CentOS 9 : kernel-5.14.0-585.el9
high Nessus プラグイン ID 236987
Language:
概要
リモートの CentOS ホストに 1 つ以上の kernel 用セキュリティ更新プログラムがありません。説明
リモートの CentOS Linux 9 ホストに、kernel-5.14.0-585.el9 ビルド変更ログに記載されている複数の脆弱性の影響を受けるパッケージがインストールされています。- Linux カーネルでは、以下の脆弱性が解決されています: ext4: fix OOB read when checking dotdot dir Mounting a corrupted filesystem with directory which contains '.' dir entry with rec_len == block size results in out-of-bounds read (later on, when the corrupted directory is removed).
ext4_empty_dir() assumes every ext4 directory contains at least '.' and '..' as directory entries in the first data block. It first loads the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry() and then uses its rec_len member to compute the location of '..' dir entry (in ext4_next_entry). It assumes the '..' dir entry fits into the same data block. If the rec_len of '.' is precisely one block (4KB), it slips through the sanity checks (it is considered the last directory entry in the data block) and leaves struct ext4_dir_entry_2 *de point exactly past the memory slot allocated to the data block. The following call to ext4_check_dir_entry() on new value of de then dereferences this pointer which results in out-of-bounds mem access. Fix this by extending __ext4_check_dir_entry() to check for '.' dir entries that reach the end of data block. Make sure to ignore the phony dir entries for checksum (by checking name_len for non-zero). Note: This is reported by KASAN as use-after-free in case another structure was recently freed from the slot past the bound, but it is really an OOB read. This issue was found by syzkaller tool. Call Trace: [ 38.594108] BUG: KASAN: slab-use-after-free in
__ext4_check_dir_entry+0x67e/0x710 [ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375 [ 38.595158] [ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1 [ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 38.595304] Call Trace: [ 38.595308] <TASK> [38.595311] dump_stack_lvl+0xa7/0xd0 [ 38.595325] print_address_description.constprop.0+0x2c/0x3f0 [38.595339] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595349] print_report+0xaa/0x250 [ 38.595359] ?
__ext4_check_dir_entry+0x67e/0x710 [ 38.595368] ? kasan_addr_to_slab+0x9/0x90 [ 38.595378] kasan_report+0xab/0xe0 [ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595400]
__ext4_check_dir_entry+0x67e/0x710 [ 38.595410] ext4_empty_dir+0x465/0x990 [ 38.595421] ?
__pfx_ext4_empty_dir+0x10/0x10 [ 38.595432] ext4_rmdir.part.0+0x29a/0xd10 [ 38.595441] ?
__dquot_initialize+0x2a7/0xbf0 [ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10 [ 38.595464] ?
__pfx___dquot_initialize+0x10/0x10 [ 38.595478] ? down_write+0xdb/0x140 [ 38.595487] ?
__pfx_down_write+0x10/0x10 [ 38.595497] ext4_rmdir+0xee/0x140 [ 38.595506] vfs_rmdir+0x209/0x670 [38.595517] ? lookup_one_qstr_excl+0x3b/0x190 [ 38.595529] do_rmdir+0x363/0x3c0 [ 38.595537] ?
__pfx_do_rmdir+0x10/0x10 [ 38.595544] ? strncpy_from_user+0x1ff/0x2e0 [ 38.595561]
__x64_sys_unlinkat+0xf0/0x130 [ 38.595570] do_syscall_64+0x5b/0x180 [ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e (CVE-2025-37785)
- Linux カーネルでは、以下の脆弱性が解決されています: RDMA/rxe: Fix the qp flush warnings in req When the qp is in error state, the status of WQEs in the queue should be set to error. Or else the following will appear. [ 920.617269] WARNING: CPU: 1 PID: 21 at drivers/infiniband/sw/rxe/rxe_comp.c:756 rxe_completer+0x989/0xcc0 [rdma_rxe] [ 920.617744] Modules linked in: rnbd_client(O) rtrs_client(O) rtrs_core(O) rdma_ucm rdma_cm iw_cm ib_cm crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel ib_uverbs ib_core loop brd null_blk ipv6 [ 920.618516] CPU: 1 PID: 21 Comm: ksoftirqd/1 Tainted: G O 6.1.113-storage+ #65 [ 920.618986] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 920.619396] RIP: 0010:rxe_completer+0x989/0xcc0 [rdma_rxe] [ 920.619658] Code: 0f b6 84 24 3a 02 00 00 41 89 84 24 44 04 00 00 e9 2a f7 ff ff 39 ca bb 03 00 00 00 b8 0e 00 00 00 48 0f 45 d8 e9 15 f7 ff ff <0f> 0b e9 cb f8 ff ff 41 bf f5 ff ff ff e9 08 f8 ff ff 49 8d bc 24 [ 920.620482] RSP:
0018:ffff97b7c00bbc38 EFLAGS: 00010246 [ 920.620817] RAX: 0000000000000000 RBX: 000000000000000c RCX:
0000000000000008 [ 920.621183] RDX: ffff960dc396ebc0 RSI: 0000000000005400 RDI: ffff960dc4e2fbac [920.621548] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffac406450 [ 920.621884] R10:
ffffffffac4060c0 R11: 0000000000000001 R12: ffff960dc4e2f800 [ 920.622254] R13: ffff960dc4e2f928 R14:
ffff97b7c029c580 R15: 0000000000000000 [ 920.622609] FS: 0000000000000000(0000) GS:ffff960ef7d00000(0000) knlGS:0000000000000000 [ 920.622979] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 920.623245] CR2:
00007fa056965e90 CR3: 00000001107f1000 CR4: 00000000000006e0 [ 920.623680] Call Trace: [ 920.623815] <TASK> [ 920.623933] ? __warn+0x79/0xc0 [ 920.624116] ? rxe_completer+0x989/0xcc0 [rdma_rxe] [ 920.624356] ? report_bug+0xfb/0x150 [ 920.624594] ? handle_bug+0x3c/0x60 [ 920.624796] ? exc_invalid_op+0x14/0x70 [920.624976] ? asm_exc_invalid_op+0x16/0x20 [ 920.625203] ? rxe_completer+0x989/0xcc0 [rdma_rxe] [920.625474] ? rxe_completer+0x329/0xcc0 [rdma_rxe] [ 920.625749] rxe_do_task+0x80/0x110 [rdma_rxe] [920.626037] rxe_requester+0x625/0xde0 [rdma_rxe] [ 920.626310] ? rxe_cq_post+0xe2/0x180 [rdma_rxe] [920.626583] ? do_complete+0x18d/0x220 [rdma_rxe] [ 920.626812] ? rxe_completer+0x1a3/0xcc0 [rdma_rxe] [920.627050] rxe_do_task+0x80/0x110 [rdma_rxe] [ 920.627285] tasklet_action_common.constprop.0+0xa4/0x120 [920.627522] handle_softirqs+0xc2/0x250 [ 920.627728] ? sort_range+0x20/0x20 [ 920.627942] run_ksoftirqd+0x1f/0x30 [ 920.628158] smpboot_thread_fn+0xc7/0x1b0 [ 920.628334] kthread+0xd6/0x100 [920.628504] ? kthread_complete_and_exit+0x20/0x20 [ 920.628709] ret_from_fork+0x1f/0x30 [ 920.628892] </TASK> (CVE-2024-53229)
- Linux カーネルでは、以下の脆弱性が解決されています: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before
__vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does:
list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420
__sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0
__sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID:
2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150
__vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP:
0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e (CVE-2025-21756)
- Linux カーネルでは、以下の脆弱性が解決されています: smb: client: Add check for next_buffer in receive_encrypted_standard() Add check for the return value of cifs_buf_get() and cifs_small_buf_get() in receive_encrypted_standard() to prevent null pointer dereference. (CVE-2025-21844)
- Linux カーネルでは、以下の脆弱性が解決されています: net: ppp: Add bound checking for skb data on ppp_sync_txmung Ensure we have enough data in linear buffer from skb before accessing initial bytes. This prevents potential out-of-bounds accesses when processing short packets. When ppp_sync_txmung receives an incoming package with an empty payload: (remote) gef p *(struct pppoe_hdr *) (skb->head + skb->network_header) $18 = { type = 0x1, ver = 0x1, code = 0x0, sid = 0x2, length = 0x0, tag = 0xffff8880371cdb96 } from the skb struct (trimmed) tail = 0x16, end = 0x140, head = 0xffff88803346f400 4, data = 0xffff88803346f416 :\377, truesize = 0x380, len = 0x0, data_len = 0x0, mac_len = 0xe, hdr_len = 0x0, it is not safe to access data[2]. [[email protected]: fixed subj typo] (CVE-2025-37749)
Nessus はこれらの問題をテストしておらず、代わりにアプリケーションが自己報告するバージョン番号にのみ依存していることに注意してください。
ソリューション
CentOS 9 Stream kernel パッケージを更新してください。参考資料
https://kojihub.stream.centos.org/koji/buildinfo?buildID=77887
プラグインの詳細
深刻度: High
ID: 236987
ファイル名: centos9_kernel-5_14_0-585_77887.nasl
バージョン: 1.1
タイプ: local
エージェント: unix
ファミリー: CentOS Local Security Checks
公開日: 2025/5/20
更新日: 2025/5/20
サポートされているセンサー: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus
リスク情報
VPR
リスクファクター: Critical
スコア: 9.2
CVSS v2
リスクファクター: Medium
基本値: 6.2
現状値: 4.9
ベクトル: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:C
CVSS スコアのソース: CVE-2025-37785
CVSS v3
リスクファクター: High
基本値: 7.1
現状値: 6.4
ベクトル: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
現状ベクトル: CVSS:3.0/E:P/RL:O/RC:C
脆弱性情報
CPE: p-cpe:/a:centos:centos:kernel-zfcpdump, p-cpe:/a:centos:centos:kernel-64k-debug-core, p-cpe:/a:centos:centos:kernel-64k-debug-modules-internal, p-cpe:/a:centos:centos:kernel-rt-64k-core, p-cpe:/a:centos:centos:kernel-zfcpdump-modules-partner, p-cpe:/a:centos:centos:kernel-zfcpdump-devel-matched, p-cpe:/a:centos:centos:kernel-debug-devel-matched, p-cpe:/a:centos:centos:kernel-rt-64k-debug-modules-extra, p-cpe:/a:centos:centos:kernel-64k-devel, p-cpe:/a:centos:centos:kernel-headers, p-cpe:/a:centos:centos:kernel-rt-modules, p-cpe:/a:centos:centos:kernel-64k-debug-devel-matched, p-cpe:/a:centos:centos:kernel-debug-core, p-cpe:/a:centos:centos:kernel-tools-libs-devel, p-cpe:/a:centos:centos:kernel-64k-core, p-cpe:/a:centos:centos:kernel-debug-modules-internal, p-cpe:/a:centos:centos:kernel-zfcpdump-modules-core, p-cpe:/a:centos:centos:kernel-rt-debug-modules-core, p-cpe:/a:centos:centos:kernel-rt-64k-debug-modules-partner, p-cpe:/a:centos:centos:kernel-rt-64k-debug-modules-core, p-cpe:/a:centos:centos:kernel-modules-extra, p-cpe:/a:centos:centos:kernel-cross-headers, p-cpe:/a:centos:centos:kernel-rt-debug-modules-partner, p-cpe:/a:centos:centos:kernel-rt, p-cpe:/a:centos:centos:kernel-rt-modules-internal, p-cpe:/a:centos:centos:kernel-tools, p-cpe:/a:centos:centos:kernel-rt-debug-modules-extra, p-cpe:/a:centos:centos:kernel-debug-uki-virt, p-cpe:/a:centos:centos:kernel-rt-modules-partner, p-cpe:/a:centos:centos:kernel-rt-64k-debug-modules, p-cpe:/a:centos:centos:kernel-rt-debug, p-cpe:/a:centos:centos:kernel-abi-stablelists, p-cpe:/a:centos:centos:kernel-rt-64k-modules-partner, p-cpe:/a:centos:centos:kernel-rt-64k-debug-core, p-cpe:/a:centos:centos:kernel-rt-debug-devel-matched, p-cpe:/a:centos:centos:kernel-rt-64k-modules-core, p-cpe:/a:centos:centos:kernel-zfcpdump-core, p-cpe:/a:centos:centos:kernel-64k-debug-modules-extra, p-cpe:/a:centos:centos:kernel-zfcpdump-devel, p-cpe:/a:centos:centos:kernel-tools-libs, p-cpe:/a:centos:centos:libperf-devel, p-cpe:/a:centos:centos:kernel-64k, p-cpe:/a:centos:centos:kernel-64k-modules-internal, p-cpe:/a:centos:centos:kernel-debug, p-cpe:/a:centos:centos:rtla, p-cpe:/a:centos:centos:kernel-rt-64k-modules-extra, p-cpe:/a:centos:centos:kernel-rt-64k-devel-matched, cpe:/a:centos:centos:9, p-cpe:/a:centos:centos:kernel-64k-debug-modules, p-cpe:/a:centos:centos:kernel-zfcpdump-modules-extra, p-cpe:/a:centos:centos:kernel-selftests-internal, p-cpe:/a:centos:centos:kernel-modules-internal, p-cpe:/a:centos:centos:kernel-debug-modules, p-cpe:/a:centos:centos:kernel-rt-64k-debug, p-cpe:/a:centos:centos:kernel-rt-64k-debug-devel, p-cpe:/a:centos:centos:rv, p-cpe:/a:centos:centos:kernel-rt-64k-debug-modules-internal, p-cpe:/a:centos:centos:kernel-zfcpdump-modules, p-cpe:/a:centos:centos:kernel-64k-debug-devel, p-cpe:/a:centos:centos:perf, p-cpe:/a:centos:centos:kernel-modules, p-cpe:/a:centos:centos:kernel-zfcpdump-modules-internal, p-cpe:/a:centos:centos:kernel-rt-debug-modules-internal, p-cpe:/a:centos:centos:kernel-64k-devel-matched, p-cpe:/a:centos:centos:kernel-64k-debug-modules-core, p-cpe:/a:centos:centos:kernel-rt-debug-devel, p-cpe:/a:centos:centos:kernel-modules-core, p-cpe:/a:centos:centos:kernel-core, p-cpe:/a:centos:centos:kernel-debug-modules-partner, p-cpe:/a:centos:centos:kernel-debug-modules-extra, p-cpe:/a:centos:centos:kernel-rt-debug-core, p-cpe:/a:centos:centos:kernel-devel-matched, p-cpe:/a:centos:centos:kernel-rt-64k-devel, p-cpe:/a:centos:centos:kernel-rt-debug-modules, p-cpe:/a:centos:centos:kernel-rt-64k, p-cpe:/a:centos:centos:kernel, p-cpe:/a:centos:centos:kernel-debug-modules-core, p-cpe:/a:centos:centos:kernel-rt-64k-debug-devel-matched, p-cpe:/a:centos:centos:kernel-uki-virt-addons, p-cpe:/a:centos:centos:kernel-uki-virt, p-cpe:/a:centos:centos:kernel-rt-devel-matched, p-cpe:/a:centos:centos:kernel-rt-modules-core, p-cpe:/a:centos:centos:kernel-debug-devel, p-cpe:/a:centos:centos:kernel-devel, p-cpe:/a:centos:centos:kernel-rt-64k-modules, p-cpe:/a:centos:centos:kernel-64k-debug, p-cpe:/a:centos:centos:kernel-rt-64k-modules-internal, p-cpe:/a:centos:centos:libperf, p-cpe:/a:centos:centos:kernel-rt-core, p-cpe:/a:centos:centos:kernel-modules-partner, p-cpe:/a:centos:centos:kernel-64k-modules-extra, p-cpe:/a:centos:centos:kernel-64k-modules-core, p-cpe:/a:centos:centos:kernel-64k-modules-partner, p-cpe:/a:centos:centos:kernel-64k-modules, p-cpe:/a:centos:centos:kernel-rt-devel, p-cpe:/a:centos:centos:kernel-debug-uki-virt-addons, p-cpe:/a:centos:centos:kernel-rt-modules-extra, p-cpe:/a:centos:centos:python3-perf, p-cpe:/a:centos:centos:kernel-64k-debug-modules-partner
必要な KB アイテム: Host/local_checks_enabled, Host/cpu, Host/CentOS/release, Host/CentOS/rpm-list
エクスプロイトが利用可能: true
エクスプロイトの容易さ: Exploits are available
パッチ公開日: 2025/5/14
脆弱性公開日: 2024/12/27
参照情報
CVE: CVE-2024-53229, CVE-2025-21756, CVE-2025-21844, CVE-2025-37749, CVE-2025-37785