Security update for the Linux Kernel (Live Patch 20 for SLE 15 SP5) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:01677-1 Final 1 1 2025-05-22T20:04:28Z current 2025-05-22T20:04:28Z 2025-05-22T20:04:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 20 for SLE 15 SP5) This update for the Linux Kernel 5.14.21-150500_55_83 fixes several issues. The following security issues were fixed: - CVE-2024-53156: wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() (bsc#1234847). - CVE-2024-50115: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory (bsc#1233019). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-1677,SUSE-2025-1678,SUSE-2025-1679,SUSE-2025-1681,SUSE-SLE-Module-Live-Patching-15-SP4-2025-1679,SUSE-SLE-Module-Live-Patching-15-SP5-2025-1681 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202501677-1/ Link for SUSE-SU-2025:01677-1 https://lists.suse.com/pipermail/sle-updates/2025-May/039321.html E-Mail link for SUSE-SU-2025:01677-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1233019 SUSE Bug 1233019 https://bugzilla.suse.com/1234847 SUSE Bug 1234847 https://www.suse.com/security/cve/CVE-2024-50115/ SUSE CVE CVE-2024-50115 page https://www.suse.com/security/cve/CVE-2024-53156/ SUSE CVE CVE-2024-53156 page SUSE Linux Enterprise Live Patching 15 SP4 SUSE Linux Enterprise Live Patching 15 SP5 kernel-livepatch-5_14_21-150400_24_133-default-8-150400.2.2 kernel-livepatch-5_14_21-150400_24_136-default-8-150400.2.2 kernel-livepatch-5_14_21-150400_24_141-default-7-150400.2.2 kernel-livepatch-5_14_21-150500_55_83-default-8-150500.2.2 kernel-livepatch-5_14_21-150400_24_141-default-7-150400.2.2 as a component of SUSE Linux Enterprise Live Patching 15 SP4 kernel-livepatch-5_14_21-150500_55_83-default-8-150500.2.2 as a component of SUSE Linux Enterprise Live Patching 15 SP5 In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits 4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't enforce 32-byte alignment of nCR3. In the absolute worst case scenario, failure to ignore bits 4:0 can result in an out-of-bounds read, e.g. if the target page is at the end of a memslot, and the VMM isn't using guard pages. Per the APM: The CR3 register points to the base address of the page-directory-pointer table. The page-directory-pointer table is aligned on a 32-byte boundary, with the low 5 address bits 4:0 assumed to be 0. And the SDM's much more explicit: 4:0 Ignored Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow that is broken. CVE-2024-50115 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-7-150400.2.2 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_83-default-8-150500.2.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202501677-1/ https://www.suse.com/security/cve/CVE-2024-50115.html CVE-2024-50115 https://bugzilla.suse.com/1225742 SUSE Bug 1225742 https://bugzilla.suse.com/1232919 SUSE Bug 1232919 https://bugzilla.suse.com/1233019 SUSE Bug 1233019 In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() I found the following bug in my fuzzer: UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51 index 255 is out of range for type 'htc_endpoint [22]' CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: events request_firmware_work_func Call Trace: <TASK> dump_stack_lvl+0x180/0x1b0 __ubsan_handle_out_of_bounds+0xd4/0x130 htc_issue_send.constprop.0+0x20c/0x230 ? _raw_spin_unlock_irqrestore+0x3c/0x70 ath9k_wmi_cmd+0x41d/0x610 ? mark_held_locks+0x9f/0xe0 ... Since this bug has been confirmed to be caused by insufficient verification of conn_rsp_epid, I think it would be appropriate to add a range check for conn_rsp_epid to htc_connect_service() to prevent the bug from occurring. CVE-2024-53156 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-7-150400.2.2 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_83-default-8-150500.2.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202501677-1/ https://www.suse.com/security/cve/CVE-2024-53156.html CVE-2024-53156 https://bugzilla.suse.com/1234846 SUSE Bug 1234846 https://bugzilla.suse.com/1234847 SUSE Bug 1234847 https://bugzilla.suse.com/1234853 SUSE Bug 1234853