An update for kernel is now available for openEuler-20.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-1297 Final 1.0 1.0 2024-03-22 Initial 2024-03-22 2024-03-22 openEuler SA Tool V1.0 2024-03-22 kernel security update An update for kernel is now available for openEuler-20.03-LTS-SP4. The Linux Kernel, the operating system core itself. Security Fix(es): In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix use after free on context disconnection Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack.(CVE-2023-52445) In the Linux kernel, the following vulnerability has been resolved: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers NULL pointer dereference when trying to access ‘gluebi->desc’ in gluebi_read(). ubi_gluebi_init ubi_register_volume_notifier ubi_enumerate_volumes ubi_notify_all gluebi_notify nb->notifier_call() gluebi_create mtd_device_register mtd_device_parse_register add_mtd_device blktrans_notify_add not->add() ftl_add_mtd tr->add_mtd() scan_header mtd_read mtd_read_oob mtd_read_oob_std gluebi_read mtd->read() gluebi->desc - NULL Detailed reproduction information available at the Link [1], In the normal case, obtain gluebi->desc in the gluebi_get_device(), and access gluebi->desc in the gluebi_read(). However, gluebi_get_device() is not executed in advance in the ftl_add_mtd() process, which leads to NULL pointer dereference. The solution for the gluebi module is to run jffs2 on the UBI volume without considering working with ftl or mtdblock [2]. Therefore, this problem can be avoided by preventing gluebi from creating the mtdblock device after creating mtd partition of the type MTD_UBIVOLUME.(CVE-2023-52449) An update for kernel is now available for openEuler-20.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High kernel https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1297 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-52445 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-52449 https://nvd.nist.gov/vuln/detail/CVE-2023-52445 https://nvd.nist.gov/vuln/detail/CVE-2023-52449 openEuler-20.03-LTS-SP4 bpftool-debuginfo-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm kernel-debuginfo-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm kernel-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm kernel-debugsource-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm kernel-source-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm kernel-tools-devel-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm perf-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm perf-debuginfo-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm python2-perf-debuginfo-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm python3-perf-debuginfo-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm kernel-tools-debuginfo-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm python2-perf-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm python3-perf-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm kernel-devel-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm kernel-tools-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm bpftool-4.19.90-2403.3.0.0270.oe2003sp4.aarch64.rpm kernel-4.19.90-2403.3.0.0270.oe2003sp4.src.rpm python2-perf-debuginfo-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm kernel-tools-devel-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm kernel-debuginfo-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm bpftool-debuginfo-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm kernel-tools-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm kernel-devel-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm perf-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm kernel-debugsource-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm perf-debuginfo-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm python2-perf-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm kernel-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm kernel-tools-debuginfo-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm kernel-source-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm python3-perf-debuginfo-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm python3-perf-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm bpftool-4.19.90-2403.3.0.0270.oe2003sp4.x86_64.rpm In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix use after free on context disconnection Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack. 2024-03-22 CVE-2023-52445 openEuler-20.03-LTS-SP4 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2024-03-22 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1297 In the Linux kernel, the following vulnerability has been resolved:mtd: Fix gluebi NULL pointer dereference caused by ftl notifierIf both ftl.ko and gluebi.ko are loaded, the notifier of ftltriggers NULL pointer dereference when trying to access‘gluebi->desc’ in gluebi_read().ubi_gluebi_init ubi_register_volume_notifier ubi_enumerate_volumes ubi_notify_all gluebi_notify nb->notifier_call() gluebi_create mtd_device_register mtd_device_parse_register add_mtd_device blktrans_notify_add not->add() ftl_add_mtd tr->add_mtd() scan_header mtd_read mtd_read_oob mtd_read_oob_std gluebi_read mtd->read() gluebi->desc - NULLDetailed reproduction information available at the Link [1],In the normal case, obtain gluebi->desc in the gluebi_get_device(),and access gluebi->desc in the gluebi_read(). However,gluebi_get_device() is not executed in advance in theftl_add_mtd() process, which leads to NULL pointer dereference.The solution for the gluebi module is to run jffs2 on the UBIvolume without considering working with ftl or mtdblock [2].Therefore, this problem can be avoided by preventing gluebi fromcreating the mtdblock device after creating mtd partition of thetype MTD_UBIVOLUME. 2024-03-22 CVE-2023-52449 openEuler-20.03-LTS-SP4 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2024-03-22 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1297