Amazon Linux 2023 Security Advisory: ALAS-2024-549
Advisory Release Date: 2024-02-29 10:29 Pacific
Advisory Updated Date: 2024-12-05 20:34 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
2024-12-05: CVE-2024-26696 was added to this advisory.
2024-12-05: CVE-2024-26704 was added to this advisory.
2024-08-14: CVE-2024-26826 was added to this advisory.
2024-08-14: CVE-2024-26688 was added to this advisory.
2024-08-14: CVE-2024-26920 was added to this advisory.
2024-08-14: CVE-2024-26689 was added to this advisory.
2024-08-14: CVE-2024-26698 was added to this advisory.
2024-08-14: CVE-2024-26718 was added to this advisory.
2024-08-14: CVE-2024-26828 was added to this advisory.
2024-08-14: CVE-2024-26679 was added to this advisory.
2024-08-14: CVE-2024-26681 was added to this advisory.
2024-08-14: CVE-2024-26727 was added to this advisory.
2024-08-14: CVE-2024-26676 was added to this advisory.
2024-08-14: CVE-2024-26820 was added to this advisory.
2024-08-14: CVE-2024-26720 was added to this advisory.
2024-08-14: CVE-2024-26726 was added to this advisory.
2024-08-14: CVE-2024-26707 was added to this advisory.
2024-08-14: CVE-2024-26910 was added to this advisory.
2024-08-14: CVE-2023-52631 was added to this advisory.
2024-07-03: CVE-2024-26629 was added to this advisory.
2024-07-03: CVE-2024-0841 was added to this advisory.
2024-07-03: CVE-2023-52616 was added to this advisory.
2024-05-23: CVE-2024-26665 was added to this advisory.
2024-04-25: CVE-2024-26601 was added to this advisory.
2024-04-25: CVE-2024-26602 was added to this advisory.
2024-04-10: CVE-2024-26603 was added to this advisory.
2024-03-27: CVE-2024-2193 was added to this advisory.
2024-03-27: CVE-2024-26581 was added to this advisory.
dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count. (CVE-2023-52429)
A flaw was found in the smb client in the Linux kernel. A potential out-of-bounds error was seen in the smb2_parse_contexts() function. Validate offsets and lengths before dereferencing create contexts in smb2_parse_contexts(). (CVE-2023-52434)
In the Linux kernel, the following vulnerability has been resolved:
net: prevent mss overflow in skb_segment()
Once again syzbot is able to crash the kernel in skb_segment() [1]
GSO_BY_FRAGS is a forbidden value, but unfortunately the following
computation in skb_segment() can reach it quite easily :
mss = mss * partial_segs;
65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to
a bad final result.
Make sure to limit segmentation so that the new mss value is smaller
than GSO_BY_FRAGS.
[1]
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff
R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0
R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046
FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109
ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120
skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53
__skb_gso_segment+0x339/0x710 net/core/gso.c:124
skb_gso_segment include/net/gso.h:83 [inline]
validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626
__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338
dev_queue_xmit include/linux/netdevice.h:3134 [inline]
packet_xmit+0x257/0x380 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3087 [inline]
packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
__sys_sendto+0x255/0x340 net/socket.c:2190
__do_sys_sendto net/socket.c:2202 [inline]
__se_sys_sendto net/socket.c:2198 [inline]
__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f8692032aa9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9
RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480
R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
RBP: ffffc90004347578 R0
---truncated--- (CVE-2023-52435)
In the Linux kernel, the following vulnerability has been resolved:
crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init (CVE-2023-52616)
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Fix an NULL dereference bug (CVE-2023-52631)
A vulnerability was found in vhost_new_msg in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file. (CVE-2024-0340)
A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system. (CVE-2024-0841)
A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues. (CVE-2024-1151)
A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths. (CVE-2024-2193)
In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation. (CVE-2024-23850)
copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl. (CVE-2024-23851)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_rbtree: skip end interval element from gc
rbtree lazy gc on insert might collect an end interval element that has
been just added in this transactions, skip end interval elements that
are not yet active. (CVE-2024-26581)
In the Linux kernel, the following vulnerability has been resolved:
net: tls: fix use-after-free with partial reads and async decrypt
tls_decrypt_sg doesn't take a reference on the pages from clear_skb,
so the put_page() in tls_decrypt_done releases them, and we trigger
a use-after-free in process_rx_list when we try to read from the
partially-read skb. (CVE-2024-26582)
In the Linux kernel, the following vulnerability has been resolved:
tls: fix race between async notify and socket close
The submitting thread (one which called recvmsg/sendmsg)
may exit as soon as the async crypto handler calls complete()
so any code past that point risks touching already freed data.
Try to avoid the locking and extra flags altogether.
Have the main thread hold an extra reference, this way
we can depend solely on the atomic ref counter for
synchronization.
Don't futz with reiniting the completion, either, we are now
tightly controlling when completion fires. (CVE-2024-26583)
In the Linux kernel, the following vulnerability has been resolved:
ext4: regenerate buddy after block freeing failed if under fc replay
This mostly reverts commit 6bd97bf273bd ("ext4: remove redundant
mb_regenerate_buddy()") and reintroduces mb_regenerate_buddy(). Based on
code in mb_free_blocks(), fast commit replay can end up marking as free
blocks that are already marked as such. This causes corruption of the
buddy bitmap so we need to regenerate it in that case. (CVE-2024-26601)
In the Linux kernel, the following vulnerability has been resolved:
sched/membarrier: reduce the ability to hammer on sys_membarrier
On some systems, sys_membarrier can be very expensive, causing overall
slowdowns for everything. So put a lock on the path in order to
serialize the accesses to prevent the ability for this to be called at
too high of a frequency and saturate the machine. (CVE-2024-26602)
In the Linux kernel, the following vulnerability has been resolved:
x86/fpu: Stop relying on userspace for info to fault in xsave buffer
Before this change, the expected size of the user space buffer was
taken from fx_sw->xstate_size. fx_sw->xstate_size can be changed
from user-space, so it is possible construct a sigreturn frame where:
* fx_sw->xstate_size is smaller than the size required by valid bits in
fx_sw->xfeatures.
* user-space unmaps parts of the sigrame fpu buffer so that not all of
the buffer required by xrstor is accessible.
In this case, xrstor tries to restore and accesses the unmapped area
which results in a fault. But fault_in_readable succeeds because buf +
fx_sw->xstate_size is within the still mapped area, so it goes back and
tries xrstor again. It will spin in this loop forever.
Instead, fault in the maximum size which can be touched by XRSTOR (taken
from fpstate->user_size).
[ dhansen: tweak subject / changelog ] (CVE-2024-26603)
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix RELEASE_LOCKOWNER (CVE-2024-26629)
In the Linux kernel, the following vulnerability has been resolved:
tunnels: fix out of bounds access when building IPv6 PMTU error (CVE-2024-26665)
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. (CVE-2024-26676)
In the Linux kernel, the following vulnerability has been resolved:
inet: read sk->sk_family once in inet_recv_error() (CVE-2024-26679)
In the Linux kernel, the following vulnerability has been resolved:
netdevsim: avoid potential loop in nsim_dev_trap_report_work() (CVE-2024-26681)
In the Linux kernel, the following vulnerability has been resolved:
fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super (CVE-2024-26688)
In the Linux kernel, the following vulnerability has been resolved:
ceph: prevent use-after-free in encode_cap_msg() (CVE-2024-26689)
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix hang in nilfs_lookup_dirty_data_buffers() (CVE-2024-26696)
In the Linux kernel, the following vulnerability has been resolved:
hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove (CVE-2024-26698)
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix double-free of blocks due to wrong extents moved_len (CVE-2024-26704)
In the Linux kernel, the following vulnerability has been resolved:
net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame() (CVE-2024-26707)
In the Linux kernel, the following vulnerability has been resolved:
dm-crypt, dm-verity: disable tasklets (CVE-2024-26718)
In the Linux kernel, the following vulnerability has been resolved:
mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again (CVE-2024-26720)
In the Linux kernel, the following vulnerability has been resolved:
btrfs: don't drop extent_map for free space inode on write error (CVE-2024-26726)
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not ASSERT() if the newly created subvolume already got read (CVE-2024-26727)
In the Linux kernel, the following vulnerability has been resolved:
hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed (CVE-2024-26820)
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix data re-injection from stale subflow (CVE-2024-26826)
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix underflow in parse_server_interfaces() (CVE-2024-26828)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ipset: fix performance regression in swap operation (CVE-2024-26910)
In the Linux kernel, the following vulnerability has been resolved:
tracing/trigger: Fix to return error if failed to alloc snapshot (CVE-2024-26920)
Affected Packages:
kernel
Issue Correction:
Run dnf update kernel --releasever 2023.3.20240304 to update your system.
aarch64:
kernel-libbpf-static-6.1.79-99.164.amzn2023.aarch64
kernel-modules-extra-6.1.79-99.164.amzn2023.aarch64
python3-perf-6.1.79-99.164.amzn2023.aarch64
kernel-modules-extra-common-6.1.79-99.164.amzn2023.aarch64
kernel-libbpf-devel-6.1.79-99.164.amzn2023.aarch64
kernel-headers-6.1.79-99.164.amzn2023.aarch64
perf-debuginfo-6.1.79-99.164.amzn2023.aarch64
kernel-tools-6.1.79-99.164.amzn2023.aarch64
perf-6.1.79-99.164.amzn2023.aarch64
kernel-libbpf-6.1.79-99.164.amzn2023.aarch64
bpftool-debuginfo-6.1.79-99.164.amzn2023.aarch64
python3-perf-debuginfo-6.1.79-99.164.amzn2023.aarch64
bpftool-6.1.79-99.164.amzn2023.aarch64
kernel-tools-debuginfo-6.1.79-99.164.amzn2023.aarch64
kernel-debuginfo-6.1.79-99.164.amzn2023.aarch64
kernel-livepatch-6.1.79-99.164-1.0-0.amzn2023.aarch64
kernel-tools-devel-6.1.79-99.164.amzn2023.aarch64
kernel-6.1.79-99.164.amzn2023.aarch64
kernel-debuginfo-common-aarch64-6.1.79-99.164.amzn2023.aarch64
kernel-devel-6.1.79-99.164.amzn2023.aarch64
src:
kernel-6.1.79-99.164.amzn2023.src
x86_64:
bpftool-debuginfo-6.1.79-99.164.amzn2023.x86_64
kernel-tools-devel-6.1.79-99.164.amzn2023.x86_64
kernel-tools-debuginfo-6.1.79-99.164.amzn2023.x86_64
perf-debuginfo-6.1.79-99.164.amzn2023.x86_64
python3-perf-debuginfo-6.1.79-99.164.amzn2023.x86_64
kernel-tools-6.1.79-99.164.amzn2023.x86_64
kernel-headers-6.1.79-99.164.amzn2023.x86_64
kernel-modules-extra-6.1.79-99.164.amzn2023.x86_64
bpftool-6.1.79-99.164.amzn2023.x86_64
python3-perf-6.1.79-99.164.amzn2023.x86_64
kernel-modules-extra-common-6.1.79-99.164.amzn2023.x86_64
kernel-libbpf-devel-6.1.79-99.164.amzn2023.x86_64
perf-6.1.79-99.164.amzn2023.x86_64
kernel-livepatch-6.1.79-99.164-1.0-0.amzn2023.x86_64
kernel-libbpf-6.1.79-99.164.amzn2023.x86_64
kernel-libbpf-static-6.1.79-99.164.amzn2023.x86_64
kernel-debuginfo-6.1.79-99.164.amzn2023.x86_64
kernel-6.1.79-99.164.amzn2023.x86_64
kernel-debuginfo-common-x86_64-6.1.79-99.164.amzn2023.x86_64
kernel-devel-6.1.79-99.164.amzn2023.x86_64