Security update for the Linux Kernel SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:1645-1 Final 1 1 2024-05-14T14:30:22Z current 2024-05-14T14:30:22Z 2024-05-14T14:30:22Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel The SUSE Linux Enterprise 15 SP3 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-26840: Fixed a memory leak in cachefiles_add_cache() (bsc#1222976). - CVE-2021-47113: Abort btrfs rename_exchange if we fail to insert the second ref (bsc#1221543). - CVE-2021-47131: Fixed a use-after-free after the TLS device goes down and up (bsc#1221545). - CVE-2024-26852: Fixed net/ipv6 to avoid possible UAF in ip6_route_mpath_notify() (bsc#1223057). - CVE-2021-46955: Fixed an out-of-bounds read with openvswitch, when fragmenting IPv4 packets (bsc#1220513). - CVE-2024-26862: Fixed packet annotate data-races around ignore_outgoing (bsc#1223111). - CVE-2024-0639: Fixed a denial-of-service vulnerability due to a deadlock found in sctp_auto_asconf_init in net/sctp/socket.c (bsc#1218917). - CVE-2024-27043: Fixed a use-after-free in edia/dvbdev in different places (bsc#1223824). - CVE-2022-48631: Fixed a bug in ext4, when parsing extents where eh_entries == 0 and eh_depth > 0 (bsc#1223475). - CVE-2024-23307: Fixed Integer Overflow or Wraparound vulnerability in x86 and ARM md, raid, raid5 modules (bsc#1219169). - CVE-2022-48651: Fixed an out-of-bound bug in ipvlan caused by unset skb->mac_header (bsc#1223513). - CVE-2024-26906: Disallowed vsyscall page read for copy_from_kernel_nofault() (bsc#1223202). - CVE-2024-26816: Fixed relocations in .notes section when building with CONFIG_XEN_PV=y by ignoring them (bsc#1222624). - CVE-2021-47207: Fixed a null pointer dereference on pointer block in gus (bsc#1222790). - CVE-2024-26610: Fixed memory corruption in wifi/iwlwifi (bsc#1221299). - CVE-2024-26689: Fixed a use-after-free in encode_cap_msg() (bsc#1222503). - CVE-2021-47041: Don't set sk_user_data without write_lock (bsc#1220755). - CVE-2021-47074: Fixed memory leak in nvme_loop_create_ctrl() (bsc#1220854). - CVE-2024-26744: Fixed null pointer dereference in srpt_service_guid parameter in rdma/srpt (bsc#1222449). The following non-security bugs were fixed: - dm rq: do not queue request to blk-mq during DM suspend (bsc#1221113). - dm: rearrange core declarations for extended use from dm-zone.c (bsc#1221113). - net/tls: Remove the context from the list in tls_device_down (bsc#1221545). - tls: Fix context leak on tls_device_down (bsc#1221545). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-1645,SUSE-SUSE-MicroOS-5.1-2024-1645,SUSE-SUSE-MicroOS-5.2-2024-1645 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ Link for SUSE-SU-2024:1645-1 https://lists.suse.com/pipermail/sle-updates/2024-May/035262.html E-Mail link for SUSE-SU-2024:1645-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1190576 SUSE Bug 1190576 https://bugzilla.suse.com/1192145 SUSE Bug 1192145 https://bugzilla.suse.com/1200313 SUSE Bug 1200313 https://bugzilla.suse.com/1201489 SUSE Bug 1201489 https://bugzilla.suse.com/1203906 SUSE Bug 1203906 https://bugzilla.suse.com/1203935 SUSE Bug 1203935 https://bugzilla.suse.com/1204614 SUSE Bug 1204614 https://bugzilla.suse.com/1211592 SUSE Bug 1211592 https://bugzilla.suse.com/1218562 SUSE Bug 1218562 https://bugzilla.suse.com/1218917 SUSE Bug 1218917 https://bugzilla.suse.com/1219169 SUSE Bug 1219169 https://bugzilla.suse.com/1219170 SUSE Bug 1219170 https://bugzilla.suse.com/1219264 SUSE Bug 1219264 https://bugzilla.suse.com/1220513 SUSE Bug 1220513 https://bugzilla.suse.com/1220755 SUSE Bug 1220755 https://bugzilla.suse.com/1220854 SUSE Bug 1220854 https://bugzilla.suse.com/1221113 SUSE Bug 1221113 https://bugzilla.suse.com/1221299 SUSE Bug 1221299 https://bugzilla.suse.com/1221543 SUSE Bug 1221543 https://bugzilla.suse.com/1221545 SUSE Bug 1221545 https://bugzilla.suse.com/1222449 SUSE Bug 1222449 https://bugzilla.suse.com/1222482 SUSE Bug 1222482 https://bugzilla.suse.com/1222503 SUSE Bug 1222503 https://bugzilla.suse.com/1222559 SUSE Bug 1222559 https://bugzilla.suse.com/1222624 SUSE Bug 1222624 https://bugzilla.suse.com/1222666 SUSE Bug 1222666 https://bugzilla.suse.com/1222709 SUSE Bug 1222709 https://bugzilla.suse.com/1222790 SUSE Bug 1222790 https://bugzilla.suse.com/1222792 SUSE Bug 1222792 https://bugzilla.suse.com/1222829 SUSE Bug 1222829 https://bugzilla.suse.com/1222876 SUSE Bug 1222876 https://bugzilla.suse.com/1222881 SUSE Bug 1222881 https://bugzilla.suse.com/1222883 SUSE Bug 1222883 https://bugzilla.suse.com/1222894 SUSE Bug 1222894 https://bugzilla.suse.com/1222976 SUSE Bug 1222976 https://bugzilla.suse.com/1223016 SUSE Bug 1223016 https://bugzilla.suse.com/1223057 SUSE Bug 1223057 https://bugzilla.suse.com/1223111 SUSE Bug 1223111 https://bugzilla.suse.com/1223187 SUSE Bug 1223187 https://bugzilla.suse.com/1223202 SUSE Bug 1223202 https://bugzilla.suse.com/1223475 SUSE Bug 1223475 https://bugzilla.suse.com/1223482 SUSE Bug 1223482 https://bugzilla.suse.com/1223509 SUSE Bug 1223509 https://bugzilla.suse.com/1223513 SUSE Bug 1223513 https://bugzilla.suse.com/1223522 SUSE Bug 1223522 https://bugzilla.suse.com/1223824 SUSE Bug 1223824 https://bugzilla.suse.com/1223921 SUSE Bug 1223921 https://bugzilla.suse.com/1223923 SUSE Bug 1223923 https://bugzilla.suse.com/1223931 SUSE Bug 1223931 https://bugzilla.suse.com/1223941 SUSE Bug 1223941 https://bugzilla.suse.com/1223948 SUSE Bug 1223948 https://bugzilla.suse.com/1223952 SUSE Bug 1223952 https://bugzilla.suse.com/1223963 SUSE Bug 1223963 https://www.suse.com/security/cve/CVE-2021-46955/ SUSE CVE CVE-2021-46955 page https://www.suse.com/security/cve/CVE-2021-47041/ SUSE CVE CVE-2021-47041 page https://www.suse.com/security/cve/CVE-2021-47074/ SUSE CVE CVE-2021-47074 page https://www.suse.com/security/cve/CVE-2021-47113/ SUSE CVE CVE-2021-47113 page https://www.suse.com/security/cve/CVE-2021-47131/ SUSE CVE CVE-2021-47131 page https://www.suse.com/security/cve/CVE-2021-47184/ SUSE CVE CVE-2021-47184 page https://www.suse.com/security/cve/CVE-2021-47194/ SUSE CVE CVE-2021-47194 page https://www.suse.com/security/cve/CVE-2021-47198/ SUSE CVE CVE-2021-47198 page https://www.suse.com/security/cve/CVE-2021-47201/ SUSE CVE CVE-2021-47201 page https://www.suse.com/security/cve/CVE-2021-47203/ SUSE CVE CVE-2021-47203 page https://www.suse.com/security/cve/CVE-2021-47206/ SUSE CVE CVE-2021-47206 page https://www.suse.com/security/cve/CVE-2021-47207/ SUSE CVE CVE-2021-47207 page https://www.suse.com/security/cve/CVE-2021-47212/ SUSE CVE CVE-2021-47212 page https://www.suse.com/security/cve/CVE-2021-47216/ SUSE CVE CVE-2021-47216 page https://www.suse.com/security/cve/CVE-2022-48631/ SUSE CVE CVE-2022-48631 page https://www.suse.com/security/cve/CVE-2022-48638/ SUSE CVE CVE-2022-48638 page https://www.suse.com/security/cve/CVE-2022-48650/ SUSE CVE CVE-2022-48650 page https://www.suse.com/security/cve/CVE-2022-48651/ SUSE CVE CVE-2022-48651 page https://www.suse.com/security/cve/CVE-2022-48654/ SUSE CVE CVE-2022-48654 page https://www.suse.com/security/cve/CVE-2022-48672/ SUSE CVE CVE-2022-48672 page https://www.suse.com/security/cve/CVE-2022-48686/ SUSE CVE CVE-2022-48686 page https://www.suse.com/security/cve/CVE-2022-48687/ SUSE CVE CVE-2022-48687 page https://www.suse.com/security/cve/CVE-2022-48693/ SUSE CVE CVE-2022-48693 page https://www.suse.com/security/cve/CVE-2022-48695/ SUSE CVE CVE-2022-48695 page https://www.suse.com/security/cve/CVE-2022-48701/ SUSE CVE CVE-2022-48701 page https://www.suse.com/security/cve/CVE-2022-48702/ SUSE CVE CVE-2022-48702 page https://www.suse.com/security/cve/CVE-2024-0639/ SUSE CVE CVE-2024-0639 page https://www.suse.com/security/cve/CVE-2024-23307/ SUSE CVE CVE-2024-23307 page https://www.suse.com/security/cve/CVE-2024-26610/ SUSE CVE CVE-2024-26610 page https://www.suse.com/security/cve/CVE-2024-26688/ SUSE CVE CVE-2024-26688 page https://www.suse.com/security/cve/CVE-2024-26689/ SUSE CVE CVE-2024-26689 page https://www.suse.com/security/cve/CVE-2024-26739/ SUSE CVE CVE-2024-26739 page https://www.suse.com/security/cve/CVE-2024-26744/ SUSE CVE CVE-2024-26744 page https://www.suse.com/security/cve/CVE-2024-26816/ SUSE CVE CVE-2024-26816 page https://www.suse.com/security/cve/CVE-2024-26840/ SUSE CVE CVE-2024-26840 page https://www.suse.com/security/cve/CVE-2024-26852/ SUSE CVE CVE-2024-26852 page https://www.suse.com/security/cve/CVE-2024-26862/ SUSE CVE CVE-2024-26862 page https://www.suse.com/security/cve/CVE-2024-26898/ SUSE CVE CVE-2024-26898 page https://www.suse.com/security/cve/CVE-2024-26903/ SUSE CVE CVE-2024-26903 page https://www.suse.com/security/cve/CVE-2024-26906/ SUSE CVE CVE-2024-26906 page https://www.suse.com/security/cve/CVE-2024-27043/ SUSE CVE CVE-2024-27043 page SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 cluster-md-kmp-rt-5.3.18-150300.169.1 cluster-md-kmp-rt_debug-5.3.18-150300.169.1 dlm-kmp-rt-5.3.18-150300.169.1 dlm-kmp-rt_debug-5.3.18-150300.169.1 gfs2-kmp-rt-5.3.18-150300.169.1 gfs2-kmp-rt_debug-5.3.18-150300.169.1 kernel-devel-rt-5.3.18-150300.169.1 kernel-rt-5.3.18-150300.169.1 kernel-rt-devel-5.3.18-150300.169.1 kernel-rt-extra-5.3.18-150300.169.1 kernel-rt-livepatch-devel-5.3.18-150300.169.1 kernel-rt-optional-5.3.18-150300.169.1 kernel-rt_debug-5.3.18-150300.169.1 kernel-rt_debug-devel-5.3.18-150300.169.1 kernel-rt_debug-extra-5.3.18-150300.169.1 kernel-rt_debug-livepatch-devel-5.3.18-150300.169.1 kernel-rt_debug-optional-5.3.18-150300.169.1 kernel-source-rt-5.3.18-150300.169.1 kernel-syms-rt-5.3.18-150300.169.1 kselftests-kmp-rt-5.3.18-150300.169.1 kselftests-kmp-rt_debug-5.3.18-150300.169.1 ocfs2-kmp-rt-5.3.18-150300.169.1 ocfs2-kmp-rt_debug-5.3.18-150300.169.1 reiserfs-kmp-rt-5.3.18-150300.169.1 reiserfs-kmp-rt_debug-5.3.18-150300.169.1 kernel-rt-5.3.18-150300.169.1 as a component of SUSE Linux Enterprise Micro 5.1 kernel-source-rt-5.3.18-150300.169.1 as a component of SUSE Linux Enterprise Micro 5.1 kernel-rt-5.3.18-150300.169.1 as a component of SUSE Linux Enterprise Micro 5.2 kernel-source-rt-5.3.18-150300.169.1 as a component of SUSE Linux Enterprise Micro 5.2 In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix stack OOB read while fragmenting IPv4 packets running openvswitch on kernels built with KASAN, it's possible to see the following splat while testing fragmentation of IPv4 packets: BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60 Read of size 1 at addr ffff888112fc713c by task handler2/1367 CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 Call Trace: dump_stack+0x92/0xc1 print_address_description.constprop.7+0x1a/0x150 kasan_report.cold.13+0x7f/0x111 ip_do_fragment+0x1b03/0x1f60 ovs_fragment+0x5bf/0x840 [openvswitch] do_execute_actions+0x1bd5/0x2400 [openvswitch] ovs_execute_actions+0xc8/0x3d0 [openvswitch] ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch] genl_family_rcv_msg_doit.isra.15+0x227/0x2d0 genl_rcv_msg+0x287/0x490 netlink_rcv_skb+0x120/0x380 genl_rcv+0x24/0x40 netlink_unicast+0x439/0x630 netlink_sendmsg+0x719/0xbf0 sock_sendmsg+0xe2/0x110 ____sys_sendmsg+0x5ba/0x890 ___sys_sendmsg+0xe9/0x160 __sys_sendmsg+0xd3/0x170 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f957079db07 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48 RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07 RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019 RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0 The buggy address belongs to the page: page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7 flags: 0x17ffffc0000000() raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame: ovs_fragment+0x0/0x840 [openvswitch] this frame has 2 objects: [32, 144) 'ovs_dst' [192, 424) 'ovs_rt' Memory state around the buggy address: ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 ^ ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 for IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then, in the following call graph: ip_do_fragment() ip_skb_dst_mtu() ip_dst_mtu_maybe_forward() ip_mtu_locked() the pointer to struct dst_entry is used as pointer to struct rtable: this turns the access to struct members like rt_mtu_locked into an OOB read in the stack. Fix this changing the temporary variable used for IPv4 packets in ovs_fragment(), similarly to what is done for IPv6 few lines below. CVE-2021-46955 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2021-46955.html CVE-2021-46955 https://bugzilla.suse.com/1220513 SUSE Bug 1220513 https://bugzilla.suse.com/1220537 SUSE Bug 1220537 In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix incorrect locking in state_change sk callback We are not changing anything in the TCP connection state so we should not take a write_lock but rather a read lock. This caused a deadlock when running nvmet-tcp and nvme-tcp on the same system, where state_change callbacks on the host and on the controller side have causal relationship and made lockdep report on this with blktests: ================================ WARNING: inconsistent lock state 5.12.0-rc3 #1 Tainted: G I -------------------------------- inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-R} usage. nvme/1324 [HC0[0]:SC0[0]:HE1:SE1] takes: ffff888363151000 (clock-AF_INET){++-?}-{2:2}, at: nvme_tcp_state_change+0x21/0x150 [nvme_tcp] {IN-SOFTIRQ-W} state was registered at: __lock_acquire+0x79b/0x18d0 lock_acquire+0x1ca/0x480 _raw_write_lock_bh+0x39/0x80 nvmet_tcp_state_change+0x21/0x170 [nvmet_tcp] tcp_fin+0x2a8/0x780 tcp_data_queue+0xf94/0x1f20 tcp_rcv_established+0x6ba/0x1f00 tcp_v4_do_rcv+0x502/0x760 tcp_v4_rcv+0x257e/0x3430 ip_protocol_deliver_rcu+0x69/0x6a0 ip_local_deliver_finish+0x1e2/0x2f0 ip_local_deliver+0x1a2/0x420 ip_rcv+0x4fb/0x6b0 __netif_receive_skb_one_core+0x162/0x1b0 process_backlog+0x1ff/0x770 __napi_poll.constprop.0+0xa9/0x5c0 net_rx_action+0x7b3/0xb30 __do_softirq+0x1f0/0x940 do_softirq+0xa1/0xd0 __local_bh_enable_ip+0xd8/0x100 ip_finish_output2+0x6b7/0x18a0 __ip_queue_xmit+0x706/0x1aa0 __tcp_transmit_skb+0x2068/0x2e20 tcp_write_xmit+0xc9e/0x2bb0 __tcp_push_pending_frames+0x92/0x310 inet_shutdown+0x158/0x300 __nvme_tcp_stop_queue+0x36/0x270 [nvme_tcp] nvme_tcp_stop_queue+0x87/0xb0 [nvme_tcp] nvme_tcp_teardown_admin_queue+0x69/0xe0 [nvme_tcp] nvme_do_delete_ctrl+0x100/0x10c [nvme_core] nvme_sysfs_delete.cold+0x8/0xd [nvme_core] kernfs_fop_write_iter+0x2c7/0x460 new_sync_write+0x36c/0x610 vfs_write+0x5c0/0x870 ksys_write+0xf9/0x1d0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae irq event stamp: 10687 hardirqs last enabled at (10687): [<ffffffff9ec376bd>] _raw_spin_unlock_irqrestore+0x2d/0x40 hardirqs last disabled at (10686): [<ffffffff9ec374d8>] _raw_spin_lock_irqsave+0x68/0x90 softirqs last enabled at (10684): [<ffffffff9f000608>] __do_softirq+0x608/0x940 softirqs last disabled at (10649): [<ffffffff9cdedd31>] do_softirq+0xa1/0xd0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(clock-AF_INET); <Interrupt> lock(clock-AF_INET); *** DEADLOCK *** 5 locks held by nvme/1324: #0: ffff8884a01fe470 (sb_writers#4){.+.+}-{0:0}, at: ksys_write+0xf9/0x1d0 #1: ffff8886e435c090 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x216/0x460 #2: ffff888104d90c38 (kn->active#255){++++}-{0:0}, at: kernfs_remove_self+0x22d/0x330 #3: ffff8884634538d0 (&queue->queue_lock){+.+.}-{3:3}, at: nvme_tcp_stop_queue+0x52/0xb0 [nvme_tcp] #4: ffff888363150d30 (sk_lock-AF_INET){+.+.}-{0:0}, at: inet_shutdown+0x59/0x300 stack backtrace: CPU: 26 PID: 1324 Comm: nvme Tainted: G I 5.12.0-rc3 #1 Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.10.0 11/12/2020 Call Trace: dump_stack+0x93/0xc2 mark_lock_irq.cold+0x2c/0xb3 ? verify_lock_unused+0x390/0x390 ? stack_trace_consume_entry+0x160/0x160 ? lock_downgrade+0x100/0x100 ? save_trace+0x88/0x5e0 ? _raw_spin_unlock_irqrestore+0x2d/0x40 mark_lock+0x530/0x1470 ? mark_lock_irq+0x1d10/0x1d10 ? enqueue_timer+0x660/0x660 mark_usage+0x215/0x2a0 __lock_acquire+0x79b/0x18d0 ? tcp_schedule_loss_probe.part.0+0x38c/0x520 lock_acquire+0x1ca/0x480 ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp] ? rcu_read_unlock+0x40/0x40 ? tcp_mtu_probe+0x1ae0/0x1ae0 ? kmalloc_reserve+0xa0/0xa0 ? sysfs_file_ops+0x170/0x170 _raw_read_lock+0x3d/0xa0 ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp] nvme_tcp_state_change+0x21/0x150 [nvme_tcp] ? sysfs_file_ops ---truncated--- CVE-2021-47041 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2021-47041.html CVE-2021-47041 https://bugzilla.suse.com/1220755 SUSE Bug 1220755 In the Linux kernel, the following vulnerability has been resolved: nvme-loop: fix memory leak in nvme_loop_create_ctrl() When creating loop ctrl in nvme_loop_create_ctrl(), if nvme_init_ctrl() fails, the loop ctrl should be freed before jumping to the "out" label. CVE-2021-47074 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2021-47074.html CVE-2021-47074 https://bugzilla.suse.com/1220854 SUSE Bug 1220854 In the Linux kernel, the following vulnerability has been resolved: btrfs: abort in rename_exchange if we fail to insert the second ref Error injection stress uncovered a problem where we'd leave a dangling inode ref if we failed during a rename_exchange. This happens because we insert the inode ref for one side of the rename, and then for the other side. If this second inode ref insert fails we'll leave the first one dangling and leave a corrupt file system behind. Fix this by aborting if we did the insert for the first inode ref. CVE-2021-47113 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2021-47113.html CVE-2021-47113 https://bugzilla.suse.com/1221543 SUSE Bug 1221543 In the Linux kernel, the following vulnerability has been resolved: net/tls: Fix use-after-free after the TLS device goes down and up When a netdev with active TLS offload goes down, tls_device_down is called to stop the offload and tear down the TLS context. However, the socket stays alive, and it still points to the TLS context, which is now deallocated. If a netdev goes up, while the connection is still active, and the data flow resumes after a number of TCP retransmissions, it will lead to a use-after-free of the TLS context. This commit addresses this bug by keeping the context alive until its normal destruction, and implements the necessary fallbacks, so that the connection can resume in software (non-offloaded) kTLS mode. On the TX side tls_sw_fallback is used to encrypt all packets. The RX side already has all the necessary fallbacks, because receiving non-decrypted packets is supported. The thing needed on the RX side is to block resync requests, which are normally produced after receiving non-decrypted packets. The necessary synchronization is implemented for a graceful teardown: first the fallbacks are deployed, then the driver resources are released (it used to be possible to have a tls_dev_resync after tls_dev_del). A new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback mode. It's used to skip the RX resync logic completely, as it becomes useless, and some objects may be released (for example, resync_async, which is allocated and freed by the driver). CVE-2021-47131 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2021-47131.html CVE-2021-47131 https://bugzilla.suse.com/1221545 SUSE Bug 1221545 https://bugzilla.suse.com/1222402 SUSE Bug 1222402 In the Linux kernel, the following vulnerability has been resolved: i40e: Fix NULL ptr dereference on VSI filter sync Remove the reason of null pointer dereference in sync VSI filters. Added new I40E_VSI_RELEASING flag to signalize deleting and releasing of VSI resources to sync this thread with sync filters subtask. Without this patch it is possible to start update the VSI filter list after VSI is removed, that's causing a kernel oops. CVE-2021-47184 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2021-47184.html CVE-2021-47184 https://bugzilla.suse.com/1222666 SUSE Bug 1222666 In the Linux kernel, the following vulnerability has been resolved: cfg80211: call cfg80211_stop_ap when switch from P2P_GO type If the userspace tools switch from NL80211_IFTYPE_P2P_GO to NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it does not call the cleanup cfg80211_stop_ap(), this leads to the initialization of in-use data. For example, this path re-init the sdata->assigned_chanctx_list while it is still an element of assigned_vifs list, and makes that linked list corrupt. CVE-2021-47194 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2021-47194.html CVE-2021-47194 https://bugzilla.suse.com/1222829 SUSE Bug 1222829 In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine An error is detected with the following report when unloading the driver: "KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b" The NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but the flag is not cleared upon completion of the login. This allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi set to LPFC_RPI_ALLOW_ERROR. This results in a use after free access when used as an rpi_ids array index. Fix by clearing the NLP_REG_LOGIN_SEND nlp_flag in lpfc_mbx_cmpl_fc_reg_login(). CVE-2021-47198 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2021-47198.html CVE-2021-47198 https://bugzilla.suse.com/1222883 SUSE Bug 1222883 In the Linux kernel, the following vulnerability has been resolved: iavf: free q_vectors before queues in iavf_disable_vf iavf_free_queues() clears adapter->num_active_queues, which iavf_free_q_vectors() relies on, so swap the order of these two function calls in iavf_disable_vf(). This resolves a panic encountered when the interface is disabled and then later brought up again after PF communication is restored. CVE-2021-47201 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2021-47201.html CVE-2021-47201 https://bugzilla.suse.com/1222792 SUSE Bug 1222792 In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() When parsing the txq list in lpfc_drain_txq(), the driver attempts to pass the requests to the adapter. If such an attempt fails, a local "fail_msg" string is set and a log message output. The job is then added to a completions list for cancellation. Processing of any further jobs from the txq list continues, but since "fail_msg" remains set, jobs are added to the completions list regardless of whether a wqe was passed to the adapter. If successfully added to txcmplq, jobs are added to both lists resulting in list corruption. Fix by clearing the fail_msg string after adding a job to the completions list. This stops the subsequent jobs from being added to the completions list unless they had an appropriate failure. CVE-2021-47203 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2021-47203.html CVE-2021-47203 https://bugzilla.suse.com/1222881 SUSE Bug 1222881 In the Linux kernel, the following vulnerability has been resolved: usb: host: ohci-tmio: check return value after calling platform_get_resource() It will cause null-ptr-deref if platform_get_resource() returns NULL, we need check the return value. CVE-2021-47206 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2021-47206.html CVE-2021-47206 https://bugzilla.suse.com/1222894 SUSE Bug 1222894 In the Linux kernel, the following vulnerability has been resolved: ALSA: gus: fix null pointer dereference on pointer block The pointer block return from snd_gf1_dma_next_block could be null, so there is a potential null pointer dereference issue. Fix this by adding a null check before dereference. CVE-2021-47207 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2021-47207.html CVE-2021-47207 https://bugzilla.suse.com/1222790 SUSE Bug 1222790 In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]--- CVE-2021-47212 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2021-47212.html CVE-2021-47212 https://bugzilla.suse.com/1222709 SUSE Bug 1222709 In the Linux kernel, the following vulnerability has been resolved: scsi: advansys: Fix kernel pointer leak Pointers should be printed with %p or %px rather than cast to 'unsigned long' and printed with %lx. Change %lx to %p to print the hashed pointer. CVE-2021-47216 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2021-47216.html CVE-2021-47216 https://bugzilla.suse.com/1222876 SUSE Bug 1222876 In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0 When walking through an inode extents, the ext4_ext_binsearch_idx() function assumes that the extent header has been previously validated. However, there are no checks that verify that the number of entries (eh->eh_entries) is non-zero when depth is > 0. And this will lead to problems because the EXT_FIRST_INDEX() and EXT_LAST_INDEX() will return garbage and result in this: [ 135.245946] ------------[ cut here ]------------ [ 135.247579] kernel BUG at fs/ext4/extents.c:2258! [ 135.249045] invalid opcode: 0000 [#1] PREEMPT SMP [ 135.250320] CPU: 2 PID: 238 Comm: tmp118 Not tainted 5.19.0-rc8+ #4 [ 135.252067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 [ 135.255065] RIP: 0010:ext4_ext_map_blocks+0xc20/0xcb0 [ 135.256475] Code: [ 135.261433] RSP: 0018:ffffc900005939f8 EFLAGS: 00010246 [ 135.262847] RAX: 0000000000000024 RBX: ffffc90000593b70 RCX: 0000000000000023 [ 135.264765] RDX: ffff8880038e5f10 RSI: 0000000000000003 RDI: ffff8880046e922c [ 135.266670] RBP: ffff8880046e9348 R08: 0000000000000001 R09: ffff888002ca580c [ 135.268576] R10: 0000000000002602 R11: 0000000000000000 R12: 0000000000000024 [ 135.270477] R13: 0000000000000000 R14: 0000000000000024 R15: 0000000000000000 [ 135.272394] FS: 00007fdabdc56740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000 [ 135.274510] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 135.276075] CR2: 00007ffc26bd4f00 CR3: 0000000006261004 CR4: 0000000000170ea0 [ 135.277952] Call Trace: [ 135.278635] <TASK> [ 135.279247] ? preempt_count_add+0x6d/0xa0 [ 135.280358] ? percpu_counter_add_batch+0x55/0xb0 [ 135.281612] ? _raw_read_unlock+0x18/0x30 [ 135.282704] ext4_map_blocks+0x294/0x5a0 [ 135.283745] ? xa_load+0x6f/0xa0 [ 135.284562] ext4_mpage_readpages+0x3d6/0x770 [ 135.285646] read_pages+0x67/0x1d0 [ 135.286492] ? folio_add_lru+0x51/0x80 [ 135.287441] page_cache_ra_unbounded+0x124/0x170 [ 135.288510] filemap_get_pages+0x23d/0x5a0 [ 135.289457] ? path_openat+0xa72/0xdd0 [ 135.290332] filemap_read+0xbf/0x300 [ 135.291158] ? _raw_spin_lock_irqsave+0x17/0x40 [ 135.292192] new_sync_read+0x103/0x170 [ 135.293014] vfs_read+0x15d/0x180 [ 135.293745] ksys_read+0xa1/0xe0 [ 135.294461] do_syscall_64+0x3c/0x80 [ 135.295284] entry_SYSCALL_64_after_hwframe+0x46/0xb0 This patch simply adds an extra check in __ext4_ext_check(), verifying that eh_entries is not 0 when eh_depth is > 0. CVE-2022-48631 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2022-48631.html CVE-2022-48631 https://bugzilla.suse.com/1223475 SUSE Bug 1223475 In the Linux kernel, the following vulnerability has been resolved: cgroup: cgroup_get_from_id() must check the looked-up kn is a directory cgroup has to be one kernfs dir, otherwise kernel panic is caused, especially cgroup id is provide from userspace. CVE-2022-48638 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2022-48638.html CVE-2022-48638 https://bugzilla.suse.com/1223522 SUSE Bug 1223522 In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts() Commit 8f394da36a36 ("scsi: qla2xxx: Drop TARGET_SCF_LOOKUP_LUN_FROM_TAG") made the __qlt_24xx_handle_abts() function return early if tcm_qla2xxx_find_cmd_by_tag() didn't find a command, but it missed to clean up the allocated memory for the management command. CVE-2022-48650 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2022-48650.html CVE-2022-48650 https://bugzilla.suse.com/1223509 SUSE Bug 1223509 In the Linux kernel, the following vulnerability has been resolved: ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header If an AF_PACKET socket is used to send packets through ipvlan and the default xmit function of the AF_PACKET socket is changed from dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and remains as the initial value of 65535, this may trigger slab-out-of-bounds bugs as following: ================================================================= UG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] PU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6 ardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 all Trace: print_address_description.constprop.0+0x1d/0x160 print_report.cold+0x4f/0x112 kasan_report+0xa3/0x130 ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] ipvlan_start_xmit+0x29/0xa0 [ipvlan] __dev_direct_xmit+0x2e2/0x380 packet_direct_xmit+0x22/0x60 packet_snd+0x7c9/0xc40 sock_sendmsg+0x9a/0xa0 __sys_sendto+0x18a/0x230 __x64_sys_sendto+0x74/0x90 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd The root cause is: 1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW and skb->protocol is not specified as in packet_parse_headers() 2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit() In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is called. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which use "skb->head + skb->mac_header", out-of-bound access occurs. This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2() and reset mac header in multicast to solve this out-of-bound bug. CVE-2022-48651 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2022-48651.html CVE-2022-48651 https://bugzilla.suse.com/1223513 SUSE Bug 1223513 https://bugzilla.suse.com/1223514 SUSE Bug 1223514 In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find() nf_osf_find() incorrectly returns true on mismatch, this leads to copying uninitialized memory area in nft_osf which can be used to leak stale kernel stack data to userspace. CVE-2022-48654 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2022-48654.html CVE-2022-48654 https://bugzilla.suse.com/1223482 SUSE Bug 1223482 In the Linux kernel, the following vulnerability has been resolved: of: fdt: fix off-by-one error in unflatten_dt_nodes() Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") forgot to fix up the depth check in the loop body in unflatten_dt_nodes() which makes it possible to overflow the nps[] buffer... Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. CVE-2022-48672 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2022-48672.html CVE-2022-48672 https://bugzilla.suse.com/1223931 SUSE Bug 1223931 In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix UAF when detecting digest errors We should also bail from the io_work loop when we set rd_enabled to true, so we don't attempt to read data from the socket when the TCP stream is already out-of-sync or corrupted. CVE-2022-48686 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2022-48686.html CVE-2022-48686 https://bugzilla.suse.com/1223948 SUSE Bug 1223948 https://bugzilla.suse.com/1226337 SUSE Bug 1226337 In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix out-of-bounds read when setting HMAC data. The SRv6 layer allows defining HMAC data that can later be used to sign IPv6 Segment Routing Headers. This configuration is realised via netlink through four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual length of the SECRET attribute, it is possible to provide invalid combinations (e.g., secret = "", secretlen = 64). This case is not checked in the code and with an appropriately crafted netlink message, an out-of-bounds read of up to 64 bytes (max secret length) can occur past the skb end pointer and into skb_shared_info: Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 208 memcpy(hinfo->secret, secret, slen); (gdb) bt #0 seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600, extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>, family=<optimized out>) at net/netlink/genetlink.c:731 #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775 #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792 #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>) at net/netlink/af_netlink.c:2501 #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803 #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000) at net/netlink/af_netlink.c:1319 #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>) at net/netlink/af_netlink.c:1345 #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921 ... (gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end $1 = 0xffff88800b1b76c0 (gdb) p/x secret $2 = 0xffff88800b1b76c0 (gdb) p slen $3 = 64 '@' The OOB data can then be read back from userspace by dumping HMAC state. This commit fixes this by ensuring SECRETLEN cannot exceed the actual length of SECRET. CVE-2022-48687 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2022-48687.html CVE-2022-48687 https://bugzilla.suse.com/1223952 SUSE Bug 1223952 https://bugzilla.suse.com/1224043 SUSE Bug 1224043 In the Linux kernel, the following vulnerability has been resolved: soc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs In brcmstb_pm_probe(), there are two kinds of leak bugs: (1) we need to add of_node_put() when for_each__matching_node() breaks (2) we need to add iounmap() for each iomap in fail path CVE-2022-48693 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2022-48693.html CVE-2022-48693 https://bugzilla.suse.com/1223963 SUSE Bug 1223963 In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix use-after-free warning Fix the following use-after-free warning which is observed during controller reset: refcount_t: underflow; use-after-free. WARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0 CVE-2022-48695 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2022-48695.html CVE-2022-48695 https://bugzilla.suse.com/1223941 SUSE Bug 1223941 In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and the number of it's interfaces less than 4, an out-of-bounds read bug occurs when parsing the interface descriptor for this device. Fix this by checking the number of interfaces. CVE-2022-48701 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2022-48701.html CVE-2022-48701 https://bugzilla.suse.com/1223921 SUSE Bug 1223921 In the Linux kernel, the following vulnerability has been resolved: ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() The voice allocator sometimes begins allocating from near the end of the array and then wraps around, however snd_emu10k1_pcm_channel_alloc() accesses the newly allocated voices as if it never wrapped around. This results in out of bounds access if the first voice has a high enough index so that first_voice + requested_voice_count > NUM_G (64). The more voices are requested, the more likely it is for this to occur. This was initially discovered using PipeWire, however it can be reproduced by calling aplay multiple times with 16 channels: aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40 index 65 is out of range for type 'snd_emu10k1_voice [64]' CPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7 Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010 Call Trace: <TASK> dump_stack_lvl+0x49/0x63 dump_stack+0x10/0x16 ubsan_epilogue+0x9/0x3f __ubsan_handle_out_of_bounds.cold+0x44/0x49 snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1] snd_pcm_hw_params+0x29f/0x600 [snd_pcm] snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm] ? exit_to_user_mode_prepare+0x35/0x170 ? do_syscall_64+0x69/0x90 ? syscall_exit_to_user_mode+0x26/0x50 ? do_syscall_64+0x69/0x90 ? exit_to_user_mode_prepare+0x35/0x170 snd_pcm_ioctl+0x27/0x40 [snd_pcm] __x64_sys_ioctl+0x95/0xd0 do_syscall_64+0x5c/0x90 ? do_syscall_64+0x69/0x90 ? do_syscall_64+0x69/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd CVE-2022-48702 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2022-48702.html CVE-2022-48702 https://bugzilla.suse.com/1223923 SUSE Bug 1223923 A denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel's SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system. CVE-2024-0639 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2024-0639.html CVE-2024-0639 https://bugzilla.suse.com/1218917 SUSE Bug 1218917 Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow. CVE-2024-23307 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2024-23307.html CVE-2024-23307 https://bugzilla.suse.com/1219169 SUSE Bug 1219169 https://bugzilla.suse.com/1220145 SUSE Bug 1220145 In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix a memory corruption iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that if we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in bytes, we'll write past the buffer. CVE-2024-26610 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2024-26610.html CVE-2024-26610 https://bugzilla.suse.com/1221299 SUSE Bug 1221299 https://bugzilla.suse.com/1221302 SUSE Bug 1221302 In the Linux kernel, the following vulnerability has been resolved: fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super When configuring a hugetlb filesystem via the fsconfig() syscall, there is a possible NULL dereference in hugetlbfs_fill_super() caused by assigning NULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize is non valid. E.g: Taking the following steps: fd = fsopen("hugetlbfs", FSOPEN_CLOEXEC); fsconfig(fd, FSCONFIG_SET_STRING, "pagesize", "1024", 0); fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0); Given that the requested "pagesize" is invalid, ctxt->hstate will be replaced with NULL, losing its previous value, and we will print an error: ... ... case Opt_pagesize: ps = memparse(param->string, &rest); ctx->hstate = h; if (!ctx->hstate) { pr_err("Unsupported page size %lu MB\n", ps / SZ_1M); return -EINVAL; } return 0; ... ... This is a problem because later on, we will dereference ctxt->hstate in hugetlbfs_fill_super() ... ... sb->s_blocksize = huge_page_size(ctx->hstate); ... ... Causing below Oops. Fix this by replacing cxt->hstate value only when then pagesize is known to be valid. kernel: hugetlbfs: Unsupported page size 0 MB kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028 kernel: #PF: supervisor read access in kernel mode kernel: #PF: error_code(0x0000) - not-present page kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0 kernel: Oops: 0000 [#1] PREEMPT SMP PTI kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G E 6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017 kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0 kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28 kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246 kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004 kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000 kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004 kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000 kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400 kernel: FS: 00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0 kernel: Call Trace: kernel: <TASK> kernel: ? __die_body+0x1a/0x60 kernel: ? page_fault_oops+0x16f/0x4a0 kernel: ? search_bpf_extables+0x65/0x70 kernel: ? fixup_exception+0x22/0x310 kernel: ? exc_page_fault+0x69/0x150 kernel: ? asm_exc_page_fault+0x22/0x30 kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10 kernel: ? hugetlbfs_fill_super+0xb4/0x1a0 kernel: ? hugetlbfs_fill_super+0x28/0x1a0 kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10 kernel: vfs_get_super+0x40/0xa0 kernel: ? __pfx_bpf_lsm_capable+0x10/0x10 kernel: vfs_get_tree+0x25/0xd0 kernel: vfs_cmd_create+0x64/0xe0 kernel: __x64_sys_fsconfig+0x395/0x410 kernel: do_syscall_64+0x80/0x160 kernel: ? syscall_exit_to_user_mode+0x82/0x240 kernel: ? do_syscall_64+0x8d/0x160 kernel: ? syscall_exit_to_user_mode+0x82/0x240 kernel: ? do_syscall_64+0x8d/0x160 kernel: ? exc_page_fault+0x69/0x150 kernel: entry_SYSCALL_64_after_hwframe+0x6e/0x76 kernel: RIP: 0033:0x7ffbc0cb87c9 kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48 kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af kernel: RAX: fffffffffff ---truncated--- CVE-2024-26688 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2024-26688.html CVE-2024-26688 https://bugzilla.suse.com/1222482 SUSE Bug 1222482 In the Linux kernel, the following vulnerability has been resolved: ceph: prevent use-after-free in encode_cap_msg() In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This implies before the refcount could be increment here, it was freed. In same file, in "handle_cap_grant()" refcount is decremented by this line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race occurred and resource was freed by the latter line before the former line could increment it. encode_cap_msg() is called by __send_cap() and __send_cap() is called by ceph_check_caps() after calling __prep_cap(). __prep_cap() is where arg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where the refcount must be increased to prevent "use after free" error. CVE-2024-26689 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2024-26689.html CVE-2024-26689 https://bugzilla.suse.com/1222503 SUSE Bug 1222503 In the Linux kernel, the following vulnerability has been resolved: net/sched: act_mirred: don't override retval if we already lost the skb If we're redirecting the skb, and haven't called tcf_mirred_forward(), yet, we need to tell the core to drop the skb by setting the retcode to SHOT. If we have called tcf_mirred_forward(), however, the skb is out of our hands and returning SHOT will lead to UaF. Move the retval override to the error path which actually need it. CVE-2024-26739 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2024-26739.html CVE-2024-26739 https://bugzilla.suse.com/1222559 SUSE Bug 1222559 In the Linux kernel, the following vulnerability has been resolved: RDMA/srpt: Support specifying the srpt_service_guid parameter Make loading ib_srpt with this parameter set work. The current behavior is that setting that parameter while loading the ib_srpt kernel module triggers the following kernel crash: BUG: kernel NULL pointer dereference, address: 0000000000000000 Call Trace: <TASK> parse_one+0x18c/0x1d0 parse_args+0xe1/0x230 load_module+0x8de/0xa60 init_module_from_file+0x8b/0xd0 idempotent_init_module+0x181/0x240 __x64_sys_finit_module+0x5a/0xb0 do_syscall_64+0x5f/0xe0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 CVE-2024-26744 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2024-26744.html CVE-2024-26744 https://bugzilla.suse.com/1222449 SUSE Bug 1222449 In the Linux kernel, the following vulnerability has been resolved: x86, relocs: Ignore relocations in .notes section When building with CONFIG_XEN_PV=y, .text symbols are emitted into the .notes section so that Xen can find the "startup_xen" entry point. This information is used prior to booting the kernel, so relocations are not useful. In fact, performing relocations against the .notes section means that the KASLR base is exposed since /sys/kernel/notes is world-readable. To avoid leaking the KASLR base without breaking unprivileged tools that are expecting to read /sys/kernel/notes, skip performing relocations in the .notes section. The values readable in .notes are then identical to those found in System.map. CVE-2024-26816 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2024-26816.html CVE-2024-26816 https://bugzilla.suse.com/1222624 SUSE Bug 1222624 In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix memory leak in cachefiles_add_cache() The following memory leak was reported after unbinding /dev/cachefiles: ================================================================== unreferenced object 0xffff9b674176e3c0 (size 192): comm "cachefilesd2", pid 680, jiffies 4294881224 hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc ea38a44b): [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370 [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0 [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120 [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0 [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0 [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520 [<ffffffff8ebc5069>] ksys_write+0x69/0xf0 [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140 [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76 ================================================================== Put the reference count of cache_cred in cachefiles_daemon_unbind() to fix the problem. And also put cache_cred in cachefiles_add_cache() error branch to avoid memory leaks. CVE-2024-26840 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2024-26840.html CVE-2024-26840 https://bugzilla.suse.com/1222976 SUSE Bug 1222976 In the Linux kernel, the following vulnerability has been resolved: net/ipv6: avoid possible UAF in ip6_route_mpath_notify() syzbot found another use-after-free in ip6_route_mpath_notify() [1] Commit f7225172f25a ("net/ipv6: prevent use after free in ip6_route_mpath_notify") was not able to fix the root cause. We need to defer the fib6_info_release() calls after ip6_route_mpath_notify(), in the cleanup phase. [1] BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0 Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037 CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x167/0x540 mm/kasan/report.c:488 kasan_report+0x142/0x180 mm/kasan/report.c:601 rt6_fill_node+0x1460/0x1ac0 inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184 ip6_route_mpath_notify net/ipv6/route.c:5198 [inline] ip6_route_multipath_add net/ipv6/route.c:5404 [inline] inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7f73dd87dda9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9 RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005 RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858 </TASK> Allocated by task 23037: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:372 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slub.c:3981 [inline] __kmalloc+0x22e/0x490 mm/slub.c:3994 kmalloc include/linux/slab.h:594 [inline] kzalloc include/linux/slab.h:711 [inline] fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155 ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758 ip6_route_multipath_add net/ipv6/route.c:5298 [inline] inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 Freed by task 16: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640 poison_slab_object+0xa6/0xe0 m ---truncated--- CVE-2024-26852 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2024-26852.html CVE-2024-26852 https://bugzilla.suse.com/1223057 SUSE Bug 1223057 https://bugzilla.suse.com/1223059 SUSE Bug 1223059 In the Linux kernel, the following vulnerability has been resolved: packet: annotate data-races around ignore_outgoing ignore_outgoing is read locklessly from dev_queue_xmit_nit() and packet_getsockopt() Add appropriate READ_ONCE()/WRITE_ONCE() annotations. syzbot reported: BUG: KCSAN: data-race in dev_queue_xmit_nit / packet_setsockopt write to 0xffff888107804542 of 1 bytes by task 22618 on cpu 0: packet_setsockopt+0xd83/0xfd0 net/packet/af_packet.c:4003 do_sock_setsockopt net/socket.c:2311 [inline] __sys_setsockopt+0x1d8/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0x66/0x80 net/socket.c:2340 do_syscall_64+0xd3/0x1d0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 read to 0xffff888107804542 of 1 bytes by task 27 on cpu 1: dev_queue_xmit_nit+0x82/0x620 net/core/dev.c:2248 xmit_one net/core/dev.c:3527 [inline] dev_hard_start_xmit+0xcc/0x3f0 net/core/dev.c:3547 __dev_queue_xmit+0xf24/0x1dd0 net/core/dev.c:4335 dev_queue_xmit include/linux/netdevice.h:3091 [inline] batadv_send_skb_packet+0x264/0x300 net/batman-adv/send.c:108 batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline] batadv_iv_send_outstanding_bat_ogm_packet+0x3f0/0x4b0 net/batman-adv/bat_iv_ogm.c:1700 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0x465/0x990 kernel/workqueue.c:3335 worker_thread+0x526/0x730 kernel/workqueue.c:3416 kthread+0x1d1/0x210 kernel/kthread.c:388 ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 value changed: 0x00 -> 0x01 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 27 Comm: kworker/u8:1 Tainted: G W 6.8.0-syzkaller-08073-g480e035fc4c7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet CVE-2024-26862 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2024-26862.html CVE-2024-26862 https://bugzilla.suse.com/1223111 SUSE Bug 1223111 In the Linux kernel, the following vulnerability has been resolved: aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts This patch is against CVE-2023-6270. The description of cve is: A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial code is finished. But the net_device ifp will still be used in later tx()->dev_queue_xmit() in kthread. Which means that the dev_put(ifp) should NOT be called in the success path of skb initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into use-after-free because the net_device is freed. This patch removed the dev_put(ifp) in the success path in aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx(). CVE-2024-26898 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2024-26898.html CVE-2024-26898 https://bugzilla.suse.com/1218562 SUSE Bug 1218562 https://bugzilla.suse.com/1223016 SUSE Bug 1223016 https://bugzilla.suse.com/1223017 SUSE Bug 1223017 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security During our fuzz testing of the connection and disconnection process at the RFCOMM layer, we discovered this bug. By comparing the packets from a normal connection and disconnection process with the testcase that triggered a KASAN report. We analyzed the cause of this bug as follows: 1. In the packets captured during a normal connection, the host sends a `Read Encryption Key Size` type of `HCI_CMD` packet (Command Opcode: 0x1408) to the controller to inquire the length of encryption key.After receiving this packet, the controller immediately replies with a Command Completepacket (Event Code: 0x0e) to return the Encryption Key Size. 2. In our fuzz test case, the timing of the controller's response to this packet was delayed to an unexpected point: after the RFCOMM and L2CAP layers had disconnected but before the HCI layer had disconnected. 3. After receiving the Encryption Key Size Response at the time described in point 2, the host still called the rfcomm_check_security function. However, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;` had already been released, and when the function executed `return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`, specifically when accessing `conn->hcon`, a null-ptr-deref error occurred. To fix this bug, check if `sk->sk_state` is BT_CLOSED before calling rfcomm_recv_frame in rfcomm_process_rx. CVE-2024-26903 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2024-26903.html CVE-2024-26903 https://bugzilla.suse.com/1223187 SUSE Bug 1223187 In the Linux kernel, the following vulnerability has been resolved: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() When trying to use copy_from_kernel_nofault() to read vsyscall page through a bpf program, the following oops was reported: BUG: unable to handle page fault for address: ffffffffff600000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:copy_from_kernel_nofault+0x6f/0x110 ...... Call Trace: <TASK> ? copy_from_kernel_nofault+0x6f/0x110 bpf_probe_read_kernel+0x1d/0x50 bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d trace_call_bpf+0xc5/0x1c0 perf_call_bpf_enter.isra.0+0x69/0xb0 perf_syscall_enter+0x13e/0x200 syscall_trace_enter+0x188/0x1c0 do_syscall_64+0xb5/0xe0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> ...... ---[ end trace 0000000000000000 ]--- The oops is triggered when: 1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall page and invokes copy_from_kernel_nofault() which in turn calls __get_user_asm(). 2) Because the vsyscall page address is not readable from kernel space, a page fault exception is triggered accordingly. 3) handle_page_fault() considers the vsyscall page address as a user space address instead of a kernel space address. This results in the fix-up setup by bpf not being applied and a page_fault_oops() is invoked due to SMAP. Considering handle_page_fault() has already considered the vsyscall page address as a userspace address, fix the problem by disallowing vsyscall page read for copy_from_kernel_nofault(). CVE-2024-26906 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2024-26906.html CVE-2024-26906 https://bugzilla.suse.com/1223202 SUSE Bug 1223202 In the Linux kernel, the following vulnerability has been resolved: media: edia: dvbdev: fix a use-after-free In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed in several error-handling paths. However, *pdvbdev is not set to NULL after dvbdev's deallocation, causing use-after-frees in many places, for example, in the following call chain: budget_register |-> dvb_dmxdev_init |-> dvb_register_device |-> dvb_dmxdev_release |-> dvb_unregister_device |-> dvb_remove_device |-> dvb_device_put |-> kref_put When calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in dvb_register_device) could point to memory that had been freed in dvb_register_device. Thereafter, this pointer is transferred to kref_put and triggering a use-after-free. CVE-2024-27043 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.169.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.169.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20241645-1/ https://www.suse.com/security/cve/CVE-2024-27043.html CVE-2024-27043 https://bugzilla.suse.com/1218562 SUSE Bug 1218562 https://bugzilla.suse.com/1223824 SUSE Bug 1223824 https://bugzilla.suse.com/1223825 SUSE Bug 1223825