Alma Linux: CVE-2024-36286: Important: kernel security update (Multiple Advisories)

Alma Linux: CVE-2024-36286: Important: kernel security update (Multiple Advisories)

Severity

5

CVSS

(AV:L/AC:L/Au:S/C:N/I:N/A:C)

Published

06/21/2024

Created

08/13/2024

Added

08/12/2024

Modified

01/28/2025

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu() syzbot reported that nf_reinject() could be called without rcu_read_lock() : WARNING: suspicious RCU usage 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted net/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 2 locks held by syz-executor.4/13427: #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline] #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471 #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline] #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172 stack backtrace: CPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712 nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline] nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397 nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline] instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172 rcu_do_batch kernel/rcu/tree.c:2196 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471 handle_softirqs+0x2d6/0x990 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 </IRQ> <TASK>

Solution(s)

• alma-upgrade-bpftool
• alma-upgrade-kernel
• alma-upgrade-kernel-abi-stablelists
• alma-upgrade-kernel-core
• alma-upgrade-kernel-cross-headers
• alma-upgrade-kernel-debug
• alma-upgrade-kernel-debug-core
• alma-upgrade-kernel-debug-devel
• alma-upgrade-kernel-debug-modules
• alma-upgrade-kernel-debug-modules-extra
• alma-upgrade-kernel-devel
• alma-upgrade-kernel-doc
• alma-upgrade-kernel-headers
• alma-upgrade-kernel-modules
• alma-upgrade-kernel-modules-extra
• alma-upgrade-kernel-rt
• alma-upgrade-kernel-rt-core
• alma-upgrade-kernel-rt-debug
• alma-upgrade-kernel-rt-debug-core
• alma-upgrade-kernel-rt-debug-devel
• alma-upgrade-kernel-rt-debug-kvm
• alma-upgrade-kernel-rt-debug-modules
• alma-upgrade-kernel-rt-debug-modules-extra
• alma-upgrade-kernel-rt-devel
• alma-upgrade-kernel-rt-kvm
• alma-upgrade-kernel-rt-modules
• alma-upgrade-kernel-rt-modules-extra
• alma-upgrade-kernel-tools
• alma-upgrade-kernel-tools-libs
• alma-upgrade-kernel-tools-libs-devel
• alma-upgrade-kernel-zfcpdump
• alma-upgrade-kernel-zfcpdump-core
• alma-upgrade-kernel-zfcpdump-devel
• alma-upgrade-kernel-zfcpdump-modules
• alma-upgrade-kernel-zfcpdump-modules-extra
• alma-upgrade-perf
• alma-upgrade-python3-perf

References

• https://attackerkb.com/topics/cve-2024-36286
• CVE - 2024-36286
• https://errata.almalinux.org/8/ALSA-2024-5101.html
• https://errata.almalinux.org/8/ALSA-2024-5102.html