ALAS-2025-809


Amazon Linux 2023 Security Advisory: ALAS-2025-809
Advisory Release Date: 2025-01-21 23:11 Pacific
Advisory Updated Date: 2025-02-26 19:34 Pacific
Severity: Important

Issue Overview:

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fixed overflow check in mi_enum_attr() (CVE-2024-27407)

In the Linux kernel, the following vulnerability has been resolved:

xfs: add bounds checking to xlog_recover_process_data (CVE-2024-41014)

In the Linux kernel, the following vulnerability has been resolved:

closures: Change BUG_ON() to WARN_ON() (CVE-2024-42252)

In the Linux kernel, the following vulnerability has been resolved:

mm: call the security_mmap_file() LSM hook in remap_file_pages() (CVE-2024-47745)

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix helper writes to read-only maps (CVE-2024-49861)

In the Linux kernel, the following vulnerability has been resolved:

rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() (CVE-2024-49926)

In the Linux kernel, the following vulnerability has been resolved:

fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name (CVE-2024-49934)

In the Linux kernel, the following vulnerability has been resolved:

driver core: bus: Fix double free in driver API bus_register() (CVE-2024-50055)

In the Linux kernel, the following vulnerability has been resolved:

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net (CVE-2024-50121)

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Don't call cleanup on profile rollback failure (CVE-2024-50146)

In the Linux kernel, the following vulnerability has been resolved:

ntfs3: Add bounds checking to mi_enum_attr() (CVE-2024-50248)

In the Linux kernel, the following vulnerability has been resolved:

net: fix crash when config small gso_max_size/gso_ipv4_max_size (CVE-2024-50258)

In the Linux kernel, the following vulnerability has been resolved:

arm64/sve: Discard stale CPU state when handling SVE traps (CVE-2024-50275)

In the Linux kernel, the following vulnerability has been resolved:

NFSv4.0: Fix a use-after-free problem in the asynchronous open() (CVE-2024-53173)

In the Linux kernel, the following vulnerability has been resolved:

tcp: Fix use-after-free of nreq in reqsk_timer_handler(). (CVE-2024-53206)

In the Linux kernel, the following vulnerability has been resolved:

btrfs: ref-verify: fix use-after-free after invalid ref action (CVE-2024-56581)

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free in btrfs_encoded_read_endio() (CVE-2024-56582)

In the Linux kernel, the following vulnerability has been resolved:

net: inet6: do not leave a dangling sk pointer in inet6_create() (CVE-2024-56600)

In the Linux kernel, the following vulnerability has been resolved:

af_packet: avoid erroring out after sock_init_data() in packet_create() (CVE-2024-56606)

In the Linux kernel, the following vulnerability has been resolved:

tipc: Fix use-after-free of kernel socket in cleanup_bearer(). (CVE-2024-56642)

In the Linux kernel, the following vulnerability has been resolved:

net: defer final 'struct net' free in netns dismantle (CVE-2024-56658)

In the Linux kernel, the following vulnerability has been resolved:

blk-cgroup: Fix UAF in blkcg_unpin_online() (CVE-2024-56672)

In the Linux kernel, the following vulnerability has been resolved:

ipv6: release nexthop on device removal

The CI is hitting some aperiodic hangup at device removal time in the
pmtu.sh self-test:

    unregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6
    ref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at
        dst_init+0x84/0x4a0
        dst_alloc+0x97/0x150
        ip6_dst_alloc+0x23/0x90
        ip6_rt_pcpu_alloc+0x1e6/0x520
        ip6_pol_route+0x56f/0x840
        fib6_rule_lookup+0x334/0x630
        ip6_route_output_flags+0x259/0x480
        ip6_dst_lookup_tail.constprop.0+0x5c2/0x940
        ip6_dst_lookup_flow+0x88/0x190
        udp_tunnel6_dst_lookup+0x2a7/0x4c0
        vxlan_xmit_one+0xbde/0x4a50 [vxlan]
        vxlan_xmit+0x9ad/0xf20 [vxlan]
        dev_hard_start_xmit+0x10e/0x360
        __dev_queue_xmit+0xf95/0x18c0
        arp_solicit+0x4a2/0xe00
        neigh_probe+0xaa/0xf0

While the first suspect is the dst_cache, explicitly tracking the dst
owning the last device reference via probes proved such dst is held by
the nexthop in the originating fib6_info.

Similar to commit f5b51fe804ec ("ipv6: route: purge exception on
removal"), we need to explicitly release the originating fib info when
disconnecting a to-be-removed device from a live ipv6 dst: move the
fib6_info cleanup into ip6_dst_ifdown().

Tested running:

    ./pmtu.sh cleanup_ipv6_exception

in a tight loop for more than 400 iterations with no splat; running an
unpatched kernel I observed a splat every ~10 iterations. (CVE-2024-56751)

In the Linux kernel, the following vulnerability has been resolved:

drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() (CVE-2024-57798)


Affected Packages:

kernel


Issue Correction:
Run dnf update kernel --releasever 2023.6.20250123 to update your system.
System reboot is required in order to complete this update.
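
An added check (not part of the advisory) that reports whether the running kernel is at or above the fixed build 6.1.124-134.200.amzn2023 named in the package list, or whether a fixed kernel is installed but not yet booted. The function names and the --live switch are assumptions of this example, and GNU sort -V stands in for RPM's own version comparison.

```shell
#!/bin/sh
# Fixed kernel build, taken from the advisory's "New Packages" list.
FIXED="6.1.124-134.200.amzn2023"

# Strip the trailing architecture (.x86_64 / .aarch64) from a release string,
# so `uname -r` output and rpm version-release strings compare like for like.
strip_arch() {
    printf '%s\n' "$1" | sed -E 's/\.(x86_64|aarch64)$//'
}

# version_ge A B: succeed when A >= B under GNU `sort -V` ordering.
# Assumption: this approximates RPM comparison well enough for these strings.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# kernel_status RUNNING [INSTALLED...] prints one of:
#   patched         running kernel is at or above the fixed build
#   reboot-pending  a fixed kernel is installed but has not been booted
#   vulnerable      no fixed kernel is running or installed
kernel_status() {
    running=$(strip_arch "$1"); shift
    if version_ge "$running" "$FIXED"; then
        echo patched
        return 0
    fi
    for pkg in "$@"; do
        if version_ge "$(strip_arch "$pkg")" "$FIXED"; then
            echo reboot-pending
            return 0
        fi
    done
    echo vulnerable
}

# Live check on an RPM-based host; runs only when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    # rpm prints one version-release line per installed kernel package.
    # shellcheck disable=SC2046
    kernel_status "$(uname -r)" $(rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n')
fi
```

A result of reboot-pending means the update was installed but the host is still executing the old kernel, which is the state the reboot requirement above addresses.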

New Packages:
aarch64:
    kernel-libbpf-static-6.1.124-134.200.amzn2023.aarch64
    python3-perf-6.1.124-134.200.amzn2023.aarch64
    kernel-livepatch-6.1.124-134.200-1.0-0.amzn2023.aarch64
    kernel-tools-debuginfo-6.1.124-134.200.amzn2023.aarch64
    kernel-headers-6.1.124-134.200.amzn2023.aarch64
    perf-6.1.124-134.200.amzn2023.aarch64
    perf-debuginfo-6.1.124-134.200.amzn2023.aarch64
    kernel-modules-extra-6.1.124-134.200.amzn2023.aarch64
    kernel-tools-devel-6.1.124-134.200.amzn2023.aarch64
    kernel-libbpf-6.1.124-134.200.amzn2023.aarch64
    bpftool-6.1.124-134.200.amzn2023.aarch64
    kernel-tools-6.1.124-134.200.amzn2023.aarch64
    kernel-modules-extra-common-6.1.124-134.200.amzn2023.aarch64
    python3-perf-debuginfo-6.1.124-134.200.amzn2023.aarch64
    bpftool-debuginfo-6.1.124-134.200.amzn2023.aarch64
    kernel-6.1.124-134.200.amzn2023.aarch64
    kernel-libbpf-devel-6.1.124-134.200.amzn2023.aarch64
    kernel-debuginfo-6.1.124-134.200.amzn2023.aarch64
    kernel-debuginfo-common-aarch64-6.1.124-134.200.amzn2023.aarch64
    kernel-devel-6.1.124-134.200.amzn2023.aarch64

src:
    kernel-6.1.124-134.200.amzn2023.src

x86_64:
    kernel-libbpf-devel-6.1.124-134.200.amzn2023.x86_64
    python3-perf-debuginfo-6.1.124-134.200.amzn2023.x86_64
    kernel-tools-debuginfo-6.1.124-134.200.amzn2023.x86_64
    kernel-livepatch-6.1.124-134.200-1.0-0.amzn2023.x86_64
    python3-perf-6.1.124-134.200.amzn2023.x86_64
    bpftool-debuginfo-6.1.124-134.200.amzn2023.x86_64
    kernel-libbpf-6.1.124-134.200.amzn2023.x86_64
    kernel-headers-6.1.124-134.200.amzn2023.x86_64
    bpftool-6.1.124-134.200.amzn2023.x86_64
    perf-debuginfo-6.1.124-134.200.amzn2023.x86_64
    perf-6.1.124-134.200.amzn2023.x86_64
    kernel-modules-extra-6.1.124-134.200.amzn2023.x86_64
    kernel-tools-6.1.124-134.200.amzn2023.x86_64
    kernel-libbpf-static-6.1.124-134.200.amzn2023.x86_64
    kernel-tools-devel-6.1.124-134.200.amzn2023.x86_64
    kernel-modules-extra-common-6.1.124-134.200.amzn2023.x86_64
    kernel-debuginfo-6.1.124-134.200.amzn2023.x86_64
    kernel-6.1.124-134.200.amzn2023.x86_64
    kernel-debuginfo-common-x86_64-6.1.124-134.200.amzn2023.x86_64
    kernel-devel-6.1.124-134.200.amzn2023.x86_64