Security update for the Linux Kernel RT (Live Patch 6 for SLE 15 SP5) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3824-1 Final 1 1 2024-10-30T18:33:36Z current 2024-10-30T18:33:36Z 2024-10-30T18:33:36Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel RT (Live Patch 6 for SLE 15 SP5) This update for the Linux Kernel 5.14.21-150500_13_21 fixes several issues. The following security issues were fixed: - CVE-2024-35905: Fixed int overflow for stack access size (bsc#1226327). - CVE-2021-47598: sch_cake: do not call cake_destroy() from cake_init() (bsc#1227471). - CVE-2024-35863: Fixed potential UAF in is_valid_oplock_break() (bsc#1225011). - CVE-2023-52752: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() (bsc#1225819). - CVE-2024-35862: Fixed potential UAF in smb2_is_network_name_deleted() (bsc#1225311). - CVE-2024-35867: Fixed potential UAF in cifs_stats_proc_show() (bsc#1225012). - CVE-2024-35864: Fixed potential UAF in smb2_is_valid_lease_break() (bsc#1225309). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-3824,SUSE-2024-3826,SUSE-2024-3827,SUSE-2024-3828,SUSE-SLE-Module-Live-Patching-15-SP5-2024-3825 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243824-1/ Link for SUSE-SU-2024:3824-1 https://lists.suse.com/pipermail/sle-security-updates/2024-October/019727.html E-Mail link for SUSE-SU-2024:3824-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1225011 SUSE Bug 1225011 https://bugzilla.suse.com/1225012 SUSE Bug 1225012 https://bugzilla.suse.com/1225309 SUSE Bug 1225309 https://bugzilla.suse.com/1225311 SUSE Bug 1225311 https://bugzilla.suse.com/1225819 SUSE Bug 1225819 https://bugzilla.suse.com/1226327 SUSE Bug 1226327 https://bugzilla.suse.com/1227471 SUSE Bug 1227471 https://www.suse.com/security/cve/CVE-2021-47598/ SUSE CVE CVE-2021-47598 page https://www.suse.com/security/cve/CVE-2023-52752/ SUSE CVE CVE-2023-52752 page https://www.suse.com/security/cve/CVE-2024-35862/ SUSE CVE CVE-2024-35862 page https://www.suse.com/security/cve/CVE-2024-35863/ SUSE CVE CVE-2024-35863 page https://www.suse.com/security/cve/CVE-2024-35864/ SUSE CVE CVE-2024-35864 page https://www.suse.com/security/cve/CVE-2024-35867/ SUSE CVE CVE-2024-35867 page https://www.suse.com/security/cve/CVE-2024-35905/ SUSE CVE CVE-2024-35905 page SUSE Linux Enterprise Live Patching 15 SP5 kernel-livepatch-5_14_21-150500_13_18-rt-15-150500.2.1 kernel-livepatch-5_14_21-150500_13_24-rt-14-150500.2.1 kernel-livepatch-5_14_21-150500_13_27-rt-13-150500.2.1 kernel-livepatch-5_14_21-150500_13_30-rt-12-150500.2.1 kernel-livepatch-5_14_21-150500_13_21-rt-14-150500.2.1 kernel-livepatch-5_14_21-150500_13_21-rt-14-150500.2.1 as a component of SUSE Linux Enterprise Live Patching 15 SP5 In the Linux kernel, the following vulnerability has been resolved: sch_cake: do not call cake_destroy() from cake_init() qdiscs are not supposed to call their own destroy() method from init(), because core stack already does that. syzbot was able to trigger use after free: DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline] WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740 Modules linked in: CPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline] RIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740 Code: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8 RSP: 0018:ffffc9000627f290 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44 RBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000 FS: 0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0 Call Trace: <TASK> tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810 tcf_block_put_ext net/sched/cls_api.c:1381 [inline] tcf_block_put_ext net/sched/cls_api.c:1376 [inline] tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394 cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695 qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293 tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:724 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409 ___sys_sendmsg+0xf3/0x170 net/socket.c:2463 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f1bb06badb9 Code: Unable to access opcode bytes at RIP 0x7f1bb06bad8f. RSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9 RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003 R10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688 R13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2 </TASK> CVE-2021-47598 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_13_21-rt-14-150500.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243824-1/ https://www.suse.com/security/cve/CVE-2021-47598.html CVE-2021-47598 https://bugzilla.suse.com/1226574 SUSE Bug 1226574 https://bugzilla.suse.com/1227471 SUSE Bug 1227471 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] <TASK> [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381 CVE-2023-52752 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_13_21-rt-14-150500.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243824-1/ https://www.suse.com/security/cve/CVE-2023-52752.html CVE-2023-52752 https://bugzilla.suse.com/1225487 SUSE Bug 1225487 https://bugzilla.suse.com/1225819 SUSE Bug 1225819 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_network_name_deleted() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35862 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_13_21-rt-14-150500.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243824-1/ https://www.suse.com/security/cve/CVE-2024-35862.html CVE-2024-35862 https://bugzilla.suse.com/1224764 SUSE Bug 1224764 https://bugzilla.suse.com/1225311 SUSE Bug 1225311 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in is_valid_oplock_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35863 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_13_21-rt-14-150500.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243824-1/ https://www.suse.com/security/cve/CVE-2024-35863.html CVE-2024-35863 https://bugzilla.suse.com/1224763 SUSE Bug 1224763 https://bugzilla.suse.com/1225011 SUSE Bug 1225011 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35864 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_13_21-rt-14-150500.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243824-1/ https://www.suse.com/security/cve/CVE-2024-35864.html CVE-2024-35864 https://bugzilla.suse.com/1224765 SUSE Bug 1224765 https://bugzilla.suse.com/1225309 SUSE Bug 1225309 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_stats_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35867 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_13_21-rt-14-150500.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243824-1/ https://www.suse.com/security/cve/CVE-2024-35867.html CVE-2024-35867 https://bugzilla.suse.com/1224664 SUSE Bug 1224664 https://bugzilla.suse.com/1225012 SUSE Bug 1225012 In the Linux kernel, the following vulnerability has been resolved: bpf: Protect against int overflow for stack access size This patch re-introduces protection against the size of access to stack memory being negative; the access size can appear negative as a result of overflowing its signed int representation. This should not actually happen, as there are other protections along the way, but we should protect against it anyway. One code path was missing such protections (fixed in the previous patch in the series), causing out-of-bounds array accesses in check_stack_range_initialized(). This patch causes the verification of a program with such a non-sensical access size to fail. This check used to exist in a more indirect way, but was inadvertendly removed in a833a17aeac7. CVE-2024-35905 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_13_21-rt-14-150500.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243824-1/ https://www.suse.com/security/cve/CVE-2024-35905.html CVE-2024-35905 https://bugzilla.suse.com/1224488 SUSE Bug 1224488 https://bugzilla.suse.com/1226327 SUSE Bug 1226327