Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP5) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2488-1 Final 1 1 2024-07-15T15:03:44Z current 2024-07-15T15:03:44Z 2024-07-15T15:03:44Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP5) This update for the Linux Kernel 5.14.21-150500_55_7 fixes several issues. The following security issues were fixed: - CVE-2024-26923: Fixed false-positive lockdep splat for spin_lock() in __unix_gc() (bsc#1223683). - CVE-2024-26930: Fixed double free of the ha->vp_map pointer (bsc#1223681). - CVE-2024-26828: Fixed underflow in parse_server_interfaces() (bsc#1223363). - CVE-2024-23307: Fixed Integer Overflow or Wraparound vulnerability in x86 and ARM md, raid, raid5 modules (bsc#1220145). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-2488,SUSE-2024-2489,SUSE-2024-2490,SUSE-SLE-Module-Live-Patching-15-SP5-2024-2488 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242488-1/ Link for SUSE-SU-2024:2488-1 https://lists.suse.com/pipermail/sle-security-updates/2024-July/018970.html E-Mail link for SUSE-SU-2024:2488-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1220145 SUSE Bug 1220145 https://bugzilla.suse.com/1223363 SUSE Bug 1223363 https://bugzilla.suse.com/1223681 SUSE Bug 1223681 https://bugzilla.suse.com/1223683 SUSE Bug 1223683 https://www.suse.com/security/cve/CVE-2024-23307/ SUSE CVE CVE-2024-23307 page https://www.suse.com/security/cve/CVE-2024-26828/ SUSE CVE CVE-2024-26828 page https://www.suse.com/security/cve/CVE-2024-26923/ SUSE CVE CVE-2024-26923 page https://www.suse.com/security/cve/CVE-2024-26930/ SUSE CVE CVE-2024-26930 page SUSE Linux Enterprise Live Patching 15 SP5 kernel-livepatch-5_14_21-150500_55_7-default-13-150500.2.1 kernel-livepatch-5_14_21-150500_55_12-default-13-150500.2.1 kernel-livepatch-5_14_21-150500_55_19-default-12-150500.2.1 kernel-livepatch-5_14_21-150500_55_7-default-13-150500.2.1 as a component of SUSE Linux Enterprise Live Patching 15 SP5 Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow. CVE-2024-23307 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_7-default-13-150500.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242488-1/ https://www.suse.com/security/cve/CVE-2024-23307.html CVE-2024-23307 https://bugzilla.suse.com/1219169 SUSE Bug 1219169 https://bugzilla.suse.com/1220145 SUSE Bug 1220145 In the Linux kernel, the following vulnerability has been resolved: cifs: fix underflow in parse_server_interfaces() In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that "bytes_left" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending. CVE-2024-26828 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_7-default-13-150500.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242488-1/ https://www.suse.com/security/cve/CVE-2024-26828.html CVE-2024-26828 https://bugzilla.suse.com/1223084 SUSE Bug 1223084 https://bugzilla.suse.com/1223363 SUSE Bug 1223363 In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected. CVE-2024-26923 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_7-default-13-150500.2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242488-1/ https://www.suse.com/security/cve/CVE-2024-26923.html CVE-2024-26923 https://bugzilla.suse.com/1223384 SUSE Bug 1223384 https://bugzilla.suse.com/1223683 SUSE Bug 1223683 In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of the ha->vp_map pointer Coverity scan reported potential risk of double free of the pointer ha->vp_map. ha->vp_map was freed in qla2x00_mem_alloc(), and again freed in function qla2x00_mem_free(ha). Assign NULL to vp_map and kfree take care of NULL. CVE-2024-26930 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_7-default-13-150500.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242488-1/ https://www.suse.com/security/cve/CVE-2024-26930.html CVE-2024-26930 https://bugzilla.suse.com/1223626 SUSE Bug 1223626 https://bugzilla.suse.com/1223681 SUSE Bug 1223681