CentOS 9:kernel-5.14.0-572.el9

high Nessus Plugin ID 232849

Synopsis

The remote CentOS host is missing one or more security updates for the kernel.

Description

The remote CentOS Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the kernel-5.14.0-572.el9 build changelog.

- In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array. The loop that detects/populates cache information already has a bounds check on the array size, but does not account for cache levels with separate data/instruction caches. Fix this by incrementing the index for any populated leaf (instead of any populated level). (CVE-2025-21785)

- In the Linux kernel, the following vulnerability has been resolved: powerpc/xive/spapr: correct bitmap allocation size. kasan detects access beyond the end of the xibm->bitmap allocation: BUG: KASAN: slab-out-of-bounds in _find_first_zero_bit+0x40/0x140 Read of size 8 at addr c00000001d1d0118 by task swapper/0/1 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-rc2-00001-g90df023b36dd #28 Call Trace:
[c00000001d98f770] [c0000000012baab8] dump_stack_lvl+0xac/0x108 (unreliable) [c00000001d98f7b0] [c00000000068faac] print_report+0x37c/0x710 [c00000001d98f880] [c0000000006902c0] kasan_report+0x110/0x354 [c00000001d98f950] [c000000000692324] __asan_load8+0xa4/0xe0 [c00000001d98f970] [c0000000011c6ed0]
_find_first_zero_bit+0x40/0x140 [c00000001d98f9b0] [c0000000000dbfbc] xive_spapr_get_ipi+0xcc/0x260 [c00000001d98fa70] [c0000000000d6d28] xive_setup_cpu_ipi+0x1e8/0x450 [c00000001d98fb30] [c000000004032a20] pSeries_smp_probe+0x5c/0x118 [c00000001d98fb60] [c000000004018b44] smp_prepare_cpus+0x944/0x9ac [c00000001d98fc90] [c000000004009f9c] kernel_init_freeable+0x2d4/0x640 [c00000001d98fd90] [c0000000000131e8] kernel_init+0x28/0x1d0 [c00000001d98fe10] [c00000000000cd54] ret_from_kernel_thread+0x5c/0x64 Allocated by task 0: kasan_save_stack+0x34/0x70 __kasan_kmalloc+0xb4/0xf0
__kmalloc+0x268/0x540 xive_spapr_init+0x4d0/0x77c pseries_init_irq+0x40/0x27c init_IRQ+0x44/0x84 start_kernel+0x2a4/0x538 start_here_common+0x1c/0x20 The buggy address belongs to the object at c00000001d1d0118 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 0 bytes inside of 8-byte region [c00000001d1d0118, c00000001d1d0120) The buggy address belongs to the physical page: page:c00c000000074740 refcount:1 mapcount:0 mapping:0000000000000000 index:0xc00000001d1d0558 pfn:0x1d1d flags: 0x7ffff000000200(slab|node=0|zone=0|lastcpupid=0x7ffff) raw: 007ffff000000200 c00000001d0003c8 c00000001d0003c8 c00000001d010480 raw: c00000001d1d0558 0000000001e1000a 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address:
c00000001d1d0000: fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc c00000001d1d0080: fc fc 00 fc fc fc fc fc fc fc fc fc fc fc fc fc >c00000001d1d0100: fc fc fc 02 fc fc fc fc fc fc fc fc fc fc fc fc ^ c00000001d1d0180: fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc fc c00000001d1d0200: fc fc fc fc fc 04 fc fc fc fc fc fc fc fc fc fc This happens because the allocation uses the wrong unit (bits) when it should pass (BITS_TO_LONGS(count) * sizeof(long)) or equivalent. With a small number of bits, the allocated object can be smaller than sizeof(long), which leads to invalid accesses. Use bitmap_zalloc() to allocate and initialize the irq bitmap, paired with bitmap_free() for consistency. (CVE-2022-49623)

- In the Linux kernel, the following vulnerability has been resolved: soc: qcom: cmd-db: Map shared memory as WC, not WB. Linux does not write into the cmd-db region. This region of memory is write-protected by the XPU.
The XPU may sometimes falsely detect a clean cache eviction as a write into the write-protected region, which leads to a secure interrupt that causes an endless loop somewhere in Trust Zone. The only reason it works right now is that the Qualcomm Hypervisor maps the same region as non-cacheable memory in the stage 2 translation tables. The issue manifests if we want to use another hypervisor (like Xen or KVM) that does not know anything about those specific mappings. Changing the mapping of the cmd-db memory from MEMREMAP_WB to MEMREMAP_WT/WC removes the dependency on correct mappings in the stage 2 tables. This patch fixes the issue by updating the mapping to MEMREMAP_WC. I tested this on SA8155P with Xen. (CVE-2024-46689)

- In the Linux kernel, the following vulnerability has been resolved: io_uring: check if we need to reschedule during overflow flush. In terms of normal application usage, this list will always be empty. And if an application does overflow a bit, it will have a few entries. However, nothing obviously prevents syzbot from running a test case that generates a huge number of overflow entries, and flushing them can then take quite a while. Check whether a reschedule is needed while flushing, and drop our locks to do so if necessary.
There is no state to maintain here, as overflows are always pruned from the head of the list, so it is fine to drop and reacquire the locks at the end of the loop. (CVE-2024-50060)

- In the Linux kernel, the following vulnerability has been resolved: io_uring/rw: fix missing NOWAIT check for O_DIRECT start write. When io_uring starts a write, it calls kiocb_start_write() to bump the super block rwsem, preventing any freeze from happening while that write is in flight. The freeze side grabs that rwsem for writing, excluding any new writers and waiting for existing writes to finish. But io_uring unconditionally uses kiocb_start_write(), which will block if someone is currently attempting to freeze the mount point. This causes a deadlock where the freeze is waiting for previous writes to complete, but the previous writes cannot complete, because the task that is supposed to complete them is blocked waiting on starting a new write. This results in the following stuck trace, showing that dependency with the write blocked on starting a new write: task:fio state:D stack:0 pid:886 tgid:886 ppid:876 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_rwsem_wait+0x1e8/0x3f8
__percpu_down_read+0xe8/0x500 io_write+0xbb8/0xff8 io_issue_sqe+0x10c/0x1020 io_submit_sqes+0x614/0x2110
__arm64_sys_io_uring_enter+0x524/0x1038 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170 INFO:
task fsfreeze:7364 blocked for more than 15 seconds. Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963 with the attempting freezer stuck trying to grab the rwsem: task:fsfreeze state:D stack:0 pid:7364 tgid:7364 ppid:995 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_down_write+0x2b0/0x680 freeze_super+0x248/0x8a8 do_vfs_ioctl+0x149c/0x1b18
__arm64_sys_ioctl+0xd0/0x1a0 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170 Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a blocking grab of the super block rwsem if it is not set. For normal issue, where IOCB_NOWAIT would always be set, this returns -EAGAIN, which has the io_uring core issue a blocking attempt of the write. That in turn also gets completions run, ensuring forward progress. Since freezing requires CAP_SYS_ADMIN in the first place, this is not something a regular user can trigger. (CVE-2024-53052)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the CentOS 9 Stream kernel package.

See Also

https://kojihub.stream.centos.org/koji/buildinfo?buildID=75925

Plugin Details

Severity: High

ID: 232849

File Name: centos9_kernel-5_14_0-572_75925.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2025/3/19

Updated: 2025/3/19

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-21785

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:centos:centos:kernel-rt-devel-matched, p-cpe:/a:centos:centos:kernel-rt-modules-core, p-cpe:/a:centos:centos:kernel-debug-devel, p-cpe:/a:centos:centos:kernel-devel, p-cpe:/a:centos:centos:kernel-rt-64k-modules, p-cpe:/a:centos:centos:kernel-64k-debug, p-cpe:/a:centos:centos:kernel-rt-64k-modules-internal, p-cpe:/a:centos:centos:libperf, p-cpe:/a:centos:centos:kernel-rt-core, p-cpe:/a:centos:centos:kernel-modules-partner, p-cpe:/a:centos:centos:kernel-rt-64k-debug-kvm, p-cpe:/a:centos:centos:kernel-ipaclones-internal, p-cpe:/a:centos:centos:kernel-debug, p-cpe:/a:centos:centos:rtla, p-cpe:/a:centos:centos:kernel-rt-64k-modules-extra, p-cpe:/a:centos:centos:kernel-rt-64k-devel-matched, cpe:/a:centos:centos:9, p-cpe:/a:centos:centos:kernel-64k-debug-modules, p-cpe:/a:centos:centos:kernel-zfcpdump-modules-extra, p-cpe:/a:centos:centos:kernel-selftests-internal, p-cpe:/a:centos:centos:kernel-modules-internal, p-cpe:/a:centos:centos:kernel-debug-modules, p-cpe:/a:centos:centos:kernel-rt-64k-debug, p-cpe:/a:centos:centos:kernel-64k-modules-extra, p-cpe:/a:centos:centos:kernel-64k-modules-core, p-cpe:/a:centos:centos:kernel-64k-modules-partner, p-cpe:/a:centos:centos:kernel-64k-modules, p-cpe:/a:centos:centos:kernel-rt-devel, p-cpe:/a:centos:centos:kernel-debug-uki-virt-addons, p-cpe:/a:centos:centos:kernel-rt-modules-extra, p-cpe:/a:centos:centos:python3-perf, p-cpe:/a:centos:centos:kernel-64k-debug-modules-partner, p-cpe:/a:centos:centos:kernel-zfcpdump, p-cpe:/a:centos:centos:kernel-64k-debug-core, p-cpe:/a:centos:centos:kernel-64k-debug-modules-internal, p-cpe:/a:centos:centos:kernel-rt-64k-core, p-cpe:/a:centos:centos:kernel-zfcpdump-modules-partner, p-cpe:/a:centos:centos:kernel-zfcpdump-devel-matched, p-cpe:/a:centos:centos:kernel-debug-devel-matched, p-cpe:/a:centos:centos:kernel-rt-64k-debug-modules-extra, p-cpe:/a:centos:centos:kernel-64k-devel, p-cpe:/a:centos:centos:kernel-headers, p-cpe:/a:centos:centos:kernel-rt-modules, 
p-cpe:/a:centos:centos:kernel-64k-debug-devel-matched, p-cpe:/a:centos:centos:kernel-debug-core, p-cpe:/a:centos:centos:kernel-tools-libs-devel, p-cpe:/a:centos:centos:kernel-64k-core, p-cpe:/a:centos:centos:kernel-debug-modules-internal, p-cpe:/a:centos:centos:kernel-zfcpdump-modules-core, p-cpe:/a:centos:centos:kernel-rt-debug-modules-core, p-cpe:/a:centos:centos:kernel-rt-64k-debug-modules-partner, p-cpe:/a:centos:centos:kernel-rt-64k-debug-modules-core, p-cpe:/a:centos:centos:kernel-modules-extra, p-cpe:/a:centos:centos:kernel-cross-headers, p-cpe:/a:centos:centos:kernel-rt-kvm, p-cpe:/a:centos:centos:kernel-rt-debug-modules-partner, p-cpe:/a:centos:centos:kernel-rt, p-cpe:/a:centos:centos:kernel-rt-modules-internal, p-cpe:/a:centos:centos:kernel-tools, p-cpe:/a:centos:centos:kernel-rt-debug-modules-extra, p-cpe:/a:centos:centos:kernel-debug-uki-virt, p-cpe:/a:centos:centos:kernel-rt-modules-partner, p-cpe:/a:centos:centos:kernel-rt-64k-debug-modules, p-cpe:/a:centos:centos:kernel-rt-debug, p-cpe:/a:centos:centos:kernel-abi-stablelists, p-cpe:/a:centos:centos:kernel-rt-64k-modules-partner, p-cpe:/a:centos:centos:kernel-rt-64k-debug-core, p-cpe:/a:centos:centos:kernel-rt-debug-devel-matched, p-cpe:/a:centos:centos:kernel-rt-64k-modules-core, p-cpe:/a:centos:centos:kernel-zfcpdump-core, p-cpe:/a:centos:centos:kernel-64k-debug-modules-extra, p-cpe:/a:centos:centos:kernel-zfcpdump-devel, p-cpe:/a:centos:centos:kernel-tools-libs, p-cpe:/a:centos:centos:libperf-devel, p-cpe:/a:centos:centos:kernel-64k, p-cpe:/a:centos:centos:kernel-64k-modules-internal, p-cpe:/a:centos:centos:kernel-rt-64k-debug-devel, p-cpe:/a:centos:centos:rv, p-cpe:/a:centos:centos:kernel-rt-64k-debug-modules-internal, p-cpe:/a:centos:centos:kernel-zfcpdump-modules, p-cpe:/a:centos:centos:kernel-64k-debug-devel, p-cpe:/a:centos:centos:perf, p-cpe:/a:centos:centos:kernel-rt-debug-kvm, p-cpe:/a:centos:centos:kernel-modules, p-cpe:/a:centos:centos:kernel-zfcpdump-modules-internal, 
p-cpe:/a:centos:centos:kernel-rt-debug-modules-internal, p-cpe:/a:centos:centos:kernel-64k-devel-matched, p-cpe:/a:centos:centos:kernel-64k-debug-modules-core, p-cpe:/a:centos:centos:kernel-rt-debug-devel, p-cpe:/a:centos:centos:kernel-modules-core, p-cpe:/a:centos:centos:kernel-core, p-cpe:/a:centos:centos:kernel-rt-64k-kvm, p-cpe:/a:centos:centos:kernel-debug-modules-partner, p-cpe:/a:centos:centos:kernel-debug-modules-extra, p-cpe:/a:centos:centos:kernel-rt-debug-core, p-cpe:/a:centos:centos:kernel-devel-matched, p-cpe:/a:centos:centos:kernel-rt-64k-devel, p-cpe:/a:centos:centos:kernel-rt-debug-modules, p-cpe:/a:centos:centos:kernel-rt-64k, p-cpe:/a:centos:centos:kernel, p-cpe:/a:centos:centos:kernel-debug-modules-core, p-cpe:/a:centos:centos:kernel-rt-64k-debug-devel-matched, p-cpe:/a:centos:centos:kernel-uki-virt-addons, p-cpe:/a:centos:centos:kernel-uki-virt

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/CentOS/release, Host/CentOS/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 2025/3/13

Vulnerability Publication Date: 2024/9/13

Reference Information

CVE: CVE-2022-49623, CVE-2024-46689, CVE-2024-50060, CVE-2024-53052, CVE-2024-56690, CVE-2024-56709, CVE-2025-21785