OESA-2024-1284
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1284
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2024-1284.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/OESA-2024-1284
- Upstream
- Published
- 2024-03-15T11:07:12Z
- Modified
- 2025-08-12T05:24:17.414192Z
- Summary
- kernel security update
- Details
-
The Linux Kernel, the operating system core itself.
Security Fix(es):
In the Linux kernel, the following vulnerability has been resolved:
f2fs: explicitly null-terminate the xattr list
When setting an xattr, explicitly null-terminate the xattr list. This eliminates the fragile assumption that the unused xattr space is always zeroed.(CVE-2023-52436)
In the Linux kernel, the following vulnerability has been resolved:
binder: fix use-after-free in shinker's callback
The mmap read lock is used during the shrinker's callback, which means that using alloc->vma pointer isn't safe as it can race with munmap(). As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") the mmap lock is downgraded after the vma has been isolated.
I was able to reproduce this issue by manually adding some delays and triggering page reclaiming through the shrinker's debug sysfs. The following KASAN report confirms the UAF:
================================================================== BUG: KASAN: slab-use-after-free in zappagerange_single+0x470/0x4b8 Read of size 8 at addr ffff356ed50e50f0 by task bash/478
CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70 Hardware name: linux,dummy-virt (DT) Call trace: zappagerangesingle+0x470/0x4b8 binderallocfreepage+0x608/0xadc _listlruwalkone+0x130/0x3b0 listlruwalknode+0xc4/0x22c bindershrinkscan+0x108/0x1dc shrinkerdebugfsscanwrite+0x2b4/0x500 fullproxywrite+0xd4/0x140 vfswrite+0x1ac/0x758 ksyswrite+0xf0/0x1dc _arm64sys_write+0x6c/0x9c
Allocated by task 492: kmemcachealloc+0x130/0x368 vmareaalloc+0x2c/0x190 mmapregion+0x258/0x18bc dommap+0x694/0xa60 vmmmappgoff+0x170/0x29c ksysmmappgoff+0x290/0x3a0 _arm64sys_mmap+0xcc/0x144
Freed by task 491: kmemcachefree+0x17c/0x3c8 vmareafreercucb+0x74/0x98 rcucore+0xa38/0x26d4 rcucoresi+0x10/0x1c _do_softirq+0x2fc/0xd24
Last potentially related work creation: _callrcucommon.constprop.0+0x6c/0xba0 callrcu+0x10/0x1c vmareafree+0x18/0x24 removevma+0xe4/0x118 dovmialignmunmap.isra.0+0x718/0xb5c dovmimunmap+0xdc/0x1fc _vmmunmap+0x10c/0x278 _arm64sys_munmap+0x58/0x7c
Fix this issue by performing instead a vmalookup() which will fail to find the vma that was isolated before the mmap lock downgrade. Note that this option has better performance than upgrading to a mmap write lock which would increase contention. Plus, mmapwrite_trylock() has been recently removed anyway.(CVE-2023-52438)
In the Linux kernel, the following vulnerability has been resolved:
uio: Fix use-after-free in uio_open
core-1 core-2
uiounregisterdevice uioopen idev = idrfind() deviceunregister(&idev->dev) putdevice(&idev->dev) uiodevicerelease getdevice(&idev->dev) kfree(idev) uiofreeminor(minor) uiorelease put_device(&idev->dev)
kfree(idev)
In the core-1 uiounregisterdevice(), the deviceunregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 deviceunregister, putdevice and before doing kfree, the core-2 may getdevice. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uiorelease and putdevice, the idev will be double freed.
To address this issue, we can get idev atomic & inc idev reference with minor_lock.(CVE-2023-52439)
NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.
This issue affects Linux kernel: v2.6.12-rc2.
(CVE-2024-22099)
In btrfsgetroot_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.(CVE-2024-23850)
copyparams in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INTMAX bytes, and crash, because of a missing paramkernel->datasize check. This is related to ctl_ioctl.(CVE-2024-23851)
In the Linux kernel, the following vulnerability has been resolved:
tls: fix race between async notify and socket close
The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data.
Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization.
Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires.(CVE-2024-26583)
- Database specific
{ "severity": "High" }- References
-
- https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1284
- https://nvd.nist.gov/vuln/detail/CVE-2023-52436
- https://nvd.nist.gov/vuln/detail/CVE-2023-52438
- https://nvd.nist.gov/vuln/detail/CVE-2023-52439
- https://nvd.nist.gov/vuln/detail/CVE-2024-22099
- https://nvd.nist.gov/vuln/detail/CVE-2024-23850
- https://nvd.nist.gov/vuln/detail/CVE-2024-23851
- https://nvd.nist.gov/vuln/detail/CVE-2024-26583
Affected packages
openEuler:22.03-LTS-SP1 / kernel
Package
- Name
- kernel
- Purl
- pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS-SP1
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.10.0-136.67.0.147.oe2203sp1
Ecosystem specific
{
"x86_64": [
"perf-5.10.0-136.67.0.147.oe2203sp1.x86_64.rpm",
"kernel-tools-5.10.0-136.67.0.147.oe2203sp1.x86_64.rpm",
"perf-debuginfo-5.10.0-136.67.0.147.oe2203sp1.x86_64.rpm",
"kernel-5.10.0-136.67.0.147.oe2203sp1.x86_64.rpm",
"python3-perf-debuginfo-5.10.0-136.67.0.147.oe2203sp1.x86_64.rpm",
"kernel-debuginfo-5.10.0-136.67.0.147.oe2203sp1.x86_64.rpm",
"kernel-devel-5.10.0-136.67.0.147.oe2203sp1.x86_64.rpm",
"kernel-source-5.10.0-136.67.0.147.oe2203sp1.x86_64.rpm",
"kernel-headers-5.10.0-136.67.0.147.oe2203sp1.x86_64.rpm",
"python3-perf-5.10.0-136.67.0.147.oe2203sp1.x86_64.rpm",
"kernel-debugsource-5.10.0-136.67.0.147.oe2203sp1.x86_64.rpm",
"kernel-tools-debuginfo-5.10.0-136.67.0.147.oe2203sp1.x86_64.rpm",
"kernel-tools-devel-5.10.0-136.67.0.147.oe2203sp1.x86_64.rpm"
],
"src": [
"kernel-5.10.0-136.67.0.147.oe2203sp1.src.rpm"
],
"aarch64": [
"perf-5.10.0-136.67.0.147.oe2203sp1.aarch64.rpm",
"kernel-headers-5.10.0-136.67.0.147.oe2203sp1.aarch64.rpm",
"kernel-tools-5.10.0-136.67.0.147.oe2203sp1.aarch64.rpm",
"kernel-devel-5.10.0-136.67.0.147.oe2203sp1.aarch64.rpm",
"kernel-tools-debuginfo-5.10.0-136.67.0.147.oe2203sp1.aarch64.rpm",
"kernel-tools-devel-5.10.0-136.67.0.147.oe2203sp1.aarch64.rpm",
"python3-perf-debuginfo-5.10.0-136.67.0.147.oe2203sp1.aarch64.rpm",
"kernel-source-5.10.0-136.67.0.147.oe2203sp1.aarch64.rpm",
"perf-debuginfo-5.10.0-136.67.0.147.oe2203sp1.aarch64.rpm",
"python3-perf-5.10.0-136.67.0.147.oe2203sp1.aarch64.rpm",
"kernel-5.10.0-136.67.0.147.oe2203sp1.aarch64.rpm",
"kernel-debuginfo-5.10.0-136.67.0.147.oe2203sp1.aarch64.rpm",
"kernel-debugsource-5.10.0-136.67.0.147.oe2203sp1.aarch64.rpm"
]
}