Security update for the Linux Kernel SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2385-1 Final 1 1 2024-07-10T13:03:41Z current 2024-07-10T13:03:41Z 2024-07-10T13:03:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2021-47555: net: vlan: fix underflow for the real_dev refcnt (bsc#1225467). - CVE-2021-47571: staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() (bsc#1225518). - CVE-2023-24023: Bluetooth: Add more enc key size check (bsc#1218148). - CVE-2023-52670: rpmsg: virtio: Free driver_override when rpmsg_remove() (bsc#1224696). - CVE-2023-52752: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() (bsc#1225487). - CVE-2023-52837: nbd: fix uaf in nbd_open (bsc#1224935). - CVE-2023-52846: hsr: Prevent use after free in prp_create_tagged_frame() (bsc#1225098). - CVE-2023-52881: tcp: do not accept ACK of bytes we never sent (bsc#1225611). - CVE-2024-35789: Check fast rx for non-4addr sta VLAN changes (bsc#1224749). - CVE-2024-35861: Fixed potential UAF in cifs_signal_cifsd_for_reconnect() (bsc#1224766). - CVE-2024-35862: Fixed potential UAF in smb2_is_network_name_deleted() (bsc#1224764). - CVE-2024-35864: Fixed potential UAF in smb2_is_valid_lease_break() (bsc#1224765). - CVE-2024-35950: drm/client: Fully protect modes with dev->mode_config.mutex (bsc#1224703). - CVE-2024-36894: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete (bsc#1225749). - CVE-2024-36899: gpiolib: cdev: Fix use after free in lineinfo_changed_notify (bsc#1225737). - CVE-2024-36904: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique() (bsc#1225732). - CVE-2024-36940: pinctrl: core: delete incorrect free in pinctrl_enable() (bsc#1225840). - CVE-2024-36964: fs/9p: only translate RWX permissions for plain 9P2000 (bsc#1225866). - CVE-2024-36971: net: fix __dst_negative_advice() race (bsc#1226145). - CVE-2024-38541: of: module: add buffer overflow check in of_modalias() (bsc#1226587). - CVE-2024-38545: RDMA/hns: Fix UAF for cq async event (bsc#1226595). - CVE-2024-38559: scsi: qedf: Ensure the copied buf is NUL terminated (bsc#1226785). - CVE-2024-38560: scsi: bfa: Ensure the copied buf is NUL terminated (bsc#1226786). - CVE-2024-38564: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE (bsc#1226789). - CVE-2024-38578: ecryptfs: Fix buffer size for tag 66 packet (bsc#1226634). The following non-security bugs were fixed: - Revert 'build initrd without systemd' (bsc#1195775) - cgroup: Add annotation for holding namespace_sem in current_cgns_cgroup_from_root() (bsc#1222254). - cgroup: Eliminate the need for cgroup_mutex in proc_cgroup_show() (bsc#1222254). - cgroup: Make operations on the cgroup root_list RCU safe (bsc#1222254). - cgroup: Remove unnecessary list_empty() (bsc#1222254). - cgroup: preserve KABI of cgroup_root (bsc#1222254). - mkspec-dtb: add toplevel symlinks also on arm - ocfs2: adjust enabling place for la window (bsc#1219224). - ocfs2: fix sparse warnings (bsc#1219224). - ocfs2: improve write IO performance when fragmentation is high (bsc#1219224). - ocfs2: speed up chain-list searching (bsc#1219224). - random: treat bootloader trust toggle the same way as cpu trust toggle (bsc#1226953). - rpm/kernel-obs-build.spec.in: Add iso9660 (bsc#1226212) Some builds do not just create an iso9660 image, but also mount it during build. - rpm/kernel-obs-build.spec.in: Add networking modules for docker (bsc#1226211) docker needs more networking modules, even legacy iptable_nat and _filter. - rpm/kernel-obs-build.spec.in: Include algif_hash, aegis128 and xts modules afgif_hash is needed by some packages (e.g. iwd) for tests, xts is used for LUKS2 volumes by default and aegis128 is useful as AEAD cipher for LUKS2. Wrap the long line to make it readable. - rpm/mkspec-dtb: dtbs have moved to vendor sub-directories in 6.5 By commit 724ba6751532 ('ARM: dts: Move .dts files to vendor sub-directories'). So switch to them. - scsi: lpfc: Remove IRQF_ONESHOT flag from threaded IRQ handling (bsc#1216124). - smb: client: ensure to try all targets when finding nested links (bsc#1224020). - smb: client: guarantee refcounted children from parent session (bsc#1224679). - x86/tsc: Trust initial offset in architectural TSC-adjust MSRs (bsc#1222015 bsc#1226962). - xfs: do not include bnobt blocks when reserving free block pool (bsc#1226270). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-2385,SUSE-SLE-Micro-5.3-2024-2385,SUSE-SLE-Micro-5.4-2024-2385 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ Link for SUSE-SU-2024:2385-1 https://lists.suse.com/pipermail/sle-updates/2024-July/035905.html E-Mail link for SUSE-SU-2024:2385-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1195775 SUSE Bug 1195775 https://bugzilla.suse.com/1216124 SUSE Bug 1216124 https://bugzilla.suse.com/1218148 SUSE Bug 1218148 https://bugzilla.suse.com/1219224 SUSE Bug 1219224 https://bugzilla.suse.com/1220492 SUSE Bug 1220492 https://bugzilla.suse.com/1222015 SUSE Bug 1222015 https://bugzilla.suse.com/1222254 SUSE Bug 1222254 https://bugzilla.suse.com/1222678 SUSE Bug 1222678 https://bugzilla.suse.com/1224020 SUSE Bug 1224020 https://bugzilla.suse.com/1224679 SUSE Bug 1224679 https://bugzilla.suse.com/1224696 SUSE Bug 1224696 https://bugzilla.suse.com/1224703 SUSE Bug 1224703 https://bugzilla.suse.com/1224749 SUSE Bug 1224749 https://bugzilla.suse.com/1224764 SUSE Bug 1224764 https://bugzilla.suse.com/1224765 SUSE Bug 1224765 https://bugzilla.suse.com/1224766 SUSE Bug 1224766 https://bugzilla.suse.com/1224935 SUSE Bug 1224935 https://bugzilla.suse.com/1225098 SUSE Bug 1225098 https://bugzilla.suse.com/1225467 SUSE Bug 1225467 https://bugzilla.suse.com/1225487 SUSE Bug 1225487 https://bugzilla.suse.com/1225518 SUSE Bug 1225518 https://bugzilla.suse.com/1225611 SUSE Bug 1225611 https://bugzilla.suse.com/1225732 SUSE Bug 1225732 https://bugzilla.suse.com/1225737 SUSE Bug 1225737 https://bugzilla.suse.com/1225749 SUSE Bug 1225749 https://bugzilla.suse.com/1225840 SUSE Bug 1225840 https://bugzilla.suse.com/1225866 SUSE Bug 1225866 https://bugzilla.suse.com/1226145 SUSE Bug 1226145 https://bugzilla.suse.com/1226211 SUSE Bug 1226211 https://bugzilla.suse.com/1226212 SUSE Bug 1226212 https://bugzilla.suse.com/1226270 SUSE Bug 1226270 https://bugzilla.suse.com/1226587 SUSE Bug 1226587 https://bugzilla.suse.com/1226595 SUSE Bug 1226595 https://bugzilla.suse.com/1226634 SUSE Bug 1226634 https://bugzilla.suse.com/1226785 SUSE Bug 1226785 https://bugzilla.suse.com/1226786 SUSE Bug 1226786 https://bugzilla.suse.com/1226789 SUSE Bug 1226789 https://bugzilla.suse.com/1226953 SUSE Bug 1226953 https://bugzilla.suse.com/1226962 SUSE Bug 1226962 https://www.suse.com/security/cve/CVE-2021-47555/ SUSE CVE CVE-2021-47555 page https://www.suse.com/security/cve/CVE-2021-47571/ SUSE CVE CVE-2021-47571 page https://www.suse.com/security/cve/CVE-2023-24023/ SUSE CVE CVE-2023-24023 page https://www.suse.com/security/cve/CVE-2023-52670/ SUSE CVE CVE-2023-52670 page https://www.suse.com/security/cve/CVE-2023-52752/ SUSE CVE CVE-2023-52752 page https://www.suse.com/security/cve/CVE-2023-52837/ SUSE CVE CVE-2023-52837 page https://www.suse.com/security/cve/CVE-2023-52846/ SUSE CVE CVE-2023-52846 page https://www.suse.com/security/cve/CVE-2023-52881/ SUSE CVE CVE-2023-52881 page https://www.suse.com/security/cve/CVE-2024-26745/ SUSE CVE CVE-2024-26745 page https://www.suse.com/security/cve/CVE-2024-35789/ SUSE CVE CVE-2024-35789 page https://www.suse.com/security/cve/CVE-2024-35861/ SUSE CVE CVE-2024-35861 page https://www.suse.com/security/cve/CVE-2024-35862/ SUSE CVE CVE-2024-35862 page https://www.suse.com/security/cve/CVE-2024-35864/ SUSE CVE CVE-2024-35864 page https://www.suse.com/security/cve/CVE-2024-35869/ SUSE CVE CVE-2024-35869 page https://www.suse.com/security/cve/CVE-2024-35950/ SUSE CVE CVE-2024-35950 page https://www.suse.com/security/cve/CVE-2024-36894/ SUSE CVE CVE-2024-36894 page https://www.suse.com/security/cve/CVE-2024-36899/ SUSE CVE CVE-2024-36899 page https://www.suse.com/security/cve/CVE-2024-36904/ SUSE CVE CVE-2024-36904 page https://www.suse.com/security/cve/CVE-2024-36940/ SUSE CVE CVE-2024-36940 page https://www.suse.com/security/cve/CVE-2024-36964/ SUSE CVE CVE-2024-36964 page https://www.suse.com/security/cve/CVE-2024-36971/ SUSE CVE CVE-2024-36971 page https://www.suse.com/security/cve/CVE-2024-38541/ SUSE CVE CVE-2024-38541 page https://www.suse.com/security/cve/CVE-2024-38545/ SUSE CVE CVE-2024-38545 page https://www.suse.com/security/cve/CVE-2024-38559/ SUSE CVE CVE-2024-38559 page https://www.suse.com/security/cve/CVE-2024-38560/ SUSE CVE CVE-2024-38560 page https://www.suse.com/security/cve/CVE-2024-38564/ SUSE CVE CVE-2024-38564 page https://www.suse.com/security/cve/CVE-2024-38578/ SUSE CVE CVE-2024-38578 page SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 cluster-md-kmp-rt-5.14.21-150400.15.85.1 dlm-kmp-rt-5.14.21-150400.15.85.1 gfs2-kmp-rt-5.14.21-150400.15.85.1 kernel-devel-rt-5.14.21-150400.15.85.1 kernel-rt-5.14.21-150400.15.85.1 kernel-rt-devel-5.14.21-150400.15.85.1 kernel-rt-extra-5.14.21-150400.15.85.1 kernel-rt-livepatch-5.14.21-150400.15.85.1 kernel-rt-livepatch-devel-5.14.21-150400.15.85.1 kernel-rt-optional-5.14.21-150400.15.85.1 kernel-rt_debug-5.14.21-150400.15.85.1 kernel-rt_debug-devel-5.14.21-150400.15.85.1 kernel-rt_debug-livepatch-devel-5.14.21-150400.15.85.1 kernel-source-rt-5.14.21-150400.15.85.1 kernel-syms-rt-5.14.21-150400.15.85.1 kselftests-kmp-rt-5.14.21-150400.15.85.1 ocfs2-kmp-rt-5.14.21-150400.15.85.1 reiserfs-kmp-rt-5.14.21-150400.15.85.1 kernel-rt-5.14.21-150400.15.85.1 as a component of SUSE Linux Enterprise Micro 5.3 kernel-source-rt-5.14.21-150400.15.85.1 as a component of SUSE Linux Enterprise Micro 5.3 kernel-rt-5.14.21-150400.15.85.1 as a component of SUSE Linux Enterprise Micro 5.4 kernel-source-rt-5.14.21-150400.15.85.1 as a component of SUSE Linux Enterprise Micro 5.4 In the Linux kernel, the following vulnerability has been resolved: net: vlan: fix underflow for the real_dev refcnt Inject error before dev_hold(real_dev) in register_vlan_dev(), and execute the following testcase: ip link add dev dummy1 type dummy ip link add name dummy1.100 link dummy1 type vlan id 100 ip link del dev dummy1 When the dummy netdevice is removed, we will get a WARNING as following: ======================================================================= refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 and an endless loop of: ======================================================================= unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824 That is because dev_put(real_dev) in vlan_dev_free() be called without dev_hold(real_dev) in register_vlan_dev(). It makes the refcnt of real_dev underflow. Move the dev_hold(real_dev) to vlan_dev_init() which is the call-back of ndo_init(). That makes dev_hold() and dev_put() for vlan's real_dev symmetrical. CVE-2021-47555 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2021-47555.html CVE-2021-47555 https://bugzilla.suse.com/1225467 SUSE Bug 1225467 In the Linux kernel, the following vulnerability has been resolved: staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() The free_rtllib() function frees the "dev" pointer so there is use after free on the next line. Re-arrange things to avoid that. CVE-2021-47571 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2021-47571.html CVE-2021-47571 https://bugzilla.suse.com/1225518 SUSE Bug 1225518 https://bugzilla.suse.com/1227551 SUSE Bug 1227551 Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS. CVE-2023-24023 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2023-24023.html CVE-2023-24023 https://bugzilla.suse.com/1218148 SUSE Bug 1218148 In the Linux kernel, the following vulnerability has been resolved: rpmsg: virtio: Free driver_override when rpmsg_remove() Free driver_override when rpmsg_remove(), otherwise the following memory leak will occur: unreferenced object 0xffff0000d55d7080 (size 128): comm "kworker/u8:2", pid 56, jiffies 4294893188 (age 214.272s) hex dump (first 32 bytes): 72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320 [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70 [<00000000228a60c3>] kstrndup+0x4c/0x90 [<0000000077158695>] driver_set_override+0xd0/0x164 [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170 [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30 [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280 [<00000000443331cc>] really_probe+0xbc/0x2dc [<00000000391064b1>] __driver_probe_device+0x78/0xe0 [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160 [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140 [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4 [<000000003b929a36>] __device_attach+0x9c/0x19c [<00000000a94e0ba8>] device_initial_probe+0x14/0x20 [<000000003c999637>] bus_probe_device+0xa0/0xac CVE-2023-52670 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2023-52670.html CVE-2023-52670 https://bugzilla.suse.com/1224696 SUSE Bug 1224696 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] <TASK> [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381 CVE-2023-52752 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2023-52752.html CVE-2023-52752 https://bugzilla.suse.com/1225487 SUSE Bug 1225487 https://bugzilla.suse.com/1225819 SUSE Bug 1225819 In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_open Commit 4af5f2e03013 ("nbd: use blk_mq_alloc_disk and blk_cleanup_disk") cleans up disk by blk_cleanup_disk() and it won't set disk->private_data as NULL as before. UAF may be triggered in nbd_open() if someone tries to open nbd device right after nbd_put() since nbd has been free in nbd_dev_remove(). Fix this by implementing ->free_disk and free private data in it. CVE-2023-52837 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2023-52837.html CVE-2023-52837 https://bugzilla.suse.com/1224935 SUSE Bug 1224935 In the Linux kernel, the following vulnerability has been resolved: hsr: Prevent use after free in prp_create_tagged_frame() The prp_fill_rct() function can fail. In that situation, it frees the skb and returns NULL. Meanwhile on the success path, it returns the original skb. So it's straight forward to fix bug by using the returned value. CVE-2023-52846 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2023-52846.html CVE-2023-52846 https://bugzilla.suse.com/1225098 SUSE Bug 1225098 https://bugzilla.suse.com/1225099 SUSE Bug 1225099 In the Linux kernel, the following vulnerability has been resolved: tcp: do not accept ACK of bytes we never sent This patch is based on a detailed report and ideas from Yepeng Pan and Christian Rossow. ACK seq validation is currently following RFC 5961 5.2 guidelines: The ACK value is considered acceptable only if it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT). All incoming segments whose ACK value doesn't satisfy the above condition MUST be discarded and an ACK sent back. It needs to be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an ACK, drop the segment, and return". The "ignored" above implies that the processing of the incoming data segment continues, which means the ACK value is treated as acceptable. This mitigation makes the ACK check more stringent since any ACK < SND.UNA wouldn't be accepted, instead only ACKs that are in the range ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through. This can be refined for new (and possibly spoofed) flows, by not accepting ACK for bytes that were never sent. This greatly improves TCP security at a little cost. I added a Fixes: tag to make sure this patch will reach stable trees, even if the 'blamed' patch was adhering to the RFC. tp->bytes_acked was added in linux-4.2 Following packetdrill test (courtesy of Yepeng Pan) shows the issue at hand: 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 +0 bind(3, ..., ...) = 0 +0 listen(3, 1024) = 0 // ---------------- Handshake ------------------- // // when window scale is set to 14 the window size can be extended to // 65535 * (2^14) = 1073725440. Linux would accept an ACK packet // with ack number in (Server_ISN+1-1073725440. Server_ISN+1) // ,though this ack number acknowledges some data never // sent by the server. +0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14> +0 > S. 0:0(0) ack 1 <...> +0 < . 1:1(0) ack 1 win 65535 +0 accept(3, ..., ...) = 4 // For the established connection, we send an ACK packet, // the ack packet uses ack number 1 - 1073725300 + 2^32, // where 2^32 is used to wrap around. // Note: we used 1073725300 instead of 1073725440 to avoid possible // edge cases. // 1 - 1073725300 + 2^32 = 3221241997 // Oops, old kernels happily accept this packet. +0 < . 1:1001(1000) ack 3221241997 win 65535 // After the kernel fix the following will be replaced by a challenge ACK, // and prior malicious frame would be dropped. +0 > . 1:1(0) ack 1001 CVE-2023-52881 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2023-52881.html CVE-2023-52881 https://bugzilla.suse.com/1223384 SUSE Bug 1223384 https://bugzilla.suse.com/1225611 SUSE Bug 1225611 https://bugzilla.suse.com/1226152 SUSE Bug 1226152 In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV When kdump kernel tries to copy dump data over SR-IOV, LPAR panics due to NULL pointer exception: Kernel attempted to read user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc000000020847ad4 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries Modules linked in: mlx5_core(+) vmx_crypto pseries_wdt papr_scm libnvdimm mlxfw tls psample sunrpc fuse overlay squashfs loop CPU: 12 PID: 315 Comm: systemd-udevd Not tainted 6.4.0-Test102+ #12 Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries NIP: c000000020847ad4 LR: c00000002083b2dc CTR: 00000000006cd18c REGS: c000000029162ca0 TRAP: 0300 Not tainted (6.4.0-Test102+) MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 48288244 XER: 00000008 CFAR: c00000002083b2d8 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 1 ... NIP _find_next_zero_bit+0x24/0x110 LR bitmap_find_next_zero_area_off+0x5c/0xe0 Call Trace: dev_printk_emit+0x38/0x48 (unreliable) iommu_area_alloc+0xc4/0x180 iommu_range_alloc+0x1e8/0x580 iommu_alloc+0x60/0x130 iommu_alloc_coherent+0x158/0x2b0 dma_iommu_alloc_coherent+0x3c/0x50 dma_alloc_attrs+0x170/0x1f0 mlx5_cmd_init+0xc0/0x760 [mlx5_core] mlx5_function_setup+0xf0/0x510 [mlx5_core] mlx5_init_one+0x84/0x210 [mlx5_core] probe_one+0x118/0x2c0 [mlx5_core] local_pci_probe+0x68/0x110 pci_call_probe+0x68/0x200 pci_device_probe+0xbc/0x1a0 really_probe+0x104/0x540 __driver_probe_device+0xb4/0x230 driver_probe_device+0x54/0x130 __driver_attach+0x158/0x2b0 bus_for_each_dev+0xa8/0x130 driver_attach+0x34/0x50 bus_add_driver+0x16c/0x300 driver_register+0xa4/0x1b0 __pci_register_driver+0x68/0x80 mlx5_init+0xb8/0x100 [mlx5_core] do_one_initcall+0x60/0x300 do_init_module+0x7c/0x2b0 At the time of LPAR dump, before kexec hands over control to kdump kernel, DDWs (Dynamic DMA Windows) are scanned and added to the FDT. For the SR-IOV case, default DMA window "ibm,dma-window" is removed from the FDT and DDW added, for the device. Now, kexec hands over control to the kdump kernel. When the kdump kernel initializes, PCI busses are scanned and IOMMU group/tables created, in pci_dma_bus_setup_pSeriesLP(). For the SR-IOV case, there is no "ibm,dma-window". The original commit: b1fc44eaa9ba, fixes the path where memory is pre-mapped (direct mapped) to the DDW. When TCEs are direct mapped, there is no need to initialize IOMMU tables. iommu_table_setparms_lpar() only considers "ibm,dma-window" property when initiallizing IOMMU table. In the scenario where TCEs are dynamically allocated for SR-IOV, newly created IOMMU table is not initialized. Later, when the device driver tries to enter TCEs for the SR-IOV device, NULL pointer execption is thrown from iommu_area_alloc(). The fix is to initialize the IOMMU table with DDW property stored in the FDT. There are 2 points to remember: 1. For the dedicated adapter, kdump kernel would encounter both default and DDW in FDT. In this case, DDW property is used to initialize the IOMMU table. 2. A DDW could be direct or dynamic mapped. kdump kernel would initialize IOMMU table and mark the existing DDW as "dynamic". This works fine since, at the time of table initialization, iommu_table_clear() makes some space in the DDW, for some predefined number of TCEs which are needed for kdump to succeed. CVE-2024-26745 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-26745.html CVE-2024-26745 https://bugzilla.suse.com/1222678 SUSE Bug 1222678 In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes When moving a station out of a VLAN and deleting the VLAN afterwards, the fast_rx entry still holds a pointer to the VLAN's netdev, which can cause use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx after the VLAN change. CVE-2024-35789 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-35789.html CVE-2024-35789 https://bugzilla.suse.com/1224749 SUSE Bug 1224749 https://bugzilla.suse.com/1227320 SUSE Bug 1227320 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35861 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-35861.html CVE-2024-35861 https://bugzilla.suse.com/1224766 SUSE Bug 1224766 https://bugzilla.suse.com/1225312 SUSE Bug 1225312 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_network_name_deleted() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35862 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-35862.html CVE-2024-35862 https://bugzilla.suse.com/1224764 SUSE Bug 1224764 https://bugzilla.suse.com/1225311 SUSE Bug 1225311 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35864 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-35864.html CVE-2024-35864 https://bugzilla.suse.com/1224765 SUSE Bug 1224765 https://bugzilla.suse.com/1225309 SUSE Bug 1225309 In the Linux kernel, the following vulnerability has been resolved: smb: client: guarantee refcounted children from parent session Avoid potential use-after-free bugs when walking DFS referrals, mounting and performing DFS failover by ensuring that all children from parent @tcon->ses are also refcounted. They're all needed across the entire DFS mount. Get rid of @tcon->dfs_ses_list while we're at it, too. CVE-2024-35869 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-35869.html CVE-2024-35869 https://bugzilla.suse.com/1224679 SUSE Bug 1224679 https://bugzilla.suse.com/1226328 SUSE Bug 1226328 In the Linux kernel, the following vulnerability has been resolved: drm/client: Fully protect modes[] with dev->mode_config.mutex The modes[] array contains pointers to modes on the connectors' mode lists, which are protected by dev->mode_config.mutex. Thus we need to extend modes[] the same protection or by the time we use it the elements may already be pointing to freed/reused memory. CVE-2024-35950 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-35950.html CVE-2024-35950 https://bugzilla.suse.com/1224703 SUSE Bug 1224703 https://bugzilla.suse.com/1225310 SUSE Bug 1225310 In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disconnect. For a DWC3 based implementation, the callstack looks like the following: DWC3 Gadget FFS Application dwc3_gadget_soft_disconnect() ... --> dwc3_stop_active_transfers() --> dwc3_gadget_giveback(-ESHUTDOWN) --> ffs_epfile_async_io_complete() ffs_aio_cancel() --> usb_ep_free_request() --> usb_ep_dequeue() There is currently no locking implemented between the AIO completion handler and AIO cancel, so the issue occurs if the completion routine is running in parallel to an AIO cancel call coming from the FFS application. As the completion call frees the USB request (io_data->req) the FFS application is also referencing it for the usb_ep_dequeue() call. This can lead to accessing a stale/hanging pointer. commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") relocated the usb_ep_free_request() into ffs_epfile_async_io_complete(). However, in order to properly implement locking to mitigate this issue, the spinlock can't be added to ffs_epfile_async_io_complete(), as usb_ep_dequeue() (if successfully dequeuing a USB request) will call the function driver's completion handler in the same context. Hence, leading into a deadlock. Fix this issue by moving the usb_ep_free_request() back to ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req to NULL after freeing it within the ffs->eps_lock. This resolves the race condition above, as the ffs_aio_cancel() routine will not continue attempting to dequeue a request that has already been freed, or the ffs_user_copy_work() not freeing the USB request until the AIO cancel is done referencing it. This fix depends on commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") CVE-2024-36894 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-36894.html CVE-2024-36894 https://bugzilla.suse.com/1225749 SUSE Bug 1225749 https://bugzilla.suse.com/1226139 SUSE Bug 1226139 In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: Fix use after free in lineinfo_changed_notify The use-after-free issue occurs as follows: when the GPIO chip device file is being closed by invoking gpio_chrdev_release(), watched_lines is freed by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier chain failed due to waiting write rwsem. Additionally, one of the GPIO chip's lines is also in the release process and holds the notifier chain's read rwsem. Consequently, a race condition leads to the use-after-free of watched_lines. Here is the typical stack when issue happened: [free] gpio_chrdev_release() --> bitmap_free(cdev->watched_lines) <-- freed --> blocking_notifier_chain_unregister() --> down_write(&nh->rwsem) <-- waiting rwsem --> __down_write_common() --> rwsem_down_write_slowpath() --> schedule_preempt_disabled() --> schedule() [use] st54spi_gpio_dev_release() --> gpio_free() --> gpiod_free() --> gpiod_free_commit() --> gpiod_line_state_notify() --> blocking_notifier_call_chain() --> down_read(&nh->rwsem); <-- held rwsem --> notifier_call_chain() --> lineinfo_changed_notify() --> test_bit(xxxx, cdev->watched_lines) <-- use after free The side effect of the use-after-free issue is that a GPIO line event is being generated for userspace where it shouldn't. However, since the chrdev is being closed, userspace won't have the chance to read that event anyway. To fix the issue, call the bitmap_free() function after the unregistration of lineinfo_changed_nb notifier chain. CVE-2024-36899 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-36899.html CVE-2024-36899 https://bugzilla.suse.com/1225737 SUSE Bug 1225737 https://bugzilla.suse.com/1225739 SUSE Bug 1225739 In the Linux kernel, the following vulnerability has been resolved: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique(). Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique() with nice analysis. Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation for timewait hashdance"), inet_twsk_hashdance() sets TIME-WAIT socket's sk_refcnt after putting it into ehash and releasing the bucket lock. Thus, there is a small race window where other threads could try to reuse the port during connect() and call sock_hold() in tcp_twsk_unique() for the TIME-WAIT socket with zero refcnt. If that happens, the refcnt taken by tcp_twsk_unique() is overwritten and sock_put() will cause underflow, triggering a real use-after-free somewhere else. To avoid the use-after-free, we need to use refcount_inc_not_zero() in tcp_twsk_unique() and give up on reusing the port if it returns false. [0]: refcount_t: addition on 0; use-after-free. WARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110 CPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1 Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023 RIP: 0010:refcount_warn_saturate+0xe5/0x110 Code: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8 RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027 RDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0 RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0 R10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84 R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0 FS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0 PKRU: 55555554 Call Trace: <TASK> ? refcount_warn_saturate+0xe5/0x110 ? __warn+0x81/0x130 ? refcount_warn_saturate+0xe5/0x110 ? report_bug+0x171/0x1a0 ? refcount_warn_saturate+0xe5/0x110 ? handle_bug+0x3c/0x80 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? refcount_warn_saturate+0xe5/0x110 tcp_twsk_unique+0x186/0x190 __inet_check_established+0x176/0x2d0 __inet_hash_connect+0x74/0x7d0 ? __pfx___inet_check_established+0x10/0x10 tcp_v4_connect+0x278/0x530 __inet_stream_connect+0x10f/0x3d0 inet_stream_connect+0x3a/0x60 __sys_connect+0xa8/0xd0 __x64_sys_connect+0x18/0x20 do_syscall_64+0x83/0x170 entry_SYSCALL_64_after_hwframe+0x78/0x80 RIP: 0033:0x7f62c11a885d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d RDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003 RBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0 R13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0 </TASK> CVE-2024-36904 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-36904.html CVE-2024-36904 https://bugzilla.suse.com/1225732 SUSE Bug 1225732 https://bugzilla.suse.com/1225733 SUSE Bug 1225733 In the Linux kernel, the following vulnerability has been resolved: pinctrl: core: delete incorrect free in pinctrl_enable() The "pctldev" struct is allocated in devm_pinctrl_register_and_init(). It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(), so freeing it in pinctrl_enable() will lead to a double free. The devm_pinctrl_dev_release() function frees the pindescs and destroys the mutex as well. CVE-2024-36940 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-36940.html CVE-2024-36940 https://bugzilla.suse.com/1225840 SUSE Bug 1225840 https://bugzilla.suse.com/1225841 SUSE Bug 1225841 In the Linux kernel, the following vulnerability has been resolved: fs/9p: only translate RWX permissions for plain 9P2000 Garbage in plain 9P2000's perm bits is allowed through, which causes it to be able to set (among others) the suid bit. This was presumably not the intent since the unix extended bits are handled explicitly and conditionally on .u. CVE-2024-36964 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-36964.html CVE-2024-36964 https://bugzilla.suse.com/1225866 SUSE Bug 1225866 https://bugzilla.suse.com/1226325 SUSE Bug 1226325 In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets. CVE-2024-36971 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-36971.html CVE-2024-36971 https://bugzilla.suse.com/1226145 SUSE Bug 1226145 https://bugzilla.suse.com/1226324 SUSE Bug 1226324 In the Linux kernel, the following vulnerability has been resolved: of: module: add buffer overflow check in of_modalias() In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char). CVE-2024-38541 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-38541.html CVE-2024-38541 https://bugzilla.suse.com/1226587 SUSE Bug 1226587 https://bugzilla.suse.com/1227496 SUSE Bug 1227496 In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix UAF for cq async event The refcount of CQ is not protected by locks. When CQ asynchronous events and CQ destruction are concurrent, CQ may have been released, which will cause UAF. Use the xa_lock() to protect the CQ refcount. CVE-2024-38545 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-38545.html CVE-2024-38545 https://bugzilla.suse.com/1226595 SUSE Bug 1226595 In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Ensure the copied buf is NUL terminated Currently, we allocate a count-sized kernel buffer and copy count from userspace to that buffer. Later, we use kstrtouint on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using kstrtouint. Fix this issue by using memdup_user_nul instead of memdup_user. CVE-2024-38559 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-38559.html CVE-2024-38559 https://bugzilla.suse.com/1226785 SUSE Bug 1226785 https://bugzilla.suse.com/1227495 SUSE Bug 1227495 In the Linux kernel, the following vulnerability has been resolved: scsi: bfa: Ensure the copied buf is NUL terminated Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf. Fix this issue by using memdup_user_nul instead of memdup_user. CVE-2024-38560 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-38560.html CVE-2024-38560 https://bugzilla.suse.com/1226786 SUSE Bug 1226786 https://bugzilla.suse.com/1227319 SUSE Bug 1227319 In the Linux kernel, the following vulnerability has been resolved: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE bpf_prog_attach uses attach_type_to_prog_type to enforce proper attach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses bpf_prog_get and relies on bpf_prog_attach_check_attach_type to properly verify prog_type <> attach_type association. Add missing attach_type enforcement for the link_create case. Otherwise, it's currently possible to attach cgroup_skb prog types to other cgroup hooks. CVE-2024-38564 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-38564.html CVE-2024-38564 https://bugzilla.suse.com/1226789 SUSE Bug 1226789 https://bugzilla.suse.com/1228730 SUSE Bug 1228730 In the Linux kernel, the following vulnerability has been resolved: ecryptfs: Fix buffer size for tag 66 packet The 'TAG 66 Packet Format' description is missing the cipher code and checksum fields that are packed into the message packet. As a result, the buffer allocated for the packet is 3 bytes too small and write_tag_66_packet() will write up to 3 bytes past the end of the buffer. Fix this by increasing the size of the allocation so the whole packet will always fit in the buffer. This fixes the below kasan slab-out-of-bounds bug: BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0 Write of size 1 at addr ffff88800afbb2a5 by task touch/181 CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x4c/0x70 print_report+0xc5/0x610 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 ? kasan_complete_mode_report_info+0x44/0x210 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 kasan_report+0xc2/0x110 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 __asan_store1+0x62/0x80 ecryptfs_generate_key_packet_set+0x7d6/0xde0 ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10 ? __alloc_pages+0x2e2/0x540 ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d] ? dentry_open+0x8f/0xd0 ecryptfs_write_metadata+0x30a/0x550 ? __pfx_ecryptfs_write_metadata+0x10/0x10 ? ecryptfs_get_lower_file+0x6b/0x190 ecryptfs_initialize_file+0x77/0x150 ecryptfs_create+0x1c2/0x2f0 path_openat+0x17cf/0x1ba0 ? __pfx_path_openat+0x10/0x10 do_filp_open+0x15e/0x290 ? __pfx_do_filp_open+0x10/0x10 ? __kasan_check_write+0x18/0x30 ? _raw_spin_lock+0x86/0xf0 ? __pfx__raw_spin_lock+0x10/0x10 ? __kasan_check_write+0x18/0x30 ? alloc_fd+0xf4/0x330 do_sys_openat2+0x122/0x160 ? __pfx_do_sys_openat2+0x10/0x10 __x64_sys_openat+0xef/0x170 ? __pfx___x64_sys_openat+0x10/0x10 do_syscall_64+0x60/0xd0 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7f00a703fd67 Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67 RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000 R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941 R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040 </TASK> Allocated by task 181: kasan_save_stack+0x2f/0x60 kasan_set_track+0x29/0x40 kasan_save_alloc_info+0x25/0x40 __kasan_kmalloc+0xc5/0xd0 __kmalloc+0x66/0x160 ecryptfs_generate_key_packet_set+0x6d2/0xde0 ecryptfs_write_metadata+0x30a/0x550 ecryptfs_initialize_file+0x77/0x150 ecryptfs_create+0x1c2/0x2f0 path_openat+0x17cf/0x1ba0 do_filp_open+0x15e/0x290 do_sys_openat2+0x122/0x160 __x64_sys_openat+0xef/0x170 do_syscall_64+0x60/0xd0 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 CVE-2024-38578 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.85.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.85.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242385-1/ https://www.suse.com/security/cve/CVE-2024-38578.html CVE-2024-38578 https://bugzilla.suse.com/1226634 SUSE Bug 1226634