OESA-2025-1112
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1112
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2025-1112.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/OESA-2025-1112
- Upstream
- Published
- 2025-02-14T12:12:36Z
- Modified
- 2025-08-12T05:46:29.043677Z
- Summary
- kernel security update
- Details
-
The Linux Kernel, the operating system core itself.
Security Fix(es):
In the Linux kernel, the following vulnerability has been resolved:
spi: mpc52xx: Add cancelworksync before module remove
If we remove the module which will call mpc52xxspiremove it will free 'ms' through spiunregistercontroller. while the work ms->work will be used. The sequence of operations that may lead to a UAF bug.
Fix it by ensuring that the work is canceled before proceeding with the cleanup in mpc52xxspiremove.(CVE-2024-50051)
In the Linux kernel, the following vulnerability has been resolved:
scsi: bfa: Fix use-after-free in bfadimmodule_exit()
BUG: KASAN: slab-use-after-free in _lockacquire+0x2aca/0x3a20 Read of size 8 at addr ffff8881082d80c8 by task modprobe/25303
Call Trace: <TASK> dumpstacklvl+0x95/0xe0 printreport+0xcb/0x620 kasanreport+0xbd/0xf0 _lockacquire+0x2aca/0x3a20 lockacquire+0x19b/0x520 _rawspinlock+0x2b/0x40 attributecontainerunregister+0x30/0x160 fcreleasetransport+0x19/0x90 [scsitransportfc] bfadimmoduleexit+0x23/0x60 [bfa] bfadinit+0xdb/0xff0 [bfa] dooneinitcall+0xdc/0x550 doinitmodule+0x22d/0x6b0 loadmodule+0x4e96/0x5ff0 initmodulefromfile+0xcd/0x130 idempotentinitmodule+0x330/0x620 _x64sysfinitmodule+0xb3/0x110 dosyscall64+0xc1/0x1d0 entrySYSCALL64after_hwframe+0x77/0x7f </TASK>
Allocated by task 25303: kasansavestack+0x24/0x50 kasansavetrack+0x14/0x30 _kasankmalloc+0x7f/0x90 fcattachtransport+0x4f/0x4740 [scsitransportfc] bfadimmoduleinit+0x17/0x80 [bfa] bfadinit+0x23/0xff0 [bfa] dooneinitcall+0xdc/0x550 doinitmodule+0x22d/0x6b0 loadmodule+0x4e96/0x5ff0 initmodulefromfile+0xcd/0x130 idempotentinitmodule+0x330/0x620 _x64sysfinitmodule+0xb3/0x110 dosyscall64+0xc1/0x1d0 entrySYSCALL64afterhwframe+0x77/0x7f
Freed by task 25303: kasansavestack+0x24/0x50 kasansavetrack+0x14/0x30 kasansavefreeinfo+0x3b/0x60 _kasanslabfree+0x38/0x50 kfree+0x212/0x480 bfadimmoduleinit+0x7e/0x80 [bfa] bfadinit+0x23/0xff0 [bfa] dooneinitcall+0xdc/0x550 doinitmodule+0x22d/0x6b0 loadmodule+0x4e96/0x5ff0 initmodulefromfile+0xcd/0x130 idempotentinitmodule+0x330/0x620 _x64sysfinitmodule+0xb3/0x110 dosyscall64+0xc1/0x1d0 entrySYSCALL64afterhwframe+0x77/0x7f
Above issue happens as follows:
bfadinit error = bfadimmoduleinit() fcreleasetransport(bfadimscsitransporttemplate); if (error) goto ext;
ext: bfadimmoduleexit(); fcreleasetransport(bfadimscsitransport_template); --> Trigger double release
Don't call bfadimmoduleexit() if bfadimmoduleinit() failed.(CVE-2024-53227)
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcommsockalloc()
btsockalloc() attaches allocated sk object to the provided sock object. If rfcommdlcalloc() fails, we release the sk object, but leave the dangling pointer in the sock object, which may cause use-after-free.
Fix this by swapping calls to btsockalloc() and rfcommdlcalloc().(CVE-2024-56604)
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2capsockcreate()
btsockalloc() allocates the sk object and attaches it to the provided sock object. On error l2capsockalloc() frees the sk object, but the dangling pointer is still attached to the sock object, which may create use-after-free in other code.(CVE-2024-56605)
In the Linux kernel, the following vulnerability has been resolved:
drm: adv7511: Fix use-after-free in adv7533attachdsi()
The hostnode pointer was assigned and freed in adv7533parsedt(), and later, adv7533attachdsi() uses the same. Fix this use-after-free issue by dropping ofnodeput() in adv7533parsedt() and calling ofnode_put() in error path of probe() and also in the remove().(CVE-2024-57887)
In the Linux kernel, the following vulnerability has been resolved:
ALSA: seq: oss: Fix races at processing SysEx messages
OSS sequencer handles the SysEx messages split in 6 bytes packets, and ALSA sequencer OSS layer tries to combine those. It stores the data in the internal buffer and this access is racy as of now, which may lead to the out-of-bounds access.
As a temporary band-aid fix, introduce a mutex for serializing the process of the SysEx message packets.(CVE-2024-57893)
- Database specific
{ "severity": "High" }- References
-
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1112
- https://nvd.nist.gov/vuln/detail/CVE-2024-50051
- https://nvd.nist.gov/vuln/detail/CVE-2024-53227
- https://nvd.nist.gov/vuln/detail/CVE-2024-56604
- https://nvd.nist.gov/vuln/detail/CVE-2024-56605
- https://nvd.nist.gov/vuln/detail/CVE-2024-57887
- https://nvd.nist.gov/vuln/detail/CVE-2024-57893
Affected packages
openEuler:20.03-LTS-SP4 / kernel
Package
- Name
- kernel
- Purl
- pkg:rpm/openEuler/kernel&distro=openEuler-20.03-LTS-SP4
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.19.90-2502.2.0.0315.oe2003sp4
Ecosystem specific
{
"x86_64": [
"bpftool-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm",
"bpftool-debuginfo-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm",
"kernel-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm",
"kernel-debuginfo-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm",
"kernel-debugsource-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm",
"kernel-devel-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm",
"kernel-source-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm",
"kernel-tools-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm",
"kernel-tools-debuginfo-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm",
"kernel-tools-devel-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm",
"perf-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm",
"perf-debuginfo-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm",
"python2-perf-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm",
"python2-perf-debuginfo-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm",
"python3-perf-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm",
"python3-perf-debuginfo-4.19.90-2502.2.0.0315.oe2003sp4.x86_64.rpm"
],
"aarch64": [
"bpftool-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm",
"bpftool-debuginfo-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm",
"kernel-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm",
"kernel-debuginfo-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm",
"kernel-debugsource-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm",
"kernel-devel-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm",
"kernel-source-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm",
"kernel-tools-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm",
"kernel-tools-debuginfo-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm",
"kernel-tools-devel-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm",
"perf-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm",
"perf-debuginfo-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm",
"python2-perf-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm",
"python2-perf-debuginfo-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm",
"python3-perf-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm",
"python3-perf-debuginfo-4.19.90-2502.2.0.0315.oe2003sp4.aarch64.rpm"
],
"src": [
"kernel-4.19.90-2502.2.0.0315.oe2003sp4.src.rpm"
]
}