Security update for the Linux Kernel RT (Live Patch 3 for SLE 15 SP5) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3361-1 Final 1 1 2024-09-23T05:35:47Z current 2024-09-23T05:35:47Z 2024-09-23T05:35:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel RT (Live Patch 3 for SLE 15 SP5) This update for the Linux Kernel 5.14.21-150500_13_11 fixes several issues. The following security issues were fixed: - CVE-2023-52846: Prevent use after free in prp_create_tagged_frame() (bsc#1225099). - CVE-2022-48662: Fixed a general protection fault (GPF) in i915_perf_open_ioctl (bsc#1223521). - CVE-2022-48662: Fixed GPF in i915_perf_open_ioctl (bsc#1223521). - CVE-2024-35817: Set gtt bound flag in amdgpu_ttm_gart_bind (bsc#1225313). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-3361,SUSE-2024-3364,SUSE-2024-3376,SUSE-2024-3380,SUSE-2024-3381,SUSE-2024-3382,SUSE-SLE-Module-Live-Patching-15-SP4-2024-3362,SUSE-SLE-Module-Live-Patching-15-SP5-2024-3380 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243361-1/ Link for SUSE-SU-2024:3361-1 https://lists.suse.com/pipermail/sle-security-updates/2024-September/019492.html E-Mail link for SUSE-SU-2024:3361-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1223521 SUSE Bug 1223521 https://bugzilla.suse.com/1225099 SUSE Bug 1225099 https://bugzilla.suse.com/1225313 SUSE Bug 1225313 https://www.suse.com/security/cve/CVE-2022-48662/ SUSE CVE CVE-2022-48662 page https://www.suse.com/security/cve/CVE-2023-52846/ SUSE CVE CVE-2023-52846 page https://www.suse.com/security/cve/CVE-2024-35817/ SUSE CVE CVE-2024-35817 page SUSE Linux Enterprise Live Patching 15 SP4 SUSE Linux Enterprise Live Patching 15 SP5 kernel-livepatch-5_14_21-150400_24_81-default-14-150400.2.2 kernel-livepatch-5_14_21-150500_13_18-rt-13-150500.2.1 kernel-livepatch-5_14_21-150500_13_21-rt-12-150500.2.1 kernel-livepatch-5_14_21-150500_13_11-rt-14-150500.2.1 kernel-livepatch-5_14_21-150400_24_100-default-11-150400.2.2 kernel-livepatch-5_14_21-150400_24_103-default-9-150400.2.2 kernel-livepatch-5_14_21-150400_24_92-default-12-150400.2.2 kernel-livepatch-5_14_21-150400_24_92-default-12-150400.2.2 as a component of SUSE Linux Enterprise Live Patching 15 SP4 kernel-livepatch-5_14_21-150500_13_11-rt-14-150500.2.1 as a component of SUSE Linux Enterprise Live Patching 15 SP5 In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Really move i915_gem_context.link under ref protection i915_perf assumes that it can use the i915_gem_context reference to protect its i915->gem.contexts.list iteration. However, this requires that we do not remove the context from the list until after we drop the final reference and release the struct. If, as currently, we remove the context from the list during context_close(), the link.next pointer may be poisoned while we are holding the context reference and cause a GPF: [ 4070.573157] i915 0000:00:02.0: [drm:i915_perf_open_ioctl [i915]] filtering on ctx_id=0x1fffff ctx_id_mask=0x1fffff [ 4070.574881] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP [ 4070.574897] CPU: 1 PID: 284392 Comm: amd_performance Tainted: G E 5.17.9 #180 [ 4070.574903] Hardware name: Intel Corporation NUC7i5BNK/NUC7i5BNB, BIOS BNKBL357.86A.0052.2017.0918.1346 09/18/2017 [ 4070.574907] RIP: 0010:oa_configure_all_contexts.isra.0+0x222/0x350 [i915] [ 4070.574982] Code: 08 e8 32 6e 10 e1 4d 8b 6d 50 b8 ff ff ff ff 49 83 ed 50 f0 41 0f c1 04 24 83 f8 01 0f 84 e3 00 00 00 85 c0 0f 8e fa 00 00 00 <49> 8b 45 50 48 8d 70 b0 49 8d 45 50 48 39 44 24 10 0f 85 34 fe ff [ 4070.574990] RSP: 0018:ffffc90002077b78 EFLAGS: 00010202 [ 4070.574995] RAX: 0000000000000002 RBX: 0000000000000002 RCX: 0000000000000000 [ 4070.575000] RDX: 0000000000000001 RSI: ffffc90002077b20 RDI: ffff88810ddc7c68 [ 4070.575004] RBP: 0000000000000001 R08: ffff888103242648 R09: fffffffffffffffc [ 4070.575008] R10: ffffffff82c50bc0 R11: 0000000000025c80 R12: ffff888101bf1860 [ 4070.575012] R13: dead0000000000b0 R14: ffffc90002077c04 R15: ffff88810be5cabc [ 4070.575016] FS: 00007f1ed50c0780(0000) GS:ffff88885ec80000(0000) knlGS:0000000000000000 [ 4070.575021] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4070.575025] CR2: 00007f1ed5590280 CR3: 000000010ef6f005 CR4: 00000000003706e0 [ 4070.575029] Call Trace: [ 4070.575033] <TASK> [ 4070.575037] lrc_configure_all_contexts+0x13e/0x150 [i915] [ 4070.575103] gen8_enable_metric_set+0x4d/0x90 [i915] [ 4070.575164] i915_perf_open_ioctl+0xbc0/0x1500 [i915] [ 4070.575224] ? asm_common_interrupt+0x1e/0x40 [ 4070.575232] ? i915_oa_init_reg_state+0x110/0x110 [i915] [ 4070.575290] drm_ioctl_kernel+0x85/0x110 [ 4070.575296] ? update_load_avg+0x5f/0x5e0 [ 4070.575302] drm_ioctl+0x1d3/0x370 [ 4070.575307] ? i915_oa_init_reg_state+0x110/0x110 [i915] [ 4070.575382] ? gen8_gt_irq_handler+0x46/0x130 [i915] [ 4070.575445] __x64_sys_ioctl+0x3c4/0x8d0 [ 4070.575451] ? __do_softirq+0xaa/0x1d2 [ 4070.575456] do_syscall_64+0x35/0x80 [ 4070.575461] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 4070.575467] RIP: 0033:0x7f1ed5c10397 [ 4070.575471] Code: 3c 1c e8 1c ff ff ff 85 c0 79 87 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a9 da 0d 00 f7 d8 64 89 01 48 [ 4070.575478] RSP: 002b:00007ffd65c8d7a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 4070.575484] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f1ed5c10397 [ 4070.575488] RDX: 00007ffd65c8d7c0 RSI: 0000000040106476 RDI: 0000000000000006 [ 4070.575492] RBP: 00005620972f9c60 R08: 000000000000000a R09: 0000000000000005 [ 4070.575496] R10: 000000000000000d R11: 0000000000000246 R12: 000000000000000a [ 4070.575500] R13: 000000000000000d R14: 0000000000000000 R15: 00007ffd65c8d7c0 [ 4070.575505] </TASK> [ 4070.575507] Modules linked in: nls_ascii(E) nls_cp437(E) vfat(E) fat(E) i915(E) x86_pkg_temp_thermal(E) intel_powerclamp(E) crct10dif_pclmul(E) crc32_pclmul(E) crc32c_intel(E) aesni_intel(E) crypto_simd(E) intel_gtt(E) cryptd(E) ttm(E) rapl(E) intel_cstate(E) drm_kms_helper(E) cfbfillrect(E) syscopyarea(E) cfbimgblt(E) intel_uncore(E) sysfillrect(E) mei_me(E) sysimgblt(E) i2c_i801(E) fb_sys_fops(E) mei(E) intel_pch_thermal(E) i2c_smbus ---truncated--- CVE-2022-48662 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_92-default-12-150400.2.2 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_13_11-rt-14-150500.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243361-1/ https://www.suse.com/security/cve/CVE-2022-48662.html CVE-2022-48662 https://bugzilla.suse.com/1223505 SUSE Bug 1223505 https://bugzilla.suse.com/1223521 SUSE Bug 1223521 In the Linux kernel, the following vulnerability has been resolved: hsr: Prevent use after free in prp_create_tagged_frame() The prp_fill_rct() function can fail. In that situation, it frees the skb and returns NULL. Meanwhile on the success path, it returns the original skb. So it's straight forward to fix bug by using the returned value. CVE-2023-52846 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_92-default-12-150400.2.2 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_13_11-rt-14-150500.2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243361-1/ https://www.suse.com/security/cve/CVE-2023-52846.html CVE-2023-52846 https://bugzilla.suse.com/1225098 SUSE Bug 1225098 https://bugzilla.suse.com/1225099 SUSE Bug 1225099 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag Otherwise after the GTT bo is released, the GTT and gart space is freed but amdgpu_ttm_backend_unbind will not clear the gart page table entry and leave valid mapping entry pointing to the stale system page. Then if GPU access the gart address mistakely, it will read undefined value instead page fault, harder to debug and reproduce the real issue. CVE-2024-35817 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_92-default-12-150400.2.2 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_13_11-rt-14-150500.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243361-1/ https://www.suse.com/security/cve/CVE-2024-35817.html CVE-2024-35817 https://bugzilla.suse.com/1224736 SUSE Bug 1224736 https://bugzilla.suse.com/1225313 SUSE Bug 1225313