Security update for the Linux Kernel (Live Patch 9 for SLE 15 SP5) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0241-1 Final 1 1 2025-01-26T05:03:57Z current 2025-01-26T05:03:57Z 2025-01-26T05:03:57Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 9 for SLE 15 SP5) This update for the Linux Kernel 5.14.21-150500_55_44 fixes several issues. The following security issues were fixed: - CVE-2024-41057: cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() (bsc#1229275). - CVE-2024-36971: Fixed __dst_negative_advice() race (bsc#1226324). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-241,SUSE-SLE-Module-Live-Patching-15-SP5-2025-241 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250241-1/ Link for SUSE-SU-2025:0241-1 https://lists.suse.com/pipermail/sle-security-updates/2025-January/020201.html E-Mail link for SUSE-SU-2025:0241-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1226324 SUSE Bug 1226324 https://bugzilla.suse.com/1229275 SUSE Bug 1229275 https://www.suse.com/security/cve/CVE-2024-36971/ SUSE CVE CVE-2024-36971 page https://www.suse.com/security/cve/CVE-2024-41057/ SUSE CVE CVE-2024-41057 page SUSE Linux Enterprise Live Patching 15 SP5 kernel-livepatch-5_14_21-150500_55_44-default-15-150500.2.1 kernel-livepatch-5_14_21-150500_55_44-default-15-150500.2.1 as a component of SUSE Linux Enterprise Live Patching 15 SP5 In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets. CVE-2024-36971 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_44-default-15-150500.2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250241-1/ https://www.suse.com/security/cve/CVE-2024-36971.html CVE-2024-36971 https://bugzilla.suse.com/1226145 SUSE Bug 1226145 https://bugzilla.suse.com/1226324 SUSE Bug 1226324 In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() We got the following issue in our fault injection stress test: ================================================================== BUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600 Read of size 8 at addr ffff888118efc000 by task kworker/u78:0/109 CPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566 Call Trace: <TASK> kasan_report+0x93/0xc0 cachefiles_withdraw_cookie+0x4d9/0x600 fscache_cookie_state_machine+0x5c8/0x1230 fscache_cookie_worker+0x91/0x1c0 process_one_work+0x7fa/0x1800 [...] Allocated by task 117: kmalloc_trace+0x1b3/0x3c0 cachefiles_acquire_volume+0xf3/0x9c0 fscache_create_volume_work+0x97/0x150 process_one_work+0x7fa/0x1800 [...] Freed by task 120301: kfree+0xf1/0x2c0 cachefiles_withdraw_cache+0x3fa/0x920 cachefiles_put_unbind_pincount+0x1f6/0x250 cachefiles_daemon_release+0x13b/0x290 __fput+0x204/0xa00 task_work_run+0x139/0x230 do_exit+0x87a/0x29b0 [...] ================================================================== Following is the process that triggers the issue: p1 | p2 ------------------------------------------------------------ fscache_begin_lookup fscache_begin_volume_access fscache_cache_is_live(fscache_cache) cachefiles_daemon_release cachefiles_put_unbind_pincount cachefiles_daemon_unbind cachefiles_withdraw_cache fscache_withdraw_cache fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN); cachefiles_withdraw_objects(cache) fscache_wait_for_objects(fscache) atomic_read(&fscache_cache->object_count) == 0 fscache_perform_lookup cachefiles_lookup_cookie cachefiles_alloc_object refcount_set(&object->ref, 1); object->volume = volume fscache_count_object(vcookie->cache); atomic_inc(&fscache_cache->object_count) cachefiles_withdraw_volumes cachefiles_withdraw_volume fscache_withdraw_volume __cachefiles_free_volume kfree(cachefiles_volume) fscache_cookie_state_machine cachefiles_withdraw_cookie cache = object->volume->cache; // cachefiles_volume UAF !!! After setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups to complete first, and then wait for fscache_cache->object_count == 0 to avoid the cookie exiting after the volume has been freed and triggering the above issue. Therefore call fscache_withdraw_volume() before calling cachefiles_withdraw_objects(). This way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two cases will occur: 1) fscache_begin_lookup fails in fscache_begin_volume_access(). 2) fscache_withdraw_volume() will ensure that fscache_count_object() has been executed before calling fscache_wait_for_objects(). CVE-2024-41057 SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_44-default-15-150500.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250241-1/ https://www.suse.com/security/cve/CVE-2024-41057.html CVE-2024-41057 https://bugzilla.suse.com/1228462 SUSE Bug 1228462 https://bugzilla.suse.com/1229275 SUSE Bug 1229275