An update for kernel is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-1794 Final 1.0 1.0 2024-07-05 Initial 2024-07-05 2024-07-05 openEuler SA Tool V1.0 2024-07-05 kernel security update An update for kernel is now available for openEuler-24.03-LTS The Linux Kernel, the operating system core itself. Security Fix(es): In the Linux kernel, the following vulnerability has been resolved: clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change While PLL CPUX clock rate change when CPU is running from it works in vast majority of cases, now and then it causes instability. This leads to system crashes and other undefined behaviour. After a lot of testing (30+ hours) while also doing a lot of frequency switches, we can't observe any instability issues anymore when doing reparenting to stable clock like 24 MHz oscillator.(CVE-2023-52882) In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: use correct buffer size when parsing configfs lists This commit fixes uvc gadget support on 32-bit platforms. Commit 0df28607c5cb ("usb: gadget: uvc: Generalise helper functions for reuse") introduced a helper function __uvcg_iter_item_entries() to aid with parsing lists of items on configfs attributes stores. This function is a generalization of another very similar function, which used a stack-allocated temporary buffer of fixed size for each item in the list and used the sizeof() operator to check for potential buffer overruns. The new function was changed to allocate the now variably sized temp buffer on heap, but wasn't properly updated to also check for max buffer size using the computed size instead of sizeof() operator. As a result, the maximum item size was 7 (plus null terminator) on 64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just barely enough, 3 is definitely too small for some of UVC configfs attributes. For example, dwFrameInteval, specified in 100ns units, usually has 6-digit item values, e.g. 166666 for 60fps.(CVE-2024-36895) In the Linux kernel, the following vulnerability has been resolved: firewire: ohci: mask bus reset interrupts between ISR and bottom half In the FireWire OHCI interrupt handler, if a bus reset interrupt has occurred, mask bus reset interrupts until bus_reset_work has serviced and cleared the interrupt. Normally, we always leave bus reset interrupts masked. We infer the bus reset from the self-ID interrupt that happens shortly thereafter. A scenario where we unmask bus reset interrupts was introduced in 2008 in a007bb857e0b26f5d8b73c2ff90782d9c0972620: If OHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we will unmask bus reset interrupts so we can log them. irq_handler logs the bus reset interrupt. However, we can't clear the bus reset event flag in irq_handler, because we won't service the event until later. irq_handler exits with the event flag still set. If the corresponding interrupt is still unmasked, the first bus reset will usually freeze the system due to irq_handler being called again each time it exits. This freeze can be reproduced by loading firewire_ohci with "modprobe firewire_ohci debug=-1" (to enable all debugging output). Apparently there are also some cases where bus_reset_work will get called soon enough to clear the event, and operation will continue normally. This freeze was first reported a few months after a007bb85 was committed, but until now it was never fixed. The debug level could safely be set to -1 through sysfs after the module was loaded, but this would be ineffectual in logging bus reset interrupts since they were only unmasked during initialization. irq_handler will now leave the event flag set but mask bus reset interrupts, so irq_handler won't be called again and there will be no freeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will unmask the interrupt after servicing the event, so future interrupts will be caught as desired. As a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be enabled through sysfs in addition to during initial module loading. However, when enabled through sysfs, logging of bus reset interrupts will be effective only starting with the second bus reset, after bus_reset_work has executed.(CVE-2024-36950) An update for kernel is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium kernel https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1794 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-52882 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-36895 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-36950 https://nvd.nist.gov/vuln/detail/CVE-2023-52882 https://nvd.nist.gov/vuln/detail/CVE-2024-36895 https://nvd.nist.gov/vuln/detail/CVE-2024-36950 openEuler-24.03-LTS bpftool-6.6.0-31.0.0.39.oe2403.aarch64.rpm bpftool-debuginfo-6.6.0-31.0.0.39.oe2403.aarch64.rpm kernel-6.6.0-31.0.0.39.oe2403.aarch64.rpm kernel-debuginfo-6.6.0-31.0.0.39.oe2403.aarch64.rpm kernel-debugsource-6.6.0-31.0.0.39.oe2403.aarch64.rpm kernel-devel-6.6.0-31.0.0.39.oe2403.aarch64.rpm kernel-headers-6.6.0-31.0.0.39.oe2403.aarch64.rpm kernel-source-6.6.0-31.0.0.39.oe2403.aarch64.rpm kernel-tools-6.6.0-31.0.0.39.oe2403.aarch64.rpm kernel-tools-debuginfo-6.6.0-31.0.0.39.oe2403.aarch64.rpm kernel-tools-devel-6.6.0-31.0.0.39.oe2403.aarch64.rpm perf-6.6.0-31.0.0.39.oe2403.aarch64.rpm perf-debuginfo-6.6.0-31.0.0.39.oe2403.aarch64.rpm python3-perf-6.6.0-31.0.0.39.oe2403.aarch64.rpm python3-perf-debuginfo-6.6.0-31.0.0.39.oe2403.aarch64.rpm bpftool-6.6.0-31.0.0.39.oe2403.x86_64.rpm bpftool-debuginfo-6.6.0-31.0.0.39.oe2403.x86_64.rpm kernel-6.6.0-31.0.0.39.oe2403.x86_64.rpm kernel-debuginfo-6.6.0-31.0.0.39.oe2403.x86_64.rpm kernel-debugsource-6.6.0-31.0.0.39.oe2403.x86_64.rpm kernel-devel-6.6.0-31.0.0.39.oe2403.x86_64.rpm kernel-headers-6.6.0-31.0.0.39.oe2403.x86_64.rpm kernel-source-6.6.0-31.0.0.39.oe2403.x86_64.rpm kernel-tools-6.6.0-31.0.0.39.oe2403.x86_64.rpm kernel-tools-debuginfo-6.6.0-31.0.0.39.oe2403.x86_64.rpm kernel-tools-devel-6.6.0-31.0.0.39.oe2403.x86_64.rpm perf-6.6.0-31.0.0.39.oe2403.x86_64.rpm perf-debuginfo-6.6.0-31.0.0.39.oe2403.x86_64.rpm python3-perf-6.6.0-31.0.0.39.oe2403.x86_64.rpm python3-perf-debuginfo-6.6.0-31.0.0.39.oe2403.x86_64.rpm kernel-6.6.0-31.0.0.39.oe2403.src.rpm In the Linux kernel, the following vulnerability has been resolved: clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change While PLL CPUX clock rate change when CPU is running from it works in vast majority of cases, now and then it causes instability. This leads to system crashes and other undefined behaviour. After a lot of testing (30+ hours) while also doing a lot of frequency switches, we can't observe any instability issues anymore when doing reparenting to stable clock like 24 MHz oscillator. 2024-07-05 CVE-2023-52882 openEuler-24.03-LTS Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2024-07-05 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1794 In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: use correct buffer size when parsing configfs lists This commit fixes uvc gadget support on 32-bit platforms. Commit 0df28607c5cb ("usb: gadget: uvc: Generalise helper functions for reuse") introduced a helper function __uvcg_iter_item_entries() to aid with parsing lists of items on configfs attributes stores. This function is a generalization of another very similar function, which used a stack-allocated temporary buffer of fixed size for each item in the list and used the sizeof() operator to check for potential buffer overruns. The new function was changed to allocate the now variably sized temp buffer on heap, but wasn't properly updated to also check for max buffer size using the computed size instead of sizeof() operator. As a result, the maximum item size was 7 (plus null terminator) on 64-bit platforms, and 3 on 32-bit ones. While 7 is accidentally just barely enough, 3 is definitely too small for some of UVC configfs attributes. For example, dwFrameInteval, specified in 100ns units, usually has 6-digit item values, e.g. 166666 for 60fps. 2024-07-05 CVE-2024-36895 openEuler-24.03-LTS None 3.9 AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L kernel security update 2024-07-05 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1794 In the Linux kernel, the following vulnerability has been resolved: firewire: ohci: mask bus reset interrupts between ISR and bottom half In the FireWire OHCI interrupt handler, if a bus reset interrupt has occurred, mask bus reset interrupts until bus_reset_work has serviced and cleared the interrupt. Normally, we always leave bus reset interrupts masked. We infer the bus reset from the self-ID interrupt that happens shortly thereafter. A scenario where we unmask bus reset interrupts was introduced in 2008 in a007bb857e0b26f5d8b73c2ff90782d9c0972620: If OHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we will unmask bus reset interrupts so we can log them. irq_handler logs the bus reset interrupt. However, we can't clear the bus reset event flag in irq_handler, because we won't service the event until later. irq_handler exits with the event flag still set. If the corresponding interrupt is still unmasked, the first bus reset will usually freeze the system due to irq_handler being called again each time it exits. This freeze can be reproduced by loading firewire_ohci with "modprobe firewire_ohci debug=-1" (to enable all debugging output). Apparently there are also some cases where bus_reset_work will get called soon enough to clear the event, and operation will continue normally. This freeze was first reported a few months after a007bb85 was committed, but until now it was never fixed. The debug level could safely be set to -1 through sysfs after the module was loaded, but this would be ineffectual in logging bus reset interrupts since they were only unmasked during initialization. irq_handler will now leave the event flag set but mask bus reset interrupts, so irq_handler won't be called again and there will be no freeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will unmask the interrupt after servicing the event, so future interrupts will be caught as desired. As a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be enabled through sysfs in addition to during initial module loading. However, when enabled through sysfs, logging of bus reset interrupts will be effective only starting with the second bus reset, after bus_reset_work has executed. 2024-07-05 CVE-2024-36950 openEuler-24.03-LTS None 4.4 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H kernel security update 2024-07-05 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1794