Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS
-   Ubuntu 18.04 LTS
-   Ubuntu 16.04 LTS
-   Ubuntu 22.04 LTS
-   Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems
-   linux-ibm - Linux kernel for IBM cloud systems
-   linux-oracle - Linux kernel for Oracle Cloud systems

Details

It was discovered that the watch_queue event notification system
contained an out-of-bounds write vulnerability. A local attacker could
use this to cause a denial of service or escalate their privileges.
(CVE-2022-0995)

In the Linux kernel, the following vulnerability has been resolved: smb:
client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions
that are being teared down (status == SES_EXITING) to avoid UAF.
(CVE-2024-26928)

In the Linux kernel, the following vulnerability has been resolved: smb:
client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions
that are being teared down (status == SES_EXITING) to avoid UAF.
(CVE-2024-35864)

In the Linux kernel, the following vulnerability has been resolved: HID:
core: zero-initialize the report buffer Since the report buffer is used
by all kinds of drivers in various ways, let’s zero- initialize it
during allocation to make sure that it can’t be ever used to leak kernel
memory via specially-crafted report. (CVE-2024-50302)

In the Linux kernel, the following vulnerability has been resolved:
media: dvbdev: prevent the risk of out of memory access The dvbdev
contains a static variable used to store dvb minors. The behavior of it
depends if CONFIG_DVB_DYNAMIC_MINORS is set or not. When not set,
dvb_register_device() won’t check for boundaries, as it will rely that a
previous call to dvb_register_adapter() would already be enforcing it.
On a similar way, dvb_device_open() uses the assumption that the
register functions already did the needed checks. This can be fragile if
some device ends using different calls. This also generate warnings on
static check analysers like Coverity. So, add explicit guards to prevent
potential risk of OOM issues. (CVE-2024-53063)

In the Linux kernel, the following vulnerability has been resolved: jfs:
add a check to prevent array-index-out-of-bounds in dbAdjTree When the
value of lp is 0 at the beginning of the for loop, it will become
negative in the next assignment and we should bail out. (CVE-2024-56595)

In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online() walks
up the blkcg hierarchy putting the online pin. To walk up, it uses
blkcg_parent(blkcg) but it was calling that after
blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the
following UAF:
================================================================== BUG:
KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270 Read of
size 8 at addr ffff8881057678c0 by task kworker/9:1/117 CPU: 9 UID: 0
PID: 117 Comm: kworker/9:1 Not tainted
6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48 Hardware name: QEMU
Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022 Workqueue:
cgwb_release cgwb_release_workfn Call Trace:
dump_stack_lvl+0x27/0x80 print_report+0x151/0x710
kasan_report+0xc0/0x100 blkcg_unpin_online+0x15a/0x270
cgwb_release_workfn+0x194/0x480 process_scheduled_works+0x71b/0xe20
worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70
ret_from_fork_asm+0x1a/0x30
… Freed by task 1944: kasan_save_track+0x2b/0x70
kasan_save_free_info+0x3c/0x50 __kasan_slab_free+0x33/0x50
kfree+0x10c/0x330 css_free_rwork_fn+0xe6/0xb30
process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0
kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30
Note that the UAF is not easy to trigger as the free path is indirected
behind a couple RCU grace periods and a work item execution. I could
only trigger it with artifical msleep() injected in
blkcg_unpin_online(). Fix it by reading the parent pointer before
destroying the blkcg’s blkg’s. (CVE-2024-56672)

In the Linux kernel, the following vulnerability has been resolved:
drm/dp_mst: Ensure mst_primary pointer is valid in
drm_dp_mst_handle_up_req() While receiving an MST up request message
from one thread in drm_dp_mst_handle_up_req(), the MST topology could be
removed from another thread via drm_dp_mst_topology_mgr_set_mst(false),
freeing mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to
NULL. This could lead to a NULL deref/use-after-free of mst_primary in
drm_dp_mst_handle_up_req(). Avoid the above by holding a reference for
mst_primary in drm_dp_mst_handle_up_req() while it’s used. v2: Fix
kfreeing the request if getting an mst_primary reference fails.
(CVE-2024-57798)

Update instructions

The problem can be corrected by updating your kernel livepatch to the
following versions:

Ubuntu 20.04 LTS
    aws - 111.1
    azure - 111.1
    gcp - 111.1
    generic - 111.1
    gkeop - 111.1
    ibm - 111.1
    lowlatency - 111.1
    oracle - 111.1

Ubuntu 18.04 LTS
    aws - 111.1
    azure - 111.1
    gcp - 111.1
    generic - 111.1
    lowlatency - 111.1
    oracle - 111.1

Ubuntu 16.04 LTS
    aws - 111.1
    azure - 111.1
    gcp - 111.1
    generic - 111.1
    lowlatency - 111.1

Ubuntu 22.04 LTS
    aws - 111.1
    azure - 111.1
    gcp - 111.1
    generic - 111.1
    gke - 111.1
    ibm - 111.1
    oracle - 111.1

Ubuntu 14.04 LTS
    generic - 111.1
    lowlatency - 111.1

Support Information

Livepatches for supported LTS kernels will receive upgrades for a period
of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on an LTS
kernel version will receive upgrades for a period of up to 9 months
after the build date of the kernel, or until the end of support for that
kernel’s non-LTS distro release version, whichever is sooner.

References

-   CVE-2022-0995
-   CVE-2024-26928
-   CVE-2024-35864
-   CVE-2024-50302
-   CVE-2024-53063
-   CVE-2024-56595
-   CVE-2024-56672
-   CVE-2024-57798