Security update for the Linux Kernel (Live Patch 44 for SLE 15 SP3) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3039-1 Final 1 1 2024-08-27T18:03:53Z current 2024-08-27T18:03:53Z 2024-08-27T18:03:53Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 44 for SLE 15 SP3) This update for the Linux Kernel 5.3.18-150300_59_161 fixes several issues. The following security issues were fixed: - CVE-2021-47402: Fixed use-after-free in fl_walk() (bsc#1225301) - CVE-2021-47378: Fixed use-after-free by destroying cm id before destroying qp (bsc#1225202). - CVE-2024-27398: Fixed use-after-free bugs caused by sco_sock_timeout (bsc#1225013). - CVE-2024-35950: drm/client: Fully protect modes with dev->mode_config.mutex (bsc#1225310). - CVE-2021-47383: Fixed out-of-bound vmalloc access in imageblit (bsc#1225211). - CVE-2024-26923: Fixed false-positive lockdep splat for spin_lock() in __unix_gc() (bsc#1223683). - CVE-2024-26828: Fixed underflow in parse_server_interfaces() (bsc#1223363). - CVE-2023-1829: Fixed a use-after-free vulnerability in the control index filter (tcindex) (bsc#1210619). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-3039,SUSE-2024-3051,SUSE-SLE-Module-Live-Patching-15-SP2-2024-3039,SUSE-SLE-Module-Live-Patching-15-SP3-2024-3051 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243039-1/ Link for SUSE-SU-2024:3039-1 https://lists.suse.com/pipermail/sle-updates/2024-August/036697.html E-Mail link for SUSE-SU-2024:3039-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1210619 SUSE Bug 1210619 https://bugzilla.suse.com/1223363 SUSE Bug 1223363 https://bugzilla.suse.com/1223683 SUSE Bug 1223683 https://bugzilla.suse.com/1225013 SUSE Bug 1225013 https://bugzilla.suse.com/1225202 SUSE Bug 1225202 https://bugzilla.suse.com/1225211 SUSE Bug 1225211 https://bugzilla.suse.com/1225302 SUSE Bug 1225302 https://bugzilla.suse.com/1225310 SUSE Bug 1225310 https://www.suse.com/security/cve/CVE-2021-47378/ SUSE CVE CVE-2021-47378 page https://www.suse.com/security/cve/CVE-2021-47383/ SUSE CVE CVE-2021-47383 page https://www.suse.com/security/cve/CVE-2021-47402/ SUSE CVE CVE-2021-47402 page https://www.suse.com/security/cve/CVE-2023-1829/ SUSE CVE CVE-2023-1829 page https://www.suse.com/security/cve/CVE-2024-26828/ SUSE CVE CVE-2024-26828 page https://www.suse.com/security/cve/CVE-2024-26923/ SUSE CVE CVE-2024-26923 page https://www.suse.com/security/cve/CVE-2024-27398/ SUSE CVE CVE-2024-27398 page https://www.suse.com/security/cve/CVE-2024-35950/ SUSE CVE CVE-2024-35950 page SUSE Linux Enterprise Live Patching 15 SP2 SUSE Linux Enterprise Live Patching 15 SP3 kernel-livepatch-5_3_18-150200_24_191-default-5-150200.5.6.1 kernel-livepatch-5_3_18-150200_24_191-preempt-5-150200.5.6.1 kernel-livepatch-5_3_18-150300_59_161-default-5-150300.7.6.1 kernel-livepatch-5_3_18-150300_59_161-preempt-5-150300.7.6.1 kernel-livepatch-5_3_18-150200_24_191-default-5-150200.5.6.1 as a component of SUSE Linux Enterprise Live Patching 15 SP2 kernel-livepatch-5_3_18-150300_59_161-default-5-150300.7.6.1 as a component of SUSE Linux Enterprise Live Patching 15 SP3 In the Linux kernel, the following vulnerability has been resolved: nvme-rdma: destroy cm id before destroy qp to avoid use after free We should always destroy cm_id before destroy qp to avoid to get cma event after qp was destroyed, which may lead to use after free. In RDMA connection establishment error flow, don't destroy qp in cm event handler.Just report cm_error to upper level, qp will be destroy in nvme_rdma_alloc_queue() after destroy cm id. CVE-2021-47378 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-150200_24_191-default-5-150200.5.6.1 SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-5-150300.7.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243039-1/ https://www.suse.com/security/cve/CVE-2021-47378.html CVE-2021-47378 https://bugzilla.suse.com/1225201 SUSE Bug 1225201 https://bugzilla.suse.com/1225202 SUSE Bug 1225202 In the Linux kernel, the following vulnerability has been resolved: tty: Fix out-of-bound vmalloc access in imageblit This issue happens when a userspace program does an ioctl FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct containing only the fields xres, yres, and bits_per_pixel with values. If this struct is the same as the previous ioctl, the vc_resize() detects it and doesn't call the resize_screen(), leaving the fb_var_screeninfo incomplete. And this leads to the updatescrollmode() calculates a wrong value to fbcon_display->vrows, which makes the real_y() return a wrong value of y, and that value, eventually, causes the imageblit to access an out-of-bound address value. To solve this issue I made the resize_screen() be called even if the screen does not need any resizing, so it will "fix and fill" the fb_var_screeninfo independently. CVE-2021-47383 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-150200_24_191-default-5-150200.5.6.1 SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-5-150300.7.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243039-1/ https://www.suse.com/security/cve/CVE-2021-47383.html CVE-2021-47383 https://bugzilla.suse.com/1225208 SUSE Bug 1225208 https://bugzilla.suse.com/1225211 SUSE Bug 1225211 In the Linux kernel, the following vulnerability has been resolved: net: sched: flower: protect fl_walk() with rcu Patch that refactored fl_walk() to use idr_for_each_entry_continue_ul() also removed rcu protection of individual filters which causes following use-after-free when filter is deleted concurrently. Fix fl_walk() to obtain rcu read lock while iterating and taking the filter reference and temporary release the lock while calling arg->fn() callback that can sleep. KASAN trace: [ 352.773640] ================================================================== [ 352.775041] BUG: KASAN: use-after-free in fl_walk+0x159/0x240 [cls_flower] [ 352.776304] Read of size 4 at addr ffff8881c8251480 by task tc/2987 [ 352.777862] CPU: 3 PID: 2987 Comm: tc Not tainted 5.15.0-rc2+ #2 [ 352.778980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 352.781022] Call Trace: [ 352.781573] dump_stack_lvl+0x46/0x5a [ 352.782332] print_address_description.constprop.0+0x1f/0x140 [ 352.783400] ? fl_walk+0x159/0x240 [cls_flower] [ 352.784292] ? fl_walk+0x159/0x240 [cls_flower] [ 352.785138] kasan_report.cold+0x83/0xdf [ 352.785851] ? fl_walk+0x159/0x240 [cls_flower] [ 352.786587] kasan_check_range+0x145/0x1a0 [ 352.787337] fl_walk+0x159/0x240 [cls_flower] [ 352.788163] ? fl_put+0x10/0x10 [cls_flower] [ 352.789007] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [ 352.790102] tcf_chain_dump+0x231/0x450 [ 352.790878] ? tcf_chain_tp_delete_empty+0x170/0x170 [ 352.791833] ? __might_sleep+0x2e/0xc0 [ 352.792594] ? tfilter_notify+0x170/0x170 [ 352.793400] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [ 352.794477] tc_dump_tfilter+0x385/0x4b0 [ 352.795262] ? tc_new_tfilter+0x1180/0x1180 [ 352.796103] ? __mod_node_page_state+0x1f/0xc0 [ 352.796974] ? __build_skb_around+0x10e/0x130 [ 352.797826] netlink_dump+0x2c0/0x560 [ 352.798563] ? netlink_getsockopt+0x430/0x430 [ 352.799433] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [ 352.800542] __netlink_dump_start+0x356/0x440 [ 352.801397] rtnetlink_rcv_msg+0x3ff/0x550 [ 352.802190] ? tc_new_tfilter+0x1180/0x1180 [ 352.802872] ? rtnl_calcit.isra.0+0x1f0/0x1f0 [ 352.803668] ? tc_new_tfilter+0x1180/0x1180 [ 352.804344] ? _copy_from_iter_nocache+0x800/0x800 [ 352.805202] ? kasan_set_track+0x1c/0x30 [ 352.805900] netlink_rcv_skb+0xc6/0x1f0 [ 352.806587] ? rht_deferred_worker+0x6b0/0x6b0 [ 352.807455] ? rtnl_calcit.isra.0+0x1f0/0x1f0 [ 352.808324] ? netlink_ack+0x4d0/0x4d0 [ 352.809086] ? netlink_deliver_tap+0x62/0x3d0 [ 352.809951] netlink_unicast+0x353/0x480 [ 352.810744] ? netlink_attachskb+0x430/0x430 [ 352.811586] ? __alloc_skb+0xd7/0x200 [ 352.812349] netlink_sendmsg+0x396/0x680 [ 352.813132] ? netlink_unicast+0x480/0x480 [ 352.813952] ? __import_iovec+0x192/0x210 [ 352.814759] ? netlink_unicast+0x480/0x480 [ 352.815580] sock_sendmsg+0x6c/0x80 [ 352.816299] ____sys_sendmsg+0x3a5/0x3c0 [ 352.817096] ? kernel_sendmsg+0x30/0x30 [ 352.817873] ? __ia32_sys_recvmmsg+0x150/0x150 [ 352.818753] ___sys_sendmsg+0xd8/0x140 [ 352.819518] ? sendmsg_copy_msghdr+0x110/0x110 [ 352.820402] ? ___sys_recvmsg+0xf4/0x1a0 [ 352.821110] ? __copy_msghdr_from_user+0x260/0x260 [ 352.821934] ? _raw_spin_lock+0x81/0xd0 [ 352.822680] ? __handle_mm_fault+0xef3/0x1b20 [ 352.823549] ? rb_insert_color+0x2a/0x270 [ 352.824373] ? copy_page_range+0x16b0/0x16b0 [ 352.825209] ? perf_event_update_userpage+0x2d0/0x2d0 [ 352.826190] ? __fget_light+0xd9/0xf0 [ 352.826941] __sys_sendmsg+0xb3/0x130 [ 352.827613] ? __sys_sendmsg_sock+0x20/0x20 [ 352.828377] ? do_user_addr_fault+0x2c5/0x8a0 [ 352.829184] ? fpregs_assert_state_consistent+0x52/0x60 [ 352.830001] ? exit_to_user_mode_prepare+0x32/0x160 [ 352.830845] do_syscall_64+0x35/0x80 [ 352.831445] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 352.832331] RIP: 0033:0x7f7bee973c17 [ ---truncated--- CVE-2021-47402 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-150200_24_191-default-5-150200.5.6.1 SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-5-150300.7.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243039-1/ https://www.suse.com/security/cve/CVE-2021-47402.html CVE-2021-47402 https://bugzilla.suse.com/1225301 SUSE Bug 1225301 https://bugzilla.suse.com/1225302 SUSE Bug 1225302 A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root. We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. CVE-2023-1829 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-150200_24_191-default-5-150200.5.6.1 SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-5-150300.7.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243039-1/ https://www.suse.com/security/cve/CVE-2023-1829.html CVE-2023-1829 https://bugzilla.suse.com/1210335 SUSE Bug 1210335 https://bugzilla.suse.com/1210619 SUSE Bug 1210619 https://bugzilla.suse.com/1217444 SUSE Bug 1217444 https://bugzilla.suse.com/1217531 SUSE Bug 1217531 https://bugzilla.suse.com/1220886 SUSE Bug 1220886 https://bugzilla.suse.com/1228311 SUSE Bug 1228311 In the Linux kernel, the following vulnerability has been resolved: cifs: fix underflow in parse_server_interfaces() In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that "bytes_left" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending. CVE-2024-26828 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-150200_24_191-default-5-150200.5.6.1 SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-5-150300.7.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243039-1/ https://www.suse.com/security/cve/CVE-2024-26828.html CVE-2024-26828 https://bugzilla.suse.com/1223084 SUSE Bug 1223084 https://bugzilla.suse.com/1223363 SUSE Bug 1223363 In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected. CVE-2024-26923 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-150200_24_191-default-5-150200.5.6.1 SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-5-150300.7.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243039-1/ https://www.suse.com/security/cve/CVE-2024-26923.html CVE-2024-26923 https://bugzilla.suse.com/1223384 SUSE Bug 1223384 https://bugzilla.suse.com/1223683 SUSE Bug 1223683 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout When the sco connection is established and then, the sco socket is releasing, timeout_work will be scheduled to judge whether the sco disconnection is timeout. The sock will be deallocated later, but it is dereferenced again in sco_sock_timeout. As a result, the use-after-free bugs will happen. The root cause is shown below: Cleanup Thread | Worker Thread sco_sock_release | sco_sock_close | __sco_sock_close | sco_sock_set_timer | schedule_delayed_work | sco_sock_kill | (wait a time) sock_put(sk) //FREE | sco_sock_timeout | sock_hold(sk) //USE The KASAN report triggered by POC is shown below: [ 95.890016] ================================================================== [ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0 [ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7 ... [ 95.890755] Workqueue: events sco_sock_timeout [ 95.890755] Call Trace: [ 95.890755] <TASK> [ 95.890755] dump_stack_lvl+0x45/0x110 [ 95.890755] print_address_description+0x78/0x390 [ 95.890755] print_report+0x11b/0x250 [ 95.890755] ? __virt_addr_valid+0xbe/0xf0 [ 95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755] kasan_report+0x139/0x170 [ 95.890755] ? update_load_avg+0xe5/0x9f0 [ 95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755] kasan_check_range+0x2c3/0x2e0 [ 95.890755] sco_sock_timeout+0x5e/0x1c0 [ 95.890755] process_one_work+0x561/0xc50 [ 95.890755] worker_thread+0xab2/0x13c0 [ 95.890755] ? pr_cont_work+0x490/0x490 [ 95.890755] kthread+0x279/0x300 [ 95.890755] ? pr_cont_work+0x490/0x490 [ 95.890755] ? kthread_blkcg+0xa0/0xa0 [ 95.890755] ret_from_fork+0x34/0x60 [ 95.890755] ? kthread_blkcg+0xa0/0xa0 [ 95.890755] ret_from_fork_asm+0x11/0x20 [ 95.890755] </TASK> [ 95.890755] [ 95.890755] Allocated by task 506: [ 95.890755] kasan_save_track+0x3f/0x70 [ 95.890755] __kasan_kmalloc+0x86/0x90 [ 95.890755] __kmalloc+0x17f/0x360 [ 95.890755] sk_prot_alloc+0xe1/0x1a0 [ 95.890755] sk_alloc+0x31/0x4e0 [ 95.890755] bt_sock_alloc+0x2b/0x2a0 [ 95.890755] sco_sock_create+0xad/0x320 [ 95.890755] bt_sock_create+0x145/0x320 [ 95.890755] __sock_create+0x2e1/0x650 [ 95.890755] __sys_socket+0xd0/0x280 [ 95.890755] __x64_sys_socket+0x75/0x80 [ 95.890755] do_syscall_64+0xc4/0x1b0 [ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [ 95.890755] Freed by task 506: [ 95.890755] kasan_save_track+0x3f/0x70 [ 95.890755] kasan_save_free_info+0x40/0x50 [ 95.890755] poison_slab_object+0x118/0x180 [ 95.890755] __kasan_slab_free+0x12/0x30 [ 95.890755] kfree+0xb2/0x240 [ 95.890755] __sk_destruct+0x317/0x410 [ 95.890755] sco_sock_release+0x232/0x280 [ 95.890755] sock_close+0xb2/0x210 [ 95.890755] __fput+0x37f/0x770 [ 95.890755] task_work_run+0x1ae/0x210 [ 95.890755] get_signal+0xe17/0xf70 [ 95.890755] arch_do_signal_or_restart+0x3f/0x520 [ 95.890755] syscall_exit_to_user_mode+0x55/0x120 [ 95.890755] do_syscall_64+0xd1/0x1b0 [ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [ 95.890755] The buggy address belongs to the object at ffff88800c388000 [ 95.890755] which belongs to the cache kmalloc-1k of size 1024 [ 95.890755] The buggy address is located 128 bytes inside of [ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400) [ 95.890755] [ 95.890755] The buggy address belongs to the physical page: [ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388 [ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 95.890755] ano ---truncated--- CVE-2024-27398 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-150200_24_191-default-5-150200.5.6.1 SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-5-150300.7.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243039-1/ https://www.suse.com/security/cve/CVE-2024-27398.html CVE-2024-27398 https://bugzilla.suse.com/1224174 SUSE Bug 1224174 https://bugzilla.suse.com/1225013 SUSE Bug 1225013 In the Linux kernel, the following vulnerability has been resolved: drm/client: Fully protect modes[] with dev->mode_config.mutex The modes[] array contains pointers to modes on the connectors' mode lists, which are protected by dev->mode_config.mutex. Thus we need to extend modes[] the same protection or by the time we use it the elements may already be pointing to freed/reused memory. CVE-2024-35950 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-150200_24_191-default-5-150200.5.6.1 SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-5-150300.7.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243039-1/ https://www.suse.com/security/cve/CVE-2024-35950.html CVE-2024-35950 https://bugzilla.suse.com/1224703 SUSE Bug 1224703 https://bugzilla.suse.com/1225310 SUSE Bug 1225310