OESA-2024-1837

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

ARM: 9170/1: fix panic when kasan and kprobe are enabled

arm32 uses software to simulate the instruction replaced by kprobe. some instructions may be simulated by constructing assembly functions. therefore, before executing instruction simulation, it is necessary to construct assembly function execution environment in C language through binding registers. after kasan is enabled, the register binding relationship will be destroyed, resulting in instruction simulation errors and causing kernel panic.

the kprobe emulate instruction function is distributed in three files: actions-common.c actions-arm.c actions-thumb.c, so disable KASAN when compiling these files.

for example, use kprobe insert on capcapable+20 after kasan enabled, the capcapable assembly code is as follows: <capcapable>: e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e1a05000 mov r5, r0 e280006c add r0, r0, #108 ; 0x6c e1a04001 mov r4, r1 e1a06002 mov r6, r2 e59fa090 ldr sl, [pc, #144] ; ebfc7bf8 bl c03aa4b4 <asanload4> e595706c ldr r7, [r5, #108] ; 0x6c e2859014 add r9, r5, #20 ...... The emulateldr assembly code after enabling kasan is as follows: c06f1384 <emulateldr>: e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e282803c add r8, r2, #60 ; 0x3c e1a05000 mov r5, r0 e7e37855 ubfx r7, r5, #16, #4 e1a00008 mov r0, r8 e1a09001 mov r9, r1 e1a04002 mov r4, r2 ebf35462 bl c03c6530 <asanload4> e357000f cmp r7, #15 e7e36655 ubfx r6, r5, #12, #4 e205a00f and sl, r5, #15 0a000001 beq c06f13bc <emulateldr+0x38> e0840107 add r0, r4, r7, lsl #2 ebf3545c bl c03c6530 <asanload4> e084010a add r0, r4, sl, lsl #2 ebf3545a bl c03c6530 <asanload4> e2890010 add r0, r9, #16 ebf35458 bl c03c6530 <_asanload4> e5990010 ldr r0, [r9, #16] e12fff30 blx r0 e356000f cm r6, #15 1a000014 bne c06f1430 <emulate_ldr+0xac> e1a06000 mov r6, r0 e2840040 add r0, r4, #64 ; 0x40 ......

when running in emulateldr to simulate the ldr instruction, panic occurred, and the log is as follows: Unable to handle kernel NULL pointer dereference at virtual address 00000090 pgd = ecb46400 [00000090] *pgd=2e0fa003, *pmd=00000000 Internal error: Oops: 206 [#1] SMP ARM PC is at capcapable+0x14/0xb0 LR is at emulateldr+0x50/0xc0 psr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c r10: 00000000 r9 : c30897f4 r8 : ecd63cd4 r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98 r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008 Flags: nZCv IRQs off FIQs on Mode SVC32 ISA ARM Segment user Control: 32c5387d Table: 2d546400 DAC: 55555555 Process bash (pid: 1643, stack limit = 0xecd60190) (capcapable) from (kprobehandler+0x218/0x340) (kprobehandler) from (kprobetraphandler+0x24/0x48) (kprobetraphandler) from (doundefinstr+0x13c/0x364) (doundefinstr) from (undsvcfinish+0x0/0x30) (undsvcfinish) from (capcapable+0x18/0xb0) (capcapable) from (capvmenoughmemory+0x38/0x48) (capvmenoughmemory) from (securityvmenoughmemorymm+0x48/0x6c) (securityvmenoughmemorymm) from (copyprocess.constprop.5+0x16b4/0x25c8) (copyprocess.constprop.5) from (dofork+0xe8/0x55c) (dofork) from (SySclone+0x1c/0x24) (SySclone) from (systrace_return+0x0/0x10) Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)(CVE-2021-47618)

In the Linux kernel, the following vulnerability has been resolved:

ax25: Fix reference count leak issue of net_device

There is a reference count leak issue of the object "netdevice" in ax25devdevicedown(). When the ax25 device is shutting down, the ax25devdevicedown() drops the reference count of netdevice one or zero times depending on if we goto unlock_put or not, which will cause memory leak.

In order to solve the above issue, decrease the reference count of netdevice after dev->ax25ptr is set to null.(CVE-2024-38554)

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix potential hang in nilfsdetachlog_writer()

Syzbot has reported a potential hang in nilfsdetachlog_writer() called during nilfs2 unmount.

Analysis revealed that this is because nilfssegctorsync(), which synchronizes with the log writer thread, can be called after nilfssegctordestroy() terminates that thread, as shown in the call trace below:

nilfsdetachlogwriter nilfssegctordestroy nilfssegctorkillthread --> Shut down log writer thread flushwork nilfsiputworkfunc nilfsdisposelist iput nilfsevictinode nilfstransactioncommit nilfsconstructsegment (if inode needs sync) nilfssegctorsync --> Attempt to synchronize with log writer thread * DEADLOCK *

Fix this issue by changing nilfssegctorsync() so that the log writer thread returns normally without synchronizing after it terminates, and by forcing tasks that are already waiting to complete once after the thread terminates.

The skipped inode metadata flushout will then be processed together in the subsequent cleanup work in nilfssegctordestroy().(CVE-2024-38582)

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix use-after-free of timer for log writer thread

Patch series "nilfs2: fix log writer related issues".

This bug fix series covers three nilfs2 log writer-related issues, including a timer use-after-free issue and potential deadlock issue on unmount, and a potential freeze issue in event synchronization found during their analysis. Details are described in each commit log.

This patch (of 3):

A use-after-free issue has been reported regarding the timer sctimer on the nilfssc_info structure.

The problem is that even though it is used to wake up a sleeping log writer thread, sctimer is not shut down until the nilfssc_info structure is about to be freed, and is used regardless of the thread's lifetime.

Fix this issue by limiting the use of sc_timer only while the log writer thread is alive.(CVE-2024-38583)

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Check 'folio' pointer for NULL

It can be NULL if bmap is called.(CVE-2024-38625)