Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP6) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3880-1 Final 1 1 2024-11-04T06:33:25Z current 2024-11-04T06:33:25Z 2024-11-04T06:33:25Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP6) This update for the Linux Kernel 6.4.0-150600_21 fixes several issues. The following security issues were fixed: - CVE-2024-35905: Fixed int overflow for stack access size (bsc#1226327). - CVE-2024-42133: Bluetooth: Ignore too large handle values in BIG (bsc#1231419) - CVE-2024-35863: Fixed potential UAF in is_valid_oplock_break() (bsc#1225011). - CVE-2023-52752: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() (bsc#1225819). - CVE-2024-35862: Fixed potential UAF in smb2_is_network_name_deleted() (bsc#1225311). - CVE-2024-35867: Fixed potential UAF in cifs_stats_proc_show() (bsc#1225012). - CVE-2024-35864: Fixed potential UAF in smb2_is_valid_lease_break() (bsc#1225309). - CVE-2024-35861: Fixed potential UAF in cifs_signal_cifsd_for_reconnect() (bsc#1225312). - CVE-2024-36899: gpiolib: cdev: Fix use after free in lineinfo_changed_notify (bsc#1225739). - CVE-2024-40954: net: do not leave a dangling sk pointer, when socket creation fails (bsc#1227808) - CVE-2024-36964: fs/9p: only translate RWX permissions for plain 9P2000 (bsc#1226325). - CVE-2023-52846: hsr: Prevent use after free in prp_create_tagged_frame() (bsc#1225099). - CVE-2024-35817: Set gtt bound flag in amdgpu_ttm_gart_bind (bsc#1225313). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-3880,SUSE-SLE-Module-Live-Patching-15-SP6-2024-3880 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243880-1/ Link for SUSE-SU-2024:3880-1 https://lists.suse.com/pipermail/sle-security-updates/2024-November/019771.html E-Mail link for SUSE-SU-2024:3880-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1225011 SUSE Bug 1225011 https://bugzilla.suse.com/1225012 SUSE Bug 1225012 https://bugzilla.suse.com/1225099 SUSE Bug 1225099 https://bugzilla.suse.com/1225309 SUSE Bug 1225309 https://bugzilla.suse.com/1225311 SUSE Bug 1225311 https://bugzilla.suse.com/1225312 SUSE Bug 1225312 https://bugzilla.suse.com/1225313 SUSE Bug 1225313 https://bugzilla.suse.com/1225739 SUSE Bug 1225739 https://bugzilla.suse.com/1225819 SUSE Bug 1225819 https://bugzilla.suse.com/1226325 SUSE Bug 1226325 https://bugzilla.suse.com/1226327 SUSE Bug 1226327 https://bugzilla.suse.com/1228786 SUSE Bug 1228786 https://bugzilla.suse.com/1231419 SUSE Bug 1231419 https://www.suse.com/security/cve/CVE-2023-52752/ SUSE CVE CVE-2023-52752 page https://www.suse.com/security/cve/CVE-2023-52846/ SUSE CVE CVE-2023-52846 page https://www.suse.com/security/cve/CVE-2024-35817/ SUSE CVE CVE-2024-35817 page https://www.suse.com/security/cve/CVE-2024-35861/ SUSE CVE CVE-2024-35861 page https://www.suse.com/security/cve/CVE-2024-35862/ SUSE CVE CVE-2024-35862 page https://www.suse.com/security/cve/CVE-2024-35863/ SUSE CVE CVE-2024-35863 page https://www.suse.com/security/cve/CVE-2024-35864/ SUSE CVE CVE-2024-35864 page https://www.suse.com/security/cve/CVE-2024-35867/ SUSE CVE CVE-2024-35867 page https://www.suse.com/security/cve/CVE-2024-35905/ SUSE CVE CVE-2024-35905 page https://www.suse.com/security/cve/CVE-2024-36899/ SUSE CVE CVE-2024-36899 page https://www.suse.com/security/cve/CVE-2024-36964/ SUSE CVE CVE-2024-36964 page https://www.suse.com/security/cve/CVE-2024-40954/ SUSE CVE CVE-2024-40954 page https://www.suse.com/security/cve/CVE-2024-42133/ SUSE CVE CVE-2024-42133 page SUSE Linux Enterprise Live Patching 15 SP6 kernel-livepatch-6_4_0-150600_21-default-6-150600.4.10.1 kernel-livepatch-6_4_0-150600_21-default-6-150600.4.10.1 as a component of SUSE Linux Enterprise Live Patching 15 SP6 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] <TASK> [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381 CVE-2023-52752 SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_21-default-6-150600.4.10.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243880-1/ https://www.suse.com/security/cve/CVE-2023-52752.html CVE-2023-52752 https://bugzilla.suse.com/1225487 SUSE Bug 1225487 https://bugzilla.suse.com/1225819 SUSE Bug 1225819 In the Linux kernel, the following vulnerability has been resolved: hsr: Prevent use after free in prp_create_tagged_frame() The prp_fill_rct() function can fail. In that situation, it frees the skb and returns NULL. Meanwhile on the success path, it returns the original skb. So it's straight forward to fix bug by using the returned value. CVE-2023-52846 SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_21-default-6-150600.4.10.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243880-1/ https://www.suse.com/security/cve/CVE-2023-52846.html CVE-2023-52846 https://bugzilla.suse.com/1225098 SUSE Bug 1225098 https://bugzilla.suse.com/1225099 SUSE Bug 1225099 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag Otherwise after the GTT bo is released, the GTT and gart space is freed but amdgpu_ttm_backend_unbind will not clear the gart page table entry and leave valid mapping entry pointing to the stale system page. Then if GPU access the gart address mistakely, it will read undefined value instead page fault, harder to debug and reproduce the real issue. CVE-2024-35817 SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_21-default-6-150600.4.10.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243880-1/ https://www.suse.com/security/cve/CVE-2024-35817.html CVE-2024-35817 https://bugzilla.suse.com/1224736 SUSE Bug 1224736 https://bugzilla.suse.com/1225313 SUSE Bug 1225313 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35861 SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_21-default-6-150600.4.10.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243880-1/ https://www.suse.com/security/cve/CVE-2024-35861.html CVE-2024-35861 https://bugzilla.suse.com/1224766 SUSE Bug 1224766 https://bugzilla.suse.com/1225312 SUSE Bug 1225312 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_network_name_deleted() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35862 SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_21-default-6-150600.4.10.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243880-1/ https://www.suse.com/security/cve/CVE-2024-35862.html CVE-2024-35862 https://bugzilla.suse.com/1224764 SUSE Bug 1224764 https://bugzilla.suse.com/1225311 SUSE Bug 1225311 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in is_valid_oplock_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35863 SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_21-default-6-150600.4.10.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243880-1/ https://www.suse.com/security/cve/CVE-2024-35863.html CVE-2024-35863 https://bugzilla.suse.com/1224763 SUSE Bug 1224763 https://bugzilla.suse.com/1225011 SUSE Bug 1225011 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35864 SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_21-default-6-150600.4.10.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243880-1/ https://www.suse.com/security/cve/CVE-2024-35864.html CVE-2024-35864 https://bugzilla.suse.com/1224765 SUSE Bug 1224765 https://bugzilla.suse.com/1225309 SUSE Bug 1225309 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_stats_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35867 SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_21-default-6-150600.4.10.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243880-1/ https://www.suse.com/security/cve/CVE-2024-35867.html CVE-2024-35867 https://bugzilla.suse.com/1224664 SUSE Bug 1224664 https://bugzilla.suse.com/1225012 SUSE Bug 1225012 In the Linux kernel, the following vulnerability has been resolved: bpf: Protect against int overflow for stack access size This patch re-introduces protection against the size of access to stack memory being negative; the access size can appear negative as a result of overflowing its signed int representation. This should not actually happen, as there are other protections along the way, but we should protect against it anyway. One code path was missing such protections (fixed in the previous patch in the series), causing out-of-bounds array accesses in check_stack_range_initialized(). This patch causes the verification of a program with such a non-sensical access size to fail. This check used to exist in a more indirect way, but was inadvertendly removed in a833a17aeac7. CVE-2024-35905 SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_21-default-6-150600.4.10.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243880-1/ https://www.suse.com/security/cve/CVE-2024-35905.html CVE-2024-35905 https://bugzilla.suse.com/1224488 SUSE Bug 1224488 https://bugzilla.suse.com/1226327 SUSE Bug 1226327 In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: Fix use after free in lineinfo_changed_notify The use-after-free issue occurs as follows: when the GPIO chip device file is being closed by invoking gpio_chrdev_release(), watched_lines is freed by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier chain failed due to waiting write rwsem. Additionally, one of the GPIO chip's lines is also in the release process and holds the notifier chain's read rwsem. Consequently, a race condition leads to the use-after-free of watched_lines. Here is the typical stack when issue happened: [free] gpio_chrdev_release() --> bitmap_free(cdev->watched_lines) <-- freed --> blocking_notifier_chain_unregister() --> down_write(&nh->rwsem) <-- waiting rwsem --> __down_write_common() --> rwsem_down_write_slowpath() --> schedule_preempt_disabled() --> schedule() [use] st54spi_gpio_dev_release() --> gpio_free() --> gpiod_free() --> gpiod_free_commit() --> gpiod_line_state_notify() --> blocking_notifier_call_chain() --> down_read(&nh->rwsem); <-- held rwsem --> notifier_call_chain() --> lineinfo_changed_notify() --> test_bit(xxxx, cdev->watched_lines) <-- use after free The side effect of the use-after-free issue is that a GPIO line event is being generated for userspace where it shouldn't. However, since the chrdev is being closed, userspace won't have the chance to read that event anyway. To fix the issue, call the bitmap_free() function after the unregistration of lineinfo_changed_nb notifier chain. CVE-2024-36899 SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_21-default-6-150600.4.10.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243880-1/ https://www.suse.com/security/cve/CVE-2024-36899.html CVE-2024-36899 https://bugzilla.suse.com/1225737 SUSE Bug 1225737 https://bugzilla.suse.com/1225739 SUSE Bug 1225739 In the Linux kernel, the following vulnerability has been resolved: fs/9p: only translate RWX permissions for plain 9P2000 Garbage in plain 9P2000's perm bits is allowed through, which causes it to be able to set (among others) the suid bit. This was presumably not the intent since the unix extended bits are handled explicitly and conditionally on .u. CVE-2024-36964 SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_21-default-6-150600.4.10.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243880-1/ https://www.suse.com/security/cve/CVE-2024-36964.html CVE-2024-36964 https://bugzilla.suse.com/1225866 SUSE Bug 1225866 https://bugzilla.suse.com/1226325 SUSE Bug 1226325 In the Linux kernel, the following vulnerability has been resolved: net: do not leave a dangling sk pointer, when socket creation fails It is possible to trigger a use-after-free by: * attaching an fentry probe to __sock_release() and the probe calling the bpf_get_socket_cookie() helper * running traceroute -I 1.1.1.1 on a freshly booted VM A KASAN enabled kernel will log something like below (decoded and stripped): ================================================================== BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) Read of size 8 at addr ffff888007110dd8 by task traceroute/299 CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) kasan_report (mm/kasan/report.c:603) ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092) bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e bpf_trampoline_6442506592+0x47/0xaf __sock_release (net/socket.c:652) __sock_create (net/socket.c:1601) ... Allocated by task 299 on cpu 2 at 78.328492s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338) kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007) sk_prot_alloc (net/core/sock.c:2075) sk_alloc (net/core/sock.c:2134) inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1572) __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) __x64_sys_socket (net/socket.c:1718) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Freed by task 299 on cpu 2 at 78.328502s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) kasan_save_free_info (mm/kasan/generic.c:582) poison_slab_object (mm/kasan/common.c:242) __kasan_slab_free (mm/kasan/common.c:256) kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511) __sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208) inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1572) __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) __x64_sys_socket (net/socket.c:1718) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fix this by clearing the struct socket reference in sk_common_release() to cover all protocol families create functions, which may already attached the reference to the sk object with sock_init_data(). CVE-2024-40954 SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_21-default-6-150600.4.10.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243880-1/ https://www.suse.com/security/cve/CVE-2024-40954.html CVE-2024-40954 https://bugzilla.suse.com/1227808 SUSE Bug 1227808 https://bugzilla.suse.com/1228786 SUSE Bug 1228786 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Ignore too large handle values in BIG hci_le_big_sync_established_evt is necessary to filter out cases where the handle value is belonging to ida id range, otherwise ida will be erroneously released in hci_conn_cleanup. CVE-2024-42133 SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_21-default-6-150600.4.10.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243880-1/ https://www.suse.com/security/cve/CVE-2024-42133.html CVE-2024-42133 https://bugzilla.suse.com/1228511 SUSE Bug 1228511 https://bugzilla.suse.com/1231419 SUSE Bug 1231419