Security update for the Linux Kernel (Live Patch 49 for SLE 15 SP2) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3676-1 Final 1 1 2024-10-16T17:33:48Z current 2024-10-16T17:33:48Z 2024-10-16T17:33:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 49 for SLE 15 SP2) This update for the Linux Kernel 5.3.18-150200_24_194 fixes several issues. The following security issues were fixed: - CVE-2024-35861: Fixed potential UAF in cifs_signal_cifsd_for_reconnect() (bsc#1225312). - CVE-2021-47291: ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions (bsc#1227651). - CVE-2024-41059: hfsplus: fix uninit-value in copy_name (bsc#1228573). - CVE-2024-36964: fs/9p: only translate RWX permissions for plain 9P2000 (bsc#1226325). - CVE-2024-26923: Fixed false-positive lockdep splat for spin_lock() in __unix_gc() (bsc#1223683). - CVE-2024-35950: drm/client: Fully protect modes with dev->mode_config.mutex (bsc#1225310). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-3676,SUSE-SLE-Module-Live-Patching-15-SP2-2024-3676 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243676-1/ Link for SUSE-SU-2024:3676-1 https://lists.suse.com/pipermail/sle-updates/2024-October/037289.html E-Mail link for SUSE-SU-2024:3676-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1223683 SUSE Bug 1223683 https://bugzilla.suse.com/1225310 SUSE Bug 1225310 https://bugzilla.suse.com/1225312 SUSE Bug 1225312 https://bugzilla.suse.com/1226325 SUSE Bug 1226325 https://bugzilla.suse.com/1227651 SUSE Bug 1227651 https://bugzilla.suse.com/1228573 SUSE Bug 1228573 https://www.suse.com/security/cve/CVE-2021-47291/ SUSE CVE CVE-2021-47291 page https://www.suse.com/security/cve/CVE-2024-26923/ SUSE CVE CVE-2024-26923 page https://www.suse.com/security/cve/CVE-2024-35861/ SUSE CVE CVE-2024-35861 page https://www.suse.com/security/cve/CVE-2024-35950/ SUSE CVE CVE-2024-35950 page https://www.suse.com/security/cve/CVE-2024-36964/ SUSE CVE CVE-2024-36964 page https://www.suse.com/security/cve/CVE-2024-41059/ SUSE CVE CVE-2024-41059 page SUSE Linux Enterprise Live Patching 15 SP2 kernel-livepatch-5_3_18-150200_24_194-default-3-150200.5.6.1 kernel-livepatch-5_3_18-150200_24_194-preempt-3-150200.5.6.1 kernel-livepatch-5_3_18-150200_24_194-default-3-150200.5.6.1 as a component of SUSE Linux Enterprise Live Patching 15 SP2 In the Linux kernel, the following vulnerability has been resolved: ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions While running the self-tests on a KASAN enabled kernel, I observed a slab-out-of-bounds splat very similar to the one reported in commit 821bbf79fe46 ("ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions"). We additionally need to take care of fib6_metrics initialization failure when the caller provides an nh. The fix is similar, explicitly free the route instead of calling fib6_info_release on a half-initialized object. CVE-2021-47291 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-150200_24_194-default-3-150200.5.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243676-1/ https://www.suse.com/security/cve/CVE-2021-47291.html CVE-2021-47291 https://bugzilla.suse.com/1224918 SUSE Bug 1224918 https://bugzilla.suse.com/1227651 SUSE Bug 1227651 In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected. CVE-2024-26923 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-150200_24_194-default-3-150200.5.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243676-1/ https://www.suse.com/security/cve/CVE-2024-26923.html CVE-2024-26923 https://bugzilla.suse.com/1223384 SUSE Bug 1223384 https://bugzilla.suse.com/1223683 SUSE Bug 1223683 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35861 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-150200_24_194-default-3-150200.5.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243676-1/ https://www.suse.com/security/cve/CVE-2024-35861.html CVE-2024-35861 https://bugzilla.suse.com/1224766 SUSE Bug 1224766 https://bugzilla.suse.com/1225312 SUSE Bug 1225312 In the Linux kernel, the following vulnerability has been resolved: drm/client: Fully protect modes[] with dev->mode_config.mutex The modes[] array contains pointers to modes on the connectors' mode lists, which are protected by dev->mode_config.mutex. Thus we need to extend modes[] the same protection or by the time we use it the elements may already be pointing to freed/reused memory. CVE-2024-35950 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-150200_24_194-default-3-150200.5.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243676-1/ https://www.suse.com/security/cve/CVE-2024-35950.html CVE-2024-35950 https://bugzilla.suse.com/1224703 SUSE Bug 1224703 https://bugzilla.suse.com/1225310 SUSE Bug 1225310 In the Linux kernel, the following vulnerability has been resolved: fs/9p: only translate RWX permissions for plain 9P2000 Garbage in plain 9P2000's perm bits is allowed through, which causes it to be able to set (among others) the suid bit. This was presumably not the intent since the unix extended bits are handled explicitly and conditionally on .u. CVE-2024-36964 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-150200_24_194-default-3-150200.5.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243676-1/ https://www.suse.com/security/cve/CVE-2024-36964.html CVE-2024-36964 https://bugzilla.suse.com/1225866 SUSE Bug 1225866 https://bugzilla.suse.com/1226325 SUSE Bug 1226325 In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix uninit-value in copy_name [syzbot reported] BUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160 sized_strscpy+0xc4/0x160 copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411 hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3877 [inline] slab_alloc_node mm/slub.c:3918 [inline] kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065 kmalloc include/linux/slab.h:628 [inline] hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Fix] When allocating memory to strbuf, initialize memory to 0. CVE-2024-41059 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-150200_24_194-default-3-150200.5.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243676-1/ https://www.suse.com/security/cve/CVE-2024-41059.html CVE-2024-41059 https://bugzilla.suse.com/1228561 SUSE Bug 1228561 https://bugzilla.suse.com/1228573 SUSE Bug 1228573