git-fixes CVE-2023-52528 bsc#1220843). - Update patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356 CVE-2023-52454 bsc#1220320). - Update patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch (bsc#1221044 CVE-2023-52591 CVE-2023-52590 bsc#1221088). - Update patches.suse/ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch (bsc#1212514 CVE-2023-35827 CVE-2023-52509 bsc#1220836). - Update patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch (git-fixes CVE-2023-52575 bsc#1220871). - commit 2258ead - Update patches.suse/mmc-moxart_remove-Fix-UAF.patch (bsc#1194516 CVE-2022-0487 CVE-2022-48626 bsc#1220366). - commit 10fc152 - Update patches.suse/0019-dm-rq-fix-double-free-of-blk_mq_tag_set-in-dev-remov.patch (git fixes CVE-2021-46938 bsc#1220554). - Update patches.suse/ACPI-custom_method-fix-potential-use-after-free-issu.patch (git-fixes CVE-2021-46966 bsc#1220572). - Update patches.suse/ARM-footbridge-fix-PCI-interrupt-mapping.patch (git-fixes CVE-2021-46909 bsc#1220442). - Update patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch (git-fixes CVE-2021-47104 bsc#1220960). - Update patches.suse/NFC-nci-fix-memory-leak-in-nci_allocate_device.patch (git-fixes CVE-2021-47180 bsc#1221999). - Update patches.suse/NFS-Don-t-corrupt-the-value-of-pg_bytes_written-in-n.patch (git-fixes CVE-2021-47166 bsc#1221998). - Update patches.suse/NFS-Fix-an-Oopsable-condition-in-__nfs_pageio_add_re.patch (git-fixes CVE-2021-47167 bsc#1221991). - Update patches.suse/NFS-fix-an-incorrect-limit-in-filelayout_decode_layo.patch (git-fixes CVE-2021-47168 bsc#1222002). - Update patches.suse/NFSv4-Fix-a-NULL-pointer-dereference-in-pnfs_mark_ma.patch (git-fixes CVE-2021-47179 bsc#1222001). - Update patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch (git-fixes CVE-2021-47101 bsc#1220987). - Update patches.suse/bnxt_en-Fix-RX-consumer-index-logic-in-the-error-pat.patch (git-fixes CVE-2021-47015 bsc#1220794). - Update patches.suse/btrfs-fix-race-between-transaction-aborts-and-fsyncs.patch (bsc#1186441 CVE-2021-46958 bsc#1220521). - Update patches.suse/cifs-Return-correct-error-code-from-smb2_get_enc_key.patch (git-fixes CVE-2021-46960 bsc#1220528). - Update patches.suse/crypto-qat-ADF_STATUS_PF_RUNNING-should-be-set-after.patch (git-fixes CVE-2021-47056 bsc#1220769). - Update patches.suse/cxgb4-avoid-accessing-registers-when-clearing-filter.patch (bsc#1136345 jsc#SLE-4681 CVE-2021-47138 bsc#1221934). - Update patches.suse/drm-amdgpu-Fix-a-use-after-free.patch (git-fixes CVE-2021-47142 bsc#1221952). - Update patches.suse/drm-meson-fix-shutdown-crash-when-component-not-prob.patch (git-fixes CVE-2021-47165 bsc#1221965). - Update patches.suse/ethernet-enic-Fix-a-use-after-free-bug-in-enic_hard_.patch (bsc#1113431 CVE-2021-46998 bsc#1220625). - Update patches.suse/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_spli.patch (bsc#1187408 CVE-2021-47117 bsc#1221575). - Update patches.suse/ext4-fix-memory-leak-in-ext4_fill_super.patch (bsc#1187409 CVE-2021-47119 bsc#1221608). - Update patches.suse/gve-Add-NULL-pointer-checks-when-freeing-irqs.patch (bsc#1176940 CVE-2021-47141 bsc#1221949). - Update patches.suse/i2c-i801-Don-t-generate-an-interrupt-on-bus-reset.patch (git-fixes CVE-2021-47153 bsc#1221969). - Update patches.suse/iommu-vt-d-fix-sysfs-leak-in-alloc_iommu (bsc#1189272 CVE-2021-47177 bsc#1221997). - Update patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch (git-fixes CVE-2021-47100 bsc#1220985). - Update patches.suse/kvm-destroy-i-o-bus-devices-on-unregister-failure-after_-sync-ing-srcu (CVE-2020-36312 bsc#1184509 CVE-2021-47061 bsc#1220745). - Update patches.suse/kvm-stop-looking-for-coalesced-mmio-zones-if-the-bus-is-destroyed (CVE-2020-36312 bsc#1184509 CVE-2021-47060 bsc#1220742). - Update patches.suse/md-raid1-properly-indicate-failure-when-ending-a-fai.patch (bsc#1185680 CVE-2021-46950 bsc#1220662). - Update patches.suse/misc-uss720-fix-memory-leak-in-uss720_probe.patch (git-fixes CVE-2021-47173 bsc#1221993). - Update patches.suse/msft-hv-2305-Drivers-hv-vmbus-Use-after-free-in-__vmbus_open.patch (git-fixes CVE-2021-47049 bsc#1220692). - Update patches.suse/msft-hv-2316-uio_hv_generic-Fix-a-memory-leak-in-error-handling-p.patch (git-fixes CVE-2021-47071 bsc#1220846). - Update patches.suse/msft-hv-2317-uio_hv_generic-Fix-another-memory-leak-in-error-hand.patch (git-fixes CVE-2021-47070 bsc#1220829). - Update patches.suse/mtd-require-write-permissions-for-locking-and-badblo.patch (git-fixes CVE-2021-47055 bsc#1220768). - Update patches.suse/nbd-Fix-NULL-pointer-in-flush_workqueue-79eb.patch (git-fixes CVE-2021-46981 bsc#1220611). - Update patches.suse/net-fec-fix-the-potential-memory-leak-in-fec_enet_in.patch (git-fixes CVE-2021-47150 bsc#1221973). - Update patches.suse/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch (CVE-2021-23134 bsc#1186060 CVE-2021-47068 bsc#1220739). - Update patches.suse/net-smc-remove-device-from-smcd_dev_list-after-failed-device_add (git-fixes CVE-2021-47143 bsc#1221988). - Update patches.suse/net-usb-fix-memory-leak-in-smsc75xx_bind.patch (git-fixes CVE-2021-47171 bsc#1221994). - Update patches.suse/ocfs2-fix-data-corruption-by-fallocate.patch (bsc#1187412 CVE-2021-47114 bsc#1221548). - Update patches.suse/pid-take-a-reference-when-initializing-cad_pid.patch (bsc#1114648 CVE-2021-47118 bsc#1221605). - Update patches.suse/platform-x86-dell-smbios-wmi-Fix-oops-on-rmmod-dell_.patch (git-fixes CVE-2021-47073 bsc#1220850). - Update patches.suse/powerpc-64s-Fix-crashes-when-toggling-entry-flush-ba.patch (bsc#1177666 git-fixes bsc#1186460 ltc#192531 CVE-2021-46990 bsc#1220743). - Update patches.suse/powerpc-64s-Fix-pte-update-for-kernel-memory-on-radi.patch (bsc#1055117 git-fixes CVE-2021-47034 bsc#1220687). - Update patches.suse/scsi-lpfc-Fix-null-pointer-dereference-in-lpfc_prep_.patch (bsc#1182574 CVE-2021-47045 bsc#1220640). - Update patches.suse/scsi-qla2xxx-Fix-crash-in-qla2xxx_mqueuecommand.patch (bsc#1185491 CVE-2021-46963 bsc#1220536). - Update patches.suse/scsi-qla2xxx-Reserve-extra-IRQ-vectors.patch (bsc#1185491 CVE-2021-46964 bsc#1220538). - Update patches.suse/serial-rp2-use-request_firmware-instead-of-request_f.patch (git-fixes CVE-2021-47169 bsc#1222000). - Update patches.suse/tracing-Restructure-trace_clock_global-to-never-block.patch (git-fixes CVE-2021-46939 bsc#1220580). - Update patches.suse/vsock-virtio-free-queued-packets-when-closing-socket.patch (git-fixes CVE-2021-47024 bsc#1220637). - Update patches.suse/x86-kvm-Disable-kvmclock-on-all-CPUs-on-shutdown.patch (bsc#1185308 CVE-2021-47110 bsc#1221532). - Update patches.suse/x86-kvm-Teardown-PV-features-on-boot-CPU-as-well.patch (bsc#1185308 CVE-2021-47112 bsc#1221541). - commit fa763cd - Update patches.suse/netlabel-fix-out-of-bounds-memory-accesses.patch (networking-stable-19_03_07 CVE-2019-25160 bsc#1220394). - commit cfd1daa - scripts/check-kernel-fix: print summary of the commit to check - commit b73a330 - scripts/check-kernel-fix: be more conservative when proposing branches to backport to non CVE patches If a kernel fix doesn't have any CVE assigned (e.g. a regular git-fixes candidate) then do not propose branches that have higher bar to accept changes (e.g. LTSS branches) - commit 5988064 - scripts/common-functions: sha_in_upstream: do not assume origin/HEAD points to origin/master - commit ac1161f - scripts/cve_tools/cve2metadata.sh: clarify the error message - commit b222dc5 - scripts/common-functions: sha_in_upstream refinements. - commit ef93b37 - IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests (bsc#1220445 CVE-2023-52474) - commit 71ecb14 - scripts/common-functions: for_each_build_branch: do not consider stable and slowroll branches - commit da10c28 - scripts/check-kernel-fix: Print RUN command with current references helper - commit 72f7f72 - s390/vtime: fix average steal time calculation (git-fixes bsc#1221953). - commit ccf7a1f - s390/ptrace: handle setting of fpc register correctly (CVE-2023-52598 bsc#1221060 git-fixes). - commit 0d179a3 - scripts/check-kernel-fix: refine the help message - commit 339f56a - scripts/check-kernel-fix: unify VULNS_GIT variable - scripts/common-functions: - commit 2d74673 - mass-cve: Exclude partial commits Commit references with various decorations like '(partial)' are treated conservatively, i.e. do not assume we have a functional patch. - commit 0391bef - scripts/check-kernel-fix: add support for -r (metadata refresh) - scripts/common-functions: - commit c47714a - scripts/check-kernel-fix: drop -s mode (not really useful) - commit 837a2ae - scripts/check-kernel-fix: drop -c parameter and search cve branches by default - scripts/common-functions: - commit 5031df0 - scripts/check-kernel-fix: improve help message - commit 426748a - scripts/check-kernel-fix: Make the check of CVSS affected branches more reliable Make the check of branches ignoring lower CVSS score more reliable by the checking matching also the dash. Also rename the function to make more clear what success means. - commit 9a730a8 - scripts/check-kernel-fix: Remove unused check_branch_references function It did not provide any helpful information - commit 9be7356 - wifi: ath10k: fix NULL pointer dereference in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() (bsc#1218336 CVE-2023-7042). - commit 1463c4a - scripts/cve_tools/cve2metadata.sh: s@VULNS_GIT_PATH@VULNS_GIT@ to be more in line with git tree env vars - commit e3ddb5d - scripts/check-kernel-fix: add cvss based filtering TODO GA kernels are not settled yet - commit 5ea28e0 - scripts/common-functions: cope with redirects in fetch_cache - commit 0b72687 - scripts/sequence-patch.sh: add missing template to find -exec Recent fix for space handling lacks the '{}' template in find -exec command so that this command fails and no chmod is executed. Fixes: 622d2088f344 (&quot;scripts/sequence-patch.sh: handle spaces in file names&quot;) - commit 26808f8 - x86/CPU/AMD: Update the Zenbleed microcode revisions (git-fixes). - commit 11a703b - kabi fix for pNFS: Fix the pnfs block driver's calculation of layoutget size (git-fixes). - commit 188e451 - pNFS: Fix the pnfs block driver's calculation of layoutget size (git-fixes). - NFS: Fix O_DIRECT locking issues (git-fixes). - NFS: Fix direct WRITE throughput regression (git-fixes). - commit 53dafcd - NFS: Fix an off by one in root_nfs_cat() (git-fixes). - net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr() (git-fixes). - SUNRPC: fix a memleak in gss_import_v2_context (git-fixes). - NFS: More O_DIRECT accounting fixes for error paths (git-fixes). - NFS: Fix error handling for O_DIRECT write scheduling (git-fixes). - nfs: only issue commit in DIO codepath if we have uncommitted data (git-fixes). - NFS: Fix a request reference leak in nfs_direct_write_clear_reqs() (git-fixes). - NFS: Fix O_DIRECT commit verifier handling (git-fixes). - NFS: commit errors should be fatal (git-fixes). - commit c3fe0ca - scripts/sequence-patch.sh: handle spaces in file names The &quot;find | xargs&quot; pattern without -print0 and -0 does not handle file names with spaces correctly. As there is no actual need for xargs, rewrite the line to uses &quot;find -exec&quot; instead. - commit 622d208 - scripts/check-kernel-fix: allow CVE argument - commit 9f07d91 - scripts/check-kernel-fix: simplify to only get sha argument and resolve references automagically - commit c317a1e - scripts/common-functions: implement cve2sha and sha2cve - commit d016ea0 - scripts/check-kernel-fix: Enhancements and cleanups Allow to check which branches have a given reference without passing a particular sha. Actions are not printed in this case. Show actions when &quot;sha&quot; is passed by default. Add [-q] option to do not show progress when checking state of each branch. Do not show action for a branch when the merge branch already has the patch with all references. Check each branch only once for the given sha and all references. It allowed to reduce git grep calls. Also it removed the need to merge branch states. It improved speed and simplified the logic. - commit 0278113 - Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security (bsc#1219170 CVE-2024-22099). - commit f6c10f5 - scripts/patch-tag: remove bitkeeper format handling Drop code that deals with bk-style comments and tags. The last branch to include any patch exported from bk was SLE10-SP4, and it is not likely that we will need to handle bk again in the future. - commit 1c94ff0 - scsi: qla2xxx: Update version to 10.02.09.200-k (bsc1221816). - scsi: qla2xxx: Delay I/O Abort on PCI error (bsc1221816). - scsi: qla2xxx: Change debug message during driver unload (bsc1221816). - scsi: qla2xxx: Fix double free of fcport (bsc1221816). - scsi: qla2xxx: Fix double free of the ha-&gt;vp_map pointer (bsc1221816). - scsi: qla2xxx: Fix command flush on cable pull (bsc1221816). - scsi: qla2xxx: NVME|FCP prefer flag not being honored (bsc1221816). - scsi: qla2xxx: Update manufacturer detail (bsc1221816). - scsi: qla2xxx: Split FCE|EFT trace control (bsc1221816). - scsi: qla2xxx: Fix N2N stuck connection (bsc1221816). - scsi: qla2xxx: Prevent command send on chip reset (bsc1221816). - commit 61951e8 - drm: bridge/panel: Cleanup connector on bridge detach (bsc#1220777, CVE-2021-47063) Backporting changes: - add patch at the top of panel_bridge_detach() - commit 760a99d - aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts (bsc#1218562 CVE-2023-6270). - commit 4e659c8 - scripts/common-functions: - scripts/cve_tools/cve2metadata.sh: cve2cvss do not assume consumer and do not preformat the output - commit 8a1b4cc - scripts/cve_tools/cve2metadata.sh: resolve CVE or sha into metadata Examples $ ./scripts/cve_tools/cve2metadata.sh CVE-2021-46975 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 score: 3.2 CVE-2021-46975 bsc#1220505 ./scripts/cve_tools/cve2metadata.sh CVE-2021-46907 04c4f2ee3f68c9a4bf1653d15f1a9a435ae33f7a score: unknown CVE-2021-46907 bsc#1220422 - commit 5e5b19b - scripts/common-functions: silence fetch_cache - commit dfd8093 - scripts/common-functions: implement cve-&gt;cvss - commit 4d69061 - scripts/common-functions: implement cve -&gt; bsc mapping - commit 2b5ac8e - scripts/common-functions: abstract CACHED_BRANCHES downloading we will have more cached files to use - commit 3194c25 - net: Fix features skip in for_each_netdev_feature() (git-fixes). - commit b1996ba - rename(): avoid a deadlock in the case of parents having no common ancestor (bsc#1221044 CVE-2023-52591). - commit 16f9b33 - kill lock_two_inodes() (bsc#1221044 CVE-2023-52591). - commit c8410b2 - rename(): fix the locking of subdirectories (bsc#1221044 CVE-2023-52591). - commit b34d065 - f2fs: Avoid reading renamed directory if parent does not change (bsc#1221044 CVE-2023-52591). - commit 95ecb76 - ext4: don't access the source subdirectory content on same-directory rename (bsc#1221044 CVE-2023-52591). - commit e81c5d2 - ext2: Avoid reading renamed directory if parent does not change (bsc#1221044 CVE-2023-52591). - commit 47af51c - udf_rename(): only access the child content on cross-directory rename (bsc#1221044 CVE-2023-52591). - commit 3e77e59 - ocfs2: Avoid touching renamed directory if parent does not change (bsc#1221044 CVE-2023-52591). - commit ef44829 - reiserfs: Avoid touching renamed directory if parent does not change (git-fixes bsc#1221044 CVE-2023-52591). Refresh patches.suse/reiserfs-add-check-to-detect-corrupted-directory-entry.patch Refresh patches.suse/reiserfs-don-t-panic-on-bad-directory-entries.patch - commit 304c6b9 - fs: don't assume arguments are non-NULL (bsc#1221044 CVE-2023-52591). - commit 74a158f - fs: Restrict lock_two_nondirectories() to non-directory inodes (bsc#1221044 CVE-2023-52591). - commit 2042147 - fs: ocfs2: check status values (bsc#1221044 CVE-2023-52591). - commit 24568a1 - fs: no need to check source (bsc#1221044 CVE-2023-52591). - commit 95711fd - fs: Lock moved directories (bsc#1221044 CVE-2023-52591). - commit 2b2136e - fs: Establish locking order for unrelated directories (bsc#1221044 CVE-2023-52591). - commit c49cfde - fs: introduce lock_rename_child() helper (bsc#1221044 CVE-2023-52591). - commit 84b4b7d - dwc3: switch to a global mutex (bsc#1220628 CVE-2021-46941). - commit d93342d - usb: dwc3: core: Do core softreset when switch mode (bsc#1220628 CVE-2021-46941). - blacklist.conf: needed after all for a CVE - Refresh patches.suse/USB-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch. - Refresh patches.suse/usb-dwc3-Fix-race-between-dwc3_set_mode-and-__dwc3_s.patch. - commit 7ca4d31 - Input: add bounds checking to input_set_capability() (bsc#1218220 CVE-2022-48619). - commit f42351b - NFSD: Retransmit callbacks after client reconnects (git-fixes). - NFSD: Reset cb_seq_status after NFS4ERR_DELAY (git-fixes). - SUNRPC: fix some memleaks in gssx_dec_option_array (git-fixes). - NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT (git-fixes). - SUNRPC: Fix RPC client cleaned up the freed pipefs dentries (git-fixes). - nfsd: lock_rename() needs both directories to live on the same fs (git-fixes). - pNFS/flexfiles: Check the layout validity in ff_layout_mirror_prepare_stats (git-fixes). - commit 311216b - mass-cve: Switch to cve2bugzilla database The map cve2bugzilla is not unique, add only first bug to references - commit 8b6d26b - perf/x86/lbr: Filter vsyscall addresses (bsc#1220703, CVE-2023-52476). - commit ff86f16 - mass-cve: Add processing of all known history - commit 1e9ec1d - x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set (bsc#1213456 CVE-2023-28746). - commit c5b2dec - Sort patches that are already upstream - Refresh patches.suse/Documentation-hw-vuln-Add-documentation-for-RFDS.patch. - Refresh patches.suse/KVM-x86-Export-RFDS_NO-and-RFDS_CLEAR-to-guests.patch. - Refresh patches.suse/x86-rfds-Mitigate-Register-File-Data-Sampling-RFDS.patch. - commit 031146a - mass-cve: Parametrize with branch and do commit - mass-cve: Add add-missing-reference helper - commit aba83bd - mass-cve: Add bsc# resolution - commit 3cd075a - iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs (git-fixes). - commit ea9ae09 - iommu: Check if group is NULL before remove device (git-fixes). - commit a7b6fa2 - iommu/amd: Silence warnings under memory pressure (git-fixes). - commit cdec216 - iommu/amd: Increase interrupt remapping table limit to 512 entries (git-fixes). - commit c290a72 - iommu/amd: Mark interrupt as managed (git-fixes). - commit 34b8fef - ARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook (bsc#1220751 CVE-2021-47006). - commit 605e3a7 - Refresh patches.kabi/team-Hide-new-member-header-ops.patch. Fix for kABI workaround. - commit f1bcdf5 - mass-cve: Add Makefile to process vulns.git database - commit 5a5d01b - scripts: Remove unused script gen-aseries - commit 03b8697 - scripts: Remove unused patch-report - commit fa154b6 - usb: typec: class: fix typec_altmode_put_partner to put plugs (git-fixes). - commit 4350c0c - ceph: fix deadlock or deadcode of misusing dget() (bsc#1221058 CVE-2023-52583). - commit a413cb6 - usb: hub: Guard against accesses to uninitialized BOS descriptors (bsc#1220790 CVE-2023-52477). - commit bf5af19 - Refresh patches.kabi/cpufeatures-kabi-fix.patch. (bsc#1221287) X86_FEATURE_LFENCE_RDTSC became an extended bit and was set via cpu_set_cap as opposed to setup_force_cpu_cap. So extend the infrastructure to also cover cpu_set_cap. - commit 3fcb500 - net: lan78xx: fix runtime PM count underflow on link stop (git-fixes). - commit 7281e3e - lan78xx: Fix race conditions in suspend/resume handling (git-fixes). - commit 91c55e5 - lan78xx: Fix partial packet errors on suspend/resume (git-fixes). - commit 99adbef - lan78xx: Add missing return code checks (git-fixes). - Refresh patches.suse/bsc1084332-0003-lan78xx-Enable-LEDs-and-auto-negotiation.patch. - Refresh patches.suse/lan78xx-Fix-exception-on-link-speed-change.patch. - commit 5704b69 - scripts: Add check-kernel-fix - commit 9ef3bf8 - scripts: Add commond-functions - scripts: Support log2 --no-edit option This allows &quot;unattended&quot; calls of scripts/log - commit 2516937 - lan78xx: Fix exception on link speed change (git-fixes). - commit dbfd125 - lan78xx: Fix white space and style issues (git-fixes). - commit eb3a9cf - net: usb: lan78xx: Remove lots of set but unused 'ret' variables (git-fixes). - commit 378d7a7 - net: lan78xx: remove set but not used variable 'event' (git-fixes). - commit b7f01b9 - net: lan78xx: Merge memcpy + lexx_to_cpus to get_unaligned_lexx (git-fixes). - lan78xx: Do not access skb_queue_head list pointers directly (git-fixes). - commit f2cbfb9 - net: lan78xx: Make declaration style consistent (git-fixes). - commit be1816d - net:usb: Use ARRAY_SIZE instead of calculating the array size (git-fixes). - commit 360121f - net: lan78xx: Allow for VLAN headers in timeout calcs (git-fixes). - commit d43b68c - lan78xx: Modify error messages (git-fixes). - commit afd21b5 - lan78xx: Add support to dump lan78xx registers (git-fixes). - commit c4b2e78 - lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is detected (git-fixes). - commit 3edfed0 - drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() (bsc#1220413 CVE-2023-52470). - commit f1a2e90 - drivers/amd/pm: fix a use-after-free in kv_parse_power_table (bsc#1220411 CVE-2023-52469). - commit 3357315 - group-source-files.pl: Quote filenames (boo#1221077). The kernel source now contains a file with a space in the name. Add quotes in group-source-files.pl to avoid splitting the filename. Also use -print0 / -0 when updating timestamps. - commit a005e42 - blacklist.conf: update blacklist The entries added in the commit are temporary ones so once MU is done I'll revert the commit - commit 874c87d - Update patches.suse/net-hso-fix-NULL-deref-on-disconnect-regression.patch (bsc#1220416 bsc#1220418 CVE-2021-46905 CVE-2021-46904). Added second CVE reference - commit f72c3a5 - gve: Fix skb truesize underestimation (git-fixes). - commit 983edc4 - Revert &quot;md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d&quot; (git-fixes). - commit 3ea2575 - phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP (bsc#1220340,CVE-2024-26600) - commit 20e2c08 - RDMA/rxe: Clear all QP fields if creation failed (bsc#1220863 CVE-2021-47078) - commit f8dcd39 - RDMA/rxe: Return CQE error if invalid lkey was supplied (bsc#1220860 CVE-2021-47076) - commit 3f60a4e - ACPI: extlog: fix NULL pointer dereference check (bsc#1221039 CVE-2023-52605). - commit b0968bd - scripts/git_sort/git_sort.py: Add perf-tools and perf-tools-next repos - commit 32e922e - blacklist.conf: Add d4ccd54d28d3 exit: Put an upper limit on how often we can oops and its dependant. - commit 64ce341 - KVM: s390: fix setting of fpc register (bsc#1221040 CVE-2023-52597). - commit 0f89ca1 - net: hso: fix NULL-deref on disconnect regression (bsc#1220416 CVE-2021-46904). - commit fe1eee0 - net: hso: fix null-ptr-deref during tty device unregistration (bsc#1220416 CVE-2021-46904). - commit d61504e - kernel-binary: Fix i386 build Fixes: 89eaf4cdce05 (&quot;rpm templates: Move macro definitions below buildrequires&quot;) - commit f7c6351 - net: usb: dm9601: fix wrong return value in dm9601_mdio_read (git-fixes). - commit d69a5b8 - net: nfc: llcp: Add lock when modifying device list (git-fixes). - commit b462198 - igb: clean up in all error paths when enabling SR-IOV (git-fixes). - commit 0f0e6a7 - net/sched: tcindex: search key must be 16 bits (git-fixes). - commit 190e0f5 - stmmac: fix potential division by 0 (git-fixes). - commit 40876e6 - kcm: fix strp_init() order and cleanup (git-fixes). - commit b31a598 - ipv6: fix typos in __ip6_finish_output() (git-fixes). - commit 54553b6 - kabi: team: Hide new member header_ops (bsc#1220870 CVE-2023-52574). - commit 9fab77a - blacklist.conf: update blacklist - commit 9263a68 - wcn36xx: fix RX BD rate mapping for 5GHz legacy rates (git-fixes). - commit c4e8a82 - wcn36xx: Fix discarded frames due to wrong sequence number (git-fixes). - commit 8553436 - x86/srso: Add SRSO mitigation for Hygon processors (bsc#1220735 CVE-2023-52482). - commit c7d3dd8 - Revert &quot;wcn36xx: Disable bmps when encryption is disabled&quot; (git-fixes). - commit e5924b8 - vt: fix memory overlapping when deleting chars in the buffer (bsc#1220845 CVE-2022-48627). - commit 6d7d615 - wcn36xx: Fix (QoS) null data frame bitrate/modulation (git-fixes). - commit 405ced7 - ipv6: Fix handling of LLA with VRF and sockets bound to VRF (git-fixes). - commit 519a8b2 - kcm: Call strp_stop before strp_done in kcm_attach (git-fixes). - commit b01e9bb - blacklist.conf: update blacklist - commit 347e348 - kernel-binary: vdso: fix filelist for non-usrmerged kernel Fixes: a6ad8af207e6 (&quot;rpm templates: Always define usrmerged&quot;) - commit fb3f221 - KVM: x86: Export RFDS_NO and RFDS_CLEAR to guests (bsc#1213456 CVE-2023-28746). - commit 789616b - x86/rfds: Mitigate Register File Data Sampling (RFDS) (bsc#1213456 CVE-2023-28746). - Update config files. - Refresh patches.kabi/cpufeatures-kabi-fix.patch. - commit 47b68f4 - Documentation/hw-vuln: Add documentation for RFDS (bsc#1213456 CVE-2023-28746). - commit 959a93f - NFS: add atomic_open for NFSv3 to handle O_TRUNC correctly (bsc#1219847). - commit 43a81fc - scsi: qedf: Add pointer checks in qedf_update_link_speed() (bsc#1220861 CVE-2021-47077). - commit 499d19e - Refresh patches.suse/0001-powerpc-pseries-memhp-Fix-access-beyond-end-of-drmem.patch. Refresh patch metadata and sort. - commit 15cb428 - ravb: Fix use-after-free issue in ravb_tx_timeout_work() (bsc#1212514 CVE-2023-35827). - team: fix null-ptr-deref when team device type is changed (bsc#1220870 CVE-2023-52574). - commit 36ef587 - net: mana: Fix TX CQE error handling (bsc#1220932 CVE-2023-52532). - commit d388327 - Update reference of bpf-Fix-masking-negation-logic-upon-negative-dst-reg.patch (bsc#1186484,CVE-2021-33200,bsc#1220700,CVE-2021-46974). - commit d334f65 - nfsd: Do not refuse to serve out of cache (bsc#1220957). - commit 828470f - wifi: mac80211: fix potential key use-after-free (CVE-2023-52530 bsc#1220930). - wifi: iwlwifi: mvm: Fix a memory corruption issue (CVE-2023-52531 bsc#1220931). - commit 4749167 - USB: serial: option: add Fibocom L7xx modules (git-fixes). - commit 5053dd2 - USB: serial: option: don't claim interface 4 for ZTE MF290 (git-fixes). - commit a0c4a2e - usb: storage: set 1.50 as the lower bcdDevice for older &quot;Super Top&quot; compatibility (git-fixes). - commit 680e979 - net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() (CVE-2023-52502 bsc#1220831). - commit d0dd97d - tls: fix race between tx work scheduling and socket close (CVE-2024-26585 bsc#1220187). - commit 2d824be - kabi: restore return type of dst_ops::gc() callback (CVE-2023-52340 bsc#1219295). - ipv6: remove max_size check inline with ipv4 (CVE-2023-52340 bsc#1219295). - commit dd00c24 - netfilter: nf_tables: fix 64-bit load issue in nft_byteorder_eval() (CVE-2024-0607 bsc#1218915). - netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() (CVE-2024-0607 bsc#1218915). - commit b635ad7 - Update patches.suse/sctp-use-call_rcu-to-free-endpoint.patch (CVE-2022-20154 CVE-2021-46929 bsc#1200599 bsc#1220482). - commit 23c3231 - tomoyo: fix UAF write bug in tomoyo_write_control() (bsc#1220825 CVE-2024-26622). - commit e934259 - doc/README.SUSE: Update information about module support status (jsc#PED-5759) Following the code change in SLE15-SP6 to have externally supported modules no longer taint the kernel, update the respective documentation in README.SUSE: * Describe that support status can be obtained at runtime for each module from /sys/module/$MODULE/supported and for the entire system from /sys/kernel/supported. This provides a way how to now check that the kernel has any externally supported modules loaded. * Remove a mention that externally supported modules taint the kernel, but keep the information about bit 16 (X) and add a note that it is still tracked per module and can be read from /sys/module/$MODULE/taint. This per-module information also appears in Oopses. - commit 9ed8107 - Bluetooth: hci_ll: don't call kfree_skb() under spin_lock_irqsave() (git-fixes). - commit 8e9750e - Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave() (git-fixes). - commit e3ec875 - scripts/git-commit-msg: Detect renames (hides some references changes) The following change | --- a/patches.suse/drm-amd-Stop-evicting-resources-on-APUs-in-suspend.patch | +++ b/patches.kernel.org/6.7.7-001-drm-amd-Stop-evicting-resources-on-APUs-in-susp.patch | @@ -1,12 +1,14 @@ | From: Mario Limonciello &lt;mario.limonciello@amd.com&gt; | Date: Wed, 7 Feb 2024 23:52:55 -0600 | -Subject: drm/amd: Stop evicting resources on APUs in suspend | +Subject: [PATCH] drm/amd: Stop evicting resources on APUs in suspend | MIME-Version: 1.0 | Content-Type: text/plain; charset=UTF-8 | Content-Transfer-Encoding: 8bit | +Patch-mainline: 6.7.7 | +References: bsc#1012628 https://gitlab.freedesktop.org/drm/amd/-/issues/3132 | Git-commit: 3a9626c816db901def438dc2513622e281186d39 | -Patch-mainline: 6.8-rc5 | -References: https://gitlab.freedesktop.org/drm/amd/-/issues/3132 is detected as a rename by git and scripts/log would filter the added reference. Therefore apply git's rename detection also in git-commit-msg hook to avoid having the check more strict than the generator. (After going through all of this, I realize script/log should be actually implemented via prepare-commit-msg hook.) - commit 99e1385 - scripts/git-commit-msg: Ignore empty message that cancels commit - commit 8bcca6f - locking/qrwlock: Fix ordering in queued_write_lock_slowpath() (CVE-2021-46921 bsc#1220468 bsc#1185041). - commit 9f2e845 - locking/barriers: Introduce smp_cond_load_relaxed() and atomic_cond_read_relaxed() (bsc#1220468 bsc#1050549). - commit 76b2073 - scripts/git-commit-msg: Count changed references globally, not per file Per-file counting would be too strict in requirement on commit message since it would miss source file of a possible rename. - commit 45a8c42 - Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave() (git-fixes). - commit 3114978 - Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave() (git-fixes). - commit 40c2728 - Input: appletouch - initialize work before device registration (CVE-2021-46932 bsc#1220444). - commit 02010d5 - powerpc/pseries/memhp: Fix access beyond end of drmem array (bsc#1220250,CVE-2023-52451). - commit 22d7587 - ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure (bsc#1220599 CVE-2021-46953). - commit 69d8de2 - scripts/update-symvers: Fix reading symtypes after usrmerge symytypes file is stored in /usr/lib/modules/* now. - commit cbf0ce3 - mtd: Fix gluebi NULL pointer dereference caused by ftl notifier (bsc#1220238 CVE-2023-52449). - commit a845e8b - Input: powermate - fix use-after-free in powermate_config_complete (CVE-2023-52475 bsc#1220649). - HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect (CVE-2023-52478 bsc#1220796). - commit 6daf909 - i2c: Fix a potential use after free (bsc#1220409 CVE-2019-25162). - commit 0be34df - i2c: cadence: fix reference leak when pm_runtime_get_sync fails (bsc#1220570 CVE-2020-36784). - commit 8727379 - bus: qcom: Put child node before return (CVE-2021-47054 bsc#1220767). - commit 0c0fa8d - NFC: st21nfca: Fix memory leak in device probe and remove (CVE-2021-46924 bsc#1220459). - commit 01b7814 - netfilter: nft_limit: avoid possible divide error in nft_limit_init (CVE-2021-46915 bsc#1220436). - commit 9130a3d - HID: usbhid: fix info leak in hid_submit_ctrl (CVE-2021-46906 bsc#1220421). - commit 1d243b9 - media: pvrusb2: fix use after free on context disconnection (CVE-2023-52445 bsc#1220241). - commit f8f3542 - media: dvbdev: Fix memory leak in dvb_media_device_free() (CVE-2020-36777 bsc#1220526). - commit cd311ab - apparmor: avoid crash when parsed profile name is empty (CVE-2023-52443 bsc#1220240). - commit 8387a56 - nfc: nci: fix possible NULL pointer dereference in send_acknowledge() (bsc#1219125 CVE-2023-46343). - commit 7ff1724 - md: bypass block throttle for superblock update (git-fixes). - commit e6ba7c9 - blacklist.conf: add non-backport md git-fixes commits. - commit d3c59de - tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd (bsc#1218450). - commit 4a3997c - netfilter: nftables: avoid overflows in nft_hash_buckets() (CVE-2021-46992 bsc#1220638). - commit c79b980 - netfilter: nft_set_hash: add nft_hash_buckets() (CVE-2021-46992 bsc#1220638). - commit 5542c1b - net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send (CVE-2021-47013 bsc#1220641). - commit a848ac2 - net: fec: Better handle pm_runtime_get() failing in .remove() (git-fixes). - commit 60e6dbc - net: fec: fix use-after-free in fec_drv_remove (git-fixes). - commit 192ab42 - i40e: Fix use-after-free in i40e_client_subtask() (CVE-2021-46991 bsc#1220575). - commit 27d6f39 - KVM: s390: vsie: fix race during shadow creation (git-fixes bsc#1220613). - commit a2a5381 - s390: use the correct count for __iowrite64_copy() (git-fixes bsc#1220607). - commit 0823e37 - mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path (bsc#1220344 CVE-2024-26595). - commit 71c942e - net: fec: fix clock count mis-match (git-fixes). - commit 90008dd - net: hns3: add compatible handling for MAC VLAN switch parameter configuration (git-fixes). - commit 9cbe2e0 - scripts/git-commit-msg: Skip References: check in merge commits Merging a branch may bring many new references but we don't need them in merge commit's message. Disable the check if it is triggered as part of merge commit message creation. Also make parsing more robust to references delimited with commas. - commit 5af4476 - net: phy: initialise phydev speed and duplex sanely (git-fixes). - commit 5fc404a - bnx2x: Fix PF-VF communication over multi-cos queues (git-fixes). - commit 58f28c6 - ixgbe: protect TX timestamping from API misuse (git-fixes). - commit c740900 - net: phy: dp83867: enable robust auto-mdix (git-fixes). - commit 51f918b - net: fec: add missed clk_disable_unprepare in remove (git-fixes). - commit 26193da - e1000: fix memory leaks (git-fixes). - commit 63cea05 - igb: Fix constant media auto sense switching when no cable is connected (git-fixes). - commit ecbd46c - net: hisilicon: Fix usage of uninitialized variable in function mdio_sc_cfg_reg_write() (git-fixes). - commit 467a700 - net: hns3: not allow SSU loopback while execute ethtool -t dev (git-fixes). - commit feac716 - net/mlx5e: ethtool, Avoid setting speed to 56GBASE when autoneg off (git-fixes). - commit 38e0f13 - blacklist.conf: update blacklist - commit 803afb1 - blacklist.conf: add ep93xx_eth the config option is not enabled - commit aed74c8 - blacklist.conf: add emac_rockchip the config option is not enabled - commit 27c4413 - Update metadata - commit fca1f53 - net: openvswitch: limit the number of recursions from action sets (bsc#1219835 CVE-2024-1151). - commit 9353f4f - EDAC/thunderx: Fix possible out-of-bounds string access (bsc#1220330, CVE-2023-52464) - commit a228c17 - rpm templates: Always define usrmerged usrmerged is now defined in kernel-spec-macros and not the distribution. Only check if it's defined in kernel-spec-macros, not everywhere where it's used. - commit a6ad8af - KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes). - commit 7dad6e2 - blacklist.conf: Blacklist a clang fix - commit e954d52 - net: lpc-enet: fix printk format strings (git-fixes). - commit dcd5e66 - net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq in IRQ context (git-fixes). - commit 3fddc2a - net: hisilicon: Fix dma_map_single failed on arm64 (git-fixes). - commit 65f9c53 - net: hisilicon: fix hip04-xmit never return TX_BUSY (git-fixes). - commit b56984b - net: hisilicon: make hip04_tx_reclaim non-reentrant (git-fixes). - Refresh patches.suse/net-hisilicon-Fix-ping-latency-when-deal-with-high-t.patch. - commit 1de9297 - net: sfp: add mutex to prevent concurrent state checks (git-fixes). - commit 4badb38 - blacklist.conf: update blacklist - commit eb0a485 - rpm templates: Move macro definitions below buildrequires Many of the rpm macros defined in the kernel packages depend directly or indirectly on script execution. OBS cannot execute scripts which means values of these macros cannot be used in tags that are required for OBS to see such as package name, buildrequires or buildarch. Accumulate macro definitions that are not directly expanded by mkspec below buildrequires and buildarch to make this distinction clear. - commit 89eaf4c - media: usb: dvd-usb: fix uninit-value bug in dibusb_read_eeprom_byte() (git-fixes). - commit 4772961 - media: uvcvideo: Set capability in s_param (git-fixes). - commit df9234c - media: dw2102: Fix use after free (git-fixes). - commit 6909f5e - media: dw2102: make dvb_usb_device_description structures const (git-fixes). - Refresh patches.suse/media-dw2102-Fix-memleak-on-sequence-of-probes.patch. - commit cfe8bf2 - media: dvb-usb: Add memory free on error path in dw2102_probe() (git-fixes). - Refresh patches.suse/media-dw2102-Fix-memleak-on-sequence-of-probes.patch. - commit 60bfc4d - [media] media drivers: annotate fall-through (git-fixes). - commit 550adce - rpm/check-for-config-changes: add GCC_ASM_GOTO_OUTPUT_WORKAROUND to IGNORED_CONFIGS_RE Introduced by commit 68fb3ca0e408 (&quot;update workarounds for gcc &quot;asm goto&quot; issue&quot;). - commit be1bdab - media: rc: ir-rc6-decoder: enable toggle bit for Kathrein RCU-676 remote (git-fixes). - commit 40a7cdd - media: rc: do not remove first bit if leader pulse is present (git-fixes). - commit 055036d - blacklist.conf: feature fixed hasn't been backported - commit 299071b - media: coda: reuse coda_s_fmt_vid_cap to propagate format in coda_s_fmt_vid_out (git-fixes). - commit 346be28 - media: coda: set min_buffers_needed (git-fixes). - commit 9e4f67c - media: coda: constify platform_device_id (git-fixes). - commit da6a628 - media: coda: reduce iram size to leave space for suspend to ram (git-fixes). - commit 015f50d - media: coda: explicitly request exclusive reset control (git-fixes). - commit 19dcce2 - media: coda: wake up capture queue on encoder stop after output streamoff (git-fixes). - Refresh patches.suse/media-coda-fix-last-buffer-handling-in-V4L2_ENC_CMD_.patch. - commit 4fba70d - [media] coda: simplify optional reset handling (git-fixes). - commit bc3f552 - [media] media: platform: coda: remove variable self assignment (git-fixes). - commit 6d6901a - blacklist.conf: driver not backported - commit c5ae253 - media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address (git-fixes). - commit abccca4 - media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer() (git-fixes). - commit 4716702 - media: m920x: don't use stack on USB reads (git-fixes). - commit 45368d1 - media: dw2102: Fix memleak on sequence of probes (git-fixes). - commit d5c69b6 - blacklist.conf: false positive - commit 7722626 - blacklist.conf: renames a module. direct breakage of user space - commit bf0df5d - usb: musb: dsps: Fix the probe error path (git-fixes). - commit 2f6dfb0 - usb: musb: tusb6010: check return value after calling platform_get_resource() (git-fixes). - commit 3b8e34e - usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes). - commit 9ef2688 - usb: host: fotg210: fix the actual_length of an iso packet (git-fixes). - commit bcd63df - usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes). - commit f16fc26 - compute-PATCHVERSION: Do not produce output when awk fails compute-PATCHVERSION uses awk to produce a shell script that is subsequently executed to update shell variables which are then printed as the patchversion. Some versions of awk, most notably bysybox-gawk do not understand the awk program and fail to run. This results in no script generated as output, and printing the initial values of the shell variables as the patchversion. When the awk program fails to run produce 'exit 1' as the shell script to run instead. That prevents printing the stale values, generates no output, and generates invalid rpm spec file down the line. Then the problem is flagged early and should be easier to diagnose. - commit 8ef8383 - x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (git-fixes). - commit 55e0925 - KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code (git-fixes). - commit aebeb2d - KVM: x86: synthesize CPUID leaf 0x80000021h if useful (git-fixes). - commit 9c96097 - KVM: x86: add support for CPUID leaf 0x80000021 (git-fixes). - commit 5a997a6 - x86/asm: Add _ASM_RIP() macro for x86-64 (%rip) suffix (git-fixes). - commit 54b16df - KVM: VMX: Move VERW closer to VMentry for MDS mitigation (git-fixes). - KVM: VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH (git-fixes). - x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key (git-fixes). Also add mds_user_clear to kABI severity as it's used purely for mitigation so it's low risk. - x86/entry_32: Add VERW just before userspace transition (git-fixes). - x86/entry_64: Add VERW just before userspace transition (git-fixes). - x86/bugs: Add asm helpers for executing VERW (bsc#1213456). - commit 7cd11ce - net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv (bsc#1219127 CVE-2024-23849). - commit e941df3 - USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT (bsc#1218527). - commit aaefb30 - blacklist.conf: add macsonic ethernet driver - commit 1c0cfbf - kernel-binary: Move build script to the end All other spec templates have the build script at the end, only kernel-binary has it in the middle. Align with the other templates. - commit 98cbdd0 - blacklist.conf: update blacklist - commit b541c7e - rpm templates: Aggregate subpackage descriptions While in some cases the package tags, description, scriptlets and filelist are located together in other cases they are all across the spec file. Aggregate the information related to a subpackage in one place. - commit 8eeb08c - net: bonding: debug: avoid printing debug logs when bond is not notifying peers (git-fixes). - commit f58ad69 - rpm templates: sort rpm tags The rpm tags in kernel spec files are sorted at random. Make the order of rpm tags somewhat more consistent across rpm spec templates. - commit 8875c35 - usb: typec: tcpci: clear the fault status bit (git-fixes). - commit fbeda7b - PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device (git-fixes). - commit 2012056 - Update to add CVE-2024-23851 tag, patches.suse/dm-limit-the-number-of-targets-and-parameter-size-ar.patch (bsc#1219827, bsc#1219146, CVE-2023-52429, CVE-2024-23851). - commit 7dd5c42 - blacklist.conf: cleanup of comments - commit d4049bd - blacklist.conf: documentation only - commit 3d84250 - audit: fix possible soft lockup in __audit_inode_child() (git-fixes). - commit a347e97 - blacklist.conf: not a fix but a cleanup - commit a5da3c1 - blacklist.conf: only comments cleanup - commit 2e15690 - blacklist.conf: at this time kerneldocs no longer matter - commit ed23d03 - ASN.1: Fix check for strdup() success (git-fixes). - commit 26b2327 - blacklist.conf: attributed to wrong commit id in fixes tag - commit 652fa5d - dm: limit the number of targets and parameter size area (bsc#1219827, bsc#1219146, CVE-2023-52429). - commit 3ddaf98 - scripts/PMU: Add option to skip livepatch submission Kernel resubmissions that don't involve livepatches can be done without kgraft package(s) and channel updates. - commit 8373df8 Package libzypp was updated: - applydeltaprm: Create target directory if it does not exist (bsc#1219442) - version 16.22.12 (0) Package docker was updated: [NOTE: This update was only ever released in SLES and Leap.]- Update to Docker 25.0.5-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/25.0/#2505&gt; bsc#1223409 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-docs-include-required-tools-in-source-tree.patch - Remove upstreamed patches: - 0007-daemon-overlay2-remove-world-writable-permission-fro.patch - Update --add-runtime to point to correct binary path. [NOTE: This update was only ever released in SLES and Leap.] - Add patch to fix bsc#1220339 * 0007-daemon-overlay2-remove-world-writable-permission-fro.patch - rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch - Allow to disable apparmor support (ALP supports only SELinux) - Update to Docker 25.0.3-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/25.0/#2503&gt; - Fixes: * bsc#1219267 - CVE-2024-23651 * bsc#1219268 - CVE-2024-23652 * bsc#1219438 - CVE-2024-23653 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-docs-include-required-tools-in-source-tree.patch - Remove upstreamed patches: - 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch Package systemd was updated: - Import commit 15ca9f01c18a8037bf26b1a85fee344c65944268 eedf77456d util: improve comments why we ignore EACCES and EPERM 2018a0d492 util: bind_remount_recursive_with_mountinfo(): ignore submounts which cannot be accessed 4c98cb57e2 namespace: don't fail on masked mounts (#3794) (bsc#1220285) 7dd5e84ab6 man: Document ranges for distributions config files and local config files 7282534592 Recommend drop-ins over modifications to the main config file 29e632c34a man: reword the description of &quot;main conf file&quot; e903f529e8 man: rework section about configuration file precedence 4438e1be12 man: document paths under /usr/local in standard-conf.xml Package nghttp2 was updated: - security update- added patches fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks + nghttp2-CVE-2024-28182-1.patch fix CVE-2024-28182-2 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks + nghttp2-CVE-2024-28182-2.patch Package krb5 was updated: - Fix warning executing %postun scriptlet; (bsc#1223122); - Fix memory leaks, add patch 0015-Fix-two-unlikely-memory-leaks.patch * CVE-2024-26458, bsc#1220770 * CVE-2024-26461, bsc#1220771 - Update to krb5 1.16.3 (jsc#PED-7884). Most relevant changes: * Remove the triple-DES and RC4 encryption types from the default value of supported_enctypes, which determines the default key and salt types for new password-derived keys. By default, keys will only created only for AES128 and AES256. This mitigates some types of password guessing attacks. * Add support for the AES-SHA2 enctypes, which allows sites to conform to Suite B crypto requirements. - Removed patches, useless or upstreamed * krb5-1.10-kpasswd_tcp.patch * krb5-1.7-doublelog.patch * krb5-1.9-kprop-mktemp.patch * krb5-1.10-ksu-access.patch * krb5-kvno-230379.patch * krb5-1.12-doxygen.patch * bnc#897874-CVE-2014-5351.diff * krb5-1.13-work-around-replay-cache-creation-race.patch * 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch * 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch * 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch * 0109-Preserve-GSS-context-on-init-accept-failure.patch * 0115-Remove-incorrect-KDC-assertion.patch * 0116-Implement-GSS_KRB5_CRED_NO_CI_FLAGS_X-cred-option.patch * 0117-Add-tests-for-GSS_KRB5_CRED_NO_CI_FLAGS_X.patch * 0118-Implement-GSS_KRB5_CRED_NO_CI_FLAGS_X-for-SPNEGO.patch * 0119-Load-mechglue-config-files-from-etc-gss-mech.d.patch * 0120-Document-etc-gss-mech.d-.conf.patch * 0121-Fix-impersonate_name-to-work-with-interposers.patch * 0122-Use-preauth-options-when-changing-password.patch * 0123-Improve-extended-gic-option-support.patch * 0124-Use-responder-for-non-preauth-AS-requests.patch - New patches: * 0011-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch * Fix KDC null pointer dereference via a FAST inner body that lacks a server field; (CVE-2021-37750); (bsc#1189929); 0012-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch - Renamed patches: * Patch krb5-1.12-pam.patch -&gt; 0001-krb5-1.12-pam.patch * Patch krb5-1.9-manpaths.dif -&gt; 0002-krb5-1.9-manpaths.patch * Patch krb5-1.12-buildconf.patch -&gt; 0003-krb5-1.12-buildconf.patch * Patch krb5-1.6.3-gssapi_improve_errormessages.dif -&gt; 0004-krb5-1.6.3-gssapi_improve_errormessages.patch * Patch krb5-1.6.3-ktutil-manpage.dif -&gt; 0005-krb5-1.6.3-ktutil-manpage.patch * Patch krb5-1.12-api.patch -&gt; 0006-krb5-1.12-api.patch * Patch krb5-1.12-ksu-path.patch -&gt; 0007-krb5-1.12-ksu-path.patch * Patch krb5-1.12-selinux-label.patch -&gt; 0008-krb5-1.12-selinux-label.patch * Patch krb5-1.9-debuginfo.patch -&gt; 0009-krb5-1.9-debuginfo.patch * Patch 0125-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch -&gt; 0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch * Patch 0126-Fix-integer-overflows-in-PAC-parsing.patch -&gt; 0013-Fix-integer-overflows-in-PAC-parsing.patch * Patch 0127-Ensure-array-count-consistency-in-kadm5-RPC.patch -&gt; 0014-Ensure-array-count-consistency-in-kadm5-RPC.patch Package python36 was updated: - Add bpo38361-syslog-no-slash-ident.patch (bsc#1222109, gh#python/cpython!16557) fixes syslog making default &quot;ident&quot; from sys.argv[0]. - Update CVE-2023-52425-libexpat-2.6.0-backport.patch so that it uses features sniffing, not just comparing version number (bsc#1220664, bsc#1219559, bsc#1221563, bsc#1222075). - Remove support-expat-CVE-2022-25236-patched.patch, which was the previous name of this patch. - Add CVE-2023-52425-remove-reparse_deferral-tests.patch skipping failing tests. - Refresh patches: - CVE-2023-27043-email-parsing-errors.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch - bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the &quot;quoted-overlap&quot; zipbomb (from gh#python/cpython!110016). - Add bh42369-thread-safety-zipfile-SharedFile.patch (from gh#python/cpython!26974) required by the previous patch. - Add expat-260-test_xml_etree-reparse-deferral.patch to make the interpreter work with patched libexpat in our distros. - Move all patches from locally sourced to the branch opensuse-3.6 branch at GitHub repo, and move all metadata to commits themselves (readable in the headers of each patch). - Add bpo-41675-modernize-siginterrupt.patch to make Python build cleanly even on more recent SPs of SLE-15 (gh#python/cpython#85841). - Remove patches: - bpo36263-Fix_hashlib_scrypt.patch - fix against bug in OpenSSL fixed in 1.1.1c (gh#openssl/openssl!8483), so this patch is redundant on all SUSE-supported distros - python-3.3.0b1-test-posix_fadvise.patch - protection against the kernel issues which has been fixed in gh#torvalds/linux@3d3727cdb07f, which has been included in all our kernels more recent than SLE-11. - python-3.3.3-skip-distutils-test_sysconfig_module.patch - skips a test, which should be relevant only for testing on Mac OS X systems with universal builds. I have no valid record, that this test would be ever problematic on Linux. - bpo-36576-skip_tests_for_OpenSSL-111.patch, which was included already in Python 3.5. - (bsc#1219666, CVE-2023-6597) Add CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from gh#python/cpython!99930) fixing symlink bug in cleanup of tempfile.TemporaryDirectory. - Merge together bpo-36576-skip_tests_for_OpenSSL-111.patch into skip_SSL_tests.patch, and make them include all conditionals. Package _product:sle-sdk-release was updated: Package less was updated: - Fix CVE-2024-32487, mishandling of \n character in paths when LESSOPEN is set leads to OS command execution (CVE-2024-32487, bsc#1222849) * CVE-2024-32487.patch - Fix CVE-2022-48624, LESSCLOSE handling in less does not quote shell metacharacters, bsc#1219901 * CVE-2022-48624.patch Package python-base was updated: - bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the &quot;quoted-overlap&quot; zipbomb (from gh#python/cpython!110016). - Switch to using the system libexpat (bsc#1219559, CVE-2023-52425) - Make sure to remove all embedded versions of other packages (including expat). - Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch removing failing test fixing bpo#3151, which we just not support. - Remove patches over those embedded packages (cffi): - python-2.7-libffi-aarch64.patch - sparc_longdouble.patch - Modify CVE-2023-27043-email-parsing-errors.patch to fix the unicode string handling in email.utils.parseaddr() (bsc#1222537). - Revert CVE-2022-48560-after-free-heappushpop.patch, the fix was unneeded. - Switch off tests. ONLY FOR FACTORY!!! (bsc#1219306) - Build with -std=gnu89 to build correctly with gcc14, bsc#1220970 Package python-typing was updated: - Update to 3.10.0.0 * Implement TypeGuard (PEP 649) * backport ParamSpecArgs/Kwargs * Fixed required/optional keys with old-style TypedDict * Bring in protocol’s __init__ behaviour same like in python &gt; 3.8 * Support PEP 612 in typing_extensions (Python 3) * Also run python 3.9 in CI * Add OrderedDict to typing_extensions * Only allow installing this package for Python 2.7 and 3.4 * Document availability of Annotated * Update test_typing_extensions.py * Apply get_args fix from bpo-40398 to typing_extensions * Fix tests failing with 3.10.0a2+ * Fix stray close paren * Update README * Disable 3.5.1 build -- can't install psutils needed by pytest-xdist * Bump typing_extensions version to 3.7.4.3 * Remove extra 'use' in readme - from version 3.7.4.3 * Revert last two changes; bump version to 3.7.4.3 - from version 3.7.4.2 * Disallow installation on 3.5+ * Add tox.ini for typing_extensions * Add PEP 613 TypeAlias to typing_extensions * Make tests for Annotated work with Python 3.9 * Remove Python 3.3 from tox.ini * Fix flake8 failure by using Python 3.8 * Add SupportsIndex, added in Python 3.8 * Update package metadata * Bump typing_extensions version to 3.7.4.2 * Fix ForwardRef hash and equality checks * Fix required and optional keys inheritance for TypedDict * Replace asyncio.coroutine with async-await * Reuse stdlib PEP 593 implementation in typing_extensions if present * Add .vscode and .egg-info to gitignore * Backport get_origin() and get_args() * Add clarification to package description * Track optional TypdeDict keys * Accept arbitrary keyword names in NamedTuple() and TypedDict() * Bump typing_extensions version * Add missing objects in typing_extensions/README.rst - from version 3.7.4.1 * Fix isinstance() with generic protocol subclasses after subscripting * Try fixing Travis build + fix tests for non-default interpreters * Use environment marker to specify typing dependency * Fix unions of protocols on Python 2 * Bump typing_extensions version and typing dependency version - from version 3.7.4 * Fix subclassing builtin protocols on older Python versions * Move Protocol, runtime_checkable, Final, final, Literal, and TypedDict to typing * Add support for Python 3.8 in typing_extensions * Unify the implementation of annotated in src_py2 and src_py3 * Add Annotated in python2 * Pep 593 py3 * Drop support of Python 3.3 * [typing-extensions] Simple implementation for IntVar * Add a python 3.7+ version of Annotated to typing_extensions * Add SupportsIndex * Add TypedDict to typing_extensions * .travis.yml: The 'sudo' tag is now deprecated in Travis CI * Add Final to the README * Run the tests using the current Python executable * Fix GeneralMeta.__instancecheck__() for old style classes * Bump typing_extensions version * Add Literal[...] types to typing_extensions * Fix instance/subclass checks of functions against runtime protocols * Bump typing_extension version * Improve PyPI entry for typing_extensions * Add Final to typing_extensions - from version 3.6.6 * Include license file for typing-extensions and in wheels * Fix IO.closed to be property * Backport Generic.__new__ fix * Bump typing_extensions version before release * Add missing 'NoReturn' to __all__ in typing.py * Add annotations to NamedTuple children __new__ constructors * Fix typing_extensions to support PEP 560 * Fix for issue #524 * Pass *args and **kwargs to superclass in Generic.__new__ - Rename README.rst to README.md in %doc section Package google-guest-configs was updated: - Update to version 20240307.00 (bsc#1221146, bsc#1221900, bsc#1221901) * Support dot in NVMe device ids (#68) - from version 20240304.00 * google_set_hostname: Extract rsyslog service name with a regexp for valid systemd unit names (#67) - from version 20240228.00 * Remove quintonamore from OWNERS (#64) - from version 20240119.00 * Setup smp affinity for IRQs and XPS on A3+ VMs (#63) - Update to version 20231214.00 * set multiqueue: A3 check set timeout the MDS call in 1s (#62) - from version 20231103.00 * Update owners (#61) * Update owners (#58) - Update to version 20230929.00 * Update multinic filter to pick only pci devices (#59) Package openssh was updated: - also remember the active state of the service, so openssh8.4 can pick it up. bsc#1220110 - handle these when we do go from openssh8.4-server back to openssh Package lifecycle-data-sle-module-toolchain was updated: - Added expiration data for GCC 12 yearly update for the Toolchain/Development modules. (bsc#1221352) Package util-linux-systemd was updated: - Properly neutralize escape sequences in wall (util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085, and its prerequisites: util-linux-fputs_careful1.patch, util-linux-wall-migrate-to-memstream.patch util-linux-fputs_careful2.patch). Package cpio was updated: - Fix cpio not working after the fix in bsc#1218571, fixes bsc#1219238 * fix-bsc1219238.patch Package nfs-utils was updated: - Add 0208-mountd-add-support-for-case-insensitive-file-names.patch Fix for bsc#1221774 - support case-insensivtive file names Package python3 was updated: - bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the &quot;quoted-overlap&quot; zipbomb (from gh#python/cpython!110016). - Add CVE-2023-52425-libexpat-2.6.0-backport.patch fixing etree XMLPullParser tests for Expat &gt;=2.6.0 with reparse deferral (fixing CVE-2023-52425 or bsc#1219559). Package curl was updated: - Security fix: [bsc#1221665, CVE-2024-2004] * Usage of disabled protocol * Add curl-CVE-2024-2004.patch - Security fix: [bsc#1221667, CVE-2024-2398] * curl: HTTP/2 push headers memory-leak * Add curl-CVE-2024-2398.patch Package google-guest-agent was updated: - Update to version 20240314.00 (bsc#1221900, bsc#1221901) * NetworkManager: only set secondary interfaces as up (#378) * address manager: make sure we check for oldMetadata (#375) * network: early setup network (#374) * NetworkManager: fix ipv6 and ipv4 mode attribute (#373) * Network Manager: make sure we clean up ifcfg files (#371) * metadata script runner: fix script download (#370) * oslogin: avoid adding extra empty line at the end of /etc/security/group.conf (#369) * Dynamic vlan (#361) * Check for nil response (#366) * Create NetworkManager implementation (#362) * Skip interface manager on Windows (#363) * network: remove ignore setup (#360) * Create wicked network service implementation and its respective unit (#356) * Update metadata script runner, add tests (#357) * Refactor guest-agent to use common retry util (#355) * Flush logs before exiting #358 (#359) - Refresh patches for new version * dont_overwrite_ifcfg.patch - No need for double %setup. - Use %patch -P N instead of deprecated %patchN. - Update to version 20240213.00 * Create systemd-networkd unit tests (#354) - from version 20240209.00 * Update network manager unit tests (#351) - from version 20240207.02 * Implement retry util (#350) - from version 20240207.01 * Refactor utils package to not dump everything unrelated into one file (#352) - from version 20240207.00 * Set version on metadata script runner (#353) * Implement cleanup of deprecated configuration directives (#348) * Ignore DHCP offered routes only for secondary nics (#347) * Deprecate DHClient in favor of systemd-networkd (#342) * Generate windows and linux licenses (#346) - from version 20240122.00 * Remove quintonamore from OWNERS (#345) - from version 20240111.00 * Delete integration tests (#343) - from version 20240109.00 * Update licenses with dependencies of go-winio (#339) * Add github.com/Microsoft/go-winio to third party licensing (#337) - Add explicit versioned dependency on google-guest-oslogin (bsc#1219642) - Refresh patches for new version * dont_overwrite_ifcfg.patch - Update to version 20231214.00 * Fix snapshot test failure (#336) - from version 20231212.00 * Implement json-based command messaging system for guest-agent (#326) - from version 20231118.00 * sshca: Remove certificate caching (#334) - from version 20231115.00 * revert: 3ddd9d4a496f7a9c591ded58c3f541fd9cc7e317 (#333) * Update script runner to use common cfg package (#331) - Update to version 20231110.00 * Update Google UEFI variable (#329) * Update owners (#328) - from version 20231103.00 * Make config parsing order consistent (#327) - Update to version 20231031.01 (bsc#1216547, bsc#1216751) * Add prefix to scheduler logs (#325) - from version 20231030.00 * Test configuration files are loaded in the documented order. Fix initial integration test. (#324) * Enable mTLS by default (#323) - from version 20231026.00 * Rotate MDS root certificate (#322) - from version 20231020.00 * Update response struct, add tests (#315) * Don't try to schedule mTLS job twice (#317) - from version 20231019.00 * snapshot: Add context cancellation handling (#318) - Bump the golang compiler version to 1.21 (bsc#1216546) - Update to version 20231016.00 * instance setup: trust/rely on metadata package's retry (#316) - from version 20231013.01 * Update known cert dirs for updaters (#314) - from version 20231011.00 * Verify cert refresher is enabled before running (#312) - from version 20231009.00 * Add support for the SSH key options (#296) - from version 20231006.01 * Events interface improvement (#290) - from version 20231006.00 * Refactor script runner to use common metadata package (#311) * Schedule MTLS job before notifying systemd (#310) * Refactor authorized keys to use metadata package (#300) - from version 20231005.00 * docs update: add configuration and event manager's docs. (#309) - from version 20231004.01 * Fix license header (#301) * packaging(deb): add epoch to oslogin dep declaration (#308) - from version 20231004.00 * packaging(deb): ignore suffix of version (#306) * packaging: force epoch and ignore suffix of version (#305) - from version 20231003.01 * oslogin: declare explicitly dependency (#304) * oslogin: remove Unstable.pamless_auth_stack feature flag (#303) - from version 20231003.00 * oslogin: resort ssh configuration keys (#299) - from version 20230925.00 * oslogin: introduce a feature flag to cert auth (#298) - from version 20230923.00 * gitignore: unify ignore in the root dir (#297) - from version 20230921.01 * managers: we accidentally disabled addressMgr, bring it back (#295) * cfg: fix typos (#294) * cfg: config typos (#293) * cfg: introduce a configuration management package (#288) - from version 20230921.00 * mtls: bring it back (#292) - from version 20230920.01 * Fix permissions on file created by SaferWriteFile() (#291) - from version 20230920.00 * sshca: re-enable the event watcher &amp; handler (#289) - from version 20230919.01 * oslogin: add PAMless Authorization Stack configuration (#285) - from version 20230919.00 * Preparing it for review (#287) * sshca: make sure to restore SELinux context of the pipe (#286) * remove deprecated usage, fix warnings (#282) * Update system store (#278) * Update workload certificate endpoints, use metadata package (#275) * metadata: use url package to form metadata URLs (#284) - from version 20230913.00 * release prep: disable ssh trusted ca module (#281) - from version 20230912.00 * New Guest Agent Release (#280) - from version 20230909.00 * Revert &quot;service: remove the use of the service library (#273)&quot; (#276) * service: remove the use of the service library (#273) - from version 20230906.01 * Store keys to machine keyset (#272) - from version 20230905.00 * restorecon: first try to determine if it's installed (#271) * run: change all commands to use CommandContext (#268) * Notify systemd after scheduling required jobs (#270) * Store certs in ProgramData instead of Program Files (#269) * metadata watcher: remove local retry &amp; implement unit tests (#267) * run: split command running utilities into its own package (#265) - Update to version 20230828.00 * snapshot: Use main context rather than create its own (#266) - from version 20230825.01 * Verify if cert was successfully added to certpool (#264) - from version 20230825.00 * Find previous cert for cleanup using one stored on disk (#263) - from version 20230823.00 * Revert &quot;sshtrustedca: configure selinux context for sshtrustedca pipe (#256)&quot; (#262) * Update credentials directory on Linux (#260) - from version 20230821.00 * Update owners (#261) - from version 20230819.00 * Revert &quot;guest-agent: prepare for public release (#258)&quot; (#259) - from version 20230817.00 * guest-agent: prepare for public release (#258) - from version 20230816.01 * Enable telemetry collection by default (#253) - from version 20230816.00 * Add pkcs12 license and update retry logic (#257) * sshtrustedca: Configure selinux context for sshtrustedca pipe (#256) * Store windows certs in certstore (#255) * events: Multiplex event watchers (#250) * Scheduler fixes (#254) * Update license files (#251) * Run telemetry every 24 hours, record pretty name on linux (#248) - Update to version 20230811.00 * sshca: move the event handler to its own package (#247) - from version 20230809.02 * Move scheduler package to google_guest_agent (#249) - from version 20230809.01 * Add scheduler utility to run jobs at interval (#244) - from version 20230809.00 * sshca: transform the format from json to openssh (#246) - from version 20230803.00 * Add support for reading UEFI variables on windows (#243) - from version 20230801.03 * sshtrustedca watcher: fix concurrency error (#242) - from version 20230801.02 * metadata: add a delta between http client timeout and hang (#241) - from version 20230801.00 * metadata: properly set request config (#240) * main: bring back the mds client initialization (#239) * metadata: don't try to use metadata before agentInit() is done (#238) * Add (disabled) telemetry logic to GuestAgent (#219) * metadata event handler: updates and bug fixes (#235) * Verify client credentials are signed by root CA before writing on disk (#236) * metadata: properly handle context cancelation (#234) * metadata: fix context cancelation error check (#233) * metadata: remove the sleep around metadata in instance setup (#232) * metadata: implement backoff strategy (#231) * Decrypt and store client credentials on disk (#230) * Upgrade Go version 1.20 (#228) * Fetch guest credentials and add MDS response proto (#226) * metadata: pass main context to WriteGuestAttributes() (#227) * Support for reading &amp; writing Root CA cert from UEFI variable (#225) * ssh_trusted_ca: enable the feature (#224) * sshTrustedCA: add pipe event handler (#222) * events: start using events layer (#223) - from version 20230726.00 * events: introducing a events handling subsystem (#221) - from version 20230725.00 * metadata: add metadata client interface (#220) - from version 20230711.00 * metadata: moving to its own package (#218) - from version 20230707.00 * snapshot: fix request handling error (#217) - Bump Go API version to 1.20 Package cloud-netconfig was updated: - Update to version 1.14 + Use '-s' instead of '--no-progress-meter' for curl (bsc#1221757) - Add version settings to Provides/Obsoletes - Update to version 1.12 (bsc#1221202) + If token access succeeds using IPv4 do not use the IPv6 endpoint only use the IPv6 IMDS endpoint if IPv4 access fails. - Add Provides/Obsoletes for dropped cloud-netconfig-nm - Install dispatcher script into /etc/NetworkManager/dispatcher.d on older distributions - Add BuildReqires: NetworkManager to avoid owning dispatcher.d parent directory - Update to version 1.11: + Revert address metadata lookup in GCE to local lookup (bsc#1219454) + Fix hang on warning log messages + Check whether getting IPv4 addresses from metadata failed and abort if true + Only delete policy rules if they exist + Skip adding/removing IPv4 ranges if metdata lookup failed + Improve error handling and logging in Azure + Set SCRIPTDIR when installing netconfig wrapper - Update to version 1.10: + Drop cloud-netconfig-nm sub package and include NM dispatcher script in main packages (bsc#1219007) + Spec file cleanup - Update to version 1.9: + Drop package dependency on sysconfig-netconfig + Improve log level handling + Support IPv6 IMDS endpoint in EC2 (bsc#1218069) Package wicked was updated: - client: fix ifreload to pull UP ports/links again when the config of their master/lower changed (bsc#1224100,gh#openSUSE/wicked#1014). [+ 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch] - Update to version 0.6.75: - cleanup: fix ni_fsm_state_t enum-int-mismatch warnings - cleanup: fix overflow warnings in a socket testcase on i586 - ifcheck: report new and deleted configs as changed (bsc#1218926) - man: improve ARP configuration options in the wicked-config.5 - bond: add ports when master is UP to avoid port MTU revert (bsc#1219108) - cleanup: fix interface dependencies and shutdown order (bsc#1205604) - Remove port arrays from bond,team,bridge,ovs-bridge (redundant) and consistently use config and state info attached to the port interface as in rtnetlink(7). - Cleanup ifcfg parsing, schema configuration and service properties - Migrate ports in xml config and policies already applied in nanny - Remove &quot;missed config&quot; generation from finite state machine, which is completed while parsing the config or while xml config migration. - Issue a warning when &quot;lower&quot; interface (e.g. eth0) config is missed while parsing config depending on it (e.g. eth0.42 vlan). - Resolve ovs master to the effective bridge in config and wickedd - Implement netif-check-state require checks using system relations from wickedd/kernel instead of config relations for ifdown and add linkDown and deleteDevice checks to all master and lower references. - Add a `wicked &lt;ifup|ifdown|ifreload&gt; --dry-run …` option to show the system/config interface hierarchies as notice with +/- marked interfaces to setup and/or shutdown. - Removed patches included in the source archive: [- 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch] [- 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch] [- 0003-move-all-attribute-definitions-to-compiler-h.patch] [- 0004-hide-secrets-in-debug-log-bsc-1221194.patch] [- 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch] - client: do not convert sec to msec twice (bsc#1222105) [+ 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch] - addrconf: fix fallback-lease drop (bsc#1220996) [+ 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch] - extensions/nbft: use upstream `nvme nbft show` (bsc#1221358) [+ 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch] - hide secrets in debug log (bsc#1221194) [+ 0003-move-all-attribute-definitions-to-compiler-h.patch] [+ 0004-hide-secrets-in-debug-log-bsc-1221194.patch] - update to version 0.6.74 + team: add new options like link_watch_policy (jsc#PED-7183) + Fix memory leaks in dbus variant destroy and fsm free (gh#openSUSE/wicked#1001) + xpath: allow underscore in node identifier (gh#openSUSE/wicked#999) + vxlan: don't format unknown rtnl attrs (bsc#1219751) - removed patches included in the source archive: [- 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch] [- 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch] [- 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch] [- 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch] [- 0005-duid-fix-comment-for-v6time.patch] [- 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch] [- 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch] [- 0002-system-updater-Parse-updater-format-from-XML-configu.patch] [- 0001-fix_arp_notify_loop_and_burst_sending.patch] - ifreload: VLAN changes require device deletion (bsc#1218927) [+ 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch] - ifcheck: fix config changed check (bsc#1218926) [+ 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch] - client: fix exit code for no-carrier status (bsc#1219265) [+ 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch] - dhcp6: omit the SO_REUSEPORT option (bsc#1215692) [+ 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch] - duid: fix comment for v6time (https://github.com/openSUSE/wicked/pull/989) [+ 0005-duid-fix-comment-for-v6time.patch] - rtnl: fix peer address parsing for non ptp-interfaces (https://github.com/openSUSE/wicked/pull/987, https://github.com/openSUSE/wicked/pull/988) [+ 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch] [+ 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch] - system-updater: Parse updater format from XML configuration to ensure install calls can run. (https://github.com/openSUSE/wicked/pull/985) [+ 0002-system-updater-Parse-updater-format-from-XML-configu.patch] Package _product:SLES-release was updated: Package sudo was updated: - Fix NOPASSWD issue introduced by patches for CVE-2023-42465 [bsc#1221151, bsc#1221134] * Update sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch * Enable running regression selftests during build time. Package avahi was updated: - Add avahi-CVE-2023-38472.patch: Fix reachable assertion in avahi_rdata_parse (bsc#1216853, CVE-2023-38472). - Add avahi-CVE-2023-38470.patch: Ensure each label is at least one byte long (bsc#1215947, CVE-2023-38470). - Add avahi-CVE-2023-38471.patch: Extract host name usin avahi_unescape_label (bsc#1216594, CVE-2023-38471). - Add avahi-CVE-2023-38469.patch: Reject overly long TXT resource records (bsc#1216598, CVE-2023-38469). Package python was updated: - bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the &quot;quoted-overlap&quot; zipbomb (from gh#python/cpython!110016). - Switch to using the system libexpat (bsc#1219559, CVE-2023-52425) - Make sure to remove all embedded versions of other packages (including expat). - Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch removing failing test fixing bpo#3151, which we just not support. - Remove patches over those embedded packages (cffi): - python-2.7-libffi-aarch64.patch - sparc_longdouble.patch - Modify CVE-2023-27043-email-parsing-errors.patch to fix the unicode string handling in email.utils.parseaddr() (bsc#1222537). - Revert CVE-2022-48560-after-free-heappushpop.patch, the fix was unneeded. - Switch off tests. ONLY FOR FACTORY!!! (bsc#1219306) - Build with -std=gnu89 to build correctly with gcc14, bsc#1220970 Package regionServiceClientConfigGCE was updated: - Update to version 4.1.0 + Replace 162.222.182.90 and 35.187.193.56 (length 4096): rgnsrv-gce-asia-northeast1 -&gt; 162.222.182.90 expires in 9 years rgnsrv-gce-us-central1 -&gt; 35.187.193.56 expires in 10 years Package bind was updated: - Security Fixes: * Validating DNS messages containing a lot of DNSSEC signatures could cause excessive CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50387) [bsc#1219823, bind-CVE-2023-50387-CVE-2023-50868.patch] * Preparing an NSEC3 closest encloser proof could cause excessiv CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50868) [bsc#1219826, bind-CVE-2023-50387-CVE-2023-50868.patch] * Parsing DNS messages with many different names could cause excessive CPU load. This has been fixed. (CVE-2023-4408) [bsc#1219851, bind-CVE-2023-4408.patch] Package google-osconfig-agent was updated: - Update to version 20240320.00 (bsc#1221900, bsc#1221901) * Enable OSConfig agent to read GPG keys files with multiple entities (#537) - from version 20240314.00 * Update OWNERS file to replace mahmoudn GitHub username by personal email GitHub username (#534) - from version 20240313.01 * Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 in /e2e_tests (#535) - from version 20240313.00 * Adds a console and gcloud example policies (#533) - from version 20240228.00 * GuestPolicies e2e: Remove ed package if exist for zypper startup_script in recipe-steps tests (#532) - from version 20240126.00 * Fix Enterprise Linux Recipe-Steps tests to install info dependency package in the startup-script (#530) - from version 20240125.01 * Fix SUSE pkg-update and pkg-no-update e2e tests (#529) - from version 20240125.00 * Fix zypper patch info parser to consider conflicts-pkgs float versions (#528) - from version 20240123.01 * Fix SUSE package update e2e tests to use another existing package (#527) - from version 20240123.00 * Update cis-exclude-check-once-a-day.yaml (#526) - Update to version 20231219.00 * Bump golang.org/x/crypto from 0.14.0 to 0.17.0 (#524) - from version 20231207.01 * Some change to create an agent release (#523) - from version 20231207.00 * Some change to create an agent release (#522) - from version 20231205.00 * Some change to create an agent release (#521) - from version 20231130.02 * Merge pull request #519 from Gulio/just-release * Merge branch 'master' into just-release * Some change to create an agent release * Some change to create an agent release - from version 20231130.00 * Some change to create an agent release (#518) - from version 20231129.00 * Fix parse yum updates to consider the packages under installing-dependencies keyword (#502) * Update feature names in the README file (#517) - from version 20231128.00 * Updating owners (#508) - from version 20231127.00 * Move OS policy CIS examples under the console folder (#514) - from version 20231123.01 * Adds three more OS Policy examples to CIS folder (#509) * Added ekrementeskii and MahmoudNada0 to OWNERS (#505) - from version 20231123.00 * docs(osconfig):add OS policy examples for CIS scanning (#503) - from version 20231121.02 * Added SCODE to Windows error description (#504) - from version 20231121.01 * Update OWNERS (#501) * Update go version to 1.21 (#507) - from version 20231121.00 * Call fqdn (#481) - from version 20231116.00 * Removing obsolete MS Windows 2019 images (#500) - from version 20231107.00 * Update owners. (#498) - from version 20231103.02 * Increasing test timeouts (#499) * Update OWNERS (#497) - from version 20231103.01 * Bump google.golang.org/grpc from 1.53.0 to 1.56.3 in /e2e_tests (#493) * Bump google.golang.org/grpc from 1.53.0 to 1.56.3 (#494) - from version 20231103.00 * Removing deprecated Win for containers OSs (#496) - from version 20231027.00 * Shortening the reported image names (#495) - from version 20231025.00 * Merge pull request #492 from GoogleCloudPlatform/michaljankowiak-patch-1 * Merge branch 'master' into michaljankowiak-patch-1 * Fixing name changes * Fixing rename issue * Fixed formatting * Fixed formatting * Fixing formatting * Removing support for RHEL 6, adding RHEL 9 * Removing support for RHEL 6, adding for RHEL 9 * Removing support for RHEL 6 and adding for RHEL 9 * Removing step needed for RHEL 6 * Fixing build issues * Removing nonexistent images and adding new ones - from version 20231024.00 * Removing obsolete OS images and adding new ones (#491) - from version 20231020.00 * Change debug messages when parsing zypper patch output (#490) - from version 20231013.00 * Bump golang.org/x/net from 0.7.0 to 0.17.0 (#489) - from version 20231010.00 * Revert &quot;Added [main] section with gpgcheck to the agent-managed repo file (#484)&quot; (#488) - from version 20231003.00 * Bump google.golang.org/grpc from 1.42.0 to 1.53.0 in /e2e_tests (#478) - from version 20230920.00 * Update OWNERS (#485) - from version 20230912.00 * Added [main] section with gpgcheck to the agent-managed repo file (#484) * Migrate empty interface to any (#483) - Bump the golang compiler version to 1.21 (bsc#1216546) - Update to version 20230829.00 * Added burov, dowgird, paulinakania and Gulio to OWNERS (#482) &gt;&gt;&gt;&gt;&gt;&gt;&gt; ./google-osconfig-agent.changes.new Package perl-Bootloader was updated: - merge gh#openSUSE/perl-bootloader#166- log grub2-install errors correctly (bsc#1221470) - 0.947 - merge gh#openSUSE/perl-bootloader#161 - support old grub versions (&lt;= 2.02) that used /usr/lib (bsc#1218842) - create EFI boot fallback directory if necessary - 0.946 - merge gh#openSUSE/perl-bootloader#157 - bootloader_entry script can have an optional 'force-default' argument (bsc#1215064) - skip warning about unsupported options when in compat mode - 0.945 Package openssl-1_1 was updated: - Security fix: [bsc#1219243, CVE-2024-0727] * Add NULL checks where ContentInfo data can be NULL * Add openssl-CVE-2024-0727.patch Package suseconnect-ng was updated: - Update to version 1.9.0 * Fix certificate import for Yast when using a registration proxy with self-signed SSL certificate (bsc#1223107) - Update to version 1.8.0 * Allow &quot;--rollback&quot; flag to run on readonly filesystem (bsc#1220679) Package util-linux was updated: - Properly neutralize escape sequences in wall (util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085, and its prerequisites: util-linux-fputs_careful1.patch, util-linux-wall-migrate-to-memstream.patch util-linux-fputs_careful2.patch). Package python-idna was updated: - Add CVE-2024-3651.patch, backported from upstream commit gh#kjd/idna#172/commits/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7 (bsc#1222842, CVE-2024-3651) Package glibc was updated: - nscd-Fix-use-after-free-in-addgetnetgrentX.patch: nscd: Fix use-after-free in addgetnetgrentX (BZ #23520) - glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch: nscd: Stack-based buffer overflow in netgroup cache (CVE-2024-33599, bsc#1223423, BZ #31677) - glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch: nscd: Avoid null pointer crashes after notfound response (CVE-2024-33600, bsc#1223424, BZ #31678) - glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch: nscd: Do not send missing not-found response in addgetnetgrentX (CVE-2024-33600, bsc#1223424, BZ #31678) - glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch: netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601, CVE-2024-33602, bsc#1223425, BZ #31680) - nscd-netgroup-cache-timeout.patch: Use time_t for return type of addgetnetgrentX (CVE-2024-33602, bsc#1223425) - elf-ifunc-subtests-nonpie.patch: elf: Disable some subtests of ifuncmain1, ifuncmain5 for !PIE - iconv-iso-2022-cn-ext.patch: iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961, bsc#1222992) Package vim was updated: - Updated to version 9.1 with patch level 0330, fixes the following problems * Fixing bsc#1220763 - vim gets Segmentation fault after updating to version 9.1.0111-150500.20.9.1 - refreshed vim-7.3-filetype_spec.patch - refreshed vim-7.3-filetype_ftl.patch - Update spec.skeleton to use autosetup in place of setup macro. - for the complete list of changes see https://github.com/vim/vim/compare/v9.1.0111...v9.1.0330 Package python3-base was updated: - bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the &quot;quoted-overlap&quot; zipbomb (from gh#python/cpython!110016). - Add CVE-2023-52425-libexpat-2.6.0-backport.patch fixing etree XMLPullParser tests for Expat &gt;=2.6.0 with reparse deferral (fixing CVE-2023-52425 or bsc#1219559). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-12-sp5-v20240609-x86-64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-12-sp5-v20240609-x86-64 bind-utils-9.11.22-3.52.1 cloud-netconfig-gce-1.14-35.1 cpio-2.11-36.21.1 curl-8.0.1-11.86.2 docker-25.0.5_ce-98.112.1 fdupes-1.61-8.3.1 glib2-tools-2.48.2-12.37.1 glibc-2.22-114.34.1 glibc-i18ndata-2.22-114.34.1 glibc-locale-2.22-114.34.1 google-guest-agent-20240314.00-1.38.2 google-guest-configs-20240307.00-1.29.1 google-guest-oslogin-20240311.00-1.34.1 google-osconfig-agent-20240320.00-1.26.3 kernel-default-4.12.14-122.216.1 krb5-1.16.3-46.12.1 krb5-client-1.16.3-46.12.1 less-458-7.15.1 libavahi-client3-0.6.32-32.27.1 libavahi-common3-0.6.32-32.27.1 libbind9-161-9.11.22-3.52.1 libblkid1-2.33.2-4.36.1 libcurl4-8.0.1-11.86.2 libdns1110-9.11.22-3.52.1 libfastjson4-0.99.8-3.6.1 libfdisk1-2.33.2-4.36.1 libgio-2_0-0-2.48.2-12.37.1 libglib-2_0-0-2.48.2-12.37.1 libgmodule-2_0-0-2.48.2-12.37.1 libgobject-2_0-0-2.48.2-12.37.1 libirs161-9.11.22-3.52.1 libisc1107-9.11.22-3.52.1 libisccc161-9.11.22-3.52.1 libisccfg163-9.11.22-3.52.1 liblwres161-9.11.22-3.52.1 libmount1-2.33.2-4.36.1 libncurses5-5.9-88.1 libncurses6-5.9-88.1 libnghttp2-14-1.39.2-3.18.1 libopenssl1_0_0-1.0.2p-3.90.1 libopenssl1_1-1.1.1d-2.104.1 libpython2_7-1_0-2.7.18-33.35.1 libpython3_4m1_0-3.4.10-25.130.1 libpython3_6m1_0-3.6.15-55.1 libsmartcols1-2.33.2-4.36.1 libsuseconnect-1.9.0-3.15.4 libsystemd0-228-157.60.1 libudev1-228-157.60.1 libuuid1-2.33.2-4.36.1 libzypp-16.22.12-62.1 lifecycle-data-sle-module-toolchain-1-3.28.1 ncurses-utils-5.9-88.1 nfs-client-1.3.0-34.53.5 nfs-kernel-server-1.3.0-34.53.5 nscd-2.22-114.34.1 openssh-7.2p2-81.17.1 openssl-1_0_0-1.0.2p-3.90.1 perl-Bootloader-0.947-3.9.1 python-2.7.18-33.35.1 python-base-2.7.18-33.35.1 python-bind-9.11.22-3.52.1 python-xml-2.7.18-33.35.1 python3-3.4.10-25.130.1 python3-base-3.4.10-25.130.1 python3-idna-2.5-3.13.1 python3-pyOpenSSL-17.1.0-4.26.1 python3-typing-3.10.0.0-3.3.1 python36-base-3.6.15-55.1 regionServiceClientConfigGCE-4.1.0-5.15.1 runc-1.1.12-16.49.1 shadow-4.2.1-36.9.1 shim-15.8-25.30.1 sudo-1.8.27-4.48.2 suseconnect-ng-1.9.0-3.15.4 suseconnect-ruby-bindings-1.9.0-3.15.4 systemd-228-157.60.1 systemd-sysvinit-228-157.60.1 sysuser-shadow-2.0-1.9.1 terminfo-5.9-88.1 terminfo-base-5.9-88.1 udev-228-157.60.1 util-linux-2.33.2-4.36.1 util-linux-systemd-2.33.2-4.36.1 vim-9.1.0330-17.33.1 vim-data-common-9.1.0330-17.33.1 wicked-0.6.75-3.40.1 wicked-service-0.6.75-3.40.1 bind-utils-9.11.22-3.52.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 cloud-netconfig-gce-1.14-35.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 cpio-2.11-36.21.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 curl-8.0.1-11.86.2 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 docker-25.0.5_ce-98.112.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 fdupes-1.61-8.3.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 glib2-tools-2.48.2-12.37.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 glibc-2.22-114.34.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 glibc-i18ndata-2.22-114.34.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 glibc-locale-2.22-114.34.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 google-guest-agent-20240314.00-1.38.2 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 google-guest-configs-20240307.00-1.29.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 google-guest-oslogin-20240311.00-1.34.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 google-osconfig-agent-20240320.00-1.26.3 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 kernel-default-4.12.14-122.216.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 krb5-1.16.3-46.12.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 krb5-client-1.16.3-46.12.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 less-458-7.15.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libavahi-client3-0.6.32-32.27.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libavahi-common3-0.6.32-32.27.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libbind9-161-9.11.22-3.52.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libblkid1-2.33.2-4.36.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libcurl4-8.0.1-11.86.2 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libdns1110-9.11.22-3.52.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libfastjson4-0.99.8-3.6.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libfdisk1-2.33.2-4.36.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libgio-2_0-0-2.48.2-12.37.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libglib-2_0-0-2.48.2-12.37.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libgmodule-2_0-0-2.48.2-12.37.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libgobject-2_0-0-2.48.2-12.37.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libirs161-9.11.22-3.52.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libisc1107-9.11.22-3.52.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libisccc161-9.11.22-3.52.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libisccfg163-9.11.22-3.52.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 liblwres161-9.11.22-3.52.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libmount1-2.33.2-4.36.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libncurses5-5.9-88.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libncurses6-5.9-88.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libnghttp2-14-1.39.2-3.18.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libopenssl1_0_0-1.0.2p-3.90.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libopenssl1_1-1.1.1d-2.104.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libpython2_7-1_0-2.7.18-33.35.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libpython3_4m1_0-3.4.10-25.130.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libpython3_6m1_0-3.6.15-55.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libsmartcols1-2.33.2-4.36.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libsuseconnect-1.9.0-3.15.4 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libsystemd0-228-157.60.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libudev1-228-157.60.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libuuid1-2.33.2-4.36.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 libzypp-16.22.12-62.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 lifecycle-data-sle-module-toolchain-1-3.28.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 ncurses-utils-5.9-88.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 nfs-client-1.3.0-34.53.5 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 nfs-kernel-server-1.3.0-34.53.5 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 nscd-2.22-114.34.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 openssh-7.2p2-81.17.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 openssl-1_0_0-1.0.2p-3.90.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 perl-Bootloader-0.947-3.9.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 python-2.7.18-33.35.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 python-base-2.7.18-33.35.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 python-bind-9.11.22-3.52.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 python-xml-2.7.18-33.35.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 python3-3.4.10-25.130.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 python3-base-3.4.10-25.130.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 python3-idna-2.5-3.13.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 python3-pyOpenSSL-17.1.0-4.26.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 python3-typing-3.10.0.0-3.3.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 python36-base-3.6.15-55.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 regionServiceClientConfigGCE-4.1.0-5.15.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 runc-1.1.12-16.49.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 shadow-4.2.1-36.9.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 shim-15.8-25.30.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 sudo-1.8.27-4.48.2 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 suseconnect-ng-1.9.0-3.15.4 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 suseconnect-ruby-bindings-1.9.0-3.15.4 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 systemd-228-157.60.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 systemd-sysvinit-228-157.60.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 sysuser-shadow-2.0-1.9.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 terminfo-5.9-88.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 terminfo-base-5.9-88.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 udev-228-157.60.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 util-linux-2.33.2-4.36.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 util-linux-systemd-2.33.2-4.36.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 vim-9.1.0330-17.33.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 vim-data-common-9.1.0330-17.33.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 wicked-0.6.75-3.40.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 wicked-service-0.6.75-3.40.1 as a component of Public Cloud Image google/sles-12-sp5-v20240609-x86-64 The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access. CVE-2014-5351 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:krb5-1.16.3-46.12.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:krb5-client-1.16.3-46.12.1 moderate 2.1 AV:N/AC:H/Au:S/C:P/I:N/A:N The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether '\0' characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted string. CVE-2015-8629 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:krb5-1.16.3-46.12.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:krb5-client-1.16.3-46.12.1 low 2.1 AV:N/AC:H/Au:S/C:P/I:N/A:N The (1) kadm5_create_principal_3 and (2) kadm5_modify_principal functions in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by specifying KADM5_POLICY with a NULL policy name. CVE-2015-8630 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:krb5-1.16.3-46.12.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:krb5-client-1.16.3-46.12.1 low 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Multiple memory leaks in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (memory consumption) via a request specifying a NULL principal name. CVE-2015-8631 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:krb5-1.16.3-46.12.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:krb5-client-1.16.3-46.12.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on the calling application and if it retains a reference to the memory.. This vulnerability appears to have been fixed in 17.5.0. CVE-2018-1000807 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python3-pyOpenSSL-17.1.0-4.26.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P In the Linux kernel, the following vulnerability has been resolved: netlabel: fix out-of-bounds memory accesses There are two array out-of-bounds memory accesses, one in cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk(). Both errors are embarassingly simple, and the fixes are straightforward. As a FYI for anyone backporting this patch to kernels prior to v4.8, you'll want to apply the netlbl_bitmap_walk() patch to cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before Linux v4.8. CVE-2019-25160 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: Fix a potential use after free Free the adap structure only after we are done using it. This patch just moves the put_device() down a bit to avoid the use after free. [wsa: added comment to the code, added Fixes tag] CVE-2019-25162 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend. CVE-2020-12762 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libfastjson4-0.99.8-3.6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d. CVE-2020-36312 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 low 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P In the Linux kernel, the following vulnerability has been resolved: media: dvbdev: Fix memory leak in dvb_media_device_free() dvb_media_device_free() is leaking memory. Free `dvbdev->adapter->conn` before setting it to NULL, as documented in include/media/media-device.h: "The media_entity instance itself must be freed explicitly by the driver if required." CVE-2020-36777 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: cadence: fix reference leak when pm_runtime_get_sync fails The PM reference count is not expected to be incremented on return in functions cdns_i2c_master_xfer and cdns_reg_slave. However, pm_runtime_get_sync will increment pm usage counter even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced. CVE-2020-36784 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. CVE-2021-23134 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit. CVE-2021-33200 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field. CVE-2021-37750 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:krb5-1.16.3-46.12.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:krb5-client-1.16.3-46.12.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P In the Linux kernel, the following vulnerability has been resolved: net: hso: fix null-ptr-deref during tty device unregistration Multiple ttys try to claim the same the minor number causing a double unregistration of the same device. The first unregistration succeeds but the next one results in a null-ptr-deref. The get_free_serial_index() function returns an available minor number but doesn't assign it immediately. The assignment is done by the caller later. But before this assignment, calls to get_free_serial_index() would return the same minor number. Fix this by modifying get_free_serial_index to assign the minor number immediately after one is found to be and rename it to obtain_minor() to better reflect what it does. Similary, rename set_serial_by_index() to release_minor() and modify it to free up the minor number of the given hso_serial. Every obtain_minor() should have corresponding release_minor() call. CVE-2021-46904 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: hso: fix NULL-deref on disconnect regression Commit 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration") fixed the racy minor allocation reported by syzbot, but introduced an unconditional NULL-pointer dereference on every disconnect instead. Specifically, the serial device table must no longer be accessed after the minor has been released by hso_serial_tty_unregister(). CVE-2021-46905 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix info leak in hid_submit_ctrl In hid_submit_ctrl(), the way of calculating the report length doesn't take into account that report->size can be zero. When running the syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to calculate transfer_buffer_length as 16384. When this urb is passed to the usb core layer, KMSAN reports an info leak of 16384 bytes. To fix this, first modify hid_report_len() to account for the zero report size case by using DIV_ROUND_UP for the division. Then, call it from hid_submit_ctrl(). CVE-2021-46906 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2021-46907 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ARM: footbridge: fix PCI interrupt mapping Since commit 30fdfb929e82 ("PCI: Add a call to pci_assign_irq() in pci_device_probe()"), the PCI code will call the IRQ mapping function whenever a PCI driver is probed. If these are marked as __init, this causes an oops if a PCI driver is loaded or bound after the kernel has initialised. CVE-2021-46909 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: avoid possible divide error in nft_limit_init div_u64() divides u64 by u32. nft_limit_init() wants to divide u64 by u64, use the appropriate math function (div64_u64) divide error: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:div_u64_rem include/linux/math64.h:28 [inline] RIP: 0010:div_u64 include/linux/math64.h:127 [inline] RIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85 Code: ef 4c 01 eb 41 0f 92 c7 48 89 de e8 38 a5 22 fa 4d 85 ff 0f 85 97 02 00 00 e8 ea 9e 22 fa 4c 0f af f3 45 89 ed 31 d2 4c 89 f0 <49> f7 f5 49 89 c6 e8 d3 9e 22 fa 48 8d 7d 48 48 b8 00 00 00 00 00 RSP: 0018:ffffc90009447198 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000200000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff875152e6 RDI: 0000000000000003 RBP: ffff888020f80908 R08: 0000200000000000 R09: 0000000000000000 R10: ffffffff875152d8 R11: 0000000000000000 R12: ffffc90009447270 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 000000000097a300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200001c4 CR3: 0000000026a52000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline] nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713 nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160 nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321 nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline] nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae CVE-2021-46915 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: locking/qrwlock: Fix ordering in queued_write_lock_slowpath() While this code is executed with the wait_lock held, a reader can acquire the lock without holding wait_lock. The writer side loops checking the value with the atomic_cond_read_acquire(), but only truly acquires the lock when the compare-and-exchange is completed successfully which isn't ordered. This exposes the window between the acquire and the cmpxchg to an A-B-A problem which allows reads following the lock acquisition to observe values speculatively before the write lock is truly acquired. We've seen a problem in epoll where the reader does a xchg while holding the read lock, but the writer can see a value change out from under it. Writer | Reader -------------------------------------------------------------------------------- ep_scan_ready_list() | |- write_lock_irq() | |- queued_write_lock_slowpath() | |- atomic_cond_read_acquire() | | read_lock_irqsave(&ep->lock, flags); --> (observes value before unlock) | chain_epi_lockless() | | epi->next = xchg(&ep->ovflist, epi); | | read_unlock_irqrestore(&ep->lock, flags); | | | atomic_cmpxchg_relaxed() | |-- READ_ONCE(ep->ovflist); | A core can order the read of the ovflist ahead of the atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire semantics addresses this issue at which point the atomic_cond_read can be switched to use relaxed semantics. [peterz: use try_cmpxchg()] CVE-2021-46921 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFC: st21nfca: Fix memory leak in device probe and remove 'phy->pending_skb' is alloced when device probe, but forgot to free in the error handling path and remove path, this cause memory leak as follows: unreferenced object 0xffff88800bc06800 (size 512): comm "8", pid 11775, jiffies 4295159829 (age 9.032s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000d66c09ce>] __kmalloc_node_track_caller+0x1ed/0x450 [<00000000c93382b3>] kmalloc_reserve+0x37/0xd0 [<000000005fea522c>] __alloc_skb+0x124/0x380 [<0000000019f29f9a>] st21nfca_hci_i2c_probe+0x170/0x8f2 Fix it by freeing 'pending_skb' in error and remove. CVE-2021-46924 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: Input: appletouch - initialize work before device registration Syzbot has reported warning in __flush_work(). This warning is caused by work->func == NULL, which means missing work initialization. This may happen, since input_dev->close() calls cancel_work_sync(&dev->work), but dev->work initalization happens _after_ input_register_device() call. So this patch moves dev->work initialization before registering input device CVE-2021-46932 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 low In the Linux kernel, the following vulnerability has been resolved: dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails When loading a device-mapper table for a request-based mapped device, and the allocation/initialization of the blk_mq_tag_set for the device fails, a following device remove will cause a double free. E.g. (dmesg): device-mapper: core: Cannot initialize queue for request-based dm-mq mapped device device-mapper: ioctl: unable to set up device queue for new table. Unable to handle kernel pointer dereference in virtual kernel address space Failing address: 0305e098835de000 TEID: 0305e098835de803 Fault in home space mode while using kernel ASCE. AS:000000025efe0007 R3:0000000000000024 Oops: 0038 ilc:3 [#1] SMP Modules linked in: ... lots of modules ... Supported: Yes, External CPU: 0 PID: 7348 Comm: multipathd Kdump: loaded Tainted: G W X 5.3.18-53-default #1 SLE15-SP3 Hardware name: IBM 8561 T01 7I2 (LPAR) Krnl PSW : 0704e00180000000 000000025e368eca (kfree+0x42/0x330) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 Krnl GPRS: 000000000000004a 000000025efe5230 c1773200d779968d 0000000000000000 000000025e520270 000000025e8d1b40 0000000000000003 00000007aae10000 000000025e5202a2 0000000000000001 c1773200d779968d 0305e098835de640 00000007a8170000 000003ff80138650 000000025e5202a2 000003e00396faa8 Krnl Code: 000000025e368eb8: c4180041e100 lgrl %r1,25eba50b8 000000025e368ebe: ecba06b93a55 risbg %r11,%r10,6,185,58 #000000025e368ec4: e3b010000008 ag %r11,0(%r1) >000000025e368eca: e310b0080004 lg %r1,8(%r11) 000000025e368ed0: a7110001 tmll %r1,1 000000025e368ed4: a7740129 brc 7,25e369126 000000025e368ed8: e320b0080004 lg %r2,8(%r11) 000000025e368ede: b904001b lgr %r1,%r11 Call Trace: [<000000025e368eca>] kfree+0x42/0x330 [<000000025e5202a2>] blk_mq_free_tag_set+0x72/0xb8 [<000003ff801316a8>] dm_mq_cleanup_mapped_device+0x38/0x50 [dm_mod] [<000003ff80120082>] free_dev+0x52/0xd0 [dm_mod] [<000003ff801233f0>] __dm_destroy+0x150/0x1d0 [dm_mod] [<000003ff8012bb9a>] dev_remove+0x162/0x1c0 [dm_mod] [<000003ff8012a988>] ctl_ioctl+0x198/0x478 [dm_mod] [<000003ff8012ac8a>] dm_ctl_ioctl+0x22/0x38 [dm_mod] [<000000025e3b11ee>] ksys_ioctl+0xbe/0xe0 [<000000025e3b127a>] __s390x_sys_ioctl+0x2a/0x40 [<000000025e8c15ac>] system_call+0xd8/0x2c8 Last Breaking-Event-Address: [<000000025e52029c>] blk_mq_free_tag_set+0x6c/0xb8 Kernel panic - not syncing: Fatal exception: panic_on_oops When allocation/initialization of the blk_mq_tag_set fails in dm_mq_init_request_queue(), it is uninitialized/freed, but the pointer is not reset to NULL; so when dev_remove() later gets into dm_mq_cleanup_mapped_device() it sees the pointer and tries to uninitialize and free it again. Fix this by setting the pointer to NULL in dm_mq_init_request_queue() error-handling. Also set it to NULL in dm_mq_cleanup_mapped_device(). CVE-2021-46938 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Restructure trace_clock_global() to never block It was reported that a fix to the ring buffer recursion detection would cause a hung machine when performing suspend / resume testing. The following backtrace was extracted from debugging that case: Call Trace: trace_clock_global+0x91/0xa0 __rb_reserve_next+0x237/0x460 ring_buffer_lock_reserve+0x12a/0x3f0 trace_buffer_lock_reserve+0x10/0x50 __trace_graph_return+0x1f/0x80 trace_graph_return+0xb7/0xf0 ? trace_clock_global+0x91/0xa0 ftrace_return_to_handler+0x8b/0xf0 ? pv_hash+0xa0/0xa0 return_to_handler+0x15/0x30 ? ftrace_graph_caller+0xa0/0xa0 ? trace_clock_global+0x91/0xa0 ? __rb_reserve_next+0x237/0x460 ? ring_buffer_lock_reserve+0x12a/0x3f0 ? trace_event_buffer_lock_reserve+0x3c/0x120 ? trace_event_buffer_reserve+0x6b/0xc0 ? trace_event_raw_event_device_pm_callback_start+0x125/0x2d0 ? dpm_run_callback+0x3b/0xc0 ? pm_ops_is_empty+0x50/0x50 ? platform_get_irq_byname_optional+0x90/0x90 ? trace_device_pm_callback_start+0x82/0xd0 ? dpm_run_callback+0x49/0xc0 With the following RIP: RIP: 0010:native_queued_spin_lock_slowpath+0x69/0x200 Since the fix to the recursion detection would allow a single recursion to happen while tracing, this lead to the trace_clock_global() taking a spin lock and then trying to take it again: ring_buffer_lock_reserve() { trace_clock_global() { arch_spin_lock() { queued_spin_lock_slowpath() { /* lock taken */ (something else gets traced by function graph tracer) ring_buffer_lock_reserve() { trace_clock_global() { arch_spin_lock() { queued_spin_lock_slowpath() { /* DEAD LOCK! */ Tracing should *never* block, as it can lead to strange lockups like the above. Restructure the trace_clock_global() code to instead of simply taking a lock to update the recorded "prev_time" simply use it, as two events happening on two different CPUs that calls this at the same time, really doesn't matter which one goes first. Use a trylock to grab the lock for updating the prev_time, and if it fails, simply try again the next time. If it failed to be taken, that means something else is already updating it. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212761 CVE-2021-46939 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: Do core softreset when switch mode According to the programming guide, to switch mode for DRD controller, the driver needs to do the following. To switch from device to host: 1. Reset controller with GCTL.CoreSoftReset 2. Set GCTL.PrtCapDir(host mode) 3. Reset the host with USBCMD.HCRESET 4. Then follow up with the initializing host registers sequence To switch from host to device: 1. Reset controller with GCTL.CoreSoftReset 2. Set GCTL.PrtCapDir(device mode) 3. Reset the device with DCTL.CSftRst 4. Then follow up with the initializing registers sequence Currently we're missing step 1) to do GCTL.CoreSoftReset and step 3) of switching from host to device. John Stult reported a lockup issue seen with HiKey960 platform without these steps[1]. Similar issue is observed with Ferry's testing platform[2]. So, apply the required steps along with some fixes to Yu Chen's and John Stultz's version. The main fixes to their versions are the missing wait for clocks synchronization before clearing GCTL.CoreSoftReset and only apply DCTL.CSftRst when switching from host to device. [1] https://lore.kernel.org/linux-usb/20210108015115.27920-1-john.stultz@linaro.org/ [2] https://lore.kernel.org/linux-usb/0ba7a6ba-e6a7-9cd4-0695-64fc927e01f1@gmail.com/ CVE-2021-46941 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: md/raid1: properly indicate failure when ending a failed write request This patch addresses a data corruption bug in raid1 arrays using bitmaps. Without this fix, the bitmap bits for the failed I/O end up being cleared. Since we are in the failure leg of raid1_end_write_request, the request either needs to be retried (R1BIO_WriteError) or failed (R1BIO_Degraded). CVE-2021-46950 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure When failing the driver probe because of invalid firmware properties, the GTDT driver unmaps the interrupt that it mapped earlier. However, it never checks whether the mapping of the interrupt actially succeeded. Even more, should the firmware report an illegal interrupt number that overlaps with the GIC SGI range, this can result in an IPI being unmapped, and subsequent fireworks (as reported by Dann Frazier). Rework the driver to have a slightly saner behaviour and actually check whether the interrupt has been mapped before unmapping things. CVE-2021-46953 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between transaction aborts and fsyncs leading to use-after-free There is a race between a task aborting a transaction during a commit, a task doing an fsync and the transaction kthread, which leads to an use-after-free of the log root tree. When this happens, it results in a stack trace like the following: BTRFS info (device dm-0): forced readonly BTRFS warning (device dm-0): Skipping commit of aborted transaction. BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5) BTRFS warning (device dm-0): Skipping commit of aborted transaction. BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10 BTRFS error (device dm-0): error writing primary super block to device 1 BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10 BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10 BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10 BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers) BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:__mutex_lock+0x139/0xa40 Code: c0 74 19 (...) RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202 RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 0000000000000002 RDX: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff9f18830d7bc0 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040 R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358 FS: 00007fa9140c2b80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa913d52000 CR3: 000000013d2b4003 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? __btrfs_handle_fs_error+0xde/0x146 [btrfs] ? btrfs_sync_log+0x7c1/0xf20 [btrfs] ? btrfs_sync_log+0x7c1/0xf20 [btrfs] btrfs_sync_log+0x7c1/0xf20 [btrfs] btrfs_sync_file+0x40c/0x580 [btrfs] do_fsync+0x38/0x70 __x64_sys_fsync+0x10/0x20 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fa9142a55c3 Code: 8b 15 09 (...) RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c3 RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005 RBP: 0000000000000005 R08: 0000000000000001 R09: 00007fff26278d5c R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000340 R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0 Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...) ---[ end trace ee2f1b19327d791d ]--- The steps that lead to this crash are the following: 1) We are at transaction N; 2) We have two tasks with a transaction handle attached to transaction N. Task A and Task B. Task B is doing an fsync; 3) Task B is at btrfs_sync_log(), and has saved fs_info->log_root_tree into a local variable named 'log_root_tree' at the top of btrfs_sync_log(). Task B is about to call write_all_supers(), but before that... 4) Task A calls btrfs_commit_transaction(), and after it sets the transaction state to TRANS_STATE_COMMIT_START, an error happens before it w ---truncated--- CVE-2021-46958 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: cifs: Return correct error code from smb2_get_enc_key Avoid a warning if the error percolates back up: [440700.376476] CIFS VFS: \\otters.example.com crypt_message: Could not get encryption key [440700.386947] ------------[ cut here ]------------ [440700.386948] err = 1 [440700.386977] WARNING: CPU: 11 PID: 2733 at /build/linux-hwe-5.4-p6lk6L/linux-hwe-5.4-5.4.0/lib/errseq.c:74 errseq_set+0x5c/0x70 ... [440700.397304] CPU: 11 PID: 2733 Comm: tar Tainted: G OE 5.4.0-70-generic #78~18.04.1-Ubuntu ... [440700.397334] Call Trace: [440700.397346] __filemap_set_wb_err+0x1a/0x70 [440700.397419] cifs_writepages+0x9c7/0xb30 [cifs] [440700.397426] do_writepages+0x4b/0xe0 [440700.397444] __filemap_fdatawrite_range+0xcb/0x100 [440700.397455] filemap_write_and_wait+0x42/0xa0 [440700.397486] cifs_setattr+0x68b/0xf30 [cifs] [440700.397493] notify_change+0x358/0x4a0 [440700.397500] utimes_common+0xe9/0x1c0 [440700.397510] do_utimes+0xc5/0x150 [440700.397520] __x64_sys_utimensat+0x88/0xd0 CVE-2021-46960 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() RIP: 0010:kmem_cache_free+0xfa/0x1b0 Call Trace: qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx] scsi_queue_rq+0x5e2/0xa40 __blk_mq_try_issue_directly+0x128/0x1d0 blk_mq_request_issue_directly+0x4e/0xb0 Fix incorrect call to free srb in qla2xxx_mqueuecommand(), as srb is now allocated by upper layers. This fixes smatch warning of srb unintended free. CVE-2021-46963 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Reserve extra IRQ vectors Commit a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of CPUs") lowers the number of allocated MSI-X vectors to the number of CPUs. That breaks vector allocation assumptions in qla83xx_iospace_config(), qla24xx_enable_msix() and qla2x00_iospace_config(). Either of the functions computes maximum number of qpairs as: ha->max_qpairs = ha->msix_count - 1 (MB interrupt) - 1 (default response queue) - 1 (ATIO, in dual or pure target mode) max_qpairs is set to zero in case of two CPUs and initiator mode. The number is then used to allocate ha->queue_pair_map inside qla2x00_alloc_queues(). No allocation happens and ha->queue_pair_map is left NULL but the driver thinks there are queue pairs available. qla2xxx_queuecommand() tries to find a qpair in the map and crashes: if (ha->mqenable) { uint32_t tag; uint16_t hwq; struct qla_qpair *qpair = NULL; tag = blk_mq_unique_tag(cmd->request); hwq = blk_mq_unique_tag_to_hwq(tag); qpair = ha->queue_pair_map[hwq]; # <- HERE if (qpair) return qla2xxx_mqueuecommand(host, cmd, qpair); } BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G W 5.10.0-rc1+ #25 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc] RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx] Call Trace: scsi_queue_rq+0x58c/0xa60 blk_mq_dispatch_rq_list+0x2b7/0x6f0 ? __sbitmap_get_word+0x2a/0x80 __blk_mq_sched_dispatch_requests+0xb8/0x170 blk_mq_sched_dispatch_requests+0x2b/0x50 __blk_mq_run_hw_queue+0x49/0xb0 __blk_mq_delay_run_hw_queue+0xfb/0x150 blk_mq_sched_insert_request+0xbe/0x110 blk_execute_rq+0x45/0x70 __scsi_execute+0x10e/0x250 scsi_probe_and_add_lun+0x228/0xda0 __scsi_scan_target+0xf4/0x620 ? __pm_runtime_resume+0x4f/0x70 scsi_scan_target+0x100/0x110 fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc] process_one_work+0x1ea/0x3b0 worker_thread+0x28/0x3b0 ? process_one_work+0x3b0/0x3b0 kthread+0x112/0x130 ? kthread_park+0x80/0x80 ret_from_fork+0x22/0x30 The driver should allocate enough vectors to provide every CPU it's own HW queue and still handle reserved (MB, RSP, ATIO) interrupts. The change fixes the crash on dual core VM and prevents unbalanced QP allocation where nr_hw_queues is two less than the number of CPUs. CVE-2021-46964 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ACPI: custom_method: fix potential use-after-free issue In cm_write(), buf is always freed when reaching the end of the function. If the requested count is less than table.length, the allocated buffer will be freed but subsequent calls to cm_write() will still try to access it. Remove the unconditional kfree(buf) at the end of the function and set the buf to NULL in the -EINVAL error path to match the rest of function. CVE-2021-46966 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2021-46975 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: nbd: Fix NULL pointer in flush_workqueue Open /dev/nbdX first, the config_refs will be 1 and the pointers in nbd_device are still null. Disconnect /dev/nbdX, then reference a null recv_workq. The protection by config_refs in nbd_genl_disconnect is useless. [ 656.366194] BUG: kernel NULL pointer dereference, address: 0000000000000020 [ 656.368943] #PF: supervisor write access in kernel mode [ 656.369844] #PF: error_code(0x0002) - not-present page [ 656.370717] PGD 10cc87067 P4D 10cc87067 PUD 1074b4067 PMD 0 [ 656.371693] Oops: 0002 [#1] SMP [ 656.372242] CPU: 5 PID: 7977 Comm: nbd-client Not tainted 5.11.0-rc5-00040-g76c057c84d28 #1 [ 656.373661] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 [ 656.375904] RIP: 0010:mutex_lock+0x29/0x60 [ 656.376627] Code: 00 0f 1f 44 00 00 55 48 89 fd 48 83 05 6f d7 fe 08 01 e8 7a c3 ff ff 48 83 05 6a d7 fe 08 01 31 c0 65 48 8b 14 25 00 6d 01 00 <f0> 48 0f b1 55 d [ 656.378934] RSP: 0018:ffffc900005eb9b0 EFLAGS: 00010246 [ 656.379350] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 656.379915] RDX: ffff888104cf2600 RSI: ffffffffaae8f452 RDI: 0000000000000020 [ 656.380473] RBP: 0000000000000020 R08: 0000000000000000 R09: ffff88813bd6b318 [ 656.381039] R10: 00000000000000c7 R11: fefefefefefefeff R12: ffff888102710b40 [ 656.381599] R13: ffffc900005eb9e0 R14: ffffffffb2930680 R15: ffff88810770ef00 [ 656.382166] FS: 00007fdf117ebb40(0000) GS:ffff88813bd40000(0000) knlGS:0000000000000000 [ 656.382806] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 656.383261] CR2: 0000000000000020 CR3: 0000000100c84000 CR4: 00000000000006e0 [ 656.383819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 656.384370] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 656.384927] Call Trace: [ 656.385111] flush_workqueue+0x92/0x6c0 [ 656.385395] nbd_disconnect_and_put+0x81/0xd0 [ 656.385716] nbd_genl_disconnect+0x125/0x2a0 [ 656.386034] genl_family_rcv_msg_doit.isra.0+0x102/0x1b0 [ 656.386422] genl_rcv_msg+0xfc/0x2b0 [ 656.386685] ? nbd_ioctl+0x490/0x490 [ 656.386954] ? genl_family_rcv_msg_doit.isra.0+0x1b0/0x1b0 [ 656.387354] netlink_rcv_skb+0x62/0x180 [ 656.387638] genl_rcv+0x34/0x60 [ 656.387874] netlink_unicast+0x26d/0x590 [ 656.388162] netlink_sendmsg+0x398/0x6c0 [ 656.388451] ? netlink_rcv_skb+0x180/0x180 [ 656.388750] ____sys_sendmsg+0x1da/0x320 [ 656.389038] ? ____sys_recvmsg+0x130/0x220 [ 656.389334] ___sys_sendmsg+0x8e/0xf0 [ 656.389605] ? ___sys_recvmsg+0xa2/0xf0 [ 656.389889] ? handle_mm_fault+0x1671/0x21d0 [ 656.390201] __sys_sendmsg+0x6d/0xe0 [ 656.390464] __x64_sys_sendmsg+0x23/0x30 [ 656.390751] do_syscall_64+0x45/0x70 [ 656.391017] entry_SYSCALL_64_after_hwframe+0x44/0xa9 To fix it, just add if (nbd->recv_workq) to nbd_disconnect_and_put(). CVE-2021-46981 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: userfaultfd: release page in error path to avoid BUG_ON Consider the following sequence of events: 1. Userspace issues a UFFD ioctl, which ends up calling into shmem_mfill_atomic_pte(). We successfully account the blocks, we shmem_alloc_page(), but then the copy_from_user() fails. We return -ENOENT. We don't release the page we allocated. 2. Our caller detects this error code, tries the copy_from_user() after dropping the mmap_lock, and retries, calling back into shmem_mfill_atomic_pte(). 3. Meanwhile, let's say another process filled up the tmpfs being used. 4. So shmem_mfill_atomic_pte() fails to account blocks this time, and immediately returns - without releasing the page. This triggers a BUG_ON in our caller, which asserts that the page should always be consumed, unless -ENOENT is returned. To fix this, detect if we have such a "dangling" page when accounting fails, and if so, release it before returning. CVE-2021-46988 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix crashes when toggling entry flush barrier The entry flush mitigation can be enabled/disabled at runtime via a debugfs file (entry_flush), which causes the kernel to patch itself to enable/disable the relevant mitigations. However depending on which mitigation we're using, it may not be safe to do that patching while other CPUs are active. For example the following crash: sleeper[15639]: segfault (11) at c000000000004c20 nip c000000000004c20 lr c000000000004c20 Shows that we returned to userspace with a corrupted LR that points into the kernel, due to executing the partially patched call to the fallback entry flush (ie. we missed the LR restore). Fix it by doing the patching under stop machine. The CPUs that aren't doing the patching will be spinning in the core of the stop machine logic. That is currently sufficient for our purposes, because none of the patching we do is to that code or anywhere in the vicinity. CVE-2021-46990 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: i40e: Fix use-after-free in i40e_client_subtask() Currently the call to i40e_client_del_instance frees the object pf->cinst, however pf->cinst->lan_info is being accessed after the free. Fix this by adding the missing return. Addresses-Coverity: ("Read from pointer after free") CVE-2021-46991 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: avoid overflows in nft_hash_buckets() Number of buckets being stored in 32bit variables, we have to ensure that no overflows occur in nft_hash_buckets() syzbot injected a size == 0x40000000 and reported: UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 1 PID: 29539 Comm: syz-executor.4 Not tainted 5.12.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327 __roundup_pow_of_two include/linux/log2.h:57 [inline] nft_hash_buckets net/netfilter/nft_set_hash.c:411 [inline] nft_hash_estimate.cold+0x19/0x1e net/netfilter/nft_set_hash.c:652 nft_select_set_ops net/netfilter/nf_tables_api.c:3586 [inline] nf_tables_newset+0xe62/0x3110 net/netfilter/nf_tables_api.c:4322 nfnetlink_rcv_batch+0xa09/0x24b0 net/netfilter/nfnetlink.c:488 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:612 [inline] nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:630 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 CVE-2021-46992 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ethernet:enic: Fix a use after free bug in enic_hard_start_xmit In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside enic_queue_wq_skb, if some error happens, the skb will be freed by dev_kfree_skb(skb). But the freed skb is still used in skb_tx_timestamp(skb). My patch makes enic_queue_wq_skb() return error and goto spin_unlock() incase of error. The solution is provided by Govind. See https://lkml.org/lkml/2021/4/30/961. CVE-2021-46998 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook The commit 1879445dfa7b ("perf/core: Set event's default ::overflow_handler()") set a default event->overflow_handler in perf_event_alloc(), and replace the check event->overflow_handler with is_default_overflow_handler(), but one is missing. Currently, the bp->overflow_handler can not be NULL. As a result, enable_single_step() is always not invoked. Comments from Zhen Lei: https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/ CVE-2021-47006 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..). If some error happens in emac_tx_fill_tpd(), the skb will be freed via dev_kfree_skb(skb) in error branch of emac_tx_fill_tpd(). But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len). As i observed that emac_tx_fill_tpd() haven't modified the value of skb->len, thus my patch assigns skb->len to 'len' before the possible free and use 'len' instead of skb->len later. CVE-2021-47013 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RX consumer index logic in the error path. In bnxt_rx_pkt(), the RX buffers are expected to complete in order. If the RX consumer index indicates an out of order buffer completion, it means we are hitting a hardware bug and the driver will abort all remaining RX packets and reset the RX ring. The RX consumer index that we pass to bnxt_discard_rx() is not correct. We should be passing the current index (tmp_raw_cons) instead of the old index (raw_cons). This bug can cause us to be at the wrong index when trying to abort the next RX packet. It can crash like this: #0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007 #1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232 #2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e #3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978 #4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0 #5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e #6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24 #7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e #8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12 #9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5 [exception RIP: bnxt_rx_pkt+237] RIP: ffffffffc0259cdd RSP: ffff9bbcdf5c3d98 RFLAGS: 00010213 RAX: 000000005dd8097f RBX: ffff9ba4cb11b7e0 RCX: ffffa923cf6e9000 RDX: 0000000000000fff RSI: 0000000000000627 RDI: 0000000000001000 RBP: ffff9bbcdf5c3e60 R8: 0000000000420003 R9: 000000000000020d R10: ffffa923cf6ec138 R11: ffff9bbcdf5c3e83 R12: ffff9ba4d6f928c0 R13: ffff9ba4cac28080 R14: ffff9ba4cb11b7f0 R15: ffff9ba4d5a30000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 CVE-2021-47015 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: free queued packets when closing socket As reported by syzbot [1], there is a memory leak while closing the socket. We partially solved this issue with commit ac03046ece2b ("vsock/virtio: free packets during the socket release"), but we forgot to drain the RX queue when the socket is definitely closed by the scheduled work. To avoid future issues, let's use the new virtio_transport_remove_sock() to drain the RX queue before removing the socket from the af_vsock lists calling vsock_remove_sock(). [1] https://syzkaller.appspot.com/bug?extid=24452624fc4c571eedd9 CVE-2021-47024 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix pte update for kernel memory on radix When adding a PTE a ptesync is needed to order the update of the PTE with subsequent accesses otherwise a spurious fault may be raised. radix__set_pte_at() does not do this for performance gains. For non-kernel memory this is not an issue as any faults of this kind are corrected by the page fault handler. For kernel memory these faults are not handled. The current solution is that there is a ptesync in flush_cache_vmap() which should be called when mapping from the vmalloc region. However, map_kernel_page() does not call flush_cache_vmap(). This is troublesome in particular for code patching with Strict RWX on radix. In do_patch_instruction() the page frame that contains the instruction to be patched is mapped and then immediately patched. With no ordering or synchronization between setting up the PTE and writing to the page it is possible for faults. As the code patching is done using __put_user_asm_goto() the resulting fault is obscured - but using a normal store instead it can be seen: BUG: Unable to handle kernel data access on write at 0xc008000008f24a3c Faulting instruction address: 0xc00000000008bd74 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: nop_module(PO+) [last unloaded: nop_module] CPU: 4 PID: 757 Comm: sh Tainted: P O 5.10.0-rc5-01361-ge3c1b78c8440-dirty #43 NIP: c00000000008bd74 LR: c00000000008bd50 CTR: c000000000025810 REGS: c000000016f634a0 TRAP: 0300 Tainted: P O (5.10.0-rc5-01361-ge3c1b78c8440-dirty) MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 44002884 XER: 00000000 CFAR: c00000000007c68c DAR: c008000008f24a3c DSISR: 42000000 IRQMASK: 1 This results in the kind of issue reported here: https://lore.kernel.org/linuxppc-dev/15AC5B0E-A221-4B8C-9039-FA96B8EF7C88@lca.pw/ Chris Riedl suggested a reliable way to reproduce the issue: $ mount -t debugfs none /sys/kernel/debug $ (while true; do echo function > /sys/kernel/debug/tracing/current_tracer ; echo nop > /sys/kernel/debug/tracing/current_tracer ; done) & Turning ftrace on and off does a large amount of code patching which in usually less then 5min will crash giving a trace like: ftrace-powerpc: (____ptrval____): replaced (4b473b11) != old (60000000) ------------[ ftrace bug ]------------ ftrace failed to modify [<c000000000bf8e5c>] napi_busy_loop+0xc/0x390 actual: 11:3b:47:4b Setting ftrace call site to call ftrace function ftrace record flags: 80000001 (1) expected tramp: c00000000006c96c ------------[ cut here ]------------ WARNING: CPU: 4 PID: 809 at kernel/trace/ftrace.c:2065 ftrace_bug+0x28c/0x2e8 Modules linked in: nop_module(PO-) [last unloaded: nop_module] CPU: 4 PID: 809 Comm: sh Tainted: P O 5.10.0-rc5-01360-gf878ccaf250a #1 NIP: c00000000024f334 LR: c00000000024f330 CTR: c0000000001a5af0 REGS: c000000004c8b760 TRAP: 0700 Tainted: P O (5.10.0-rc5-01360-gf878ccaf250a) MSR: 900000000282b033 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 28008848 XER: 20040000 CFAR: c0000000001a9c98 IRQMASK: 0 GPR00: c00000000024f330 c000000004c8b9f0 c000000002770600 0000000000000022 GPR04: 00000000ffff7fff c000000004c8b6d0 0000000000000027 c0000007fe9bcdd8 GPR08: 0000000000000023 ffffffffffffffd8 0000000000000027 c000000002613118 GPR12: 0000000000008000 c0000007fffdca00 0000000000000000 0000000000000000 GPR16: 0000000023ec37c5 0000000000000000 0000000000000000 0000000000000008 GPR20: c000000004c8bc90 c0000000027a2d20 c000000004c8bcd0 c000000002612fe8 GPR24: 0000000000000038 0000000000000030 0000000000000028 0000000000000020 GPR28: c000000000ff1b68 c000000000bf8e5c c00000000312f700 c000000000fbb9b0 NIP ftrace_bug+0x28c/0x2e8 LR ftrace_bug+0x288/0x2e8 Call T ---truncated--- CVE-2021-47034 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb() It is possible to call lpfc_issue_els_plogi() passing a did for which no matching ndlp is found. A call is then made to lpfc_prep_els_iocb() with a null pointer to a lpfc_nodelist structure resulting in a null pointer dereference. Fix by returning an error status if no valid ndlp is found. Fix up comments regarding ndlp reference counting. CVE-2021-47045 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Use after free in __vmbus_open() The "open_info" variable is added to the &vmbus_connection.chn_msg_list, but the error handling frees "open_info" without removing it from the list. This will result in a use after free. First remove it from the list, and then free it. CVE-2021-47049 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: bus: qcom: Put child node before return Put child node before return to fix potential reference count leak. Generally, the reference count of child is incremented and decremented automatically in the macro for_each_available_child_of_node() and should be decremented manually if the loop is broken in loop body. CVE-2021-47054 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: mtd: require write permissions for locking and badblock ioctls MEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require write permission. Depending on the hardware MEMLOCK might even be write-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK is always write-once. MEMSETBADBLOCK modifies the bad block table. CVE-2021-47055 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init ADF_STATUS_PF_RUNNING is (only) used and checked by adf_vf2pf_shutdown() before calling adf_iov_putmsg()->mutex_lock(vf2pf_lock), however the vf2pf_lock is initialized in adf_dev_init(), which can fail and when it fail, the vf2pf_lock is either not initialized or destroyed, a subsequent use of vf2pf_lock will cause issue. To fix this issue, only set this flag if adf_dev_init() returns 0. [ 7.178404] BUG: KASAN: user-memory-access in __mutex_lock.isra.0+0x1ac/0x7c0 [ 7.180345] Call Trace: [ 7.182576] mutex_lock+0xc9/0xd0 [ 7.183257] adf_iov_putmsg+0x118/0x1a0 [intel_qat] [ 7.183541] adf_vf2pf_shutdown+0x4d/0x7b [intel_qat] [ 7.183834] adf_dev_shutdown+0x172/0x2b0 [intel_qat] [ 7.184127] adf_probe+0x5e9/0x600 [qat_dh895xccvf] CVE-2021-47056 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm: bridge/panel: Cleanup connector on bridge detach If we don't call drm_connector_cleanup() manually in panel_bridge_detach(), the connector will be cleaned up with the other DRM objects in the call to drm_mode_config_cleanup(). However, since our drm_connector is devm-allocated, by the time drm_mode_config_cleanup() will be called, our connector will be long gone. Therefore, the connector must be cleaned up when the bridge is detached to avoid use-after-free conditions. v2: Cleanup connector only if it was created v3: Add FIXME v4: (Use connector->dev) directly in if() block CVE-2021-47063 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix another memory leak in error handling paths Memory allocated by 'vmbus_alloc_ring()' at the beginning of the probe function is never freed in the error handling path. Add the missing 'vmbus_free_ring()' call. Note that it is already freed in the .remove function. CVE-2021-47070 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix a memory leak in error handling paths If 'vmbus_establish_gpadl()' fails, the (recv|send)_gpadl will not be updated and 'hv_uio_cleanup()' in the error handling path will not be able to free the corresponding buffer. In such a case, we need to free the buffer explicitly. CVE-2021-47071 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios init_dell_smbios_wmi() only registers the dell_smbios_wmi_driver on systems where the Dell WMI interface is supported. While exit_dell_smbios_wmi() unregisters it unconditionally, this leads to the following oops: [ 175.722921] ------------[ cut here ]------------ [ 175.722925] Unexpected driver unregister! [ 175.722939] WARNING: CPU: 1 PID: 3630 at drivers/base/driver.c:194 driver_unregister+0x38/0x40 ... [ 175.723089] Call Trace: [ 175.723094] cleanup_module+0x5/0xedd [dell_smbios] ... [ 175.723148] ---[ end trace 064c34e1ad49509d ]--- Make the unregister happen on the same condition the register happens to fix this. CVE-2021-47073 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Return CQE error if invalid lkey was supplied RXE is missing update of WQE status in LOCAL_WRITE failures. This caused the following kernel panic if someone sent an atomic operation with an explicitly wrong lkey. [leonro@vm ~]$ mkt test test_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ... WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe] Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe] Code: 03 0f 8e 65 0e 00 00 3b 93 10 06 00 00 0f 84 82 0a 00 00 4c 89 ff 4c 89 44 24 38 e8 2d 74 a9 e1 4c 8b 44 24 38 e9 1c f5 ff ff <0f> 0b e9 0c e8 ff ff b8 05 00 00 00 41 bf 05 00 00 00 e9 ab e7 ff RSP: 0018:ffff8880158af090 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888016a78000 RCX: ffffffffa0cf1652 RDX: 1ffff9200004b442 RSI: 0000000000000004 RDI: ffffc9000025a210 RBP: dffffc0000000000 R08: 00000000ffffffea R09: ffff88801617740b R10: ffffed1002c2ee81 R11: 0000000000000007 R12: ffff88800f3b63e8 R13: ffff888016a78008 R14: ffffc9000025a180 R15: 000000000000000c FS: 00007f88b622a740(0000) GS:ffff88806d540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f88b5a1fa10 CR3: 000000000d848004 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rxe_do_task+0x130/0x230 [rdma_rxe] rxe_rcv+0xb11/0x1df0 [rdma_rxe] rxe_loopback+0x157/0x1e0 [rdma_rxe] rxe_responder+0x5532/0x7620 [rdma_rxe] rxe_do_task+0x130/0x230 [rdma_rxe] rxe_rcv+0x9c8/0x1df0 [rdma_rxe] rxe_loopback+0x157/0x1e0 [rdma_rxe] rxe_requester+0x1efd/0x58c0 [rdma_rxe] rxe_do_task+0x130/0x230 [rdma_rxe] rxe_post_send+0x998/0x1860 [rdma_rxe] ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs] ib_uverbs_write+0x847/0xc80 [ib_uverbs] vfs_write+0x1c5/0x840 ksys_write+0x176/0x1d0 do_syscall_64+0x3f/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae CVE-2021-47076 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Add pointer checks in qedf_update_link_speed() The following trace was observed: [ 14.042059] Call Trace: [ 14.042061] <IRQ> [ 14.042068] qedf_link_update+0x144/0x1f0 [qedf] [ 14.042117] qed_link_update+0x5c/0x80 [qed] [ 14.042135] qed_mcp_handle_link_change+0x2d2/0x410 [qed] [ 14.042155] ? qed_set_ptt+0x70/0x80 [qed] [ 14.042170] ? qed_set_ptt+0x70/0x80 [qed] [ 14.042186] ? qed_rd+0x13/0x40 [qed] [ 14.042205] qed_mcp_handle_events+0x437/0x690 [qed] [ 14.042221] ? qed_set_ptt+0x70/0x80 [qed] [ 14.042239] qed_int_sp_dpc+0x3a6/0x3e0 [qed] [ 14.042245] tasklet_action_common.isra.14+0x5a/0x100 [ 14.042250] __do_softirq+0xe4/0x2f8 [ 14.042253] irq_exit+0xf7/0x100 [ 14.042255] do_IRQ+0x7f/0xd0 [ 14.042257] common_interrupt+0xf/0xf [ 14.042259] </IRQ> API qedf_link_update() is getting called from QED but by that time shost_data is not initialised. This results in a NULL pointer dereference when we try to dereference shost_data while updating supported_speeds. Add a NULL pointer check before dereferencing shost_data. CVE-2021-47077 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Clear all QP fields if creation failed rxe_qp_do_cleanup() relies on valid pointer values in QP for the properly created ones, but in case rxe_qp_from_init() failed it was filled with garbage and caused tot the following error. refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28 Modules linked in: CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28 Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55 RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67 RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800 R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000 FS: 00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __refcount_sub_and_test include/linux/refcount.h:283 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] kref_put include/linux/kref.h:64 [inline] rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805 execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327 rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391 kref_put include/linux/kref.h:65 [inline] rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425 _ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline] ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231 ib_create_qp include/rdma/ib_verbs.h:3644 [inline] create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920 ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline] ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092 add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717 enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331 ib_register_device drivers/infiniband/core/device.c:1413 [inline] ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365 rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147 rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247 rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503 rxe_newlink drivers/infiniband/sw/rxe/rxe.c:269 [inline] rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250 nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555 rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0 ---truncated--- CVE-2021-47078 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module Hi, When testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko, the system crashed. The log as follows: [ 141.087026] BUG: unable to handle kernel paging request at ffffffffc09b3a5a [ 141.087241] PGD 8fe4c0d067 P4D 8fe4c0d067 PUD 8fe4c0f067 PMD 103ad89067 PTE 0 [ 141.087464] Oops: 0010 [#1] SMP NOPTI [ 141.087580] CPU: 67 PID: 668 Comm: kworker/67:1 Kdump: loaded Not tainted 4.18.0.x86_64 #47 [ 141.088009] Workqueue: events 0xffffffffc09b3a40 [ 141.088009] RIP: 0010:0xffffffffc09b3a5a [ 141.088009] Code: Bad RIP value. [ 141.088009] RSP: 0018:ffffb9094e2c3e88 EFLAGS: 00010246 [ 141.088009] RAX: 0000000000000000 RBX: ffff9abfdb1f04a0 RCX: 0000000000000000 [ 141.088009] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 [ 141.088009] RBP: 0000000000000000 R08: ffff9abfffee3cb8 R09: 00000000000002e1 [ 141.088009] R10: ffffb9094cb73d90 R11: 00000000000f4240 R12: ffff9abfffee8700 [ 141.088009] R13: 0000000000000000 R14: ffff9abfdb1f04a0 R15: ffff9abfdb1f04a8 [ 141.088009] FS: 0000000000000000(0000) GS:ffff9abfffec0000(0000) knlGS:0000000000000000 [ 141.088009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 141.088009] CR2: ffffffffc09b3a30 CR3: 0000008fe4c0a001 CR4: 00000000007606e0 [ 141.088009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 141.088009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 141.088009] PKRU: 55555554 [ 141.088009] Call Trace: [ 141.088009] ? process_one_work+0x195/0x390 [ 141.088009] ? worker_thread+0x30/0x390 [ 141.088009] ? process_one_work+0x390/0x390 [ 141.088009] ? kthread+0x10d/0x130 [ 141.088009] ? kthread_flush_work_fn+0x10/0x10 [ 141.088009] ? ret_from_fork+0x35/0x40] BUG: unable to handle kernel paging request at ffffffffc0b28a5a [ 200.223240] PGD 97fe00d067 P4D 97fe00d067 PUD 97fe00f067 PMD a580cbf067 PTE 0 [ 200.223464] Oops: 0010 [#1] SMP NOPTI [ 200.223579] CPU: 63 PID: 664 Comm: kworker/63:1 Kdump: loaded Not tainted 4.18.0.x86_64 #46 [ 200.224008] Workqueue: events 0xffffffffc0b28a40 [ 200.224008] RIP: 0010:0xffffffffc0b28a5a [ 200.224008] Code: Bad RIP value. [ 200.224008] RSP: 0018:ffffbf3c8e2a3e88 EFLAGS: 00010246 [ 200.224008] RAX: 0000000000000000 RBX: ffffa0799ad6bca0 RCX: 0000000000000000 [ 200.224008] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 [ 200.224008] RBP: 0000000000000000 R08: ffff9fe43fde3cb8 R09: 00000000000000d5 [ 200.224008] R10: ffffbf3c8cb53d90 R11: 00000000000f4240 R12: ffff9fe43fde8700 [ 200.224008] R13: 0000000000000000 R14: ffffa0799ad6bca0 R15: ffffa0799ad6bca8 [ 200.224008] FS: 0000000000000000(0000) GS:ffff9fe43fdc0000(0000) knlGS:0000000000000000 [ 200.224008] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 200.224008] CR2: ffffffffc0b28a30 CR3: 00000097fe00a002 CR4: 00000000007606e0 [ 200.224008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 200.224008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 200.224008] PKRU: 55555554 [ 200.224008] Call Trace: [ 200.224008] ? process_one_work+0x195/0x390 [ 200.224008] ? worker_thread+0x30/0x390 [ 200.224008] ? process_one_work+0x390/0x390 [ 200.224008] ? kthread+0x10d/0x130 [ 200.224008] ? kthread_flush_work_fn+0x10/0x10 [ 200.224008] ? ret_from_fork+0x35/0x40 [ 200.224008] kernel fault(0x1) notification starting on CPU 63 [ 200.224008] kernel fault(0x1) notification finished on CPU 63 [ 200.224008] CR2: ffffffffc0b28a5a [ 200.224008] ---[ end trace c82a412d93f57412 ]--- The reason is as follows: T1: rmmod ipmi_si. ->ipmi_unregister_smi() -> ipmi_bmc_unregister() -> __ipmi_bmc_unregister() -> kref_put(&bmc->usecount, cleanup_bmc_device); -> schedule_work(&bmc->remove_work); T2: rmmod ipmi_msghandl ---truncated--- CVE-2021-47100 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: asix: fix uninit-value in asix_mdio_read() asix_read_cmd() may read less than sizeof(smsr) bytes and in this case smsr will be uninitialized. Fail log: BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 CVE-2021-47101 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 low In the Linux kernel, the following vulnerability has been resolved: IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() The wrong goto label was used for the error case and missed cleanup of the pkt allocation. Addresses-Coverity-ID: 1493352 ("Resource leak") CVE-2021-47104 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Disable kvmclock on all CPUs on shutdown Currenly, we disable kvmclock from machine_shutdown() hook and this only happens for boot CPU. We need to disable it for all CPUs to guard against memory corruption e.g. on restore from hibernate. Note, writing '0' to kvmclock MSR doesn't clear memory location, it just prevents hypervisor from updating the location so for the short while after write and while CPU is still alive, the clock remains usable and correct so we don't need to switch to some other clocksource. CVE-2021-47110 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Teardown PV features on boot CPU as well Various PV features (Async PF, PV EOI, steal time) work through memory shared with hypervisor and when we restore from hibernation we must properly teardown all these features to make sure hypervisor doesn't write to stale locations after we jump to the previously hibernated kernel (which can try to place anything there). For secondary CPUs the job is already done by kvm_cpu_down_prepare(), register syscore ops to do the same for boot CPU. CVE-2021-47112 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix data corruption by fallocate When fallocate punches holes out of inode size, if original isize is in the middle of last cluster, then the part from isize to the end of the cluster will be zeroed with buffer write, at that time isize is not yet updated to match the new size, if writeback is kicked in, it will invoke ocfs2_writepage()->block_write_full_page() where the pages out of inode size will be dropped. That will cause file corruption. Fix this by zero out eof blocks when extending the inode size. Running the following command with qemu-image 4.2.1 can get a corrupted coverted image file easily. qemu-img convert -p -t none -T none -f qcow2 $qcow_image \ -O qcow2 -o compat=1.1 $qcow_image.conv The usage of fallocate in qemu is like this, it first punches holes out of inode size, then extend the inode size. fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0 fallocate(11, 0, 2276196352, 65536) = 0 v1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html v2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/ CVE-2021-47114 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed We got follow bug_on when run fsstress with injecting IO fault: [130747.323114] kernel BUG at fs/ext4/extents_status.c:762! [130747.323117] Internal error: Oops - BUG: 0 [#1] SMP ...... [130747.334329] Call trace: [130747.334553] ext4_es_cache_extent+0x150/0x168 [ext4] [130747.334975] ext4_cache_extents+0x64/0xe8 [ext4] [130747.335368] ext4_find_extent+0x300/0x330 [ext4] [130747.335759] ext4_ext_map_blocks+0x74/0x1178 [ext4] [130747.336179] ext4_map_blocks+0x2f4/0x5f0 [ext4] [130747.336567] ext4_mpage_readpages+0x4a8/0x7a8 [ext4] [130747.336995] ext4_readpage+0x54/0x100 [ext4] [130747.337359] generic_file_buffered_read+0x410/0xae8 [130747.337767] generic_file_read_iter+0x114/0x190 [130747.338152] ext4_file_read_iter+0x5c/0x140 [ext4] [130747.338556] __vfs_read+0x11c/0x188 [130747.338851] vfs_read+0x94/0x150 [130747.339110] ksys_read+0x74/0xf0 This patch's modification is according to Jan Kara's suggestion in: https://patchwork.ozlabs.org/project/linux-ext4/patch/20210428085158.3728201-1-yebin10@huawei.com/ "I see. Now I understand your patch. Honestly, seeing how fragile is trying to fix extent tree after split has failed in the middle, I would probably go even further and make sure we fix the tree properly in case of ENOSPC and EDQUOT (those are easily user triggerable). Anything else indicates a HW problem or fs corruption so I'd rather leave the extent tree as is and don't try to fix it (which also means we will not create overlapping extents)." CVE-2021-47117 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: pid: take a reference when initializing `cad_pid` During boot, kernel_init_freeable() initializes `cad_pid` to the init task's struct pid. Later on, we may change `cad_pid` via a sysctl, and when this happens proc_do_cad_pid() will increment the refcount on the new pid via get_pid(), and will decrement the refcount on the old pid via put_pid(). As we never called get_pid() when we initialized `cad_pid`, we decrement a reference we never incremented, can therefore free the init task's struct pid early. As there can be dangling references to the struct pid, we can later encounter a use-after-free (e.g. when delivering signals). This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to have been around since the conversion of `cad_pid` to struct pid in commit 9ec52099e4b8 ("[PATCH] replace cad_pid by a struct pid") from the pre-KASAN stone age of v2.6.19. Fix this by getting a reference to the init task's struct pid when we assign it to `cad_pid`. Full KASAN splat below. ================================================================== BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline] BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273 CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1 Hardware name: linux,dummy-virt (DT) Call trace: ns_of_pid include/linux/pid.h:153 [inline] task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 do_notify_parent+0x308/0xe60 kernel/signal.c:1950 exit_notify kernel/exit.c:682 [inline] do_exit+0x2334/0x2bd0 kernel/exit.c:845 do_group_exit+0x108/0x2c8 kernel/exit.c:922 get_signal+0x4e4/0x2a88 kernel/signal.c:2781 do_signal arch/arm64/kernel/signal.c:882 [inline] do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936 work_pending+0xc/0x2dc Allocated by task 0: slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516 slab_alloc_node mm/slub.c:2907 [inline] slab_alloc mm/slub.c:2915 [inline] kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920 alloc_pid+0xdc/0xc00 kernel/pid.c:180 copy_process+0x2794/0x5e18 kernel/fork.c:2129 kernel_clone+0x194/0x13c8 kernel/fork.c:2500 kernel_thread+0xd4/0x110 kernel/fork.c:2552 rest_init+0x44/0x4a0 init/main.c:687 arch_call_rest_init+0x1c/0x28 start_kernel+0x520/0x554 init/main.c:1064 0x0 Freed by task 270: slab_free_hook mm/slub.c:1562 [inline] slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600 slab_free mm/slub.c:3161 [inline] kmem_cache_free+0x224/0x8e0 mm/slub.c:3177 put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114 put_pid+0x30/0x48 kernel/pid.c:109 proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401 proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591 proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617 call_write_iter include/linux/fs.h:1977 [inline] new_sync_write+0x3ac/0x510 fs/read_write.c:518 vfs_write fs/read_write.c:605 [inline] vfs_write+0x9c4/0x1018 fs/read_write.c:585 ksys_write+0x124/0x240 fs/read_write.c:658 __do_sys_write fs/read_write.c:670 [inline] __se_sys_write fs/read_write.c:667 [inline] __arm64_sys_write+0x78/0xb0 fs/read_write.c:667 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall arch/arm64/kernel/syscall.c:49 [inline] el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129 do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168 el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416 el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432 el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701 The buggy address belongs to the object at ffff23794dda0000 which belongs to the cache pid of size 224 The buggy address is located 4 bytes inside of 224-byte region [ff ---truncated--- CVE-2021-47118 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in ext4_fill_super Buffer head references must be released before calling kill_bdev(); otherwise the buffer head (and its page referenced by b_data) will not be freed by kill_bdev, and subsequently that bh will be leaked. If blocksizes differ, sb_set_blocksize() will kill current buffers and page cache by using kill_bdev(). And then super block will be reread again but using correct blocksize this time. sb_set_blocksize() didn't fully free superblock page and buffer head, and being busy, they were not freed and instead leaked. This can easily be reproduced by calling an infinite loop of: systemctl start <ext4_on_lvm>.mount, and systemctl stop <ext4_on_lvm>.mount ... since systemd creates a cgroup for each slice which it mounts, and the bh leak get amplified by a dying memory cgroup that also never gets freed, and memory consumption is much more easily noticed. CVE-2021-47119 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: cxgb4: avoid accessing registers when clearing filters Hardware register having the server TID base can contain invalid values when adapter is in bad state (for example, due to AER fatal error). Reading these invalid values in the register can lead to out-of-bound memory access. So, fix by using the saved server TID base when clearing filters. CVE-2021-47138 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: gve: Add NULL pointer checks when freeing irqs. When freeing notification blocks, we index priv->msix_vectors. If we failed to allocate priv->msix_vectors (see abort_with_msix_vectors) this could lead to a NULL pointer dereference if the driver is unloaded. CVE-2021-47141 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix a use-after-free looks like we forget to set ttm->sg to NULL. Hit panic below [ 1235.844104] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b7b4b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI [ 1235.989074] Call Trace: [ 1235.991751] sg_free_table+0x17/0x20 [ 1235.995667] amdgpu_ttm_backend_unbind.cold+0x4d/0xf7 [amdgpu] [ 1236.002288] amdgpu_ttm_backend_destroy+0x29/0x130 [amdgpu] [ 1236.008464] ttm_tt_destroy+0x1e/0x30 [ttm] [ 1236.013066] ttm_bo_cleanup_memtype_use+0x51/0xa0 [ttm] [ 1236.018783] ttm_bo_release+0x262/0xa50 [ttm] [ 1236.023547] ttm_bo_put+0x82/0xd0 [ttm] [ 1236.027766] amdgpu_bo_unref+0x26/0x50 [amdgpu] [ 1236.032809] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x7aa/0xd90 [amdgpu] [ 1236.040400] kfd_ioctl_alloc_memory_of_gpu+0xe2/0x330 [amdgpu] [ 1236.046912] kfd_ioctl+0x463/0x690 [amdgpu] CVE-2021-47142 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: remove device from smcd_dev_list after failed device_add() If the device_add() for a smcd_dev fails, there's no cleanup step that rolls back the earlier list_add(). The device subsequently gets freed, and we end up with a corrupted list. Add some error handling that removes the device from the list. CVE-2021-47143 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: mld: fix panic in mld_newpack() mld_newpack() doesn't allow to allocate high order page, only order-0 allocation is allowed. If headroom size is too large, a kernel panic could occur in skb_put(). Test commands: ip netns del A ip netns del B ip netns add A ip netns add B ip link add veth0 type veth peer name veth1 ip link set veth0 netns A ip link set veth1 netns B ip netns exec A ip link set lo up ip netns exec A ip link set veth0 up ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0 ip netns exec B ip link set lo up ip netns exec B ip link set veth1 up ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1 for i in {1..99} do let A=$i-1 ip netns exec A ip link add ip6gre$i type ip6gre \ local 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100 ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i ip netns exec A ip link set ip6gre$i up ip netns exec B ip link add ip6gre$i type ip6gre \ local 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100 ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i ip netns exec B ip link set ip6gre$i up done Splat looks like: kernel BUG at net/core/skbuff.c:110! invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:skb_panic+0x15d/0x15f Code: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83 41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89 34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20 RSP: 0018:ffff88810091f820 EFLAGS: 00010282 RAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000 RDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb RBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031 R10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028 R13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0 FS: 0000000000000000(0000) GS:ffff888117c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600 ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600 skb_put.cold.104+0x22/0x22 ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600 ? rcu_read_lock_sched_held+0x91/0xc0 mld_newpack+0x398/0x8f0 ? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600 ? lock_contended+0xc40/0xc40 add_grhead.isra.33+0x280/0x380 add_grec+0x5ca/0xff0 ? mld_sendpack+0xf40/0xf40 ? lock_downgrade+0x690/0x690 mld_send_initial_cr.part.34+0xb9/0x180 ipv6_mc_dad_complete+0x15d/0x1b0 addrconf_dad_completed+0x8d2/0xbb0 ? lock_downgrade+0x690/0x690 ? addrconf_rs_timer+0x660/0x660 ? addrconf_dad_work+0x73c/0x10e0 addrconf_dad_work+0x73c/0x10e0 Allowing high order page allocation could fix this problem. CVE-2021-47146 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: fujitsu: fix potential null-ptr-deref In fmvj18x_get_hwinfo(), if ioremap fails there will be NULL pointer deref. To fix this, check the return value of ioremap and return -1 to the caller in case of failure. CVE-2021-47149 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: fec: fix the potential memory leak in fec_enet_init() If the memory allocated for cbd_base is failed, it should free the memory allocated for the queues, otherwise it causes memory leak. And if the memory allocated for the queues is failed, it can return error directly. CVE-2021-47150 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Don't generate an interrupt on bus reset Now that the i2c-i801 driver supports interrupts, setting the KILL bit in a attempt to recover from a timed out transaction triggers an interrupt. Unfortunately, the interrupt handler (i801_isr) is not prepared for this situation and will try to process the interrupt as if it was signaling the end of a successful transaction. In the case of a block transaction, this can result in an out-of-range memory access. This condition was reproduced several times by syzbot: https://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e https://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e https://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e https://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb https://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a https://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79 So disable interrupts while trying to reset the bus. Interrupts will be enabled again for the following transaction. CVE-2021-47153 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: spi: spi-fsl-dspi: Fix a resource leak in an error handling path 'dspi_request_dma()' should be undone by a 'dspi_release_dma()' call in the error handling path of the probe function, as already done in the remove function CVE-2021-47161 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: tipc: skb_linearize the head skb when reassembling msgs It's not a good idea to append the frag skb to a skb's frag_list if the frag_list already has skbs from elsewhere, such as this skb was created by pskb_copy() where the frag_list was cloned (all the skbs in it were skb_get'ed) and shared by multiple skbs. However, the new appended frag skb should have been only seen by the current skb. Otherwise, it will cause use after free crashes as this appended frag skb are seen by multiple skbs but it only got skb_get called once. The same thing happens with a skb updated by pskb_may_pull() with a skb_cloned skb. Li Shuang has reported quite a few crashes caused by this when doing testing over macvlan devices: [] kernel BUG at net/core/skbuff.c:1970! [] Call Trace: [] skb_clone+0x4d/0xb0 [] macvlan_broadcast+0xd8/0x160 [macvlan] [] macvlan_process_broadcast+0x148/0x150 [macvlan] [] process_one_work+0x1a7/0x360 [] worker_thread+0x30/0x390 [] kernel BUG at mm/usercopy.c:102! [] Call Trace: [] __check_heap_object+0xd3/0x100 [] __check_object_size+0xff/0x16b [] simple_copy_to_iter+0x1c/0x30 [] __skb_datagram_iter+0x7d/0x310 [] __skb_datagram_iter+0x2a5/0x310 [] skb_copy_datagram_iter+0x3b/0x90 [] tipc_recvmsg+0x14a/0x3a0 [tipc] [] ____sys_recvmsg+0x91/0x150 [] ___sys_recvmsg+0x7b/0xc0 [] kernel BUG at mm/slub.c:305! [] Call Trace: [] <IRQ> [] kmem_cache_free+0x3ff/0x400 [] __netif_receive_skb_core+0x12c/0xc40 [] ? kmem_cache_alloc+0x12e/0x270 [] netif_receive_skb_internal+0x3d/0xb0 [] ? get_rx_page_info+0x8e/0xa0 [be2net] [] be_poll+0x6ef/0xd00 [be2net] [] ? irq_exit+0x4f/0x100 [] net_rx_action+0x149/0x3b0 ... This patch is to fix it by linearizing the head skb if it has frag_list set in tipc_buf_append(). Note that we choose to do this before calling skb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we can not just drop the frag_list either as the early time. CVE-2021-47162 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/meson: fix shutdown crash when component not probed When main component is not probed, by example when the dw-hdmi module is not loaded yet or in probe defer, the following crash appears on shutdown: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038 ... pc : meson_drv_shutdown+0x24/0x50 lr : platform_drv_shutdown+0x20/0x30 ... Call trace: meson_drv_shutdown+0x24/0x50 platform_drv_shutdown+0x20/0x30 device_shutdown+0x158/0x360 kernel_restart_prepare+0x38/0x48 kernel_restart+0x18/0x68 __do_sys_reboot+0x224/0x250 __arm64_sys_reboot+0x24/0x30 ... Simply check if the priv struct has been allocated before using it. CVE-2021-47165 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce() The value of mirror->pg_bytes_written should only be updated after a successful attempt to flush out the requests on the list. CVE-2021-47166 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFS: Fix an Oopsable condition in __nfs_pageio_add_request() Ensure that nfs_pageio_error_cleanup() resets the mirror array contents, so that the structure reflects the fact that it is now empty. Also change the test in nfs_pageio_do_add_request() to be more robust by checking whether or not the list is empty rather than relying on the value of pg_count. CVE-2021-47167 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFS: fix an incorrect limit in filelayout_decode_layout() The "sizeof(struct nfs_fh)" is two bytes too large and could lead to memory corruption. It should be NFS_MAXFHSIZE because that's the size of the ->data[] buffer. I reversed the size of the arguments to put the variable on the left. CVE-2021-47168 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait' In 'rp2_probe', the driver registers 'rp2_uart_interrupt' then calls 'rp2_fw_cb' through 'request_firmware_nowait'. In 'rp2_fw_cb', if the firmware don't exists, function just return without initializing ports of 'rp2_card'. But now the interrupt handler function has been registered, and when an interrupt comes, 'rp2_uart_interrupt' may access those ports then causing NULL pointer dereference or other bugs. Because the driver does some initialization work in 'rp2_fw_cb', in order to make the driver ready to handle interrupts, 'request_firmware' should be used instead of asynchronous 'request_firmware_nowait'. This report reveals it: INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59- gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xec/0x156 lib/dump_stack.c:118 assign_lock_key kernel/locking/lockdep.c:727 [inline] register_lock_class+0x14e5/0x1ba0 kernel/locking/lockdep.c:753 __lock_acquire+0x187/0x3750 kernel/locking/lockdep.c:3303 lock_acquire+0x124/0x340 kernel/locking/lockdep.c:3907 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x32/0x50 kernel/locking/spinlock.c:144 spin_lock include/linux/spinlock.h:329 [inline] rp2_ch_interrupt drivers/tty/serial/rp2.c:466 [inline] rp2_asic_interrupt.isra.9+0x15d/0x990 drivers/tty/serial/rp2.c:493 rp2_uart_interrupt+0x49/0xe0 drivers/tty/serial/rp2.c:504 __handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149 handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189 handle_irq_event+0xac/0x140 kernel/irq/handle.c:206 handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725 generic_handle_irq_desc include/linux/irqdesc.h:155 [inline] handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87 do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670 </IRQ> RIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61 Code: 00 00 55 be 04 00 00 00 48 c7 c7 00 c2 2f 8c 48 89 e5 e8 fb 31 e7 f8 8b 05 75 af 8d 03 85 c0 7e 07 0f 00 2d 8a 61 65 00 fb f4 <5d> c3 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 RSP: 0018:ffff88806b71fcc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde RAX: 0000000000000000 RBX: ffffffff8bde7e48 RCX: ffffffff88a21285 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8c2fc200 RBP: ffff88806b71fcc8 R08: fffffbfff185f840 R09: fffffbfff185f840 R10: 0000000000000001 R11: fffffbfff185f840 R12: 0000000000000002 R13: ffffffff8bea18a0 R14: 0000000000000000 R15: 0000000000000000 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline] default_idle+0x6f/0x360 arch/x86/kernel/process.c:557 arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548 default_idle_call+0x3b/0x60 kernel/sched/idle.c:93 cpuidle_idle_call kernel/sched/idle.c:153 [inline] do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263 cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369 start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243 BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 8000000056d27067 P4D 8000000056d27067 PUD 56d28067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59- gc9ba5276e321-prebuilt.qemu.org 04/01/2014 RIP: 0010:readl arch/x86/include/asm/io.h:59 [inline] RIP: 0010:rp2_ch_interrupt drivers/tty/serial/rp2.c:472 [inline] RIP: 0010:rp2_asic_interrupt.isra.9+0x181/0x990 drivers/tty/serial/rp2.c: 493 Co ---truncated--- CVE-2021-47169 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: usb: fix memory leak in smsc75xx_bind Syzbot reported memory leak in smsc75xx_bind(). The problem was is non-freed memory in case of errors after memory allocation. backtrace: [<ffffffff84245b62>] kmalloc include/linux/slab.h:556 [inline] [<ffffffff84245b62>] kzalloc include/linux/slab.h:686 [inline] [<ffffffff84245b62>] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460 [<ffffffff82b5b2e6>] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728 CVE-2021-47171 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: misc/uss720: fix memory leak in uss720_probe uss720_probe forgets to decrease the refcount of usbdev in uss720_probe. Fix this by decreasing the refcount of usbdev by usb_put_dev. BUG: memory leak unreferenced object 0xffff888101113800 (size 2048): comm "kworker/0:1", pid 7, jiffies 4294956777 (age 28.870s) hex dump (first 32 bytes): ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1........... 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................ backtrace: [<ffffffff82b8e822>] kmalloc include/linux/slab.h:554 [inline] [<ffffffff82b8e822>] kzalloc include/linux/slab.h:684 [inline] [<ffffffff82b8e822>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582 [<ffffffff82b98441>] hub_port_connect drivers/usb/core/hub.c:5129 [inline] [<ffffffff82b98441>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] [<ffffffff82b98441>] port_event drivers/usb/core/hub.c:5509 [inline] [<ffffffff82b98441>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591 [<ffffffff81259229>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275 [<ffffffff81259b19>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421 [<ffffffff81261228>] kthread+0x178/0x1b0 kernel/kthread.c:292 [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 CVE-2021-47173 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix sysfs leak in alloc_iommu() iommu_device_sysfs_add() is called before, so is has to be cleaned on subsequent errors. CVE-2021-47177 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return() Commit de144ff4234f changes _pnfs_return_layout() to call pnfs_mark_matching_lsegs_return() passing NULL as the struct pnfs_layout_range argument. Unfortunately, pnfs_mark_matching_lsegs_return() doesn't check if we have a value here before dereferencing it, causing an oops. I'm able to hit this crash consistently when running connectathon basic tests on NFS v4.1/v4.2 against Ontap. CVE-2021-47179 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFC: nci: fix memory leak in nci_allocate_device nfcmrvl_disconnect fails to free the hci_dev field in struct nci_dev. Fix this by freeing hci_dev in nci_free_device. BUG: memory leak unreferenced object 0xffff888111ea6800 (size 1024): comm "kworker/1:0", pid 19, jiffies 4294942308 (age 13.580s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 60 fd 0c 81 88 ff ff .........`...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000004bc25d43>] kmalloc include/linux/slab.h:552 [inline] [<000000004bc25d43>] kzalloc include/linux/slab.h:682 [inline] [<000000004bc25d43>] nci_hci_allocate+0x21/0xd0 net/nfc/nci/hci.c:784 [<00000000c59cff92>] nci_allocate_device net/nfc/nci/core.c:1170 [inline] [<00000000c59cff92>] nci_allocate_device+0x10b/0x160 net/nfc/nci/core.c:1132 [<00000000006e0a8e>] nfcmrvl_nci_register_dev+0x10a/0x1c0 drivers/nfc/nfcmrvl/main.c:153 [<000000004da1b57e>] nfcmrvl_probe+0x223/0x290 drivers/nfc/nfcmrvl/usb.c:345 [<00000000d506aed9>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 [<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554 [<00000000f5009125>] driver_probe_device+0x84/0x100 drivers/base/dd.c:740 [<000000000ce658ca>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:846 [<000000007067d05f>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431 [<00000000f8e13372>] __device_attach+0x122/0x250 drivers/base/dd.c:914 [<000000009cf68860>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491 [<00000000359c965a>] device_add+0x5be/0xc30 drivers/base/core.c:3109 [<00000000086e4bd3>] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2164 [<00000000ca036872>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 [<00000000d40d36f6>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293 [<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554 CVE-2021-47180 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: musb: tusb6010: check return value after calling platform_get_resource() It will cause null-ptr-deref if platform_get_resource() returns NULL, we need check the return value. CVE-2021-47181 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix scsi_mode_sense() buffer length handling Several problems exist with scsi_mode_sense() buffer length handling: 1) The allocation length field of the MODE SENSE(10) command is 16-bits, occupying bytes 7 and 8 of the CDB. With this command, access to mode pages larger than 255 bytes is thus possible. However, the CDB allocation length field is set by assigning len to byte 8 only, thus truncating buffer length larger than 255. 2) If scsi_mode_sense() is called with len smaller than 8 with sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length is increased to 8 and 4 respectively, and the buffer is zero filled with these increased values, thus corrupting the memory following the buffer. Fix these 2 problems by using put_unaligned_be16() to set the allocation length field of MODE SENSE(10) CDB and by returning an error when len is too small. Furthermore, if len is larger than 255B, always try MODE SENSE(10) first, even if the device driver did not set sdev->use_10_for_ms. In case of invalid opcode error for MODE SENSE(10), access to mode pages larger than 255 bytes are not retried using MODE SENSE(6). To avoid buffer length overflows for the MODE_SENSE(10) case, check that len is smaller than 65535 bytes. While at it, also fix the folowing: * Use get_unaligned_be16() to retrieve the mode data length and block descriptor length fields of the mode sense reply header instead of using an open coded calculation. * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable Block Descriptor, which is the opposite of what the dbd argument description was. CVE-2021-47182 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix link down processing to address NULL pointer dereference If an FC link down transition while PLOGIs are outstanding to fabric well known addresses, outstanding ABTS requests may result in a NULL pointer dereference. Driver unload requests may hang with repeated "2878" log messages. The Link down processing results in ABTS requests for outstanding ELS requests. The Abort WQEs are sent for the ELSs before the driver had set the link state to down. Thus the driver is sending the Abort with the expectation that an ABTS will be sent on the wire. The Abort request is stalled waiting for the link to come up. In some conditions the driver may auto-complete the ELSs thus if the link does come up, the Abort completions may reference an invalid structure. Fix by ensuring that Abort set the flag to avoid link traffic if issued due to conditions where the link failed. CVE-2021-47183 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: i40e: Fix NULL ptr dereference on VSI filter sync Remove the reason of null pointer dereference in sync VSI filters. Added new I40E_VSI_RELEASING flag to signalize deleting and releasing of VSI resources to sync this thread with sync filters subtask. Without this patch it is possible to start update the VSI filter list after VSI is removed, that's causing a kernel oops. CVE-2021-47184 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc When running ltp testcase(ltp/testcases/kernel/pty/pty04.c) with arm64, there is a soft lockup, which look like this one: Workqueue: events_unbound flush_to_ldisc Call trace: dump_backtrace+0x0/0x1ec show_stack+0x24/0x30 dump_stack+0xd0/0x128 panic+0x15c/0x374 watchdog_timer_fn+0x2b8/0x304 __run_hrtimer+0x88/0x2c0 __hrtimer_run_queues+0xa4/0x120 hrtimer_interrupt+0xfc/0x270 arch_timer_handler_phys+0x40/0x50 handle_percpu_devid_irq+0x94/0x220 __handle_domain_irq+0x88/0xf0 gic_handle_irq+0x84/0xfc el1_irq+0xc8/0x180 slip_unesc+0x80/0x214 [slip] tty_ldisc_receive_buf+0x64/0x80 tty_port_default_receive_buf+0x50/0x90 flush_to_ldisc+0xbc/0x110 process_one_work+0x1d4/0x4b0 worker_thread+0x180/0x430 kthread+0x11c/0x120 In the testcase pty04, The first process call the write syscall to send data to the pty master. At the same time, the workqueue will do the flush_to_ldisc to pop data in a loop until there is no more data left. When the sender and workqueue running in different core, the sender sends data fastly in full time which will result in workqueue doing work in loop for a long time and occuring softlockup in flush_to_ldisc with kernel configured without preempt. So I add need_resched check and cond_resched in the flush_to_ldisc loop to avoid it. CVE-2021-47185 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Call trace: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 That warning is triggered by the following statement: WARN_ON(lrbp->cmd); Fix this warning by clearing lrbp->cmd from the abort handler. CVE-2021-47188 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix memory ordering between normal and ordered work functions Ordered work functions aren't guaranteed to be handled by the same thread which executed the normal work functions. The only way execution between normal/ordered functions is synchronized is via the WORK_DONE_BIT, unfortunately the used bitops don't guarantee any ordering whatsoever. This manifested as seemingly inexplicable crashes on ARM64, where async_chunk::inode is seen as non-null in async_cow_submit which causes submit_compressed_extents to be called and crash occurs because async_chunk::inode suddenly became NULL. The call trace was similar to: pc : submit_compressed_extents+0x38/0x3d0 lr : async_cow_submit+0x50/0xd0 sp : ffff800015d4bc20 <registers omitted for brevity> Call trace: submit_compressed_extents+0x38/0x3d0 async_cow_submit+0x50/0xd0 run_ordered_work+0xc8/0x280 btrfs_work_helper+0x98/0x250 process_one_work+0x1f0/0x4ac worker_thread+0x188/0x504 kthread+0x110/0x114 ret_from_fork+0x10/0x18 Fix this by adding respective barrier calls which ensure that all accesses preceding setting of WORK_DONE_BIT are strictly ordered before setting the flag. At the same time add a read barrier after reading of WORK_DONE_BIT in run_ordered_work which ensures all subsequent loads would be strictly ordered after reading the bit. This in turn ensures are all accesses before WORK_DONE_BIT are going to be strictly ordered before any access that can occur in ordered_func. CVE-2021-47189 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine An error is detected with the following report when unloading the driver: "KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b" The NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but the flag is not cleared upon completion of the login. This allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi set to LPFC_RPI_ALLOW_ERROR. This results in a use after free access when used as an rpi_ids array index. Fix by clearing the NLP_REG_LOGIN_SEND nlp_flag in lpfc_mbx_cmpl_fc_reg_login(). CVE-2021-47198 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: thermal: Fix NULL pointer dereferences in of_thermal_ functions of_parse_thermal_zones() parses the thermal-zones node and registers a thermal_zone device for each subnode. However, if a thermal zone is consuming a thermal sensor and that thermal sensor device hasn't probed yet, an attempt to set trip_point_*_temp for that thermal zone device can cause a NULL pointer dereference. Fix it. console:/sys/class/thermal/thermal_zone87 # echo 120000 > trip_point_0_temp ... Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 ... Call trace: of_thermal_set_trip_temp+0x40/0xc4 trip_point_temp_store+0xc0/0x1dc dev_attr_store+0x38/0x88 sysfs_kf_write+0x64/0xc0 kernfs_fop_write_iter+0x108/0x1d0 vfs_write+0x2f4/0x368 ksys_write+0x7c/0xec __arm64_sys_write+0x20/0x30 el0_svc_common.llvm.7279915941325364641+0xbc/0x1bc do_el0_svc+0x28/0xa0 el0_svc+0x14/0x24 el0_sync_handler+0x88/0xec el0_sync+0x1c0/0x200 While at it, fix the possible NULL pointer dereference in other functions as well: of_thermal_get_temp(), of_thermal_set_emul_temp(), of_thermal_get_trend(). CVE-2021-47202 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() When parsing the txq list in lpfc_drain_txq(), the driver attempts to pass the requests to the adapter. If such an attempt fails, a local "fail_msg" string is set and a log message output. The job is then added to a completions list for cancellation. Processing of any further jobs from the txq list continues, but since "fail_msg" remains set, jobs are added to the completions list regardless of whether a wqe was passed to the adapter. If successfully added to txcmplq, jobs are added to both lists resulting in list corruption. Fix by clearing the fail_msg string after adding a job to the completions list. This stops the subsequent jobs from being added to the completions list unless they had an appropriate failure. CVE-2021-47203 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove Access to netdev after free_netdev() will cause use-after-free bug. Move debug log before free_netdev() call to avoid it. CVE-2021-47204 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: clk: sunxi-ng: Unregister clocks/resets when unbinding Currently, unbinding a CCU driver unmaps the device's MMIO region, while leaving its clocks/resets and their providers registered. This can cause a page fault later when some clock operation tries to perform MMIO. Fix this by separating the CCU initialization from the memory allocation, and then using a devres callback to unregister the clocks and resets. This also fixes a memory leak of the `struct ccu_reset`, and uses the correct owner (the specific platform driver) for the clocks and resets. Early OF clock providers are never unregistered, and limited error handling is possible, so they are mostly unchanged. The error reporting is made more consistent by moving the message inside of_sunxi_ccu_probe. CVE-2021-47205 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: gus: fix null pointer dereference on pointer block The pointer block return from snd_gf1_dma_next_block could be null, so there is a potential null pointer dereference issue. Fix this by adding a null check before dereference. CVE-2021-47207 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: fix null pointer dereference on pointer cs_desc The pointer cs_desc return from snd_usb_find_clock_source could be null, so there is a potential null pointer dereference issue. Fix this by adding a null check before dereference. CVE-2021-47211 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: advansys: Fix kernel pointer leak Pointers should be printed with %p or %px rather than cast to 'unsigned long' and printed with %lx. Change %lx to %p to print the hashed pointer. CVE-2021-47216 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 low In the Linux kernel, the following vulnerability has been resolved: x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails Check for a valid hv_vp_index array prior to derefencing hv_vp_index when setting Hyper-V's TSC change callback. If Hyper-V setup failed in hyperv_init(), the kernel will still report that it's running under Hyper-V, but will have silently disabled nearly all functionality. BUG: kernel NULL pointer dereference, address: 0000000000000010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc2+ #75 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:set_hv_tscchange_cb+0x15/0xa0 Code: <8b> 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08 ... Call Trace: kvm_arch_init+0x17c/0x280 kvm_init+0x31/0x330 vmx_init+0xba/0x13a do_one_initcall+0x41/0x1c0 kernel_init_freeable+0x1f2/0x23b kernel_init+0x16/0x120 ret_from_fork+0x22/0x30 CVE-2021-47217 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel. In this flaw, a local attacker with a user privilege may impact system Confidentiality. This flaw affects kernel versions prior to 5.14 rc1. CVE-2022-0487 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N In lock_sock_nested of sock.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-174846563References: Upstream kernel CVE-2022-20154 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. CVE-2022-25236 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P There's a possible overflow in handle_image() when shim tries to load and execute crafted EFI executables; The handle_image() function takes into account the SizeOfRawData field from each section to be loaded. An attacker can leverage this to perform out-of-bound writes into memory. Arbitrary code execution is not discarded in such scenario. CVE-2022-28737 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:shim-15.8-25.30.1 important A use-after-free exists in Python through 3.9 via heappushpop in heapq. CVE-2022-48560 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libpython2_7-1_0-2.7.18-33.35.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python-2.7.18-33.35.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python-base-2.7.18-33.35.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python-xml-2.7.18-33.35.1 moderate An issue was discovered in drivers/input/input.c in the Linux kernel before 5.17.10. An attacker can cause a denial of service (panic) because input_set_capability mishandles the situation in which an event code falls outside of a bitmap. CVE-2022-48619 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE. CVE-2022-48624 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:less-458-7.15.1 important In the Linux kernel, the following vulnerability has been resolved: vt: fix memory overlapping when deleting chars in the buffer A memory overlapping copy occurs when deleting a long line. This memory overlapping copy can cause data corruption when scr_memcpyw is optimized to memcpy because memcpy does not ensure its behavior if the destination buffer overlaps with the source buffer. The line buffer is not always broken, because the memcpy utilizes the hardware acceleration, whose result is not deterministic. Fix this problem by using replacing the scr_memcpyw with scr_memmovew. CVE-2022-48627 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup Fix Oops in dasd_alias_get_start_dev() function caused by the pavgroup pointer being NULL. The pavgroup pointer is checked on the entrance of the function but without the lcu->lock being held. Therefore there is a race window between dasd_alias_get_start_dev() and _lcu_update() which sets pavgroup to NULL with the lcu->lock held. Fix by checking the pavgroup pointer with lcu->lock held. CVE-2022-48636 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts() Commit 8f394da36a36 ("scsi: qla2xxx: Drop TARGET_SCF_LOOKUP_LUN_FROM_TAG") made the __qlt_24xx_handle_abts() function return early if tcm_qla2xxx_find_cmd_by_tag() didn't find a command, but it missed to clean up the allocated memory for the management command. CVE-2022-48650 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header If an AF_PACKET socket is used to send packets through ipvlan and the default xmit function of the AF_PACKET socket is changed from dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and remains as the initial value of 65535, this may trigger slab-out-of-bounds bugs as following: ================================================================= UG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] PU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6 ardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 all Trace: print_address_description.constprop.0+0x1d/0x160 print_report.cold+0x4f/0x112 kasan_report+0xa3/0x130 ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] ipvlan_start_xmit+0x29/0xa0 [ipvlan] __dev_direct_xmit+0x2e2/0x380 packet_direct_xmit+0x22/0x60 packet_snd+0x7c9/0xc40 sock_sendmsg+0x9a/0xa0 __sys_sendto+0x18a/0x230 __x64_sys_sendto+0x74/0x90 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd The root cause is: 1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW and skb->protocol is not specified as in packet_parse_headers() 2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit() In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is called. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which use "skb->head + skb->mac_header", out-of-bound access occurs. This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2() and reset mac header in multicast to solve this out-of-bound bug. CVE-2022-48651 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 important In the Linux kernel, the following vulnerability has been resolved: smb3: fix temporary data corruption in insert range insert range doesn't discard the affected cached region so can risk temporarily corrupting file data. Also includes some minor cleanup (avoiding rereading inode size repeatedly unnecessarily) to make it clearer. CVE-2022-48667 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: smb3: fix temporary data corruption in collapse range collapse range doesn't discard the affected cached region so can risk temporarily corrupting the file data. This fixes xfstest generic/031 I also decided to merge a minor cleanup to this into the same patch (avoiding rereading inode size repeatedly unnecessarily) to make it clearer. CVE-2022-48668 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: i40e: Fix kernel crash during module removal The driver incorrectly frees client instance and subsequent i40e module removal leads to kernel crash. Reproducer: 1. Do ethtool offline test followed immediately by another one host# ethtool -t eth0 offline; ethtool -t eth0 offline 2. Remove recursively irdma module that also removes i40e module host# modprobe -r irdma Result: [ 8675.035651] i40e 0000:3d:00.0 eno1: offline testing starting [ 8675.193774] i40e 0000:3d:00.0 eno1: testing finished [ 8675.201316] i40e 0000:3d:00.0 eno1: offline testing starting [ 8675.358921] i40e 0000:3d:00.0 eno1: testing finished [ 8675.496921] i40e 0000:3d:00.0: IRDMA hardware initialization FAILED init_state=2 status=-110 [ 8686.188955] i40e 0000:3d:00.1: i40e_ptp_stop: removed PHC on eno2 [ 8686.943890] i40e 0000:3d:00.1: Deleted LAN device PF1 bus=0x3d dev=0x00 func=0x01 [ 8686.952669] i40e 0000:3d:00.0: i40e_ptp_stop: removed PHC on eno1 [ 8687.761787] BUG: kernel NULL pointer dereference, address: 0000000000000030 [ 8687.768755] #PF: supervisor read access in kernel mode [ 8687.773895] #PF: error_code(0x0000) - not-present page [ 8687.779034] PGD 0 P4D 0 [ 8687.781575] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 8687.785935] CPU: 51 PID: 172891 Comm: rmmod Kdump: loaded Tainted: G W I 5.19.0+ #2 [ 8687.794800] Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.0X.02.0001.051420190324 05/14/2019 [ 8687.805222] RIP: 0010:i40e_lan_del_device+0x13/0xb0 [i40e] [ 8687.810719] Code: d4 84 c0 0f 84 b8 25 01 00 e9 9c 25 01 00 41 bc f4 ff ff ff eb 91 90 0f 1f 44 00 00 41 54 55 53 48 8b 87 58 08 00 00 48 89 fb <48> 8b 68 30 48 89 ef e8 21 8a 0f d5 48 89 ef e8 a9 78 0f d5 48 8b [ 8687.829462] RSP: 0018:ffffa604072efce0 EFLAGS: 00010202 [ 8687.834689] RAX: 0000000000000000 RBX: ffff8f43833b2000 RCX: 0000000000000000 [ 8687.841821] RDX: 0000000000000000 RSI: ffff8f4b0545b298 RDI: ffff8f43833b2000 [ 8687.848955] RBP: ffff8f43833b2000 R08: 0000000000000001 R09: 0000000000000000 [ 8687.856086] R10: 0000000000000000 R11: 000ffffffffff000 R12: ffff8f43833b2ef0 [ 8687.863218] R13: ffff8f43833b2ef0 R14: ffff915103966000 R15: ffff8f43833b2008 [ 8687.870342] FS: 00007f79501c3740(0000) GS:ffff8f4adffc0000(0000) knlGS:0000000000000000 [ 8687.878427] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 8687.884174] CR2: 0000000000000030 CR3: 000000014276e004 CR4: 00000000007706e0 [ 8687.891306] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 8687.898441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 8687.905572] PKRU: 55555554 [ 8687.908286] Call Trace: [ 8687.910737] <TASK> [ 8687.912843] i40e_remove+0x2c0/0x330 [i40e] [ 8687.917040] pci_device_remove+0x33/0xa0 [ 8687.920962] device_release_driver_internal+0x1aa/0x230 [ 8687.926188] driver_detach+0x44/0x90 [ 8687.929770] bus_remove_driver+0x55/0xe0 [ 8687.933693] pci_unregister_driver+0x2a/0xb0 [ 8687.937967] i40e_exit_module+0xc/0xf48 [i40e] Two offline tests cause IRDMA driver failure (ETIMEDOUT) and this failure is indicated back to i40e_client_subtask() that calls i40e_client_del_instance() to free client instance referenced by pf->cinst and sets this pointer to NULL. During the module removal i40e_remove() calls i40e_lan_del_device() that dereferences pf->cinst that is NULL -> crash. Do not remove client instance when client open callbacks fails and just clear __I40E_CLIENT_INSTANCE_OPENED bit. The driver also needs to take care about this situation (when netdev is up and client is NOT opened) in i40e_notify_client_of_netdev_close() and calls client close callback only when __I40E_CLIENT_INSTANCE_OPENED is set. CVE-2022-48688 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix use-after-free warning Fix the following use-after-free warning which is observed during controller reset: refcount_t: underflow; use-after-free. WARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0 CVE-2022-48695 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and the number of it's interfaces less than 4, an out-of-bounds read bug occurs when parsing the interface descriptor for this device. Fix this by checking the number of interfaces. CVE-2022-48701 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 low A deadlock flaw was found in the Linux kernel's BPF subsystem. This flaw allows a local user to potentially crash the system. CVE-2023-0160 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python. CVE-2023-27043 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libpython2_7-1_0-2.7.18-33.35.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python-2.7.18-33.35.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python-base-2.7.18-33.35.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python-xml-2.7.18-33.35.1 moderate An out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. The flaw exists within the processing of seg6 attributes. The issue results from the improper validation of user-supplied data, which can result in a read past the end of an allocated buffer. This flaw allows a privileged local user to disclose sensitive information on affected installations of the Linux kernel. CVE-2023-2860 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVE-2023-28746 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate An issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c. CVE-2023-35827 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record. CVE-2023-38469 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libavahi-client3-0.6.32-32.27.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libavahi-common3-0.6.32-32.27.1 moderate A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function. CVE-2023-38470 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libavahi-client3-0.6.32-32.27.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libavahi-common3-0.6.32-32.27.1 moderate A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function. CVE-2023-38471 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libavahi-client3-0.6.32-32.27.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libavahi-common3-0.6.32-32.27.1 moderate A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function. CVE-2023-38472 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libavahi-client3-0.6.32-32.27.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libavahi-common3-0.6.32-32.27.1 moderate A flaw was found in Shim when an error happened while creating a new ESL variable. If Shim fails to create the new variable, it tries to print an error message to the user; however, the number of parameters used by the logging function doesn't match the format string used by it, leading to a crash under certain circumstances. CVE-2023-40546 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:shim-15.8-25.30.1 moderate A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully. CVE-2023-40547 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:shim-15.8-25.30.1 moderate A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase. CVE-2023-40548 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:shim-15.8-25.30.1 moderate An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's boot phase. CVE-2023-40550 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:shim-15.8-25.30.1 moderate A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. Due to a race condition between nf_tables netlink control plane transaction and nft_set element garbage collection, it is possible to underflow the reference counter causing a use-after-free vulnerability. We recommend upgrading past commit 3e91b0ebd994635df2346353322ac51ce84ce6d8. CVE-2023-4244 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities. CVE-2023-42445 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. CVE-2023-42465 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:sudo-1.8.27-4.48.2 moderate The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. CVE-2023-4408 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:bind-utils-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libbind9-161-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libdns1110-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libirs161-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libisc1107-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libisccc161-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libisccfg163-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:liblwres161-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python-bind-9.11.22-3.52.1 important ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2023-45918 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libncurses5-5.9-88.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libncurses6-5.9-88.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:ncurses-utils-5.9-88.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:terminfo-5.9-88.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:terminfo-base-5.9-88.1 low In the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c. CVE-2023-46343 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate ** REJECT ** CVE-2023-4881 was wrongly assigned to a bug that was deemed to be a non-security issue by the Linux kernel security team. CVE-2023-4881 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. CVE-2023-50387 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:bind-utils-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libbind9-161-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libdns1110-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libirs161-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libisc1107-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libisccc161-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libisccfg163-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:liblwres161-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python-bind-9.11.22-3.52.1 important The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. CVE-2023-50868 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:bind-utils-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libbind9-161-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libdns1110-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libirs161-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libisc1107-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libisccc161-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libisccfg163-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:liblwres161-9.11.22-3.52.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python-bind-9.11.22-3.52.1 important The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/route.c max_size threshold that can be consumed easily, e.g., leading to a denial of service (network is unreachable errors) when IPv6 packets are sent in a loop via a raw socket. CVE-2023-52340 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 important libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. CVE-2023-52425 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libpython2_7-1_0-2.7.18-33.35.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libpython3_4m1_0-3.4.10-25.130.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python-2.7.18-33.35.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python-base-2.7.18-33.35.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python-xml-2.7.18-33.35.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python3-3.4.10-25.130.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python3-base-3.4.10-25.130.1 moderate dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count. CVE-2023-52429 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid crash when parsed profile name is empty When processing a packed profile in unpack_profile() described like "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}" a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then passed to aa_splitn_fqname(). aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace. Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later aa_alloc_profile() crashes as the new profile name is NULL now. general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:strlen+0x1e/0xa0 Call Trace: <TASK> ? strlen+0x1e/0xa0 aa_policy_init+0x1bb/0x230 aa_alloc_profile+0xb1/0x480 unpack_profile+0x3bc/0x4960 aa_unpack+0x309/0x15e0 aa_replace_profiles+0x213/0x33c0 policy_update+0x261/0x370 profile_replace+0x20e/0x2a0 vfs_write+0x2af/0xe00 ksys_write+0x126/0x250 do_syscall_64+0x46/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> ---[ end trace 0000000000000000 ]--- RIP: 0010:strlen+0x1e/0xa0 It seems such behaviour of aa_splitn_fqname() is expected and checked in other places where it is called (e.g. aa_remove_profiles). Well, there is an explicit comment "a ns name without a following profile is allowed" inside. AFAICS, nothing can prevent unpacked "name" to be in form like ":samba-dcerpcd" - it is passed from userspace. Deny the whole profile set replacement in such case and inform user with EPROTO and an explaining message. Found by Linux Verification Center (linuxtesting.org). CVE-2023-52443 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix use after free on context disconnection Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack. CVE-2023-52445 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers NULL pointer dereference when trying to access 'gluebi->desc' in gluebi_read(). ubi_gluebi_init ubi_register_volume_notifier ubi_enumerate_volumes ubi_notify_all gluebi_notify nb->notifier_call() gluebi_create mtd_device_register mtd_device_parse_register add_mtd_device blktrans_notify_add not->add() ftl_add_mtd tr->add_mtd() scan_header mtd_read mtd_read_oob mtd_read_oob_std gluebi_read mtd->read() gluebi->desc - NULL Detailed reproduction information available at the Link [1], In the normal case, obtain gluebi->desc in the gluebi_get_device(), and access gluebi->desc in the gluebi_read(). However, gluebi_get_device() is not executed in advance in the ftl_add_mtd() process, which leads to NULL pointer dereference. The solution for the gluebi module is to run jffs2 on the UBI volume without considering working with ftl or mtdblock [2]. Therefore, this problem can be avoided by preventing gluebi from creating the mtdblock device after creating mtd partition of the type MTD_UBIVOLUME. CVE-2023-52449 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/memhp: Fix access beyond end of drmem array dlpar_memory_remove_by_index() may access beyond the bounds of the drmem lmb array when the LMB lookup fails to match an entry with the given DRC index. When the search fails, the cursor is left pointing to &drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the last valid entry in the array. The debug message at the end of the function then dereferences this pointer: pr_debug("Failed to hot-remove memory at %llx\n", lmb->base_addr); This was found by inspection and confirmed with KASAN: pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234 ================================================================== BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658 Read of size 8 at addr c000000364e97fd0 by task bash/949 dump_stack_lvl+0xa4/0xfc (unreliable) print_report+0x214/0x63c kasan_report+0x140/0x2e0 __asan_load8+0xa8/0xe0 dlpar_memory+0x298/0x1658 handle_dlpar_errorlog+0x130/0x1d0 dlpar_store+0x18c/0x3e0 kobj_attr_store+0x68/0xa0 sysfs_kf_write+0xc4/0x110 kernfs_fop_write_iter+0x26c/0x390 vfs_write+0x2d4/0x4e0 ksys_write+0xac/0x1a0 system_call_exception+0x268/0x530 system_call_vectored_common+0x15c/0x2ec Allocated by task 1: kasan_save_stack+0x48/0x80 kasan_set_track+0x34/0x50 kasan_save_alloc_info+0x34/0x50 __kasan_kmalloc+0xd0/0x120 __kmalloc+0x8c/0x320 kmalloc_array.constprop.0+0x48/0x5c drmem_init+0x2a0/0x41c do_one_initcall+0xe0/0x5c0 kernel_init_freeable+0x4ec/0x5a0 kernel_init+0x30/0x1e0 ret_from_kernel_user_thread+0x14/0x1c The buggy address belongs to the object at c000000364e80000 which belongs to the cache kmalloc-128k of size 131072 The buggy address is located 0 bytes to the right of allocated 98256-byte region [c000000364e80000, c000000364e97fd0) ================================================================== pseries-hotplug-mem: Failed to hot-remove memory at 0 Log failed lookups with a separate message and dereference the cursor only when it points to a valid entry. CVE-2023-52451 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: EDAC/thunderx: Fix possible out-of-bounds string access Enabling -Wstringop-overflow globally exposes a warning for a common bug in the usage of strncat(): drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr': drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=] 1136 | strncat(msg, other, OCX_MESSAGE_SIZE); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ... 1145 | strncat(msg, other, OCX_MESSAGE_SIZE); ... 1150 | strncat(msg, other, OCX_MESSAGE_SIZE); ... Apparently the author of this driver expected strncat() to behave the way that strlcat() does, which uses the size of the destination buffer as its third argument rather than the length of the source buffer. The result is that there is no check on the size of the allocated buffer. Change it to strlcat(). [ bp: Trim compiler output, fixup commit message. ] CVE-2023-52464 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: drivers/amd/pm: fix a use-after-free in kv_parse_power_table When ps allocated by kzalloc equals to NULL, kv_parse_power_table frees adev->pm.dpm.ps that allocated before. However, after the control flow goes through the following call chains: kv_parse_power_table |-> kv_dpm_init |-> kv_dpm_sw_init |-> kv_dpm_fini The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its first free in kv_parse_power_table and causes a use-after-free bug. CVE-2023-52469 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() check the alloc_workqueue return value in radeon_crtc_init() to avoid null-ptr-deref. CVE-2023-52470 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests hfi1 user SDMA request processing has two bugs that can cause data corruption for user SDMA requests that have multiple payload iovecs where an iovec other than the tail iovec does not run up to the page boundary for the buffer pointed to by that iovec.a Here are the specific bugs: 1. user_sdma_txadd() does not use struct user_sdma_iovec->iov.iov_len. Rather, user_sdma_txadd() will add up to PAGE_SIZE bytes from iovec to the packet, even if some of those bytes are past iovec->iov.iov_len and are thus not intended to be in the packet. 2. user_sdma_txadd() and user_sdma_send_pkts() fail to advance to the next iovec in user_sdma_request->iovs when the current iovec is not PAGE_SIZE and does not contain enough data to complete the packet. The transmitted packet will contain the wrong data from the iovec pages. This has not been an issue with SDMA packets from hfi1 Verbs or PSM2 because they only produce iovecs that end short of PAGE_SIZE as the tail iovec of an SDMA request. Fixing these bugs exposes other bugs with the SDMA pin cache (struct mmu_rb_handler) that get in way of supporting user SDMA requests with multiple payload iovecs whose buffers do not end at PAGE_SIZE. So this commit fixes those issues as well. Here are the mmu_rb_handler bugs that non-PAGE_SIZE-end multi-iovec payload user SDMA requests can hit: 1. Overlapping memory ranges in mmu_rb_handler will result in duplicate pinnings. 2. When extending an existing mmu_rb_handler entry (struct mmu_rb_node), the mmu_rb code (1) removes the existing entry under a lock, (2) releases that lock, pins the new pages, (3) then reacquires the lock to insert the extended mmu_rb_node. If someone else comes in and inserts an overlapping entry between (2) and (3), insert in (3) will fail. The failure path code in this case unpins _all_ pages in either the original mmu_rb_node or the new mmu_rb_node that was inserted between (2) and (3). 3. In hfi1_mmu_rb_remove_unless_exact(), mmu_rb_node->refcount is incremented outside of mmu_rb_handler->lock. As a result, mmu_rb_node could be evicted by another thread that gets mmu_rb_handler->lock and checks mmu_rb_node->refcount before mmu_rb_node->refcount is incremented. 4. Related to #2 above, SDMA request submission failure path does not check mmu_rb_node->refcount before freeing mmu_rb_node object. If there are other SDMA requests in progress whose iovecs have pointers to the now-freed mmu_rb_node(s), those pointers to the now-freed mmu_rb nodes will be dereferenced when those SDMA requests complete. CVE-2023-52474 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 low In the Linux kernel, the following vulnerability has been resolved: Input: powermate - fix use-after-free in powermate_config_complete syzbot has found a use-after-free bug [1] in the powermate driver. This happens when the device is disconnected, which leads to a memory free from the powermate_device struct. When an asynchronous control message completes after the kfree and its callback is invoked, the lock does not exist anymore and hence the bug. Use usb_kill_urb() on pm->config to cancel any in-progress requests upon device disconnection. [1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e CVE-2023-52475 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: perf/x86/lbr: Filter vsyscall addresses We found that a panic can occur when a vsyscall is made while LBR sampling is active. If the vsyscall is interrupted (NMI) for perf sampling, this call sequence can occur (most recent at top): __insn_get_emulate_prefix() insn_get_emulate_prefix() insn_get_prefixes() insn_get_opcode() decode_branch_type() get_branch_type() intel_pmu_lbr_filter() intel_pmu_handle_irq() perf_event_nmi_handler() Within __insn_get_emulate_prefix() at frame 0, a macro is called: peek_nbyte_next(insn_byte_t, insn, i) Within this macro, this dereference occurs: (insn)->next_byte Inspecting registers at this point, the value of the next_byte field is the address of the vsyscall made, for example the location of the vsyscall version of gettimeofday() at 0xffffffffff600000. The access to an address in the vsyscall region will trigger an oops due to an unhandled page fault. To fix the bug, filtering for vsyscalls can be done when determining the branch type. This patch will return a "none" branch if a kernel address if found to lie in the vsyscall region. CVE-2023-52476 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: hub: Guard against accesses to uninitialized BOS descriptors Many functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h access fields inside udev->bos without checking if it was allocated and initialized. If usb_get_bos_descriptor() fails for whatever reason, udev->bos will be NULL and those accesses will result in a crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <HASH:1f9e 1> Hardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021 Workqueue: usb_hub_wq hub_event RIP: 0010:hub_port_reset+0x193/0x788 Code: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9 RSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310 RDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840 RBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0 Call Trace: hub_event+0x73f/0x156e ? hub_activate+0x5b7/0x68f process_one_work+0x1a2/0x487 worker_thread+0x11a/0x288 kthread+0x13a/0x152 ? process_one_work+0x487/0x487 ? kthread_associate_blkcg+0x70/0x70 ret_from_fork+0x1f/0x30 Fall back to a default behavior if the BOS descriptor isn't accessible and skip all the functionalities that depend on it: LPM support checks, Super Speed capabilitiy checks, U1/U2 states setup. CVE-2023-52477 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect hidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU) races when it races with itself. hidpp_connect_event() primarily runs from a workqueue but it also runs on probe() and if a "device-connected" packet is received by the hw when the thread running hidpp_connect_event() from probe() is waiting on the hw, then a second thread running hidpp_connect_event() will be started from the workqueue. This opens the following races (note the below code is simplified): 1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; } We can actually see this race hit in the dmesg in the abrt output attached to rhbz#2227968: [ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected. [ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected. Testing with extra logging added has shown that after this the 2 threads take turn grabbing the hw access mutex (send_mutex) so they ping-pong through all the other TOCTOU cases managing to hit all of them: 2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; } 3. Initializing the power_supply class for the battery (problematic!): hidpp_initialize_battery() { if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); } 4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev); The really big problem here is 3. Hitting the race leads to the following sequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); So now we have registered 2 power supplies for the same battery, which looks a bit weird from userspace's pov but this is not even the really big problem. Notice how: 1. This is all devm-maganaged 2. The hidpp->battery.desc struct is shared between the 2 power supplies 3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup() This causes a use after free scenario on USB disconnect of the receiver: 1. The last registered power supply class device gets unregistered 2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory 3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data 4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one: Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08 ... Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event Sep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0 ... Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30 Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0 Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0 Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0 Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680 Sep 22 20:01:35 eric kernel: ---truncated--- CVE-2023-52478 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/srso: Add SRSO mitigation for Hygon processors Add mitigation for the speculative return stack overflow vulnerability which exists on Hygon processors too. CVE-2023-52482 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm: Don't unref the same fb many times by mistake due to deadlock handling If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl() we proceed to unref the fb and then retry the whole thing from the top. But we forget to reset the fb pointer back to NULL, and so if we then get another error during the retry, before the fb lookup, we proceed the unref the same fb again without having gotten another reference. The end result is that the fb will (eventually) end up being freed while it's still in use. Reset fb to NULL once we've unreffed it to avoid doing it again until we've done another fb lookup. This turned out to be pretty easy to hit on a DG2 when doing async flips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I saw that drm_closefb() simply got stuck in a busy loop while walking the framebuffer list. Fortunately I was able to convince it to oops instead, and from there it was easier to track down the culprit. CVE-2023-52486 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO The SC16IS7XX IC supports a burst mode to access the FIFOs where the initial register address is sent ($00), followed by all the FIFO data without having to resend the register address each time. In this mode, the IC doesn't increment the register address for each R/W byte. The regmap_raw_read() and regmap_raw_write() are functions which can perform IO over multiple registers. They are currently used to read/write from/to the FIFO, and although they operate correctly in this burst mode on the SPI bus, they would corrupt the regmap cache if it was not disabled manually. The reason is that when the R/W size is more than 1 byte, these functions assume that the register address is incremented and handle the cache accordingly. Convert FIFO R/W functions to use the regmap _noinc_ versions in order to remove the manual cache control which was a workaround when using the _raw_ versions. FIFO registers are properly declared as volatile so cache will not be used/updated for FIFO accesses. CVE-2023-52488 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() Sili Luo reported a race in nfc_llcp_sock_get(), leading to UAF. Getting a reference on the socket found in a lookup while holding a lock should happen before releasing the lock. nfc_llcp_sock_get_sn() has a similar problem. Finally nfc_llcp_recv_snl() needs to make sure the socket found by nfc_llcp_sock_from_sn() does not disappear. CVE-2023-52502 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/srp: Do not call scsi_done() from srp_abort() After scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler callback, it performs one of the following actions: * Call scsi_queue_insert(). * Call scsi_finish_command(). * Call scsi_eh_scmd_add(). Hence, SCSI abort handlers must not call scsi_done(). Otherwise all the above actions would trigger a use-after-free. Hence remove the scsi_done() call from srp_abort(). Keep the srp_free_req() call before returning SUCCESS because we may not see the command again if SUCCESS is returned. CVE-2023-52515 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: nfc: llcp: Add lock when modifying device list The device list needs its associated lock held when modifying it, or the list could become corrupted, as syzbot discovered. CVE-2023-52524 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg syzbot reported the following uninit-value access issue: ===================================================== BUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline] BUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482 CPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x21c/0x280 lib/dump_stack.c:118 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline] smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482 usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737 usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374 really_probe+0xf20/0x20b0 drivers/base/dd.c:529 driver_probe_device+0x293/0x390 drivers/base/dd.c:701 __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807 bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431 __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873 device_initial_probe+0x4a/0x60 drivers/base/dd.c:920 bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491 device_add+0x3b0e/0x40d0 drivers/base/core.c:2680 usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032 usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241 usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272 really_probe+0xf20/0x20b0 drivers/base/dd.c:529 driver_probe_device+0x293/0x390 drivers/base/dd.c:701 __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807 bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431 __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873 device_initial_probe+0x4a/0x60 drivers/base/dd.c:920 bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491 device_add+0x3b0e/0x40d0 drivers/base/core.c:2680 usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554 hub_port_connect drivers/usb/core/hub.c:5208 [inline] hub_port_connect_change drivers/usb/core/hub.c:5348 [inline] port_event drivers/usb/core/hub.c:5494 [inline] hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415 kthread+0x551/0x590 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293 Local variable ----buf.i87@smsc75xx_bind created at: __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline] smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline] smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482 __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline] smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline] smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482 This issue is caused because usbnet_read_cmd() reads less bytes than requested (zero byte in the reproducer). In this case, 'buf' is not properly filled. This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads less bytes than requested. CVE-2023-52528 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 low In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add(). CVE-2023-52530 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the "(u8 *)" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected. CVE-2023-52531 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix TX CQE error handling For an unknown TX CQE error type (probably from a newer hardware), still free the SKB, update the queue tail, etc., otherwise the accounting will be wrong. Also, TX errors can be triggered by injecting corrupted packets, so replace the WARN_ONCE to ratelimited error logging. CVE-2023-52532 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: team: fix null-ptr-deref when team device type is changed Get a null-ptr-deref bug as follows with reproducer [1]. BUG: kernel NULL pointer dereference, address: 0000000000000228 ... RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q] ... Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x82/0x150 ? exc_page_fault+0x69/0x150 ? asm_exc_page_fault+0x26/0x30 ? vlan_dev_hard_header+0x35/0x140 [8021q] ? vlan_dev_hard_header+0x8e/0x140 [8021q] neigh_connected_output+0xb2/0x100 ip6_finish_output2+0x1cb/0x520 ? nf_hook_slow+0x43/0xc0 ? ip6_mtu+0x46/0x80 ip6_finish_output+0x2a/0xb0 mld_sendpack+0x18f/0x250 mld_ifc_work+0x39/0x160 process_one_work+0x1e6/0x3f0 worker_thread+0x4d/0x2f0 ? __pfx_worker_thread+0x10/0x10 kthread+0xe5/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 [1] $ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}' $ ip link add name t-dummy type dummy $ ip link add link t-dummy name t-dummy.100 type vlan id 100 $ ip link add name t-nlmon type nlmon $ ip link set t-nlmon master team0 $ ip link set t-nlmon nomaster $ ip link set t-dummy up $ ip link set team0 up $ ip link set t-dummy.100 down $ ip link set t-dummy.100 master team0 When enslave a vlan device to team device and team device type is changed from non-ether to ether, header_ops of team device is changed to vlan_header_ops. That is incorrect and will trigger null-ptr-deref for vlan->real_dev in vlan_dev_hard_header() because team device is not a vlan device. Cache eth_header_ops in team_setup(), then assign cached header_ops to header_ops of team net device when its type is changed from non-ether to ether to fix the bug. CVE-2023-52574 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2023-52575 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ceph: fix deadlock or deadcode of misusing dget() The lock order is incorrect between denty and its parent, we should always make sure that the parent get the lock first. But since this deadcode is never used and the parent dir will always be set from the callers, let's just remove it. CVE-2023-52583 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: IB/ipoib: Fix mcast list locking Releasing the `priv->lock` while iterating the `priv->multicast_list` in `ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to remove the items while in the middle of iteration. If the mcast is removed while the lock was dropped, the for loop spins forever resulting in a hard lockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel): Task A (kworker/u72:2 below) | Task B (kworker/u72:0 below) -----------------------------------+----------------------------------- ipoib_mcast_join_task(work) | ipoib_ib_dev_flush_light(work) spin_lock_irq(&priv->lock) | __ipoib_ib_dev_flush(priv, ...) list_for_each_entry(mcast, | ipoib_mcast_dev_flush(dev = priv->dev) &priv->multicast_list, list) | ipoib_mcast_join(dev, mcast) | spin_unlock_irq(&priv->lock) | | spin_lock_irqsave(&priv->lock, flags) | list_for_each_entry_safe(mcast, tmcast, | &priv->multicast_list, list) | list_del(&mcast->list); | list_add_tail(&mcast->list, &remove_list) | spin_unlock_irqrestore(&priv->lock, flags) spin_lock_irq(&priv->lock) | | ipoib_mcast_remove_list(&remove_list) (Here, `mcast` is no longer on the | list_for_each_entry_safe(mcast, tmcast, `priv->multicast_list` and we keep | remove_list, list) spinning on the `remove_list` of | >>> wait_for_completion(&mcast->done) the other thread which is blocked | and the list is still valid on | it's stack.) Fix this by keeping the lock held and changing to GFP_ATOMIC to prevent eventual sleeps. Unfortunately we could not reproduce the lockup and confirm this fix but based on the code review I think this fix should address such lockups. crash> bc 31 PID: 747 TASK: ff1c6a1a007e8000 CPU: 31 COMMAND: "kworker/u72:2" -- [exception RIP: ipoib_mcast_join_task+0x1b1] RIP: ffffffffc0944ac1 RSP: ff646f199a8c7e00 RFLAGS: 00000002 RAX: 0000000000000000 RBX: ff1c6a1a04dc82f8 RCX: 0000000000000000 work (&priv->mcast_task{,.work}) RDX: ff1c6a192d60ac68 RSI: 0000000000000286 RDI: ff1c6a1a04dc8000 &mcast->list RBP: ff646f199a8c7e90 R8: ff1c699980019420 R9: ff1c6a1920c9a000 R10: ff646f199a8c7e00 R11: ff1c6a191a7d9800 R12: ff1c6a192d60ac00 mcast R13: ff1c6a1d82200000 R14: ff1c6a1a04dc8000 R15: ff1c6a1a04dc82d8 dev priv (&priv->lock) &priv->multicast_list (aka head) ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 --- <NMI exception stack> --- #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib] #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967 crash> rx ff646f199a8c7e68 ff646f199a8c7e68: ff1c6a1a04dc82f8 <<< work = &priv->mcast_task.work crash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000 (empty) crash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000 mcast_task.work.func = 0xffffffffc0944910 <ipoib_mcast_join_task>, mcast_mutex.owner.counter = 0xff1c69998efec000 crash> b 8 PID: 8 TASK: ff1c69998efec000 CPU: 33 COMMAND: "kworker/u72:0" -- #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646 #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib] #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib] #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib] #7 [ff ---truncated--- CVE-2023-52587 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: reiserfs: Avoid touching renamed directory if parent does not change The VFS will not be locking moved directory if its parent does not change. Change reiserfs rename code to avoid touching renamed directory if its parent does not change as without locking that can corrupt the filesystem. CVE-2023-52591 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 important In the Linux kernel, the following vulnerability has been resolved: wifi: rt2x00: restart beacon queue when hardware reset When a hardware reset is triggered, all registers are reset, so all queues are forced to stop in hardware interface. However, mac80211 will not automatically stop the queue. If we don't manually stop the beacon queue, the queue will be deadlocked and unable to start again. This patch fixes the issue where Apple devices cannot connect to the AP after calling ieee80211_restart_hw(). CVE-2023-52595 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: s390: fix setting of fpc register kvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control (fpc) register of a guest cpu. The new value is tested for validity by temporarily loading it into the fpc register. This may lead to corruption of the fpc register of the host process: if an interrupt happens while the value is temporarily loaded into the fpc register, and within interrupt context floating point or vector registers are used, the current fp/vx registers are saved with save_fpu_regs() assuming they belong to user space and will be loaded into fp/vx registers when returning to user space. test_fp_ctl() restores the original user space / host process fpc register value, however it will be discarded, when returning to user space. In result the host process will incorrectly continue to run with the value that was supposed to be used for a guest cpu. Fix this by simply removing the test. There is another test right before the SIE context is entered which will handles invalid values. This results in a change of behaviour: invalid values will now be accepted instead of that the ioctl fails with -EINVAL. This seems to be acceptable, given that this interface is most likely not used anymore, and this is in addition the same behaviour implemented with the memory mapped interface (replace invalid values with zero) - see sync_regs() in kvm-s390.c. CVE-2023-52597 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/ptrace: handle setting of fpc register correctly If the content of the floating point control (fpc) register of a traced process is modified with the ptrace interface the new value is tested for validity by temporarily loading it into the fpc register. This may lead to corruption of the fpc register of the tracing process: if an interrupt happens while the value is temporarily loaded into the fpc register, and within interrupt context floating point or vector registers are used, the current fp/vx registers are saved with save_fpu_regs() assuming they belong to user space and will be loaded into fp/vx registers when returning to user space. test_fp_ctl() restores the original user space fpc register value, however it will be discarded, when returning to user space. In result the tracer will incorrectly continue to run with the value that was supposed to be used for the traced process. Fix this by saving fpu register contents with save_fpu_regs() before using test_fp_ctl(). CVE-2023-52598 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2023-52605 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/mm: Fix null-pointer dereference in pgtable_cache_add kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity. CVE-2023-52607 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. Also document in the ABI that this function can return -EFBIG error. CVE-2023-52614 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow timeout for anonymous sets Never used from userspace, disallow these parameters. CVE-2023-52620 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Synchronize devfreq_monitor_[start/stop] There is a chance if a frequent switch of the governor done in a loop result in timer list corruption where timer cancel being done from two place one from cancel_delayed_work_sync() and followed by expire_timers() can be seen from the traces[1]. while true do echo "simple_ondemand" > /sys/class/devfreq/1d84000.ufshc/governor echo "performance" > /sys/class/devfreq/1d84000.ufshc/governor done It looks to be issue with devfreq driver where device_monitor_[start/stop] need to synchronized so that delayed work should get corrupted while it is either being queued or running or being cancelled. Let's use polling flag and devfreq lock to synchronize the queueing the timer instance twice and work data being corrupted. [1] ... .. <idle>-0 [003] 9436.209662: timer_cancel timer=0xffffff80444f0428 <idle>-0 [003] 9436.209664: timer_expire_entry timer=0xffffff80444f0428 now=0x10022da1c function=__typeid__ZTSFvP10timer_listE_global_addr baseclk=0x10022da1c <idle>-0 [003] 9436.209718: timer_expire_exit timer=0xffffff80444f0428 kworker/u16:6-14217 [003] 9436.209863: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2b now=0x10022da1c flags=182452227 vendor.xxxyyy.ha-1593 [004] 9436.209888: timer_cancel timer=0xffffff80444f0428 vendor.xxxyyy.ha-1593 [004] 9436.216390: timer_init timer=0xffffff80444f0428 vendor.xxxyyy.ha-1593 [004] 9436.216392: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2c now=0x10022da1d flags=186646532 vendor.xxxyyy.ha-1593 [005] 9436.220992: timer_cancel timer=0xffffff80444f0428 xxxyyyTraceManag-7795 [004] 9436.261641: timer_cancel timer=0xffffff80444f0428 [2] 9436.261653][ C4] Unable to handle kernel paging request at virtual address dead00000000012a [ 9436.261664][ C4] Mem abort info: [ 9436.261666][ C4] ESR = 0x96000044 [ 9436.261669][ C4] EC = 0x25: DABT (current EL), IL = 32 bits [ 9436.261671][ C4] SET = 0, FnV = 0 [ 9436.261673][ C4] EA = 0, S1PTW = 0 [ 9436.261675][ C4] Data abort info: [ 9436.261677][ C4] ISV = 0, ISS = 0x00000044 [ 9436.261680][ C4] CM = 0, WnR = 1 [ 9436.261682][ C4] [dead00000000012a] address between user and kernel address ranges [ 9436.261685][ C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP [ 9436.261701][ C4] Skip md ftrace buffer dump for: 0x3a982d0 ... [ 9436.262138][ C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S W O 5.10.149-android12-9-o-g17f915d29d0c #1 [ 9436.262141][ C4] Hardware name: Qualcomm Technologies, Inc. (DT) [ 9436.262144][ C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--) [ 9436.262161][ C4] pc : expire_timers+0x9c/0x438 [ 9436.262164][ C4] lr : expire_timers+0x2a4/0x438 [ 9436.262168][ C4] sp : ffffffc010023dd0 [ 9436.262171][ C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18 [ 9436.262178][ C4] x27: ffffffd063569dd0 x26: ffffffd063536008 [ 9436.262182][ C4] x25: 0000000000000001 x24: ffffff88f7c69280 [ 9436.262185][ C4] x23: 00000000000000e0 x22: dead000000000122 [ 9436.262188][ C4] x21: 000000010022da29 x20: ffffff8af72b4e80 [ 9436.262191][ C4] x19: ffffffc010023e50 x18: ffffffc010025038 [ 9436.262195][ C4] x17: 0000000000000240 x16: 0000000000000201 [ 9436.262199][ C4] x15: ffffffffffffffff x14: ffffff889f3c3100 [ 9436.262203][ C4] x13: ffffff889f3c3100 x12: 00000000049f56b8 [ 9436.262207][ C4] x11: 00000000049f56b8 x10: 00000000ffffffff [ 9436.262212][ C4] x9 : ffffffc010023e50 x8 : dead000000000122 [ 9436.262216][ C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8 [ 9436.262220][ C4] x5 : 0000000000000000 x4 : 0000000000000101 [ 9436.262223][ C4] x3 : 0000000000000080 x2 : ffffff8 ---truncated--- CVE-2023-52635 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: s390: vsie: fix race during shadow creation Right now it is possible to see gmap->private being zero in kvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the fact that we add gmap->private == kvm after creation: static int acquire_gmap_shadow(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page) { [...] gmap = gmap_shadow(vcpu->arch.gmap, asce, edat); if (IS_ERR(gmap)) return PTR_ERR(gmap); gmap->private = vcpu->kvm; Let children inherit the private field of the parent. CVE-2023-52639 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled When QoS is disabled, the queue priority value will not map to the correct ieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS is disabled to prevent trying to stop/wake a non-existent queue and failing to stop/wake the actual queue instantiated. Log of issue before change (with kernel parameter qos=0): [ +5.112651] ------------[ cut here ]------------ [ +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __ieee80211_wake_queue+0xd5/0x180 [mac80211] [ +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3 [ +0.000044] videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common [ +0.000055] usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43(O)] [ +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G W O 6.6.7 #1-NixOS [ +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019 [ +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211] [ +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00 [ +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097 [ +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000 [ +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88820b924900 [ +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 000000000003bfd0 [ +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 0000000000000000 [ +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffffc0fa6f40 [ +0.000001] FS: 0000000000000000(0000) GS:ffff88846fb80000(0000) knlGS:0000000000000000 [ +0.000001] CS: 0010 DS: 0 ---truncated--- CVE-2023-52644 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: aio: fix mremap after fork null-deref Commit e4a0d3e720e7 ("aio: Make it possible to remap aio ring") introduced a null-deref if mremap is called on an old aio mapping after fork as mm->ioctx_table will be set to NULL. [jmoyer@redhat.com: fix 80 column issue] CVE-2023-52646 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/tegra: dsi: Add missing check for of_find_device_by_node Add check for the return value of of_find_device_by_node() and return the error if it fails in order to avoid NULL pointer dereference. CVE-2023-52650 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: NTB: fix possible name leak in ntb_register_device() If device_register() fails in ntb_register_device(), the device name allocated by dev_set_name() should be freed. As per the comment in device_register(), callers should use put_device() to give up the reference in the error path. So fix this by calling put_device() in the error path so that the name can be freed in kobject_cleanup(). As a result of this, put_device() in the error path of ntb_register_device() is removed and the actual error is returned. [mani: reworded commit message] CVE-2023-52652 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 low In the Linux kernel, the following vulnerability has been resolved: SUNRPC: fix a memleak in gss_import_v2_context The ctx->mech_used.data allocated by kmemdup is not freed in neither gss_import_v2_context nor it only caller gss_krb5_import_sec_context, which frees ctx on error. Thus, this patch reform the last call of gss_import_v2_context to the gss_krb5_import_ctx_v2, preventing the memleak while keepping the return formation. CVE-2023-52653 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 low A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. CVE-2023-6270 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service. CVE-2023-6356 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service. CVE-2023-6535 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. CVE-2023-6597 important A null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service. CVE-2023-7042 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow. CVE-2023-7192 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive. CVE-2024-0450 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libpython2_7-1_0-2.7.18-33.35.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libpython3_4m1_0-3.4.10-25.130.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python-2.7.18-33.35.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python-base-2.7.18-33.35.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python-xml-2.7.18-33.35.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python3-3.4.10-25.130.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python3-base-3.4.10-25.130.1 moderate A flaw was found in the Netfilter subsystem in the Linux kernel. The issue is in the nft_byteorder_eval() function, where the code iterates through a loop and writes to the `dst` array. On each iteration, 8 bytes are written, but `dst` is an array of u32, so each element only has space for 4 bytes. That means every iteration overwrites part of the previous element corrupting this array of u32. This flaw allows a local user to cause a denial of service or potentially break NetFilter functionality. CVE-2024-0607 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-0727 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libopenssl1_0_0-1.0.2p-3.90.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libopenssl1_1-1.1.1d-2.104.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:openssl-1_0_0-1.0.2p-3.90.1 low A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues. CVE-2024-1151 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug. CVE-2024-2004 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:curl-8.0.1-11.86.2 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libcurl4-8.0.1-11.86.2 low A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems. CVE-2024-2201 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C. This issue affects Linux kernel: v2.6.12-rc2. CVE-2024-22099 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow. CVE-2024-23307 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 important BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options. CVE-2024-23651 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:docker-25.0.5_ce-98.112.1 important BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature. CVE-2024-23652 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:docker-25.0.5_ce-98.112.1 moderate BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5 . Avoid using BuildKit frontends from untrusted sources. CVE-2024-23653 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:docker-25.0.5_ce-98.112.1 moderate In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c. CVE-2024-23848 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access. CVE-2024-23849 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl. CVE-2024-23851 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. CVE-2024-2398 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:curl-8.0.1-11.86.2 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libcurl4-8.0.1-11.86.2 moderate A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue. CVE-2024-24855 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue. CVE-2024-24861 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. CVE-2024-26458 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:krb5-1.16.3-46.12.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:krb5-client-1.16.3-46.12.1 important Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. CVE-2024-26461 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:krb5-1.16.3-46.12.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:krb5-client-1.16.3-46.12.1 moderate In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do. CVE-2024-26585 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path When calling mlxsw_sp_acl_tcam_region_destroy() from an error path after failing to attach the region to an ACL group, we hit a NULL pointer dereference upon 'region->group->tcam' [1]. Fix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam(). [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] RIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0 [...] Call Trace: mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b CVE-2024-26595 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP If the external phy working together with phy-omap-usb2 does not implement send_srp(), we may still attempt to call it. This can happen on an idle Ethernet gadget triggering a wakeup for example: configfs-gadget.g1 gadget.0: ECM Suspend configfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup ... Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute ... PC is at 0x0 LR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc] ... musb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core] usb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether] eth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c dev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4 sch_direct_xmit from __dev_queue_xmit+0x334/0xd88 __dev_queue_xmit from arp_solicit+0xf0/0x268 arp_solicit from neigh_probe+0x54/0x7c neigh_probe from __neigh_event_send+0x22c/0x47c __neigh_event_send from neigh_resolve_output+0x14c/0x1c0 neigh_resolve_output from ip_finish_output2+0x1c8/0x628 ip_finish_output2 from ip_send_skb+0x40/0xd8 ip_send_skb from udp_send_skb+0x124/0x340 udp_send_skb from udp_sendmsg+0x780/0x984 udp_sendmsg from __sys_sendto+0xd8/0x158 __sys_sendto from ret_fast_syscall+0x0/0x58 Let's fix the issue by checking for send_srp() and set_vbus() before calling them. For USB peripheral only cases these both could be NULL. CVE-2024-26600 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: <IRQ> _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) </IRQ> <TASK> __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 </TASK> The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated--- CVE-2024-26614 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems. CVE-2024-26622 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 important In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work. CVE-2024-26642 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: sr9800: Add check for usbnet_get_endpoints Add check for usbnet_get_endpoints() and return the error if it fails in order to transfer the error. CVE-2024-26651 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix IO hang from sbitmap wakeup race In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered with the following blk_mq_get_driver_tag() in case of getting driver tag failure. Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observe the added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime blk_mq_mark_tag_wait() can't get driver tag successfully. This issue can be reproduced by running the following test in loop, and fio hang can be observed in < 30min when running it on my test VM in laptop. modprobe -r scsi_debug modprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4 dev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename` fio --filename=/dev/"$dev" --direct=1 --rw=randrw --bs=4k --iodepth=1 \ --runtime=100 --numjobs=40 --time_based --name=test \ --ioengine=libaio Fix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which is just fine in case of running out of tag. CVE-2024-26671 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ppp_async: limit MRU to 64K syzbot triggered a warning [1] in __alloc_pages(): WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp) Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K") Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU) [1]: WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 Modules linked in: CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Workqueue: events_unbound flush_to_ldisc pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537 sp : ffff800093967580 x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000 x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0 x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8 x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120 x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005 x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000 x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001 x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020 x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0 Call trace: __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926 __do_kmalloc_node mm/slub.c:3969 [inline] __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001 kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590 __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651 __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715 netdev_alloc_skb include/linux/skbuff.h:3235 [inline] dev_alloc_skb include/linux/skbuff.h:3248 [inline] ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline] ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341 tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390 tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37 receive_buf drivers/tty/tty_buffer.c:444 [inline] flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494 process_one_work+0x694/0x1204 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x938/0xef4 kernel/workqueue.c:2787 kthread+0x288/0x310 kernel/kthread.c:388 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 CVE-2024-26675 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ceph: prevent use-after-free in encode_cap_msg() In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This implies before the refcount could be increment here, it was freed. In same file, in "handle_cap_grant()" refcount is decremented by this line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race occurred and resource was freed by the latter line before the former line could increment it. encode_cap_msg() is called by __send_cap() and __send_cap() is called by ceph_check_caps() after calling __prep_cap(). __prep_cap() is where arg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where the refcount must be increased to prevent "use after free" error. CVE-2024-26689 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: fix double-free of blocks due to wrong extents moved_len In ext4_move_extents(), moved_len is only updated when all moves are successfully executed, and only discards orig_inode and donor_inode preallocations when moved_len is not zero. When the loop fails to exit after successfully moving some extents, moved_len is not updated and remains at 0, so it does not discard the preallocations. If the moved extents overlap with the preallocated extents, the overlapped extents are freed twice in ext4_mb_release_inode_pa() and ext4_process_freed_data() (as described in commit 94d7c16cbbbd ("ext4: Fix double-free of blocks with EXT4_IOC_MOVE_EXT")), and bb_free is incremented twice. Hence when trim is executed, a zero-division bug is triggered in mb_update_avg_fragment_size() because bb_free is not zero and bb_fragments is zero. Therefore, update move_len after each extent move to avoid the issue. CVE-2024-26704 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible array in struct sockaddr") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 </TASK> CVE-2024-26733 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/qedr: Fix qedr_create_user_qp error flow Avoid the following warning by making sure to free the allocated resources in case that qedr_init_user_queue() fail. -----------[ cut here ]----------- WARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs] Modules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3 ghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt] CPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1 Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022 RIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs] Code: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff RSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286 RAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016 RDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600 RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 R10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80 R13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0 Call Trace: <TASK> ? show_trace_log_lvl+0x1c4/0x2df ? show_trace_log_lvl+0x1c4/0x2df ? ib_uverbs_close+0x1f/0xb0 [ib_uverbs] ? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs] ? __warn+0x81/0x110 ? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs] ? report_bug+0x10a/0x140 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs] ib_uverbs_close+0x1f/0xb0 [ib_uverbs] __fput+0x94/0x250 task_work_run+0x5c/0x90 do_exit+0x270/0x4a0 do_group_exit+0x2d/0x90 get_signal+0x87c/0x8c0 arch_do_signal_or_restart+0x25/0x100 ? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs] exit_to_user_mode_loop+0x9c/0x130 exit_to_user_mode_prepare+0xb6/0x100 syscall_exit_to_user_mode+0x12/0x40 do_syscall_64+0x69/0x90 ? syscall_exit_work+0x103/0x130 ? syscall_exit_to_user_mode+0x22/0x40 ? do_syscall_64+0x69/0x90 ? syscall_exit_work+0x103/0x130 ? syscall_exit_to_user_mode+0x22/0x40 ? do_syscall_64+0x69/0x90 ? do_syscall_64+0x69/0x90 ? common_interrupt+0x43/0xa0 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x1470abe3ec6b Code: Unable to access opcode bytes at RIP 0x1470abe3ec41. RSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b RDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004 RBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00 R10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358 R13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470 </TASK> --[ end trace 888a9b92e04c5c97 ]-- CVE-2024-26743 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 low In the Linux kernel, the following vulnerability has been resolved: RDMA/srpt: Support specifying the srpt_service_guid parameter Make loading ib_srpt with this parameter set work. The current behavior is that setting that parameter while loading the ib_srpt kernel module triggers the following kernel crash: BUG: kernel NULL pointer dereference, address: 0000000000000000 Call Trace: <TASK> parse_one+0x18c/0x1d0 parse_args+0xe1/0x230 load_module+0x8de/0xa60 init_module_from_file+0x8b/0xd0 idempotent_init_module+0x181/0x240 __x64_sys_finit_module+0x5a/0xb0 do_syscall_64+0x5f/0xe0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 CVE-2024-26744 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: roles: fix NULL pointer issue when put module's reference In current design, usb role class driver will get usb_role_switch parent's module reference after the user get usb_role_switch device and put the reference after the user put the usb_role_switch device. However, the parent device of usb_role_switch may be removed before the user put the usb_role_switch. If so, then, NULL pointer issue will be met when the user put the parent module's reference. This will save the module pointer in structure of usb_role_switch. Then, we don't need to find module by iterating long relations. CVE-2024-26747 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: dm-crypt: don't modify the data when using authenticated encryption It was said that authenticated encryption could produce invalid tag when the data that is being encrypted is modified [1]. So, fix this problem by copying the data into the clone bio first and then encrypt them inside the clone bio. This may reduce performance, but it is needed to prevent the user from corrupting the device by writing data with O_DIRECT and modifying them at the same time. [1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/ CVE-2024-26763 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: edma: Add some null pointer checks to the edma_probe devm_kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity. CVE-2024-26771 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal() Places the logic for checking if the group's block bitmap is corrupt under the protection of the group lock to avoid allocating blocks from the group with a corrupted block bitmap. CVE-2024-26772 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found() Determine if the group block bitmap is corrupted before using ac_b_ex in ext4_mb_try_best_found() to avoid allocating blocks from a group with a corrupted block bitmap in the following concurrency and making the situation worse. ext4_mb_regular_allocator ext4_lock_group(sb, group) ext4_mb_good_group // check if the group bbitmap is corrupted ext4_mb_complex_scan_group // Scan group gets ac_b_ex but doesn't use it ext4_unlock_group(sb, group) ext4_mark_group_bitmap_corrupted(group) // The block bitmap was corrupted during // the group unlock gap. ext4_mb_try_best_found ext4_lock_group(ac->ac_sb, group) ext4_mb_use_best_found mb_mark_used // Allocating blocks in block bitmap corrupted group CVE-2024-26773 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev: sis: Error out if pixclock equals zero The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of pixclock, it may cause divide-by-zero error. In sisfb_check_var(), var->pixclock is used as a divisor to caculate drate before it is checked against zero. Fix this by checking it at the beginning. This is similar to CVE-2022-3061 in i740fb which was fixed by commit 15cf0b8. CVE-2024-26777 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev: savage: Error out if pixclock equals zero The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of pixclock, it may cause divide-by-zero error. Although pixclock is checked in savagefb_decode_var(), but it is not checked properly in savagefb_probe(). Fix this by checking whether pixclock is zero in the function savagefb_check_var() before info->var.pixclock is used as the divisor. This is similar to CVE-2022-3061 in i740fb which was fixed by commit 15cf0b8. CVE-2024-26778 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix race condition on enabling fast-xmit fast-xmit must only be enabled after the sta has been uploaded to the driver, otherwise it could end up passing the not-yet-uploaded sta via drv_tx calls to the driver, leading to potential crashes because of uninitialized drv_priv data. Add a missing sta->uploaded check and re-check fast xmit after inserting a sta. CVE-2024-26779 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: gtp: fix use-after-free and null-ptr-deref in gtp_newlink() The gtp_link_ops operations structure for the subsystem must be registered after registering the gtp_net_ops pernet operations structure. Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug: [ 1010.702740] gtp: GTP module unloaded [ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI [ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] [ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1 [ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014 [ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp] [ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00 [ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203 [ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000 [ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282 [ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000 [ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80 [ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400 [ 1010.715953] FS: 00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000 [ 1010.715958] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0 [ 1010.715968] PKRU: 55555554 [ 1010.715972] Call Trace: [ 1010.715985] ? __die_body.cold+0x1a/0x1f [ 1010.715995] ? die_addr+0x43/0x70 [ 1010.716002] ? exc_general_protection+0x199/0x2f0 [ 1010.716016] ? asm_exc_general_protection+0x1e/0x30 [ 1010.716026] ? gtp_newlink+0x4d7/0x9c0 [gtp] [ 1010.716034] ? gtp_net_exit+0x150/0x150 [gtp] [ 1010.716042] __rtnl_newlink+0x1063/0x1700 [ 1010.716051] ? rtnl_setlink+0x3c0/0x3c0 [ 1010.716063] ? is_bpf_text_address+0xc0/0x1f0 [ 1010.716070] ? kernel_text_address.part.0+0xbb/0xd0 [ 1010.716076] ? __kernel_text_address+0x56/0xa0 [ 1010.716084] ? unwind_get_return_address+0x5a/0xa0 [ 1010.716091] ? create_prof_cpu_mask+0x30/0x30 [ 1010.716098] ? arch_stack_walk+0x9e/0xf0 [ 1010.716106] ? stack_trace_save+0x91/0xd0 [ 1010.716113] ? stack_trace_consume_entry+0x170/0x170 [ 1010.716121] ? __lock_acquire+0x15c5/0x5380 [ 1010.716139] ? mark_held_locks+0x9e/0xe0 [ 1010.716148] ? kmem_cache_alloc_trace+0x35f/0x3c0 [ 1010.716155] ? __rtnl_newlink+0x1700/0x1700 [ 1010.716160] rtnl_newlink+0x69/0xa0 [ 1010.716166] rtnetlink_rcv_msg+0x43b/0xc50 [ 1010.716172] ? rtnl_fdb_dump+0x9f0/0x9f0 [ 1010.716179] ? lock_acquire+0x1fe/0x560 [ 1010.716188] ? netlink_deliver_tap+0x12f/0xd50 [ 1010.716196] netlink_rcv_skb+0x14d/0x440 [ 1010.716202] ? rtnl_fdb_dump+0x9f0/0x9f0 [ 1010.716208] ? netlink_ack+0xab0/0xab0 [ 1010.716213] ? netlink_deliver_tap+0x202/0xd50 [ 1010.716220] ? netlink_deliver_tap+0x218/0xd50 [ 1010.716226] ? __virt_addr_valid+0x30b/0x590 [ 1010.716233] netlink_unicast+0x54b/0x800 [ 1010.716240] ? netlink_attachskb+0x870/0x870 [ 1010.716248] ? __check_object_size+0x2de/0x3b0 [ 1010.716254] netlink_sendmsg+0x938/0xe40 [ 1010.716261] ? netlink_unicast+0x800/0x800 [ 1010.716269] ? __import_iovec+0x292/0x510 [ 1010.716276] ? netlink_unicast+0x800/0x800 [ 1010.716284] __sock_sendmsg+0x159/0x190 [ 1010.716290] ____sys_sendmsg+0x712/0x880 [ 1010.716297] ? sock_write_iter+0x3d0/0x3d0 [ 1010.716304] ? __ia32_sys_recvmmsg+0x270/0x270 [ 1010.716309] ? lock_acquire+0x1fe/0x560 [ 1010.716315] ? drain_array_locked+0x90/0x90 [ 1010.716324] ___sys_sendmsg+0xf8/0x170 [ 1010.716331] ? sendmsg_copy_msghdr+0x170/0x170 [ 1010.716337] ? lockdep_init_map ---truncated--- CVE-2024-26793 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter syzbot reported the following uninit-value access issue [1]: netlink_to_full_skb() creates a new `skb` and puts the `skb->data` passed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data size is specified as `len` and passed to skb_put_data(). This `len` is based on `skb->end` that is not data offset but buffer offset. The `skb->end` contains data and tailroom. Since the tailroom is not initialized when the new `skb` created, KMSAN detects uninitialized memory area when copying the data. This patch resolved this issue by correct the len from `skb->end` to `skb->len`, which is the actual data offset. BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186 copy_to_iter include/linux/uio.h:197 [inline] simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532 __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546 skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_recvmsg net/socket.c:1066 [inline] sock_read_iter+0x467/0x580 net/socket.c:1136 call_read_iter include/linux/fs.h:2014 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x8f6/0xe00 fs/read_write.c:470 ksys_read+0x20f/0x4c0 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [inline] __se_sys_read fs/read_write.c:621 [inline] __x64_sys_read+0x93/0xd0 fs/read_write.c:621 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was stored to memory at: skb_put_data include/linux/skbuff.h:2622 [inline] netlink_to_full_skb net/netlink/af_netlink.c:181 [inline] __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline] __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325 netlink_deliver_tap net/netlink/af_netlink.c:338 [inline] netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline] netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: free_pages_prepare mm/page_alloc.c:1087 [inline] free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347 free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533 release_pages+0x23d3/0x2410 mm/swap.c:1042 free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316 tlb_batch_pages ---truncated--- CVE-2024-26805 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86, relocs: Ignore relocations in .notes section When building with CONFIG_XEN_PV=y, .text symbols are emitted into the .notes section so that Xen can find the "startup_xen" entry point. This information is used prior to booting the kernel, so relocations are not useful. In fact, performing relocations against the .notes section means that the KASLR base is exposed since /sys/kernel/notes is world-readable. To avoid leaking the KASLR base without breaking unprivileged tools that are expecting to read /sys/kernel/notes, skip performing relocations in the .notes section. The values readable in .notes are then identical to those found in System.map. CVE-2024-26816 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: amdkfd: use calloc instead of kzalloc to avoid integer overflow This uses calloc instead of doing the multiplication which might overflow. CVE-2024-26817 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix a memleak in init_credit_return When dma_alloc_coherent fails to allocate dd->cr_base[i].va, init_credit_return should deallocate dd->cr_base and dd->cr_base[i] that allocated before. Or those resources would be never freed and a memleak is triggered. CVE-2024-26839 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix memory leak in cachefiles_add_cache() The following memory leak was reported after unbinding /dev/cachefiles: ================================================================== unreferenced object 0xffff9b674176e3c0 (size 192): comm "cachefilesd2", pid 680, jiffies 4294881224 hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc ea38a44b): [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370 [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0 [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120 [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0 [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0 [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520 [<ffffffff8ebc5069>] ksys_write+0x69/0xf0 [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140 [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76 ================================================================== Put the reference count of cache_cred in cachefiles_daemon_unbind() to fix the problem. And also put cache_cred in cachefiles_add_cache() error branch to avoid memory leaks. CVE-2024-26840 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/ipv6: avoid possible UAF in ip6_route_mpath_notify() syzbot found another use-after-free in ip6_route_mpath_notify() [1] Commit f7225172f25a ("net/ipv6: prevent use after free in ip6_route_mpath_notify") was not able to fix the root cause. We need to defer the fib6_info_release() calls after ip6_route_mpath_notify(), in the cleanup phase. [1] BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0 Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037 CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x167/0x540 mm/kasan/report.c:488 kasan_report+0x142/0x180 mm/kasan/report.c:601 rt6_fill_node+0x1460/0x1ac0 inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184 ip6_route_mpath_notify net/ipv6/route.c:5198 [inline] ip6_route_multipath_add net/ipv6/route.c:5404 [inline] inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7f73dd87dda9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9 RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005 RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858 </TASK> Allocated by task 23037: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:372 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slub.c:3981 [inline] __kmalloc+0x22e/0x490 mm/slub.c:3994 kmalloc include/linux/slab.h:594 [inline] kzalloc include/linux/slab.h:711 [inline] fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155 ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758 ip6_route_multipath_add net/ipv6/route.c:5298 [inline] inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 Freed by task 16: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640 poison_slab_object+0xa6/0xe0 m ---truncated--- CVE-2024-26852 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 important In the Linux kernel, the following vulnerability has been resolved: net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink() The function ice_bridge_setlink() may encounter a NULL pointer dereference if nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently in nla_for_each_nested(). To address this issue, add a check to ensure that br_spec is not NULL before proceeding with the nested attribute iteration. CVE-2024-26855 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: geneve: make sure to pull inner header in geneve_rx() syzbot triggered a bug in geneve_rx() [1] Issue is similar to the one I fixed in commit 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()") We have to save skb->network_header in a temporary variable in order to be able to recompute the network_header pointer after a pskb_inet_may_pull() call. pskb_inet_may_pull() makes sure the needed headers are in skb->head. [1] BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline] BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391 IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] geneve_rx drivers/net/geneve.c:279 [inline] geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391 udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108 udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186 udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346 __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422 udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604 ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:314 [inline] ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:461 [inline] ip_rcv_finish net/ipv4/ip_input.c:449 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569 __netif_receive_skb_one_core net/core/dev.c:5534 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648 process_backlog+0x480/0x8b0 net/core/dev.c:5976 __napi_poll+0xe3/0x980 net/core/dev.c:6576 napi_poll net/core/dev.c:6645 [inline] net_rx_action+0x8b8/0x1870 net/core/dev.c:6778 __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553 do_softirq+0x9a/0xf0 kernel/softirq.c:454 __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline] __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378 dev_queue_xmit include/linux/netdevice.h:3171 [inline] packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3081 [inline] packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook mm/slub.c:3819 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x352/0x790 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1296 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783 packet_alloc_skb net/packet/af_packet.c:2930 [inline] packet_snd net/packet/af_packet.c:3024 [inline] packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CVE-2024-26857 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/bnx2x: Prevent access to a freed page in page_pool Fix race condition leading to system crash during EEH error handling During EEH error recovery, the bnx2x driver's transmit timeout logic could cause a race condition when handling reset tasks. The bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(), which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload() SGEs are freed using bnx2x_free_rx_sge_range(). However, this could overlap with the EEH driver's attempt to reset the device using bnx2x_io_slot_reset(), which also tries to free SGEs. This race condition can result in system crashes due to accessing freed memory locations in bnx2x_free_rx_sge() 799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp, 800 struct bnx2x_fastpath *fp, u16 index) 801 { 802 struct sw_rx_page *sw_buf = &fp->rx_page_ring[index]; 803 struct page *page = sw_buf->page; .... where sw_buf was set to NULL after the call to dma_unmap_page() by the preceding thread. EEH: Beginning: 'slot_reset' PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset() bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing... bnx2x 0011:01:00.0: enabling device (0140 -> 0142) bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload Kernel attempted to read user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc0080000025065fc Oops: Kernel access of bad area, sig: 11 [#1] ..... Call Trace: [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable) [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0 [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550 [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60 [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170 [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0 [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 To solve this issue, we need to verify page pool allocations before freeing. CVE-2024-26859 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: quota: Fix potential NULL pointer dereference Below race may cause NULL pointer dereference P1 P2 dquot_free_inode quota_off drop_dquot_ref remove_dquot_ref dquots = i_dquot(inode) dquots = i_dquot(inode) srcu_read_lock dquots[cnt]) != NULL (1) dquots[type] = NULL (2) spin_lock(&dquots[cnt]->dq_dqb_lock) (3) .... If dquot_free_inode(or other routines) checks inode's quota pointers (1) before quota_off sets it to NULL(2) and use it (3) after that, NULL pointer dereference will be triggered. So let's fix it by using a temporary pointer to avoid this issue. CVE-2024-26878 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stackmap overflow check on 32-bit arches The stackmap code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. The commit in the fixes tag actually attempted to fix this, but the fix did not account for the UB, so the fix only works on CPUs where an overflow does result in a neat truncation to zero, which is not guaranteed. Checking the value before rounding does not have this problem. CVE-2024-26883 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix hashtab overflow check on 32-bit arches The hashtab code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. So apply the same fix to hashtab, by moving the overflow check to before the roundup. CVE-2024-26884 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak syzbot identified a kernel information leak vulnerability in do_sys_name_to_handle() and issued the following report [1]. [1] "BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40 instrument_copy_to_user include/linux/instrumented.h:114 [inline] _copy_to_user+0xbc/0x100 lib/usercopy.c:40 copy_to_user include/linux/uaccess.h:191 [inline] do_sys_name_to_handle fs/fhandle.c:73 [inline] __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 ... Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 __do_kmalloc_node mm/slab_common.c:1006 [inline] __kmalloc+0x121/0x3c0 mm/slab_common.c:1020 kmalloc include/linux/slab.h:604 [inline] do_sys_name_to_handle fs/fhandle.c:39 [inline] __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 ... Bytes 18-19 of 20 are uninitialized Memory access of size 20 starts at ffff888128a46380 Data copied to user address 0000000020000240" Per Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to solve the problem. CVE-2024-26901 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 low In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix fortify source warning while accessing Eth segment ------------[ cut here ]------------ memcpy: detected field-spanning write (size 56) of single field "eseg->inline_hdr.start" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2) WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy [last unloaded: mlx_compat(OE)] CPU: 0 PID: 293779 Comm: ssh Tainted: G OE 6.2.0-32-generic #32~22.04.1-Ubuntu Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7 RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8 R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80 FS: 00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? show_regs+0x72/0x90 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? __warn+0x8d/0x160 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? report_bug+0x1bb/0x1d0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x19/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib] ipoib_send+0x2ec/0x770 [ib_ipoib] ipoib_start_xmit+0x5a0/0x770 [ib_ipoib] dev_hard_start_xmit+0x8e/0x1e0 ? validate_xmit_skb_list+0x4d/0x80 sch_direct_xmit+0x116/0x3a0 __dev_xmit_skb+0x1fd/0x580 __dev_queue_xmit+0x284/0x6b0 ? _raw_spin_unlock_irq+0xe/0x50 ? __flush_work.isra.0+0x20d/0x370 ? push_pseudo_header+0x17/0x40 [ib_ipoib] neigh_connected_output+0xcd/0x110 ip_finish_output2+0x179/0x480 ? __smp_call_single_queue+0x61/0xa0 __ip_finish_output+0xc3/0x190 ip_finish_output+0x2e/0xf0 ip_output+0x78/0x110 ? __pfx_ip_finish_output+0x10/0x10 ip_local_out+0x64/0x70 __ip_queue_xmit+0x18a/0x460 ip_queue_xmit+0x15/0x30 __tcp_transmit_skb+0x914/0x9c0 tcp_write_xmit+0x334/0x8d0 tcp_push_one+0x3c/0x60 tcp_sendmsg_locked+0x2e1/0xac0 tcp_sendmsg+0x2d/0x50 inet_sendmsg+0x43/0x90 sock_sendmsg+0x68/0x80 sock_write_iter+0x93/0x100 vfs_write+0x326/0x3c0 ksys_write+0xbd/0xf0 ? do_syscall_64+0x69/0x90 __x64_sys_write+0x19/0x30 do_syscall_ ---truncated--- CVE-2024-26907 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place. CVE-2024-26922 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-26929 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 important In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of the ha->vp_map pointer Coverity scan reported potential risk of double free of the pointer ha->vp_map. ha->vp_map was freed in qla2x00_mem_alloc(), and again freed in function qla2x00_mem_free(ha). Assign NULL to vp_map and kfree take care of NULL. CVE-2024-26930 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 important In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix command flush on cable pull System crash due to command failed to flush back to SCSI layer. BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 27 PID: 793455 Comm: kworker/u130:6 Kdump: loaded Tainted: G OE --------- - - 4.18.0-372.9.1.el8.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc] RIP: 0010:__wake_up_common+0x4c/0x190 Code: 24 10 4d 85 c9 74 0a 41 f6 01 04 0f 85 9d 00 00 00 48 8b 43 08 48 83 c3 08 4c 8d 48 e8 49 8d 41 18 48 39 c3 0f 84 f0 00 00 00 <49> 8b 41 18 89 54 24 08 31 ed 4c 8d 70 e8 45 8b 29 41 f6 c5 04 75 RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086 RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320 RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8 R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20 R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: __wake_up_common_lock+0x7c/0xc0 qla_nvme_ls_req+0x355/0x4c0 [qla2xxx] qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae1407ca000 from port 21:32:00:02:ac:07:ee:b8 loop_id 0x02 s_id 01:02:00 logout 1 keep 0 els_logo 0 ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc] qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:00:02:ac:07:ee:b8 state transitioned from ONLINE to LOST - portid=010200. ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc] qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320002ac07eeb8. rport ffff8ae598122000 roles 1 ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc] qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae14801e000 from port 21:32:01:02:ad:f7:ee:b8 loop_id 0x04 s_id 01:02:01 logout 1 keep 0 els_logo 0 ? __switch_to+0x10c/0x450 ? process_one_work+0x1a7/0x360 qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:01:02:ad:f7:ee:b8 state transitioned from ONLINE to LOST - portid=010201. ? worker_thread+0x1ce/0x390 ? create_worker+0x1a0/0x1a0 qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320102adf7eeb8. rport ffff8ae3b2312800 roles 70 ? kthread+0x10a/0x120 qla2xxx [0000:12:00.1]-2112:3: qla_nvme_unregister_remote_port: unregister remoteport on ffff8ae14801e000 21320102adf7eeb8 ? set_kthread_struct+0x40/0x40 qla2xxx [0000:12:00.1]-2110:3: remoteport_delete of ffff8ae14801e000 21320102adf7eeb8 completed. ? ret_from_fork+0x1f/0x40 qla2xxx [0000:12:00.1]-f086:3: qlt_free_session_done: waiting for sess ffff8ae14801e000 logout The system was under memory stress where driver was not able to allocate an SRB to carry out error recovery of cable pull. The failure to flush causes upper layer to start modifying scsi_cmnd. When the system frees up some memory, the subsequent cable pull trigger another command flush. At this point the driver access a null pointer when attempting to DMA unmap the SGL. Add a check to make sure commands are flush back on session tear down to prevent the null pointer access. CVE-2024-26931 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add a dc_state NULL check in dc_state_release [How] Check wheather state is NULL before releasing it. CVE-2024-26948 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: fs: sysfs: Fix reference leak in sysfs_break_active_protection() The sysfs_break_active_protection() routine has an obvious reference leak in its error path. If the call to kernfs_find_and_get() fails then kn will be NULL, so the companion sysfs_unbreak_active_protection() routine won't get called (and would only cause an access violation by trying to dereference kn->parent if it was called). As a result, the reference to kobj acquired at the start of the function will never be released. Fix the leak by adding an explicit kobject_put() call when kn is NULL. CVE-2024-26993 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: tun: limit printing rate when illegal packet received by tun dev vhost_worker will call tun call backs to receive packets. If too many illegal packets arrives, tun_do_read will keep dumping packet contents. When console is enabled, it will costs much more cpu time to dump packet and soft lockup will be detected. net_ratelimit mechanism can be used to limit the dumping rate. PID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: "vhost-32980" #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253 #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3 #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e #3 [fffffe00003fced0] do_nmi at ffffffff8922660d #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663 [exception RIP: io_serial_in+20] RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002 RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000 RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0 RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020 R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #5 [ffffa655314979e8] io_serial_in at ffffffff89792594 #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470 #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6 #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605 #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558 #10 [ffffa65531497ac8] console_unlock at ffffffff89316124 #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07 #12 [ffffa65531497b68] printk at ffffffff89318306 #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765 #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun] #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun] #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net] #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost] #18 [ffffa65531497f10] kthread at ffffffff892d2e72 #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f CVE-2024-27013 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Prevent deadlock while disabling aRFS When disabling aRFS under the `priv->state_lock`, any scheduled aRFS works are canceled using the `cancel_work_sync` function, which waits for the work to end if it has already started. However, while waiting for the work handler, the handler will try to acquire the `state_lock` which is already acquired. The worker acquires the lock to delete the rules if the state is down, which is not the worker's responsibility since disabling aRFS deletes the rules. Add an aRFS state variable, which indicates whether the aRFS is enabled and prevent adding rules when the aRFS is disabled. Kernel log: ====================================================== WARNING: possible circular locking dependency detected 6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I ------------------------------------------------------ ethtool/386089 is trying to acquire lock: ffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0 but task is already holding lock: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&priv->state_lock){+.+.}-{3:3}: __mutex_lock+0x80/0xc90 arfs_handle_work+0x4b/0x3b0 [mlx5_core] process_one_work+0x1dc/0x4a0 worker_thread+0x1bf/0x3c0 kthread+0xd7/0x100 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 -> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}: __lock_acquire+0x17b4/0x2c80 lock_acquire+0xd0/0x2b0 __flush_work+0x7a/0x4e0 __cancel_work_timer+0x131/0x1c0 arfs_del_rules+0x143/0x1e0 [mlx5_core] mlx5e_arfs_disable+0x1b/0x30 [mlx5_core] mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core] ethnl_set_channels+0x28f/0x3b0 ethnl_default_set_doit+0xec/0x240 genl_family_rcv_msg_doit+0xd0/0x120 genl_rcv_msg+0x188/0x2c0 netlink_rcv_skb+0x54/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x1a1/0x270 netlink_sendmsg+0x214/0x460 __sock_sendmsg+0x38/0x60 __sys_sendto+0x113/0x170 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x46/0x4e other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&priv->state_lock); lock((work_completion)(&rule->arfs_work)); lock(&priv->state_lock); lock((work_completion)(&rule->arfs_work)); *** DEADLOCK *** 3 locks held by ethtool/386089: #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40 #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240 #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core] stack backtrace: CPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x60/0xa0 check_noncircular+0x144/0x160 __lock_acquire+0x17b4/0x2c80 lock_acquire+0xd0/0x2b0 ? __flush_work+0x74/0x4e0 ? save_trace+0x3e/0x360 ? __flush_work+0x74/0x4e0 __flush_work+0x7a/0x4e0 ? __flush_work+0x74/0x4e0 ? __lock_acquire+0xa78/0x2c80 ? lock_acquire+0xd0/0x2b0 ? mark_held_locks+0x49/0x70 __cancel_work_timer+0x131/0x1c0 ? mark_held_locks+0x49/0x70 arfs_del_rules+0x143/0x1e0 [mlx5_core] mlx5e_arfs_disable+0x1b/0x30 [mlx5_core] mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core] ethnl_set_channels+0x28f/0x3b0 ethnl_default_set_doit+0xec/0x240 genl_family_rcv_msg_doit+0xd0/0x120 genl_rcv_msg+0x188/0x2c0 ? ethn ---truncated--- CVE-2024-27014 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: edia: dvbdev: fix a use-after-free In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed in several error-handling paths. However, *pdvbdev is not set to NULL after dvbdev's deallocation, causing use-after-frees in many places, for example, in the following call chain: budget_register |-> dvb_dmxdev_init |-> dvb_register_device |-> dvb_dmxdev_release |-> dvb_unregister_device |-> dvb_remove_device |-> dvb_device_put |-> kref_put When calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in dvb_register_device) could point to memory that had been freed in dvb_register_device. Thereafter, this pointer is transferred to kref_put and triggering a use-after-free. CVE-2024-27043 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 important In the Linux kernel, the following vulnerability has been resolved: nfp: flower: handle acti_netdevs allocation failure The kmalloc_array() in nfp_fl_lag_do_work() will return null, if the physical memory has run out. As a result, if we dereference the acti_netdevs, the null pointer dereference bugs will happen. This patch adds a check to judge whether allocation failure occurs. If it happens, the delayed work will be rescheduled and try again. CVE-2024-27046 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/dasd: fix double module refcount decrement Once the discipline is associated with the device, deleting the device takes care of decrementing the module's refcount. Doing it manually on this error path causes refcount to artificially decrease on each error while it should just stay the same. CVE-2024-27054 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: usbtv: Remove useless locks in usbtv_video_free() Remove locks calls in usbtv_video_free() because are useless and may led to a deadlock as reported here: https://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000 Also remove usbtv_stop() call since it will be called when unregistering the device. Before 'c838530d230b' this issue would only be noticed if you disconnect while streaming and now it is noticeable even when disconnecting while not streaming. [hverkuil: fix minor spelling mistake in log message] CVE-2024-27072 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: ttpci: fix two memleaks in budget_av_attach When saa7146_register_device and saa7146_vv_init fails, budget_av_attach should free the resources it allocates, like the error-handling of ttpci_budget_init does. Besides, there are two fixme comment refers to such deallocations. CVE-2024-27073 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: go7007: fix a memleak in go7007_load_encoder In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without a deallocation thereafter. After the following call chain: saa7134_go7007_init |-> go7007_boot_encoder |-> go7007_load_encoder |-> kfree(go) go is freed and thus bounce is leaked. CVE-2024-27074 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: avoid stack overflow warnings with clang A previous patch worked around a KASAN issue in stv0367, now a similar problem showed up with clang: drivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than] 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe) Rework the stv0367_writereg() function to be simpler and mark both register access functions as noinline_for_stack so the temporary i2c_msg structures do not get duplicated on the stack when KASAN_STACK is enabled. CVE-2024-27075 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: v4l2-tpg: fix some memleaks in tpg_alloc In tpg_alloc, resources should be deallocated in each and every error-handling paths, since they are allocated in for statements. Otherwise there would be memleaks because tpg_free is called only when tpg_alloc return 0. CVE-2024-27078 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate In the Linux kernel, the following vulnerability has been resolved: SUNRPC: fix some memleaks in gssx_dec_option_array The creds and oa->data need to be freed in the error-handling paths after their allocation. So this patch add these deallocations in the corresponding paths. CVE-2024-27388 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:kernel-default-4.12.14-122.216.1 moderate wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover. CVE-2024-28085 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libblkid1-2.33.2-4.36.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libfdisk1-2.33.2-4.36.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libmount1-2.33.2-4.36.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libsmartcols1-2.33.2-4.36.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libuuid1-2.33.2-4.36.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:util-linux-2.33.2-4.36.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:util-linux-systemd-2.33.2-4.36.1 important nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability. CVE-2024-28182 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libnghttp2-14-1.39.2-3.18.1 important The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable. CVE-2024-2961 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glibc-2.22-114.34.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glibc-i18ndata-2.22-114.34.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glibc-locale-2.22-114.34.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:nscd-2.22-114.34.1 important less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases. CVE-2024-32487 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:less-458-7.15.1 important nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. CVE-2024-33599 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glibc-2.22-114.34.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glibc-i18ndata-2.22-114.34.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glibc-locale-2.22-114.34.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:nscd-2.22-114.34.1 important nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. CVE-2024-33600 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glibc-2.22-114.34.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glibc-i18ndata-2.22-114.34.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glibc-locale-2.22-114.34.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:nscd-2.22-114.34.1 important nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. CVE-2024-33601 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glibc-2.22-114.34.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glibc-i18ndata-2.22-114.34.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glibc-locale-2.22-114.34.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:nscd-2.22-114.34.1 moderate nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. CVE-2024-33602 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glibc-2.22-114.34.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glibc-i18ndata-2.22-114.34.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glibc-locale-2.22-114.34.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:nscd-2.22-114.34.1 low An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact. CVE-2024-34397 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:glib2-tools-2.48.2-12.37.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libgio-2_0-0-2.48.2-12.37.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libglib-2_0-0-2.48.2-12.37.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libgmodule-2_0-0-2.48.2-12.37.1 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:libgobject-2_0-0-2.48.2-12.37.1 low A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size. CVE-2024-3651 Public Cloud Image google/sles-12-sp5-v20240609-x86-64:python3-idna-2.5-3.13.1 moderate