Detections
Analytics

TencentOS Server 3: kernel (TSSA-2024:1027)

high Nessus Plugin ID 276196

Synopsis

The remote TencentOS Server 3 host is missing one or more security updates.

Description

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:1027 advisory.

 Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

 CVE-2024-36007:
 In the Linux kernel, the following vulnerability has been resolved:

 mlxsw: spectrum_acl_tcam: Fix warning during rehash

 As previously explained, the rehash delayed work migrates filters from one region to another. This is done by iterating over all chunks (all the filters with the same priority) in the region and in each chunk iterating over all the filters.

 When the work runs out of credits it stores the current chunk and entry as markers in the per-work context so that it would know where to resume the migration from the next time the work is scheduled.

 Upon error, the chunk marker is reset to NULL, but without resetting the entry markers despite being relative to it. This can result in migration being resumed from an entry that does not belong to the chunk being migrated. In turn, this will eventually lead to a chunk being iterated over as if it is an entry. Because of how the two structures happen to be defined, this does not lead to KASAN splats, but to warnings such as [1].

 Fix by creating a helper that resets all the markers and call it from all the places the currently only reset the chunk marker. For good measures also call it when starting a completely new rehash. Add a warning to avoid future cases.

 [1] WARNING: CPU: 7 PID: 1076 at drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c:407 mlxsw_afk_encode+0x242/0x2f0 Modules linked in:
 CPU: 7 PID: 1076 Comm: kworker/7:24 Tainted: G W 6.9.0-rc3-custom-00880-g29e61d91b77b #29 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:mlxsw_afk_encode+0x242/0x2f0 [...] Call Trace:
 <TASK> mlxsw_sp_acl_atcam_entry_add+0xd9/0x3c0 mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x109/0x290 mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x470 process_one_work+0x151/0x370 worker_thread+0x2cb/0x3e0 kthread+0xd0/0x100 ret_from_fork+0x34/0x50 </TASK>

 CVE-2024-36006:
 In the Linux kernel, the following vulnerability has been resolved:

 mlxsw: spectrum_acl_tcam: Fix incorrect list API usage

 Both the function that migrates all the chunks within a region and the function that migrates all the entries within a chunk call list_first_entry() on the respective lists without checking that the lists are not empty. This is incorrect usage of the API, which leads to the following warning [1].

 Fix by returning if the lists are empty as there is nothing to migrate in this case.

 [1] WARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:1266 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0> Modules linked in:
 CPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0x2c0 [...] Call Trace:
 <TASK> mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x4a0 process_one_work+0x151/0x370 worker_thread+0x2cb/0x3e0 kthread+0xd0/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30 </TASK>

 CVE-2024-36004:
 In the Linux kernel, the following vulnerability has been resolved:

 i40e: Do not use WQ_MEM_RECLAIM flag for workqueue

 Issue reported by customer during SRIOV testing, call trace:
 When both i40e and the i40iw driver are loaded, a warning in check_flush_dependency is being triggered. This seems to be because of the i40e driver workqueue is allocated with the WQ_MEM_RECLAIM flag, and the i40iw one is not.

 Similar error was encountered on ice too and it was fixed by removing the flag. Do the same for i40e too.

 [Feb 9 09:08] ------------[ cut here ]------------ [ +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is flushing !WQ_MEM_RECLAIM infiniband:0x0 [ +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966 check_flush_dependency+0x10b/0x120 [ +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq snd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4 nls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr rfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma intel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core iTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore ioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich intel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad xfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe drm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel libata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror dm_region_hash dm_log dm_mod fuse [ +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not tainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1 [ +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020 [ +0.000001] Workqueue: i40e i40e_service_task [i40e] [ +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120 [ +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48 81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd ff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90 [ +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282 [ +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX:
 0000000000000027 [ +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI:
 ffff94d47f620bc0 [ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09:
 00000000ffff7fff [ +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12:
 ffff94c5451ea180 [ +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15:
 ffff94c5f1330ab0 [ +0.000001] FS: 0000000000000000(0000) GS:ffff94d47f600000(0000) knlGS:0000000000000000 [ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4:
 00000000007706f0 [ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
 0000000000000000 [ +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
 0000000000000400 [ +0.000001] PKRU: 55555554 [ +0.000001] Call Trace:
 [ +0.000001] <TASK> [ +0.000002] ? __warn+0x80/0x130 [ +0.000003] ? check_flush_dependency+0x10b/0x120 [ +0.000002] ? report_bug+0x195/0x1a0 [ +0.000005] ? handle_bug+0x3c/0x70 [ +0.000003] ? exc_invalid_op+0x14/0x70 [ +0.000002] ? asm_exc_invalid_op+0x16/0x20 [ +0.000006] ? check_flush_dependency+0x10b/0x120 [ +0.000002] ? check_flush_dependency+0x10b/0x120 [ +0.000002] __flush_workqueue+0x126/0x3f0 [ +0.000015] ib_cache_cleanup_one+0x1c/0xe0 [ib_core] [ +0.000056] __ib_unregister_device+0x6a/0xb0 [ib_core] [ +0.000023] ib_unregister_device_and_put+0x34/0x50 [ib_core] [ +0.000020] i40iw_close+0x4b/0x90 [irdma] [ +0.000022] i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e] [ +0.000035] i40e_service_task+0x126/0x190 [i40e] [ +0.000024] process_one_work+0x174/0x340 [ +0.000003] worker_th
 ---truncated---

 CVE-2024-35998:
 In the Linux kernel, the following vulnerability has been resolved:

 smb3: fix lock ordering potential deadlock in cifs_sync_mid_result

 Coverity spotted that the cifs_sync_mid_result function could deadlock

 Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires lock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock

 Addresses-Coverity: 1590401 (Thread deadlock (ORDER_REVERSAL))

 CVE-2024-35982:
 In the Linux kernel, the following vulnerability has been resolved:

 batman-adv: Avoid infinite loop trying to resize local TT

 If the MTU of one of an attached interface becomes too small to transmit the local translation table then it must be resized to fit inside all fragments (when enabled) or a single packet.

 But if the MTU becomes too low to transmit even the header + the VLAN specific part then the resizing of the local TT will never succeed. This can for example happen when the usable space is 110 bytes and 11 VLANs are on top of batman-adv. In this case, at least 116 byte would be needed.
 There will just be an endless spam of

 batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)

 in the log but the function will never finish. Problem here is that the timeout will be halved all the time and will then stagnate at 0 and therefore never be able to reduce the table even more.

 There are other scenarios possible with a similar result. The number of BATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too high to fit inside a packet. Such a scenario can therefore happen also with only a single VLAN + 7 non-purgable addresses - requiring at least 120 bytes.

 While this should be handled proactively when:

 * interface with too low MTU is added
 * VLAN is added
 * non-purgeable local mac is added
 * MTU of an attached interface is reduced
 * fragmentation setting gets disabled (which most likely requires dropping attached interfaces)

 not all of these scenarios can be prevented because batman-adv is only consuming events without the the possibility to prevent these actions (non-purgable MAC address added, MTU of an attached interface is reduced).
 It is therefore necessary to also make sure that the code is able to handle also the situations when there were already incompatible system configuration are present.

 CVE-2024-35969:
 In the Linux kernel, the following vulnerability has been resolved:

 ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr

 Although ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it still means hlist_for_each_entry_rcu can return an item that got removed from the list. The memory itself of such item is not freed thanks to RCU but nothing guarantees the actual content of the memory is sane.

 In particular, the reference count can be zero. This can happen if ipv6_del_addr is called in parallel. ipv6_del_addr removes the entry from inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all references (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough timing, this can happen:

 1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.

 2. Then, the whole ipv6_del_addr is executed for the given entry. The reference count drops to zero and kfree_rcu is scheduled.

 3. ipv6_get_ifaddr continues and tries to increments the reference count (in6_ifa_hold).

 4. The rcu is unlocked and the entry is freed.

 5. The freed entry is returned.

 Prevent increasing of the reference count in such case. The name in6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.

 [ 41.506330] refcount_t: addition on 0; use-after-free.
 [ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130 [ 41.507413] Modules linked in: veth bridge stp llc [ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14 [ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) [ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130 [ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff [ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282 [ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000 [ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900 [ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff [ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000 [ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48 [ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000 [ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0 [ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 41.516799] Call Trace:
 [ 41.517037] <TASK> [ 41.517249] ? __warn+0x7b/0x120 [ 41.517535] ? refcount_warn_saturate+0xa5/0x130 [ 41.517923] ? report_bug+0x164/0x190 [ 41.518240] ? handle_bug+0x3d/0x70 [ 41.518541] ? exc_invalid_op+0x17/0x70 [ 41.520972] ? asm_exc_invalid_op+0x1a/0x20 [ 41.521325] ? refcount_warn_saturate+0xa5/0x130 [ 41.521708] ipv6_get_ifaddr+0xda/0xe0 [ 41.522035] inet6_rtm_getaddr+0x342/0x3f0 [ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10 [ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0 [ 41.523102] ? netlink_unicast+0x30f/0x390 [ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 41.523832] netlink_rcv_skb+0x53/0x100 [ 41.524157] netlink_unicast+0x23b/0x390 [ 41.524484] netlink_sendmsg+0x1f2/0x440 [ 41.524826] __sys_sendto+0x1d8/0x1f0 [ 41.525145] __x64_sys_sendto+0x1f/0x30 [ 41.525467] do_syscall_64+0xa5/0x1b0 [ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a [ 41.526213] RIP: 0033:0x7fbc4cfcea9a [ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 [ 41.527942] RSP: 002b:00007f
 ---truncated---

 CVE-2024-35936:
 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()

 The unhandled case in btrfs_relocate_sys_chunks() loop is a corruption, as it could be caused only by two impossible conditions:

 - at first the search key is set up to look for a chunk tree item, with offset -1, this is an inexact search and the key->offset will contain the correct offset upon a successful search, a valid chunk tree item cannot have an offset -1

 - after first successful search, the found_key corresponds to a chunk item, the offset is decremented by 1 before the next loop, it's impossible to find a chunk item there due to alignment and size constraints

 CVE-2024-35935:
 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: send: handle path ref underflow in header iterate_inode_ref()

 Change BUG_ON to proper error handling if building the path buffer fails. The pointers are not printed so we don't accidentally leak kernel addresses.

 CVE-2024-35925:
 In the Linux kernel, the following vulnerability has been resolved:

 block: prevent division by zero in blk_rq_stat_sum()

 The expression dst->nr_samples + src->nr_samples may have zero value on overflow. It is necessary to add a check to avoid division by zero.

 Found by Linux Verification Center (linuxtesting.org) with Svace.

 CVE-2024-27388:
 In the Linux kernel, the following vulnerability has been resolved:

 SUNRPC: fix some memleaks in gssx_dec_option_array

 The creds and oa->data need to be freed in the error-handling paths after their allocation. So this patch add these deallocations in the corresponding paths.

 CVE-2024-27044:
 In the Linux kernel, the following vulnerability has been resolved:

 drm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_func()'

 The 'stream' pointer is used in dcn10_set_output_transfer_func() before the check if 'stream' is NULL.

 Fixes the below:
 drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10_hwseq.c:1892 dcn10_set_output_transfer_func() warn: variable dereferenced before check 'stream' (see line 1875)

 CVE-2024-27038:
 In the Linux kernel, the following vulnerability has been resolved:

 clk: Fix clk_core_get NULL dereference

 It is possible for clk_core_get to dereference a NULL in the following sequence:

 clk_core_get() of_clk_get_hw_from_clkspec()
 __of_clk_get_hw_from_provider()
 __clk_get_hw()

 __clk_get_hw() can return NULL which is dereferenced by clk_core_get() at hw->core.

 Prior to commit dde4eff47c82 (clk: Look for parents with clkdev based clk_lookups) the check IS_ERR_OR_NULL() was performed which would have caught the NULL.

 Reading the description of this function it talks about returning NULL but that cannot be so at the moment.

 Update the function to check for hw before dereferencing it and return NULL if hw is NULL.

 CVE-2024-27025:
 In the Linux kernel, the following vulnerability has been resolved:

 nbd: null check for nla_nest_start

 nla_nest_start() may fail and return NULL. Insert a check and set errno based on other call sites within the same source code.

 CVE-2024-26973:
 In the Linux kernel, the following vulnerability has been resolved:

 fat: fix uninitialized field in nostale filehandles

 When fat_encode_fh_nostale() encodes file handle without a parent it stores only first 10 bytes of the file handle. However the length of the file handle must be a multiple of 4 so the file handle is actually 12 bytes long and the last two bytes remain uninitialized. This is not great at we potentially leak uninitialized information with the handle to userspace. Properly initialize the full handle length.

 CVE-2024-26972:
 In the Linux kernel, the following vulnerability has been resolved:

 ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path

 For error handling path in ubifs_symlink(), inode will be marked as bad first, then iput() is invoked. If inode->i_link is initialized by fscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't be freed by callchain ubifs_free_inode -> fscrypt_free_inode in error handling path, because make_bad_inode() has changed 'inode->i_mode' as 'S_IFREG'.
 Following kmemleak is easy to be reproduced by injecting error in ubifs_jnl_update() when doing symlink in encryption scenario:
 unreferenced object 0xffff888103da3d98 (size 8):
 comm ln, pid 1692, jiffies 4294914701 (age 12.045s) backtrace:
 kmemdup+0x32/0x70
 __fscrypt_encrypt_symlink+0xed/0x1c0 ubifs_symlink+0x210/0x300 [ubifs] vfs_symlink+0x216/0x360 do_symlinkat+0x11a/0x190 do_syscall_64+0x3b/0xe0 There are two ways fixing it:
 1. Remove make_bad_inode() in error handling path. We can do that because ubifs_evict_inode() will do same processes for good symlink inode and bad symlink inode, for inode->i_nlink checking is before is_bad_inode().
 2. Free inode->i_link before marking inode bad.
 Method 2 is picked, it has less influence, personally, I think.

 CVE-2024-26965:
 In the Linux kernel, the following vulnerability has been resolved:

 clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays

 The frequency table arrays are supposed to be terminated with an empty element. Add such entry to the end of the arrays where it is missing in order to avoid possible out-of-bound access when the table is traversed by functions like qcom_find_freq() or qcom_find_freq_floor().

 Only compile tested.

 CVE-2024-26956:
 In the Linux kernel, the following vulnerability has been resolved:

 nilfs2: fix failure to detect DAT corruption in btree and direct mappings

 Patch series nilfs2: fix kernel bug at submit_bh_wbc().

 This resolves a kernel BUG reported by syzbot. Since there are two flaws involved, I've made each one a separate patch.

 The first patch alone resolves the syzbot-reported bug, but I think both fixes should be sent to stable, so I've tagged them as such.


 This patch (of 2):

 Syzbot has reported a kernel bug in submit_bh_wbc() when writing file data to a nilfs2 file system whose metadata is corrupted.

 There are two flaws involved in this issue.

 The first flaw is that when nilfs_get_block() locates a data block using btree or direct mapping, if the disk address translation routine nilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata corruption, it can be passed back to nilfs_get_block(). This causes nilfs_get_block() to misidentify an existing block as non-existent, causing both data block lookup and insertion to fail inconsistently.

 The second flaw is that nilfs_get_block() returns a successful status in this inconsistent state. This causes the caller __block_write_begin_int() or others to request a read even though the buffer is not mapped, resulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc() failing.

 This fixes the first issue by changing the return value to code -EINVAL when a conversion using DAT fails with code -ENOENT, avoiding the conflicting condition that leads to the kernel bug described above. Here, code -EINVAL indicates that metadata corruption was detected during the block lookup, which will be properly handled as a file system error and converted to -EIO when passing through the nilfs2 bmap layer.

 CVE-2024-26955:
 In the Linux kernel, the following vulnerability has been resolved:

 nilfs2: prevent kernel bug at submit_bh_wbc()

 Fix a bug where nilfs_get_block() returns a successful status when searching and inserting the specified block both fail inconsistently. If this inconsistent behavior is not due to a previously fixed bug, then an unexpected race is occurring, so return a temporary error -EAGAIN instead.

 This prevents callers such as __block_write_begin_int() from requesting a read into a buffer that is not mapped, which would cause the BUG_ON check for the BH_Mapped flag in submit_bh_wbc() to fail.

 CVE-2024-26923:
 In the Linux kernel, the following vulnerability has been resolved:

 af_unix: Fix garbage collector racing against connect()

 Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list.

 sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped

 connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc()
 ---------------- ------------------------- -----------

 NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0

 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V])

 // V became in-flight // V count=2 inflight=1

 close(V)

 // V count=1 inflight=1 // GC candidate condition met

 for u in gc_inflight_list:
 if (total_refs == inflight_refs) add u to gc_candidates

 // gc_candidates={L, V}

 for u in gc_candidates:
 scan_children(u, dec_inflight)

 // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged
 __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates:
 if (u.inflight) scan_children(u, inc_inflight_move_tail)

 // V count=1 inflight=2 (!)

 If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.

 CVE-2024-26910:
 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: ipset: fix performance regression in swap operation

 The patch netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test, commit 28628fa9 fixes a race condition.
 But the synchronize_rcu() added to the swap function unnecessarily slows it down: it can safely be moved to destroy and use call_rcu() instead.

 Eric Dumazet pointed out that simply calling the destroy functions as rcu callback does not work: sets with timeout use garbage collectors which need cancelling at destroy which can wait. Therefore the destroy functions are split into two: cancelling garbage collectors safely at executing the command received by netlink and moving the remaining part only into the rcu callback.

 CVE-2024-26898:
 In the Linux kernel, the following vulnerability has been resolved:

 aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts

 This patch is against CVE-2023-6270. The description of cve is:

 A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.

 In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial code is finished. But the net_device ifp will still be used in later tx()->dev_queue_xmit() in kthread. Which means that the dev_put(ifp) should NOT be called in the success path of skb initial code in aoecmd_cfg_pkts(). Otherwise tx() may run in ...

 Please note that the description has been truncated due to length. Please refer to vendor advisory for the full description.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://mirrors.tencent.com/tlinux/errata/tssa-20241027.xml

Plugin Details

Severity: High

ID: 276196

File Name: tencentos_TSSA_2024_1027.nasl

Version: 1.1

Type: local

Published: 11/20/2025

Updated: 11/20/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.7

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2021-42008

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2024-26898

Vulnerability Information

CPE: cpe:/o:tencent:tencentos_server:3, p-cpe:/a:tencent:tencentos_server:kernel

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/etc/os-release, Host/TencentOS/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/4/2024

Vulnerability Publication Date: 7/21/2021

CISA Known Exploited Vulnerability Due Dates: 4/20/2023

Reference Information

CVE: CVE-2019-25162, CVE-2021-37159, CVE-2021-42008, CVE-2021-46906, CVE-2021-46985, CVE-2021-46991, CVE-2021-46998, CVE-2021-47015, CVE-2021-47082, CVE-2021-47100, CVE-2021-47114, CVE-2021-47117, CVE-2021-47120, CVE-2021-47122, CVE-2021-47126, CVE-2021-47129, CVE-2021-47145, CVE-2021-47166, CVE-2021-47168, CVE-2021-47184, CVE-2021-47190, CVE-2021-47379, CVE-2021-47483, CVE-2021-47497, CVE-2021-47499, CVE-2021-47508, CVE-2021-47547, CVE-2021-47548, CVE-2021-47552, CVE-2021-47566, CVE-2021-47572, CVE-2022-2873, CVE-2022-3107, CVE-2022-3111, CVE-2022-48688, CVE-2023-0266, CVE-2023-1073, CVE-2023-1075, CVE-2023-1670, CVE-2023-1829, CVE-2023-1855, CVE-2023-28327, CVE-2023-28466, CVE-2023-28772, CVE-2023-39197, CVE-2023-52435, CVE-2023-52509, CVE-2023-52510, CVE-2023-52522, CVE-2023-52525, CVE-2023-52527, CVE-2023-52528, CVE-2023-52574, CVE-2023-52577, CVE-2023-52609, CVE-2023-52615, CVE-2023-52619, CVE-2023-52623, CVE-2023-52635, CVE-2023-52644, CVE-2023-52705, CVE-2023-52821, CVE-2023-52826, CVE-2023-52828, CVE-2023-52840, CVE-2023-52847, CVE-2023-52855, CVE-2023-6040, CVE-2023-6932, CVE-2023-7192, CVE-2024-0607, CVE-2024-0646, CVE-2024-26635, CVE-2024-26636, CVE-2024-26638, CVE-2024-26663, CVE-2024-26671, CVE-2024-26673, CVE-2024-26675, CVE-2024-26686, CVE-2024-26696, CVE-2024-26704, CVE-2024-26735, CVE-2024-26737, CVE-2024-26752, CVE-2024-26772, CVE-2024-26791, CVE-2024-26804, CVE-2024-26820, CVE-2024-26825, CVE-2024-26828, CVE-2024-26840, CVE-2024-26845, CVE-2024-26883, CVE-2024-26884, CVE-2024-26885, CVE-2024-26898, CVE-2024-26910, CVE-2024-26923, CVE-2024-26955, CVE-2024-26956, CVE-2024-26965, CVE-2024-26973, CVE-2024-27025, CVE-2024-27038, CVE-2024-27044, CVE-2024-27388, CVE-2024-35925, CVE-2024-35935, CVE-2024-35936, CVE-2024-35969, CVE-2024-35982, CVE-2024-35998, CVE-2024-36004, CVE-2024-36006, CVE-2024-36007