LSN-0111-1: Kernel Live Patch Security Notice
16 April 2025
Several security issues were fixed in the kernel.
Releases
Software Description
- aws - Linux kernel for Amazon Web Services (AWS) systems - (>= 4.15.0-1159, >= 5.4.0-1009, >= 5.4.0-1061, >= 5.15.0-1000, >= 6.8.0-1008)
- aws-5.15 - Linux kernel for Amazon Web Services (AWS) systems - (>= 5.15.0-1000)
- aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems - (>= 4.15.0-1126)
- azure - Linux kernel for Microsoft Azure Cloud systems - (>= 5.4.0-1010, >= 5.15.0-1000, >= 6.8.0-1007, >= 4.15.0-1114)
- azure-4.15 - Linux kernel for Microsoft Azure Cloud systems - (>= 4.15.0-1168)
- azure-5.15 - Linux kernel for Microsoft Azure cloud systems - (>= 5.15.0-1069)
- gcp - Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.4.0-1009, >= 5.15.0-1000, >= 6.8.0-1007, >= 4.15.0-1118)
- gcp-4.15 - Linux kernel for Google Cloud Platform (GCP) systems - (>= 4.15.0-1154)
- gcp-5.15 - Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.15.0-1000)
- generic-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-214, >= 4.15.0-143)
- generic-4.4 - Linux hardware enablement kernel from Xenial for Trusty - (>= 4.4.0-168)
- generic-5.15 - Linux hardware enablement (HWE) kernel - (>= 5.15.0-0)
- generic-5.4 - Linux kernel - (>= 5.4.0-150, >= 5.4.0-26)
- gke - Linux kernel for Google Container Engine (GKE) systems - (>= 5.15.0-1000)
- gkeop - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
- ibm - Linux kernel for IBM cloud systems - (>= 5.4.0-1009, >= 5.15.0-1000, >= 6.8.0-1005)
- ibm-5.15 - Linux kernel for IBM cloud systems - (>= 5.15.0-1000)
- linux - Linux kernel - (>= 5.15.0-71, >= 5.15.0-24, >= 6.8.0-1)
- lowlatency-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-214, >= 4.15.0-143)
- lowlatency-4.4 - Linux hardware enablement kernel from Xenial for Trusty - (>= 4.4.0-168)
- lowlatency-5.15 - Linux hardware enablement (HWE) kernel - (>= 5.15.0-0)
- lowlatency-5.4 - Linux kernel - (>= 5.4.0-150, >= 5.4.0-26)
- oracle - Linux kernel for Oracle Cloud systems - (>= 4.15.0-1129, >= 5.4.0-1121, >= 5.15.0-1055)
- oracle-5.15 - Linux kernel for Oracle Cloud systems - (>= 5.15.0-1055)
Details
It was discovered that the watch_queue event notification system contained
an out-of-bounds write vulnerability. A local attacker could use this to
cause a denial of service or escalate their privileges. (CVE-2022-0995)
In the Linux kernel, the following vulnerability has been
resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show()
Skip sessions that are being torn down (status == SES_EXITING) to avoid
UAF. (CVE-2024-26928)
In the Linux kernel, the following vulnerability has been
resolved: smb: client: fix potential UAF in smb2_is_valid_lease_break()
Skip sessions that are being torn down (status == SES_EXITING) to avoid
UAF. (CVE-2024-35864)
In the Linux kernel, the following vulnerability has been
resolved: HID: core: zero-initialize the report buffer Since the report
buffer is used by all kinds of drivers in various ways, let's zero-
initialize it during allocation to make sure that it can't be ever used to
leak kernel memory via specially-crafted report. (CVE-2024-50302)
In the Linux kernel, the following vulnerability has been
resolved: media: dvbdev: prevent the risk of out of memory access The
dvbdev contains a static variable used to store dvb minors. The behavior of
it depends if CONFIG_DVB_DYNAMIC_MINORS is set or not. When not set,
dvb_register_device() won't check for boundaries, as it will rely that a
previous call to dvb_register_adapter() would already be enforcing it. On a
similar way, dvb_device_open() uses the assumption that the register
functions already did the needed checks. This can be fragile if some device
ends using different calls. This also generates warnings on static check
analysers like Coverity. So, add explicit guards to prevent potential risk
of OOM issues. (CVE-2024-53063)
In the Linux kernel, the following vulnerability has been
resolved: jfs: add a check to prevent array-index-out-of-bounds in
dbAdjTree When the value of lp is 0 at the beginning of the for loop, it
will become negative in the next assignment and we should bail out. (CVE-2024-56595)
In the Linux kernel, the following vulnerability has been
resolved: blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online()
walks up the blkcg hierarchy putting the online pin. To walk up, it uses
blkcg_parent(blkcg) but it was calling that after
blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the
following UAF:
    ==================================================================
    BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270
    Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117
    CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022
    Workqueue: cgwb_release cgwb_release_workfn
    Call Trace:
     kasan_save_free_info+0x3c/0x50
     __kasan_slab_free+0x33/0x50
     kfree+0x10c/0x330
     css_free_rwork_fn+0xe6/0xb30
     process_scheduled_works+0x71b/0xe20
     worker_thread+0x82a/0xbd0
     kthread+0x242/0x2c0
     ret_from_fork+0x33/0x70
     ret_from_fork_asm+0x1a/0x30
Note that the UAF is not easy to trigger as the free path is indirected
behind a couple RCU grace periods and a work item execution. I could only
trigger it with artificial msleep() injected in blkcg_unpin_online(). Fix it
by reading the parent pointer before destroying the blkcg's blkg's. (CVE-2024-56672)
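The ordering fix described for CVE-2024-56672, shown as an added userspace model in C; it is not the kernel's code and not part of the original notice. `struct node`, `node_new`, `destroy`, `unpin_online` and `unpin_chain` are hypothetical names standing in for the blkcg structures and functions.

```c
#include <stdlib.h>

/* Userspace model with hypothetical names: a node carries one online pin of
 * its own plus one per online child, like a blkcg in its hierarchy. */
struct node { struct node *parent; int online_pin; };

static int destroyed;                 /* nodes released by destroy() */

static struct node *node_new(struct node *parent)
{
    struct node *n = calloc(1, sizeof(*n));
    if (!n)
        abort();
    n->parent = parent;
    n->online_pin = 1;                /* the node's own pin */
    if (parent)
        parent->online_pin++;         /* an online child pins its parent */
    return n;
}

/* Stands in for blkcg_destroy_blkgs(): n may be freed once this returns. */
static void destroy(struct node *n) { destroyed++; free(n); }

/* Fixed ordering. The pre-fix ordering called destroy(n) first and only then
 * read n->parent, which is a read from memory that may already be freed. */
static void unpin_online(struct node *n)
{
    while (n) {
        struct node *parent;
        if (--n->online_pin != 0)
            break;                    /* still pinned by someone else */
        parent = n->parent;           /* read while n is still valid */
        destroy(n);
        n = parent;
    }
}

/* Build root <- mid <- leaf, take each node offline, return nodes destroyed. */
static int unpin_chain(int extra_root_pin)
{
    struct node *root = node_new(NULL), *mid = node_new(root), *leaf = node_new(mid);
    root->online_pin += extra_root_pin;   /* e.g. another holder of the pin */
    destroyed = 0;
    unpin_online(root);               /* parents go offline; children keep them pinned */
    unpin_online(mid);
    unpin_online(leaf);               /* last pin: walks up and releases the chain */
    if (extra_root_pin)
        free(root);                   /* root survived the walk; release it here */
    return destroyed;
}

int main(void) { return unpin_chain(0) == 3 && unpin_chain(1) == 2 ? 0 : 1; }
```

Building the model with `-fsanitize=address` and swapping the two statements in `unpin_online` back to the pre-fix order reproduces the same class of report as the KASAN trace above.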
In the Linux kernel, the following vulnerability has been
resolved: drm/dp_mst: Ensure mst_primary pointer is valid in
drm_dp_mst_handle_up_req() While receiving an MST up request message from
one thread in drm_dp_mst_handle_up_req(), the MST topology could be removed
from another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing
mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL. This
could lead to a NULL deref/use-after-free of mst_primary in
drm_dp_mst_handle_up_req(). Avoid the above by holding a reference for
mst_primary in drm_dp_mst_handle_up_req() while it's used. v2: Fix kfreeing
the request if getting an mst_primary reference fails. (CVE-2024-57798)
Checking update status
The problem can be corrected in these Livepatch versions:
Kernel type | 24.04 | 22.04 | 20.04 | 18.04 | 16.04 | 14.04 |
---|---|---|---|---|---|---|
aws | 111.1 | 111.1 | 111.1 | 111.1 | — | — |
aws-5.15 | — | — | 111.1 | — | — | — |
aws-hwe | — | — | — | — | 111.1 | — |
azure | 111.1 | 111.1 | 111.1 | — | 111.1 | — |
azure-4.15 | — | — | — | 111.1 | — | — |
azure-5.15 | — | — | 111.1 | — | — | — |
gcp | 111.1 | 111.1 | 111.1 | — | 111.1 | — |
gcp-4.15 | — | — | — | 111.1 | — | — |
gcp-5.15 | — | — | 111.1 | — | — | — |
generic-4.15 | — | — | — | 111.1 | 111.1 | — |
generic-4.4 | — | — | — | — | — | 111.1 |
generic-5.15 | — | — | 111.1 | — | — | — |
generic-5.4 | — | — | 111.1 | 111.1 | — | — |
gke | — | 111.1 | — | — | — | — |
gkeop | — | — | 111.1 | — | — | — |
ibm | 111.1 | 111.1 | 111.1 | — | — | — |
ibm-5.15 | — | — | 111.1 | — | — | — |
linux | 111.1 | 111.1 | — | — | — | — |
lowlatency-4.15 | — | — | — | 111.1 | 111.1 | — |
lowlatency-4.4 | — | — | — | — | — | 111.1 |
lowlatency-5.15 | — | — | 111.1 | — | — | — |
lowlatency-5.4 | — | — | 111.1 | 111.1 | — | — |
oracle | — | 111.1 | 111.1 | 111.1 | — | — |
oracle-5.15 | — | — | 111.1 | — | — | — |
To check your kernel type and Livepatch version, enter this command:
canonical-livepatch status