MiracleLinux 7 : kernel-3.10.0-1160.119.1.0.1.el7.AXS7 (AXSA:2024-8651:24)

High Nessus Plugin ID 292383

Synopsis

The remote MiracleLinux host is missing one or more security updates.

Description

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-8651:24 advisory.

- kvm: initialize all of the kvm_debugregs struct before sending it to userspace {CVE-2023-1513}
- wifi: mac80211: fix MBSSID parsing use-after-free {CVE-2022-42719}
- mac80211: always allocate struct ieee802_11_elems {CVE-2022-42719}
- netfilter: nf_tables: initialize registers in nft_do_chain() {CVE-2022-1016}
- xprtrdma: fix incorrect header size calculations {CVE-2022-0812}
- net: usb: fix memory leak in smsc75xx_bind {CVE-2021-47171}
- i2c: i801: Don't generate an interrupt on bus reset {CVE-2021-47153}
- pid: take a reference when initializing `cad_pid` {CVE-2021-47118}
- Input: appletouch - initialize work before device registration {CVE-2021-46932}
- HID: usbhid: fix info leak in hid_submit_ctrl {CVE-2021-46906}
- quota: check block number when reading the block in quota file {CVE-2021-45868}
- mwifiex: fix skb_over_panic in mwifiex_usb_recv() {CVE-2021-43976}
- atlantic: fix OOB read and write in hw_atl_utils_fw_rpc_wait {CVE-2021-43975}
- isdn: cpai: check ctr->cnr to avoid array index out of bound {CVE-2021-43389}
- usb: hso: fix error handling code of hso_create_net_device {CVE-2021-37159}
- can: bcm: fix infoleak in struct bcm_msg_head {CVE-2021-34693}
- dm ioctl: fix out of bounds array access when no devices {CVE-2021-31916}
- KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref {CVE-2021-30178}
- perf/x86/intel: Fix a crash caused by zero PEBS status {CVE-2021-28971}
- btrfs: fix race when cloning extent buffer during rewind of an old root {CVE-2021-28964}
- ovl: fix missing negative dentry check in ovl_rename() {CVE-2021-20321}
- drm/ttm/nouveau: don't call tt destroy callback on alloc failure. {CVE-2021-20292}
- bpf: Verifier: adjust_scalar_min_max_vals to always call update_reg_bounds() {CVE-2021-4159}
- btrfs: unlock newly allocated extent buffer after error {CVE-2021-4149}
- tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop. {CVE-2021-3679}
- net: mac802154: Fix general protection fault {CVE-2021-3659}
- nfsd4: readdirplus shouldn't return parent of export {CVE-2021-3178}
- Bluetooth: SMP: Fail if remote and local public keys are identical {CVE-2021-0129}
- drm/nouveau: clean up all clients on device removal {CVE-2020-27820}
- drm/nouveau: Add a dedicated mutex for the clients list {CVE-2020-27820}
- drm/nouveau: use drm_dev_unplug() during device removal {CVE-2020-27820}
- Bluetooth: SMP: Fail if remote and local public keys are identical {CVE-2020-26555}
- vsock: Fix memory leak in vsock_connect() {CVE-2022-3629}
- RDMA/core: Don't infoleak GRH fields {CVE-2021-3923}
- xen/netfront: force data bouncing when backend is untrusted {CVE-2022-33741}
- net: rename and export copy_skb_header
- floppy: use a statically allocated error counter {CVE-2022-1652}
- fuse: fix pipe buffer lifetime for direct_io {CVE-2022-1011}
- aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts {CVE-2024-26898}
- smb: client: fix use-after-free bug in cifs_debug_data_proc_show() {CVE-2023-52752}
- media: pvrusb2: fix use after free on context disconnection {CVE-2023-52445}
- media: dm1105: Fix use after free bug in dm1105_remove due to race condition {CVE-2023-35824}
- perf: Fix perf_event_validate_size() lockdep splat {CVE-2023-6931}
- perf: Fix perf_event_validate_size() {CVE-2023-6931}
- net/sched: sch_hfsc: Ensure inner classes have fsc curve {CVE-2023-4623}
- relayfs: fix out-of-bounds access in relay_file_read {CVE-2023-3268}
- xfs: verify buffer contents when we skip log replay {CVE-2023-2124}
- Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition {CVE-2023-1989}
- Fix double fget() in vhost_net_set_backend() {CVE-2023-1838}
- net/sched: cls_tcindex: degrade to imperfect hash {CVE-2023-1829}
- xen/netfront: fix leaking data in shared pages {CVE-2022-33740}
- can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path {CVE-2022-28390}
- xen/blkfront: fix leaking data in shared pages {CVE-2022-26365}
- mISDN: fix use-after-free bugs in l1oip timer handlers {CVE-2022-3565}
- drm/vgem: Close use-after-free race in vgem_gem_create {CVE-2022-1419}
- cfg80211: call cfg80211_stop_ap when switching from P2P_GO type {CVE-2021-47194}
- net: fix use-after-free in tw_timer_handler {CVE-2021-46936}
- ext4: fix race writing to an inline_data file while its xattrs are changing {CVE-2021-40490}
- virtio_console: Assure used length from device is limited {CVE-2021-38160}
- pNFS/flexfiles: Fix incorrect size check in decode_nfs_fh() {CVE-2021-4157}
- Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() {CVE-2021-3640}
- Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl {CVE-2021-3612}
- Input: joydev - prevent potential read overflow in ioctl {CVE-2021-3612}
- can: bcm: delay release of struct bcm_op after synchronize_rcu() {CVE-2021-3609}
- vt: keyboard, avoid signed integer overflow in k_ascii {CVE-2020-13974}
- i2c: Fix a potential use after free {CVE-2019-25162}
- drivers: net: slip: fix NPD bug in sl_tx_timeout() {CVE-2022-41858}
- Bluetooth: L2CAP: Fix u8 overflow {CVE-2022-45934}
- btrfs: unset reloc control if transaction commit fails in prepare_to_relocate() {CVE-2023-3111}
- memstick: r592: Fix UAF bug in r592_remove due to race condition {CVE-2023-3141}
- media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() {CVE-2023-1118}
- vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF {CVE-2023-3567}
- Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb {CVE-2023-40283}
- wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() {CVE-2023-1380}
- tcp: Fix data races around icsk->icsk_af_ops. {CVE-2022-3566}
- staging: rtl8712: fix use after free bugs {CVE-2022-4095}
- ext4: fix kernel infoleak via ext4_extent_header {CVE-2022-0850}
- af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register {CVE-2022-1353}
- misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os {CVE-2022-3424}
- x86/elf: Disable automatic READ_IMPLIES_EXEC on 64-bit {CVE-2022-25265}
- x86/elf: Split READ_IMPLIES_EXEC from executable PT_GNU_STACK {CVE-2022-25265}
- x86/elf: Add table to document READ_IMPLIES_EXEC {CVE-2022-25265}
- ipv6: use prandom_u32() for ID generation {CVE-2021-45485}
- bpf: Fix integer overflow in prealloc_elems_and_freelist() {CVE-2021-41864}
- ipv4: make exception cache less predictable {CVE-2021-20322}
- ipv4: use siphash instead of Jenkins in fnhe_hashfun() {CVE-2021-20322}
- net: vmxnet3: fix possible use-after-free bugs in vmxnet3_rq_alloc_rx_buf() {CVE-2023-4387}
- netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one {CVE-2023-39197}
- ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet {CVE-2023-6932}
- smb: client: fix potential OOB in smb2_dump_detail() {CVE-2023-6610}
- smb: client: fix OOB in smbCalcSize() {CVE-2023-6606}
- atm: Fix use-after-free in do_vcc_ioctl {CVE-2023-51780}
- drm/amdgpu: Fix potential fence use-after-free v2 {CVE-2023-51042}
- sched/rt: pick_next_rt_entity(): check list_entry {CVE-2023-1077}
- ath9k: fix use-after-free in ath9k_hif_usb_rx_cb {CVE-2022-1679}
- net: prevent mss overflow in skb_segment() {CVE-2023-52435}
- drm/atomic: Fix potential use-after-free in nonblocking commits {CVE-2023-42753}
- debug: Lock down kgdb {CVE-2022-21499}

CVE-2023-1513 A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl on 32-bit systems, some uninitialized portions of the kvm_debugregs structure could be copied to userspace, causing an information leak.
CVE-2022-42719 A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.
CVE-2022-1016 A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle 'return' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.
CVE-2022-0812 An information leak flaw was found in NFS over RDMA in net/sunrpc/xprtrdma/rpc_rdma.c in the Linux kernel. This flaw allows an attacker with normal user privileges to leak kernel information.
CVE-2021-47171 In the Linux kernel, the following vulnerability has been resolved: net: usb: fix memory leak in smsc75xx_bind Syzbot reported a memory leak in smsc75xx_bind(). The problem was non-freed memory in case of errors after memory allocation. backtrace: [] kmalloc include/linux/slab.h:556 [inline] [] kzalloc include/linux/slab.h:686 [inline] [] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460 [] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728
CVE-2021-47153 In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Don't generate an interrupt on bus reset Now that the i2c-i801 driver supports interrupts, setting the KILL bit in an attempt to recover from a timed out transaction triggers an interrupt. Unfortunately, the interrupt handler (i801_isr) is not prepared for this situation and will try to process the interrupt as if it was signaling the end of a successful transaction. In the case of a block transaction, this can result in an out-of-range memory access. This condition was reproduced several times by syzbot: https://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e https://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e https://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e https://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb https://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a https://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79 So disable interrupts while trying to reset the bus. Interrupts will be enabled again for the following transaction.
CVE-2021-47118 In the Linux kernel, the following vulnerability has been resolved: pid: take a reference when initializing `cad_pid` During boot, kernel_init_freeable() initializes `cad_pid` to the init task's struct pid. Later on, we may change `cad_pid` via a sysctl, and when this happens proc_do_cad_pid() will increment the refcount on the new pid via get_pid(), and will decrement the refcount on the old pid via put_pid(). As we never called get_pid() when we initialized `cad_pid`, we decrement a reference we never incremented, can therefore free the init task's struct pid early. As there can be dangling references to the struct pid, we can later encounter a use-after-free (e.g. when delivering signals). This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to have been around since the conversion of `cad_pid` to struct pid in commit 9ec52099e4b8 ([PATCH] replace cad_pid by a struct pid) from the pre-KASAN stone age of v2.6.19. Fix this by getting a reference to the init task's struct pid when we assign it to `cad_pid`.
Full KASAN splat below. ================================================================== BUG: KASAN:
use-after-free in ns_of_pid include/linux/pid.h:153 [inline] BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273 CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1 Hardware name: linux,dummy-virt (DT) Call trace: ns_of_pid include/linux/pid.h:153 [inline] task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 do_notify_parent+0x308/0xe60 kernel/signal.c:1950 exit_notify kernel/exit.c:682 [inline] do_exit+0x2334/0x2bd0 kernel/exit.c:845 do_group_exit+0x108/0x2c8 kernel/exit.c:922 get_signal+0x4e4/0x2a88 kernel/signal.c:2781 do_signal arch/arm64/kernel/signal.c:882 [inline] do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936 work_pending+0xc/0x2dc Allocated by task 0: slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516 slab_alloc_node mm/slub.c:2907 [inline] slab_alloc mm/slub.c:2915 [inline] kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920 alloc_pid+0xdc/0xc00 kernel/pid.c:180 copy_process+0x2794/0x5e18 kernel/fork.c:2129 kernel_clone+0x194/0x13c8 kernel/fork.c:2500 kernel_thread+0xd4/0x110 kernel/fork.c:2552 rest_init+0x44/0x4a0 init/main.c:687 arch_call_rest_init+0x1c/0x28 start_kernel+0x520/0x554 init/main.c:1064 0x0 Freed by task 270:
slab_free_hook mm/slub.c:1562 [inline] slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600 slab_free mm/slub.c:3161 [inline] kmem_cache_free+0x224/0x8e0 mm/slub.c:3177 put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114 put_pid+0x30/0x48 kernel/pid.c:109 proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401 proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591 proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617 call_write_iter include/linux/fs.h:1977 [inline] new_sync_write+0x3ac/0x510 fs/read_write.c:518 vfs_write fs/read_write.c:605 [inline] vfs_write+0x9c4/0x1018 fs/read_write.c:585 ksys_write+0x124/0x240 fs/read_write.c:658 __do_sys_write fs/read_write.c:670 [inline] __se_sys_write fs/read_write.c:667 [inline] __arm64_sys_write+0x78/0xb0 fs/read_write.c:667 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall arch/arm64/kernel/syscall.c:49 [inline] el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129 do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168 el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416 el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432 el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701 The buggy address belongs to the object at ffff23794dda0000 which belongs to the cache pid of size 224 The buggy address is located 4 bytes inside of 224-byte region [ff
---truncated---
CVE-2021-46932 In the Linux kernel, the following vulnerability has been resolved: Input: appletouch - initialize work before device registration Syzbot has reported a warning in __flush_work(). This warning is caused by work->func == NULL, which means missing work initialization. This may happen, since input_dev->close() calls cancel_work_sync(&dev->work), but dev->work initialization happens _after_ the input_register_device() call. So this patch moves dev->work initialization before registering the input device.
CVE-2021-46906 In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix info leak in hid_submit_ctrl In hid_submit_ctrl(), the way of calculating the report length doesn't take into account that report->size can be zero. When running the syzkaller reproducer, a report of size 0 causes hid_submit_ctrl() to calculate transfer_buffer_length as 16384. When this urb is passed to the usb core layer, KMSAN reports an info leak of 16384 bytes. To fix this, first modify hid_report_len() to account for the zero report size case by using DIV_ROUND_UP for the division. Then, call it from hid_submit_ctrl().
CVE-2021-45868 In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.
CVE-2021-43976 In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).
CVE-2021-43975 In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value.
CVE-2021-43389 An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.
CVE-2021-37159 hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.
CVE-2021-34693 net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
CVE-2021-31916 An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.
CVE-2021-30178 An issue was discovered in the Linux kernel through 5.11.11. synic_get in arch/x86/kvm/hyperv.c has a NULL pointer dereference for certain accesses to the SynIC Hyper-V context, aka CID-919f4ebc5987.
CVE-2021-28971 In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6.
CVE-2021-28964 A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc.
CVE-2021-20321 A race condition accessing a file object in the Linux kernel OverlayFS subsystem was found in the way users perform a rename in a specific way with OverlayFS. A local user could use this flaw to crash the system.
CVE-2021-20292 There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with a root privilege, can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.
CVE-2021-4159 A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures.
Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel.
CVE-2021-4149 A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of service (DOS) due to a deadlock problem.
CVE-2021-3679 A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.
CVE-2021-3659 A NULL pointer dereference flaw was found in the Linux kernel's IEEE 802.15.4 wireless networking subsystem in the way the user closes the LR-WPAN connection. This flaw allows a local user to crash the system. The highest threat from this vulnerability is to system availability.
CVE-2021-3178 ** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior.
CVE-2021-0129 Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.
CVE-2020-27820 A vulnerability was found in the Linux kernel, where a use-after-free in nouveau's postclose() handler could happen when removing the device (physically removing a video card without powering off is uncommon, but the same happens when unbinding the driver).
CVE-2020-26555 Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN.
CVE-2022-3629 A vulnerability was found in the Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c. The manipulation leads to a memory leak. The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability.
CVE-2021-3923 A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms.
CVE-2022-33741 Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
CVE-2022-1652 Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a concurrency use-after-free flaw in the bad_flp_intr function. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVE-2022-1011 A use-after-free flaw was found in the Linux kernel's FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation.
CVE-2024-26898 In the Linux kernel, the following vulnerability has been resolved: aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts This patch is against CVE-2023-6270. The description of cve is: A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial code is finished. But the net_device ifp will still be used in later tx()->dev_queue_xmit() in kthread. Which means that the dev_put(ifp) should NOT be called in the success path of skb initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into use-after-free because the net_device is freed. This patch removed the dev_put(ifp) in the success path in aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().
CVE-2023-52752 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being torn down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381
CVE-2023-52445 In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix use after free on context disconnection Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack.
CVE-2023-35824 An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.
CVE-2023-6931 A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation. A perf_event's read_size can overflow, leading to a heap out-of-bounds increment or write in perf_read_group(). We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.
CVE-2023-4623 A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation. If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free. We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.
CVE-2023-3268 An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.
CVE-2023-2124 An out-of-bounds memory access flaw was found in the Linux kernel's XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the sys ...

Note that the description has been truncated because of its length. See the vendor advisory for the full text.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
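The version-only comparison that the note above describes, written out as an added example (this is not Tenable's plugin code and not MiracleLinux tooling): it reimplements rpm's rpmvercmp ordering in Python, applies it to the kernel package names from the plugin's CPE list against the fixed version in the advisory title, and separately checks the booted kernel from uname -r, which the package list alone does not tell you. The rpm query format, the sample package listing and the arch suffixes stripped from uname -r are constructed for the example.

```python
"""Added example, not Tenable's plugin code: replicate the version-only check a
local Nessus plugin makes for this advisory, comparing installed kernel packages
(and the booted kernel) with the fixed EVR under rpmvercmp rules."""
import re
import subprocess

FIXED_EVR = "3.10.0-1160.119.1.0.1.el7.AXS7"   # from the advisory title
AFFECTED_PKGS = {                                # from the plugin's CPE list
    "kernel", "kernel-debug", "kernel-devel", "kernel-debug-devel",
    "kernel-headers", "kernel-tools", "kernel-tools-libs",
    "kernel-abi-whitelists", "perf", "python-perf", "bpftool"}
RPM_QF = r"%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE} %{ARCH}\n"

# Constructed sample of `rpm -qa --qf "$RPM_QF"`; not captured from a real host.
SAMPLE_RPM_OUTPUT = """\
kernel (none):3.10.0-1160.118.1.0.1.el7.AXS7 x86_64
kernel (none):3.10.0-1160.119.1.0.1.el7.AXS7 x86_64
kernel-tools (none):3.10.0-1160.118.1.0.1.el7.AXS7 x86_64
kernel-headers (none):3.10.0-1160.119.1.0.1.el7.AXS7 x86_64
bpftool (none):3.10.0-1160.118.1.0.1.el7.AXS7 x86_64
openssl 1:1.0.2k-26.el7_9 x86_64
"""


def rpmvercmp(a, b):
    """Compare version (or release) strings like rpm's rpmvercmp(): -1, 0 or 1.
    Digit runs compare numerically and beat letter runs; '~' and '^' as in rpm."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1                               # skip separators such as '.'
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if "~" in (ca, cb):                      # '~' sorts before everything
            if ca != cb:
                return 1 if cb == "~" else -1    # side without '~' is newer
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):
            if ca != cb:
                if not ca or not cb:
                    return 1 if ca else -1       # '^' beats end-of-string
                return 1 if cb == "^" else -1    # anything else beats '^'
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        isnum = "0" <= ca <= "9"
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        s1 = re.match(pat, a[i:]).group(0)
        m2 = re.match(pat, b[j:])
        s2 = m2.group(0) if m2 else ""
        i, j = i + len(s1), j + len(s2)
        if not s2:
            return 1 if isnum else -1            # numeric segment beats alpha
        if isnum:
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1              # leftover segments are newer


def parse_evr(evr):
    """'[epoch:]version-release' -> (int epoch, version, release); '(none)' is 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return (int(epoch) if epoch.isdigit() else 0), version, release


def evrcmp(a, b):
    """Epoch numerically, then version, then release, as rpm orders packages."""
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    return (ea > eb) - (ea < eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def find_vulnerable(rpm_output, fixed_evr=FIXED_EVR, pkgs=AFFECTED_PKGS):
    """[(name, evr)] for every listed package whose EVR is below the fix."""
    rows = (line.split() for line in rpm_output.splitlines())
    return [(n, e) for n, e, _arch in rows if n in pkgs and evrcmp(e, fixed_evr) < 0]


def running_kernel_vulnerable(uname_r, fixed_evr=FIXED_EVR):
    """`uname -r` prints VERSION-RELEASE.ARCH; drop the arch and compare."""
    evr = re.sub(r"\.(x86_64|aarch64|i686|ppc64le|s390x)$", "", uname_r)
    return evrcmp(evr, fixed_evr) < 0


if __name__ == "__main__":                       # live check on an EL7 host
    sh = lambda *c: subprocess.run(c, check=True, capture_output=True, text=True).stdout
    for name, evr in find_vulnerable(sh("rpm", "-qa", "--qf", RPM_QF)):
        print(f"{name} {evr} is older than {FIXED_EVR}")
    booted = sh("uname", "-r").strip()
    print(booted, "vulnerable" if running_kernel_vulnerable(booted) else "fixed")
```

rpm -qa needs no privileges, so the script runs as any user on the host. An older kernel package left installed alongside the fixed one is still reported, which matches what a package-list check sees; whether the fix is actually in effect depends on which kernel is booted, which is why the uname -r comparison is separate. Tilde and caret follow rpm's rules so that back-ported pre-release style versions order correctly.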

Solution

Update the affected packages.

See Also

https://tsn.miraclelinux.com/en/node/19835

Plugin Details

Severity: High

ID: 292383

File Name: miracle_linux_AXSA-2024-8651.nasl

Version: 1.1

Type: local

Published: 2026/1/20

Updated: 2026/1/20

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.4

Temporal Score: 5.8

Vector: CVSS2#AV:A/AC:M/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2021-4157

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-42719

Vulnerability Information

CPE: p-cpe:/a:miracle:linux:kernel-tools, cpe:/o:miracle:linux:7, p-cpe:/a:miracle:linux:kernel-debug, p-cpe:/a:miracle:linux:kernel-tools-libs, p-cpe:/a:miracle:linux:python-perf, p-cpe:/a:miracle:linux:perf, p-cpe:/a:miracle:linux:bpftool, p-cpe:/a:miracle:linux:kernel-headers, p-cpe:/a:miracle:linux:kernel-devel, p-cpe:/a:miracle:linux:kernel-abi-whitelists, p-cpe:/a:miracle:linux:kernel-debug-devel, p-cpe:/a:miracle:linux:kernel

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/MiracleLinux/release, Host/MiracleLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2024/8/9

Vulnerability Publication Date: 2020/6/9

Reference Information

CVE: CVE-2019-25162, CVE-2020-13974, CVE-2020-26555, CVE-2020-27820, CVE-2021-0129, CVE-2021-20292, CVE-2021-20321, CVE-2021-20322, CVE-2021-28964, CVE-2021-28971, CVE-2021-30178, CVE-2021-3178, CVE-2021-31916, CVE-2021-34693, CVE-2021-3609, CVE-2021-3612, CVE-2021-3640, CVE-2021-3659, CVE-2021-3679, CVE-2021-37159, CVE-2021-38160, CVE-2021-3923, CVE-2021-40490, CVE-2021-4149, CVE-2021-4157, CVE-2021-4159, CVE-2021-41864, CVE-2021-43389, CVE-2021-43975, CVE-2021-43976, CVE-2021-45485, CVE-2021-45868, CVE-2021-46906, CVE-2021-46932, CVE-2021-46936, CVE-2021-47118, CVE-2021-47153, CVE-2021-47171, CVE-2021-47194, CVE-2022-0812, CVE-2022-0850, CVE-2022-1011, CVE-2022-1016, CVE-2022-1353, CVE-2022-1419, CVE-2022-1652, CVE-2022-1679, CVE-2022-21499, CVE-2022-25265, CVE-2022-26365, CVE-2022-28390, CVE-2022-33740, CVE-2022-33741, CVE-2022-3424, CVE-2022-3565, CVE-2022-3566, CVE-2022-3629, CVE-2022-4095, CVE-2022-41858, CVE-2022-42719, CVE-2022-45934, CVE-2023-1077, CVE-2023-1118, CVE-2023-1380, CVE-2023-1513, CVE-2023-1829, CVE-2023-1838, CVE-2023-1989, CVE-2023-2124, CVE-2023-3111, CVE-2023-3141, CVE-2023-3268, CVE-2023-3567, CVE-2023-35824, CVE-2023-39197, CVE-2023-40283, CVE-2023-42753, CVE-2023-4387, CVE-2023-4623, CVE-2023-51042, CVE-2023-51780, CVE-2023-52435, CVE-2023-52445, CVE-2023-52752, CVE-2023-6606, CVE-2023-6610, CVE-2023-6931, CVE-2023-6932, CVE-2024-26898