Security update for the Linux Kernel (Live Patch 27 for SLE 15 SP4) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3365-1 Final 1 1 2024-09-23T01:40:09Z current 2024-09-23T01:40:09Z 2024-09-23T01:40:09Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 27 for SLE 15 SP4) This update for the Linux Kernel 5.14.21-150400_24_122 fixes several issues. The following security issues were fixed: - CVE-2023-52846: Prevent use after free in prp_create_tagged_frame() (bsc#1225099). - CVE-2024-26923: Fixed false-positive lockdep splat for spin_lock() in __unix_gc() (bsc#1223683). - CVE-2024-35950: Fully protect modes with dev->mode_config.mutex (bsc#1225310). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-3365,SUSE-SLE-Module-Live-Patching-15-SP4-2024-3365 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243365-1/ Link for SUSE-SU-2024:3365-1 https://lists.suse.com/pipermail/sle-security-updates/2024-September/019490.html E-Mail link for SUSE-SU-2024:3365-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1223683 SUSE Bug 1223683 https://bugzilla.suse.com/1225099 SUSE Bug 1225099 https://bugzilla.suse.com/1225310 SUSE Bug 1225310 https://www.suse.com/security/cve/CVE-2023-52846/ SUSE CVE CVE-2023-52846 page https://www.suse.com/security/cve/CVE-2024-26923/ SUSE CVE CVE-2024-26923 page https://www.suse.com/security/cve/CVE-2024-35950/ SUSE CVE CVE-2024-35950 page SUSE Linux Enterprise Live Patching 15 SP4 kernel-livepatch-5_14_21-150400_24_122-default-3-150400.9.6.2 kernel-livepatch-5_14_21-150400_24_122-default-3-150400.9.6.2 as a component of SUSE Linux Enterprise Live Patching 15 SP4 In the Linux kernel, the following vulnerability has been resolved: hsr: Prevent use after free in prp_create_tagged_frame() The prp_fill_rct() function can fail. In that situation, it frees the skb and returns NULL. Meanwhile on the success path, it returns the original skb. So it's straight forward to fix bug by using the returned value. CVE-2023-52846 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_122-default-3-150400.9.6.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243365-1/ https://www.suse.com/security/cve/CVE-2023-52846.html CVE-2023-52846 https://bugzilla.suse.com/1225098 SUSE Bug 1225098 https://bugzilla.suse.com/1225099 SUSE Bug 1225099 In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected. CVE-2024-26923 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_122-default-3-150400.9.6.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243365-1/ https://www.suse.com/security/cve/CVE-2024-26923.html CVE-2024-26923 https://bugzilla.suse.com/1223384 SUSE Bug 1223384 https://bugzilla.suse.com/1223683 SUSE Bug 1223683 In the Linux kernel, the following vulnerability has been resolved: drm/client: Fully protect modes[] with dev->mode_config.mutex The modes[] array contains pointers to modes on the connectors' mode lists, which are protected by dev->mode_config.mutex. Thus we need to extend modes[] the same protection or by the time we use it the elements may already be pointing to freed/reused memory. CVE-2024-35950 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_122-default-3-150400.9.6.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243365-1/ https://www.suse.com/security/cve/CVE-2024-35950.html CVE-2024-35950 https://bugzilla.suse.com/1224703 SUSE Bug 1224703 https://bugzilla.suse.com/1225310 SUSE Bug 1225310