Now we no longer upgrade to the 5.10.209 kernel; the kernel will later be upgraded to version 6.6.

On 2024/5/27 21:50, Ghada Khalil wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> @Yue Tao, Is there still a plan to upgrade to the 5.10.209 kernel to
> pick up fixes for these CVEs? Or will this be superseded by the move to
> the 6.6 kernel which is in progress for stx.10.0?
>
> --
> You received this bug notification because you are a bug assignee.
> https://bugs.launchpad.net/bugs/2049325
>
> Title:
>   [Debian] High CVE:
>   CVE-2024-0193/CVE-2023-6606/CVE-2023-6040/CVE-2024-0646 kernel :
>   multiple CVEs
>
> Status in StarlingX:
>   Triaged
>
> Bug description:
>   CVE-2023-52436: https://nvd.nist.gov/vuln/detail/CVE-2023-52436
>
>   In the Linux kernel, the following vulnerability has been resolved:
>   f2fs: explicitly null-terminate the xattr list. When setting an xattr,
>   explicitly null-terminate the xattr list. This eliminates the fragile
>   assumption that the unused xattr space is always zeroed.
>
>   CVE-2023-52439: https://nvd.nist.gov/vuln/detail/CVE-2023-52439
>
>   In the Linux kernel, the following vulnerability has been resolved:
>   uio: Fix use-after-free in uio_open
>
>   core-1                          core-2
>   -------------------------------------------------------
>   uio_unregister_device           uio_open
>                                   idev = idr_find()
>   device_unregister(&idev->dev)
>   put_device(&idev->dev)
>   uio_device_release
>                                   get_device(&idev->dev)
>   kfree(idev)
>   uio_free_minor(minor)
>                                   uio_release
>                                   put_device(&idev->dev)
>                                   kfree(idev)
>   -------------------------------------------------------
>
>   In the core-1 uio_unregister_device(), the device_unregister will
>   kfree idev when the idev->dev kobject ref is 1. But after core-1
>   device_unregister, put_device and before doing kfree, the core-2 may
>   get_device. Then:
>   1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
>   2. When core-2 does uio_release and put_device, the idev will be
>      double freed.
>   To address this issue, we can get idev atomic & inc idev reference
>   with minor_lock.
>
>   CVE-2023-52438: https://nvd.nist.gov/vuln/detail/CVE-2023-52438
>
>   In the Linux kernel, the following vulnerability has been resolved:
>   binder: fix use-after-free in shrinker's callback. The mmap read lock
>   is used during the shrinker's callback, which means that using
>   alloc->vma pointer isn't safe as it can race with munmap(). As of
>   commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in
>   munmap") the mmap lock is downgraded after the vma has been isolated.
>   I was able to reproduce this issue by manually adding some delays and
>   triggering page reclaiming through the shrinker's debug sysfs. The
>   following KASAN report confirms the UAF:
>
>   ==================================================================
>   BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8
>   Read of size 8 at addr ffff356ed50e50f0 by task bash/478
>   CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70
>   Hardware name: linux,dummy-virt (DT)
>   Call trace:
>     zap_page_range_single+0x470/0x4b8
>     binder_alloc_free_page+0x608/0xadc
>     __list_lru_walk_one+0x130/0x3b0
>     list_lru_walk_node+0xc4/0x22c
>     binder_shrink_scan+0x108/0x1dc
>     shrinker_debugfs_scan_write+0x2b4/0x500
>     full_proxy_write+0xd4/0x140
>     vfs_write+0x1ac/0x758
>     ksys_write+0xf0/0x1dc
>     __arm64_sys_write+0x6c/0x9c
>
>   Allocated by task 492:
>     kmem_cache_alloc+0x130/0x368
>     vm_area_alloc+0x2c/0x190
>     mmap_region+0x258/0x18bc
>     do_mmap+0x694/0xa60
>     vm_mmap_pgoff+0x170/0x29c
>     ksys_mmap_pgoff+0x290/0x3a0
>     __arm64_sys_mmap+0xcc/0x144
>
>   Freed by task 491:
>     kmem_cache_free+0x17c/0x3c8
>     vm_area_free_rcu_cb+0x74/0x98
>     rcu_core+0xa38/0x26d4
>     rcu_core_si+0x10/0x1c
>     __do_softirq+0x2fc/0xd24
>
>   Last potentially related work creation:
>     __call_rcu_common.constprop.0+0x6c/0xba0
>     call_rcu+0x10/0x1c
>     vm_area_free+0x18/0x24
>     remove_vma+0xe4/0x118
>     do_vmi_align_munmap.isra.0+0x718/0xb5c
>     do_vmi_munmap+0xdc/0x1fc
>     __vm_munmap+0x10c/0x278
>     __arm64_sys_munmap+0x58/0x7c
>
>   Fix this issue by performing instead a vma_lookup() which will fail
>   to find the vma that was isolated before the mmap lock downgrade.
>   Note that this option has better performance than upgrading to a
>   mmap write lock which would increase contention. Plus,
>   mmap_write_trylock() has been recently removed anyway.
>
>   CVE-2023-52433: https://nvd.nist.gov/vuln/detail/CVE-2023-52433
>
>   In the Linux kernel, the following vulnerability has been resolved:
>   netfilter: nft_set_rbtree: skip sync GC for new elements in this
>   transaction. New elements in this transaction might expire before
>   such transaction ends. Skip sync GC for such elements otherwise
>   commit path might walk over an already released object. Once
>   transaction is finished, async GC will collect such expired element.
>
>   CVE-2024-23196: https://nvd.nist.gov/vuln/detail/CVE-2024-23196
>
>   A race condition was found in the Linux kernel's sound/hda device
>   driver in snd_hdac_regmap_sync() function. This can result in a null
>   pointer dereference issue, possibly leading to a kernel panic or
>   denial of service issue.
>
>   CVE-2023-51779: https://nvd.nist.gov/vuln/detail/CVE-2023-51779
>
>   CVE-2023-45863: https://nvd.nist.gov/vuln/detail/CVE-2023-45863
>
>   An issue was discovered in lib/kobject.c in the Linux kernel before
>   6.2.3. With root access, an attacker can trigger a race condition
>   that results in a fill_kobj_path out-of-bounds write.
>
>   CVE-2021-44879: https://nvd.nist.gov/vuln/detail/CVE-2021-44879
>
>   In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3,
>   special files are not considered, leading to a move_data_page NULL
>   pointer dereference.
>
>   CVE-2023-39198: https://nvd.nist.gov/vuln/detail/CVE-2023-39198
>
>   A race condition was found in the QXL driver in the Linux kernel. The
>   qxl_mode_dumb_create() function dereferences the qobj returned by the
>   qxl_gem_object_create_with_handle(), but the handle is the only one
>   holding a reference to it. This flaw allows an attacker to guess the
>   returned handle value and trigger a use-after-free issue, potentially
>   leading to a denial of service or privilege escalation.
>
>   CVE-2023-46838: https://nvd.nist.gov/vuln/detail/CVE-2023-46838
>
>   CVE-2023-6915: https://nvd.nist.gov/vuln/detail/CVE-2023-6915
>
>   A NULL pointer dereference problem was found in ida_free in lib/idr.c
>   in the Linux Kernel. This issue may allow an attacker using this
>   library to cause a denial of service problem due to a missing check
>   at a function return.
>
>   CVE-2023-46343: https://nvd.nist.gov/vuln/detail/CVE-2023-46343
>
>   In the Linux kernel before 6.5.9, there is a NULL pointer dereference
>   in send_acknowledge in net/nfc/nci/spi.c.
>
>   CVE-2023-51042: https://nvd.nist.gov/vuln/detail/CVE-2023-51042
>
>   In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in
>   drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.
>
>   CVE-2023-51043: https://nvd.nist.gov/vuln/detail/CVE-2023-51043
>
>   In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a
>   use-after-free during a race condition between a nonblocking atomic
>   commit and a driver unload.
>
>   CVE-2024-0584: https://nvd.nist.gov/vuln/detail/CVE-2024-0584
>
>   A use-after-free issue was found in igmp_start_timer in
>   net/ipv4/igmp.c in the network sub-component in the Linux Kernel.
>   This flaw allows a local user to observe a refcnt use-after-free
>   issue when receiving an igmp query packet, leading to a kernel
>   information leak.
>
>   CVE-2024-0639: https://nvd.nist.gov/vuln/detail/CVE-2024-0639
>
>   A denial of service vulnerability due to a deadlock was found in
>   sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel's SCTP
>   subsystem. This flaw allows guests with local user privileges to
>   trigger a deadlock and potentially crash the system.
>
>   CVE-2024-0641: https://nvd.nist.gov/vuln/detail/CVE-2024-0641
>
>   A denial of service vulnerability was found in tipc_crypto_key_revoke
>   in net/tipc/crypto.c in the Linux kernel's TIPC subsystem. This flaw
>   allows guests with local user privileges to trigger a deadlock and
>   potentially crash the system.
>
>   CVE-2024-0646: https://nvd.nist.gov/vuln/detail/CVE-2024-0646
>
>   An out-of-bounds memory write flaw was found in the Linux kernel's
>   Transport Layer Security functionality in how a user calls a function
>   splice with a ktls socket as the destination. This flaw allows a
>   local user to crash or potentially escalate their privileges on the
>   system.
>
>   CVE-2024-0775: https://nvd.nist.gov/vuln/detail/CVE-2024-0775
>
>   A use-after-free flaw was found in the __ext4_remount in
>   fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local
>   user to cause an information leak problem while freeing the old quota
>   file names before a potential failure, leading to a use-after-free.
>
>   CVE-2023-6040: https://nvd.nist.gov/vuln/detail/CVE-2023-6040
>
>   An out-of-bounds access vulnerability involving netfilter was
>   reported and fixed as: f1082dd31fe4 (netfilter: nf_tables: Reject
>   tables of unsupported family); While creating a new netfilter table,
>   lack of a safeguard against invalid nf_tables family (pf) values
>   within `nf_tables_newtable` function enables an attacker to achieve
>   out-of-bounds access.
>
>   CVE-2024-0193: https://nvd.nist.gov/vuln/detail/CVE-2024-0193
>
>   A use-after-free flaw was found in the netfilter subsystem of the
>   Linux kernel. If the catchall element is garbage-collected when the
>   pipapo set is removed, the element can be deactivated twice. This can
>   cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT
>   object, allowing a local unprivileged user with CAP_NET_ADMIN
>   capability to escalate their privileges on the system.
>
>   CVE-2023-6606: https://nvd.nist.gov/vuln/detail/CVE-2023-6606
>
>   An out-of-bounds read vulnerability was found in smbCalcSize in
>   fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a
>   local attacker to crash the system or leak internal kernel
>   information.
>
>   Base Score: High
>
>   Reference:
>
>   Upgrade Yocto Linux_5.10.209
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/starlingx/+bug/2049325/+subscriptions
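The uio race quoted in the thread above (CVE-2023-52439) is a lookup-then-get ordering bug: the driver finds the device in the minor table under `minor_lock`, drops the lock, and only then takes its reference, so an unregister on another core can drop the last reference in between. The user-space model below is an added example, not kernel code or part of the original thread. It replays the interleaving from the commit message against a vulnerable `open()` and against one that takes the reference inside the same critical section, as the fix describes. All names (`dev_pool`, `minor_table`, `open_unsafe_lookup`, `open_safe_get`, the `scenario_*` functions) are this example's own, the `refcount`/`state` fields stand in for the kobject reference count and for memory `kfree()` would have returned, and the unregister side removing the table entry before its final put is an assumption of the model.

```c
/* Model of the uio_open()/uio_unregister_device() race and its fix. Added
 * example; not kernel code. Names and the unregister ordering are assumed. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum dev_state { DEV_UNUSED = 0, DEV_LIVE, DEV_RELEASED };

struct uio_dev {
    int minor;
    int refcount;          /* stands in for idev->dev's kobject refcount */
    enum dev_state state;  /* DEV_RELEASED: uio_device_release() has run */
};

#define MAX_MINOR 8
static struct uio_dev dev_pool[MAX_MINOR];      /* storage is never really freed so it can be inspected */
static struct uio_dev *minor_table[MAX_MINOR];  /* plays the role of the uio idr */
static pthread_mutex_t minor_lock = PTHREAD_MUTEX_INITIALIZER;

/* get_device() / put_device() stand-ins. */
static void dev_get(struct uio_dev *d) { d->refcount++; }
static void dev_put(struct uio_dev *d)
{
    if (--d->refcount == 0)
        d->state = DEV_RELEASED;  /* uio_device_release() -> kfree(idev) */
}

struct uio_dev *dev_register(int minor)
{
    struct uio_dev *d = &dev_pool[minor];
    memset(d, 0, sizeof *d);
    d->minor = minor;
    d->refcount = 1;          /* the registration's own reference */
    d->state = DEV_LIVE;
    pthread_mutex_lock(&minor_lock);
    minor_table[minor] = d;
    pthread_mutex_unlock(&minor_lock);
    return d;
}

/* core-1: uio_unregister_device(). Entry removed under minor_lock, then the
 * registration's reference is dropped (assumed ordering for this model). */
void dev_unregister(struct uio_dev *d)
{
    pthread_mutex_lock(&minor_lock);
    minor_table[d->minor] = NULL;
    pthread_mutex_unlock(&minor_lock);
    dev_put(d);               /* device_unregister() -> put_device() */
}

/* Vulnerable open(): idr_find() under the lock, get_device() only later. */
struct uio_dev *open_unsafe_lookup(int minor)
{
    pthread_mutex_lock(&minor_lock);
    struct uio_dev *d = minor_table[minor];
    pthread_mutex_unlock(&minor_lock);
    return d;                 /* caller takes the reference outside the lock */
}

/* Fixed open(): lookup and reference in one critical section, so a device
 * found in the table cannot reach refcount 0 before the caller holds it. */
struct uio_dev *open_safe_get(int minor)
{
    pthread_mutex_lock(&minor_lock);
    struct uio_dev *d = minor_table[minor];
    if (d)
        dev_get(d);
    pthread_mutex_unlock(&minor_lock);
    return d;                 /* NULL models -ENODEV */
}

/* get_device() on a pointer core-2 still holds. A real kernel would write
 * into freed memory here; the model refuses and reports the use-after-free. */
static bool dev_get_checked(struct uio_dev *d)
{
    if (d->state != DEV_LIVE)
        return false;
    dev_get(d);
    return true;
}

/* Commit-message interleaving with the vulnerable open(): returns 1 when
 * core-2's get_device() landed on an already released device. */
int scenario_unsafe(void)
{
    struct uio_dev *d = dev_register(3);
    struct uio_dev *held = open_unsafe_lookup(3); /* core-2: idr_find(), lock dropped */
    dev_unregister(d);                            /* core-1: put_device() -> kfree() */
    return dev_get_checked(held) ? 0 : 1;         /* core-2: get_device() on freed idev */
}

/* Same interleaving with the fixed open(): returns the refcount core-2 sees
 * after core-1's unregister (1, device still live), or -1 if it was released. */
int scenario_safe_open_first(void)
{
    struct uio_dev *d = dev_register(3);
    struct uio_dev *held = open_safe_get(3);      /* refcount 2 */
    dev_unregister(d);                            /* refcount 1, still DEV_LIVE */
    int seen = held->state == DEV_LIVE ? held->refcount : -1;
    dev_put(held);                                /* uio_release(): last put frees exactly once */
    return seen;
}

/* Fixed open() when core-1 wins: the entry is gone, so open() gets NULL. */
bool scenario_safe_unregister_first(void)
{
    struct uio_dev *d = dev_register(3);
    dev_unregister(d);
    return open_safe_get(3) == NULL;
}

int main(void)
{
    printf("vulnerable open(): UAF observed = %d\n", scenario_unsafe());
    printf("fixed open() first: refcount seen by core-2 = %d\n", scenario_safe_open_first());
    printf("fixed open() after unregister: -ENODEV = %d\n", scenario_safe_unregister_first());
    return 0;
}
```

The point the model makes is that the fix is not "hold the lock longer" for its own sake: the lock must cover both the table lookup and the reference increment, and the unregister path must remove the table entry before dropping its reference, so that any pointer handed out of the table is guaranteed to carry a reference that keeps the object alive.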