{"release":{"tag":{"name":"4.19.90-2205.1.0","path":"/openeuler/kernel/tags/4.19.90-2205.1.0","tree_path":"/openeuler/kernel/tree/4.19.90-2205.1.0","message":"4.19.90-2205.1.0","commit":{"id":"c46a8e3369dfc7231551ce48cf0039d4836ad9a8","short_id":"c46a8e3","title":"hamradio: improve the incomplete fix to avoid NPD","title_markdown":"hamradio: improve the incomplete fix to avoid NPD","description":"\nstable inclusion\nfrom stable-v4.19.223\ncommit b68f41c6320b2b7fbb54a95f07a69f3dc7e56c59\ncategory: bugfix\nbugzilla: https://gitee.com/src-openeuler/kernel/issues/I55483\nCVE: CVE-2022-1195\n\n-------------------------------------------------\n\ncommit b2f37aead1b82a770c48b5d583f35ec22aabb61e upstream.\n\nThe previous commit 3e0588c291d6 (\"hamradio: defer ax25 kfree after\nunregister_netdev\") reorder the kfree operations and unregister_netdev\noperation to prevent UAF.\n\nThis commit improves the previous one by also deferring the nullify of\nthe ax-\u003Etty pointer. Otherwise, a NULL pointer dereference bug occurs.\nPartial of the stack trace is shown below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000538\nRIP: 0010:ax_xmit+0x1f9/0x400\n...\nCall Trace:\n dev_hard_start_xmit+0xec/0x320\n sch_direct_xmit+0xea/0x240\n __qdisc_run+0x166/0x5c0\n __dev_queue_xmit+0x2c7/0xaf0\n ax25_std_establish_data_link+0x59/0x60\n ax25_connect+0x3a0/0x500\n ? security_socket_connect+0x2b/0x40\n __sys_connect+0x96/0xc0\n ? __hrtimer_init+0xc0/0xc0\n ? common_nsleep+0x2e/0x50\n ? switch_fpu_return+0x139/0x1a0\n __x64_sys_connect+0x11/0x20\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nThe crash point is shown as below\n\nstatic void ax_encaps(...) {\n  ...\n  set_bit(TTY_DO_WRITE_WAKEUP, \u0026ax-\u003Etty-\u003Eflags); // ax-\u003Etty = NULL!\n  ...\n}\n\nBy placing the nullify action after the unregister_netdev, the ax-\u003Etty\npointer won't be assigned as NULL net_device framework layer is well\nsynchronized.\n\nSigned-off-by: Lin Ma \u003Clinma@zju.edu.cn\u003E\nSigned-off-by: David S. Miller \u003Cdavem@davemloft.net\u003E\nSigned-off-by: Greg Kroah-Hartman \u003Cgregkh@linuxfoundation.org\u003E\nSigned-off-by: Huang Guobin \u003Chuangguobin4@huawei.com\u003E\nReviewed-by: Wei Yongjun \u003Cweiyongjun1@huawei.com\u003E\nReviewed-by: Xiu Jianfeng \u003Cxiujianfeng@huawei.com\u003E\nSigned-off-by: Yongqiang Liu \u003Cliuyongqiang13@huawei.com\u003E","description_markdown":"stable inclusion\nfrom stable-v4.19.223\ncommit b68f41c6320b2b7fbb54a95f07a69f3dc7e56c59\ncategory: bugfix\nbugzilla: \u003Ca title=\"Issue: CVE-2022-1195\" class=\"gfm gfm-issue\" href=\"/open_euler/dashboard?issue_id=I55483\"\u003E#I55483\u003C/a\u003ECVE: CVE-2022-1195\n-------------------------------------------------\ncommit b2f37aead1b82a770c48b5d583f35ec22aabb61e upstream.\nThe previous commit 3e0588c291d6 (\"hamradio: defer ax25 kfree after\nunregister_netdev\") reorder the kfree operations and unregister_netdev\noperation to prevent UAF.\nThis commit improves the previous one by also deferring the nullify of\nthe ax-\u0026gt;tty pointer. Otherwise, a NULL pointer dereference bug occurs.\nPartial of the stack trace is shown below.\nBUG: kernel NULL pointer dereference, address: 0000000000000538\nRIP: 0010:ax_xmit+0x1f9/0x400\n...\nCall Trace:\ndev_hard_start_xmit+0xec/0x320\nsch_direct_xmit+0xea/0x240\n__qdisc_run+0x166/0x5c0\n__dev_queue_xmit+0x2c7/0xaf0\nax25_std_establish_data_link+0x59/0x60\nax25_connect+0x3a0/0x500\n? security_socket_connect+0x2b/0x40\n__sys_connect+0x96/0xc0\n? __hrtimer_init+0xc0/0xc0\n? common_nsleep+0x2e/0x50\n? switch_fpu_return+0x139/0x1a0\n__x64_sys_connect+0x11/0x20\ndo_syscall_64+0x33/0x40\nentry_SYSCALL_64_after_hwframe+0x44/0xa9\nThe crash point is shown as below\nstatic void ax_encaps(...) {\n...\nset_bit(TTY_DO_WRITE_WAKEUP, \u0026amp;ax-\u0026gt;tty-\u0026gt;flags); // ax-\u0026gt;tty = NULL!\n...\n}\nBy placing the nullify action after the unregister_netdev, the ax-\u0026gt;tty\npointer won't be assigned as NULL net_device framework layer is well\nsynchronized.\nSigned-off-by: Lin Ma \u003Ca href=\"mailto:linma@zju.edu.cn\"\u003Elinma@zju.edu.cn\u003C/a\u003E\nSigned-off-by: David S. Miller \u003Ca href=\"mailto:davem@davemloft.net\"\u003Edavem@davemloft.net\u003C/a\u003E\nSigned-off-by: Greg Kroah-Hartman \u003Ca href=\"mailto:gregkh@linuxfoundation.org\"\u003Egregkh@linuxfoundation.org\u003C/a\u003E\nSigned-off-by: Huang Guobin \u003Ca href=\"mailto:huangguobin4@huawei.com\"\u003Ehuangguobin4@huawei.com\u003C/a\u003E\nReviewed-by: Wei Yongjun \u003Ca href=\"mailto:weiyongjun1@huawei.com\"\u003Eweiyongjun1@huawei.com\u003C/a\u003E\nReviewed-by: Xiu Jianfeng \u003Ca href=\"mailto:xiujianfeng@huawei.com\"\u003Exiujianfeng@huawei.com\u003C/a\u003E\nSigned-off-by: Yongqiang Liu \u003Ca href=\"mailto:liuyongqiang13@huawei.com\"\u003Eliuyongqiang13@huawei.com\u003C/a\u003E","message":"hamradio: improve the incomplete fix to avoid NPD\n\nstable inclusion\nfrom stable-v4.19.223\ncommit b68f41c6320b2b7fbb54a95f07a69f3dc7e56c59\ncategory: bugfix\nbugzilla: https://gitee.com/src-openeuler/kernel/issues/I55483\nCVE: CVE-2022-1195\n\n-------------------------------------------------\n\ncommit b2f37aead1b82a770c48b5d583f35ec22aabb61e upstream.\n\nThe previous commit 3e0588c291d6 (\"hamradio: defer ax25 kfree after\nunregister_netdev\") reorder the kfree operations and unregister_netdev\noperation to prevent UAF.\n\nThis commit improves the previous one by also deferring the nullify of\nthe ax-\u003Etty pointer. Otherwise, a NULL pointer dereference bug occurs.\nPartial of the stack trace is shown below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000538\nRIP: 0010:ax_xmit+0x1f9/0x400\n...\nCall Trace:\n dev_hard_start_xmit+0xec/0x320\n sch_direct_xmit+0xea/0x240\n __qdisc_run+0x166/0x5c0\n __dev_queue_xmit+0x2c7/0xaf0\n ax25_std_establish_data_link+0x59/0x60\n ax25_connect+0x3a0/0x500\n ? security_socket_connect+0x2b/0x40\n __sys_connect+0x96/0xc0\n ? __hrtimer_init+0xc0/0xc0\n ? common_nsleep+0x2e/0x50\n ? switch_fpu_return+0x139/0x1a0\n __x64_sys_connect+0x11/0x20\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nThe crash point is shown as below\n\nstatic void ax_encaps(...) {\n  ...\n  set_bit(TTY_DO_WRITE_WAKEUP, \u0026ax-\u003Etty-\u003Eflags); // ax-\u003Etty = NULL!\n  ...\n}\n\nBy placing the nullify action after the unregister_netdev, the ax-\u003Etty\npointer won't be assigned as NULL net_device framework layer is well\nsynchronized.\n\nSigned-off-by: Lin Ma \u003Clinma@zju.edu.cn\u003E\nSigned-off-by: David S. Miller \u003Cdavem@davemloft.net\u003E\nSigned-off-by: Greg Kroah-Hartman \u003Cgregkh@linuxfoundation.org\u003E\nSigned-off-by: Huang Guobin \u003Chuangguobin4@huawei.com\u003E\nReviewed-by: Wei Yongjun \u003Cweiyongjun1@huawei.com\u003E\nReviewed-by: Xiu Jianfeng \u003Cxiujianfeng@huawei.com\u003E\nSigned-off-by: Yongqiang Liu \u003Cliuyongqiang13@huawei.com\u003E\n","message_markdown":"hamradio: improve the incomplete fix to avoid NPD\nstable inclusion\nfrom stable-v4.19.223\ncommit b68f41c6320b2b7fbb54a95f07a69f3dc7e56c59\ncategory: bugfix\nbugzilla: \u003Ca title=\"Issue: CVE-2022-1195\" class=\"gfm gfm-issue\" href=\"/open_euler/dashboard?issue_id=I55483\"\u003E#I55483\u003C/a\u003ECVE: CVE-2022-1195\n-------------------------------------------------\ncommit b2f37aead1b82a770c48b5d583f35ec22aabb61e upstream.\nThe previous commit 3e0588c291d6 (\"hamradio: defer ax25 kfree after\nunregister_netdev\") reorder the kfree operations and unregister_netdev\noperation to prevent UAF.\nThis commit improves the previous one by also deferring the nullify of\nthe ax-\u0026gt;tty pointer. Otherwise, a NULL pointer dereference bug occurs.\nPartial of the stack trace is shown below.\nBUG: kernel NULL pointer dereference, address: 0000000000000538\nRIP: 0010:ax_xmit+0x1f9/0x400\n...\nCall Trace:\ndev_hard_start_xmit+0xec/0x320\nsch_direct_xmit+0xea/0x240\n__qdisc_run+0x166/0x5c0\n__dev_queue_xmit+0x2c7/0xaf0\nax25_std_establish_data_link+0x59/0x60\nax25_connect+0x3a0/0x500\n? security_socket_connect+0x2b/0x40\n__sys_connect+0x96/0xc0\n? __hrtimer_init+0xc0/0xc0\n? common_nsleep+0x2e/0x50\n? switch_fpu_return+0x139/0x1a0\n__x64_sys_connect+0x11/0x20\ndo_syscall_64+0x33/0x40\nentry_SYSCALL_64_after_hwframe+0x44/0xa9\nThe crash point is shown as below\nstatic void ax_encaps(...) {\n...\nset_bit(TTY_DO_WRITE_WAKEUP, \u0026amp;ax-\u0026gt;tty-\u0026gt;flags); // ax-\u0026gt;tty = NULL!\n...\n}\nBy placing the nullify action after the unregister_netdev, the ax-\u0026gt;tty\npointer won't be assigned as NULL net_device framework layer is well\nsynchronized.\nSigned-off-by: Lin Ma \u003Ca href=\"mailto:linma@zju.edu.cn\"\u003Elinma@zju.edu.cn\u003C/a\u003E\nSigned-off-by: David S. Miller \u003Ca href=\"mailto:davem@davemloft.net\"\u003Edavem@davemloft.net\u003C/a\u003E\nSigned-off-by: Greg Kroah-Hartman \u003Ca href=\"mailto:gregkh@linuxfoundation.org\"\u003Egregkh@linuxfoundation.org\u003C/a\u003E\nSigned-off-by: Huang Guobin \u003Ca href=\"mailto:huangguobin4@huawei.com\"\u003Ehuangguobin4@huawei.com\u003C/a\u003E\nReviewed-by: Wei Yongjun \u003Ca href=\"mailto:weiyongjun1@huawei.com\"\u003Eweiyongjun1@huawei.com\u003C/a\u003E\nReviewed-by: Xiu Jianfeng \u003Ca href=\"mailto:xiujianfeng@huawei.com\"\u003Exiujianfeng@huawei.com\u003C/a\u003E\nSigned-off-by: Yongqiang Liu \u003Ca href=\"mailto:liuyongqiang13@huawei.com\"\u003Eliuyongqiang13@huawei.com\u003C/a\u003E","detail_path":"/openeuler/kernel/commit/c46a8e3369dfc7231551ce48cf0039d4836ad9a8","commits_path":"/openeuler/kernel/commits/c46a8e3369dfc7231551ce48cf0039d4836ad9a8","tree_path":"/openeuler/kernel/tree/c46a8e3369dfc7231551ce48cf0039d4836ad9a8","author":{"name":"matr1xL","email":"linma@zju.edu.cn","username":"matr1xl","user_path":"/matr1xl","enterprise_user_path":null,"image_path":"no_portrait.png#matr1xL-matr1xl","is_gitee_user":true,"is_enterprise_user":false,"widget_url":""},"committer":{"name":"刘勇强","email":"liuyongqiang13@huawei.com","username":"LiuYongQiang0816","user_path":"/LiuYongQiang0816","enterprise_user_path":null,"image_path":"no_portrait.png#刘勇强-LiuYongQiang0816","is_gitee_user":true,"is_enterprise_user":false,"widget_url":""},"authored_date":"2022-04-29T03:33:48+00:00","committed_date":"2022-04-29T16:11:42+08:00","signature":null,"build_state":null},"archive_path":"/openeuler/kernel/repository/archive/4.19.90-2205.1.0","signature":null},"operating":{"edit":false,"download":true,"destroy":false,"enterprise_forbid_zip":false},"release":{"title":"openEuler 20.03 update 4.19.90-2205.1.0","path":"/openeuler/kernel/releases/tag/4.19.90-2205.1.0","tag_path":"/openeuler/kernel/tree/4.19.90-2205.1.0","project_id":7696525,"created_at":"2022-05-06T09:03:08+08:00","is_prerelease":false,"description":"# 1TASK\r\n-------\r\n\r\n# 4.19.90-2204.4.0~1...4.19.90-2205.1.0\r\n-------\r\n| TASK | COMMIT |\r\n|:----:|:------:|\r\n|     bugzilla: https://gitee.com/src-openeuler/kernel/issues/I55483 | c46a8e3369df hamradio: improve the incomplete fix to avoid NPD\u003Cbr\u003E7b9501c21752 hamradio: defer ax25 kfree after unregister_netdev\u003Cbr\u003E |\r\n|     bugzilla: https://gitee.com/src-openeuler/kernel/issues/I51YBN | 7883a93a82b9 can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path\u003Cbr\u003Eb694ae58e996 llc: only change llc-\u003Edev when bind() succeeds\u003Cbr\u003Eca0c52d1c8c6 netdevice: add the case if dev is NULL\u003Cbr\u003Ef63bceddbb8f llc: fix netdevice reference leaks in llc_ui_bind()\u003Cbr\u003E |\r\n|     bugzilla: 186460, https://gitee.com/src-openeuler/kernel/issues/I53MHA | f442b1f0811c ARM: fix Thumb2 regression with Spectre BHB\u003Cbr\u003Ef22ff1005176 ARM: Spectre-BHB: provide empty stub for non-config\u003Cbr\u003Ed61ef7e2bb00 ARM: fix build warning in proc-v7-bugs.c\u003Cbr\u003Ed4d9408b275f ARM: Do not use NOCROSSREFS directive with ld.lld\u003Cbr\u003Eeda81c50f279 ARM: fix co-processor register typo\u003Cbr\u003E8534f17effd5 ARM: fix build error when BPF_SYSCALL is disabled\u003Cbr\u003Ea16c8564c6f7 ARM: include unprivileged BPF status in Spectre V2 reporting\u003Cbr\u003E7d063048fddf ARM: Spectre-BHB workaround\u003Cbr\u003E6700224fee30 ARM: use LOADADDR() to get load address of sections\u003Cbr\u003Eabcacb285da8 ARM: early traps initialisation\u003Cbr\u003E1f3f6c4947da ARM: report Spectre v2 status through sysfs\u003Cbr\u003E |\r\n|     bugzilla: https://gitee.com/src-openeuler/kernel/issues/I51YBQ | b1ee3b19cbd9 can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path\u003Cbr\u003E |\r\n\r\n# 2CVE\r\n-------\r\n\r\n| CVE | issue |\r\n|:---:|:-----:|\r\n| CVE-2022-1195 | #I55483 |\r\n| CVE-2022-23960 | #I53MHA |\r\n| CVE-2022-28356 | #I51YBN |\r\n| CVE-2022-28388 | #I51YBQ |\r\n| CVE-2022-28389 | #I51YBO |\r\n","author":{"name":"Qiuuuuu","username":"qiuuuuu","path":"/qiuuuuu","avatar_url":"no_portrait.png#Qiuuuuu-qiuuuuu"},"attach_files":[],"zip_download_url":"/openeuler/kernel/releases/tag/4.19.90-2205.1.0.zip","tar_download_url":"/openeuler/kernel/releases/tag/4.19.90-2205.1.0.tar.gz"}}}