{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-5.15.0-134", "linux-headers-5.15.0-134-generic", "linux-image-5.15.0-134-generic", "linux-modules-5.15.0-134-generic" ], "removed": [ "linux-headers-5.15.0-133", "linux-headers-5.15.0-133-generic", "linux-image-5.15.0-133-generic", "linux-modules-5.15.0-133-generic" ], "diff": [ "libgssapi-krb5-2:ppc64el", "libk5crypto3:ppc64el", "libkrb5-3:ppc64el", "libkrb5support0:ppc64el", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual" ] } }, "diff": { "deb": [ { "name": "libgssapi-krb5-2:ppc64el", "from_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.5", "version": "1.19.2-2ubuntu0.5" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.6", "version": "1.19.2-2ubuntu0.6" }, "cves": [ { "cve": "CVE-2024-26458", "url": "https://ubuntu.com/security/CVE-2024-26458", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", "cve_priority": "negligible", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2024-26461", "url": "https://ubuntu.com/security/CVE-2024-26461", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", "cve_priority": "low", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2025-24528", "url": "https://ubuntu.com/security/CVE-2025-24528", "cve_description": "In MIT krb5 release 1.7 and later with incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash.", "cve_priority": "medium", "cve_public_date": "2025-01-31" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-26458", "url": "https://ubuntu.com/security/CVE-2024-26458", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", "cve_priority": "negligible", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2024-26461", "url": "https://ubuntu.com/security/CVE-2024-26461", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", "cve_priority": "low", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2025-24528", "url": "https://ubuntu.com/security/CVE-2025-24528", "cve_description": "In MIT krb5 release 1.7 and later with incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash.", "cve_priority": "medium", "cve_public_date": "2025-01-31" } ], "log": [ "", " * SECURITY UPDATE: denial of service via two memory leaks", " - debian/patches/CVE-2024-26458.patch: fix two unlikely memory leaks in", " src/lib/gssapi/krb5/k5sealv3.c, src/lib/rpc/pmap_rmt.c.", " - CVE-2024-26458", " - CVE-2024-26461", " * SECURITY UPDATE: kadmind DoS via iprop log file", " - debian/patches/CVE-2025-24528.patch: prevent overflow when", " calculating ulog block size in src/lib/kdb/kdb_log.c.", " - CVE-2025-24528", "" ], "package": "krb5", "version": "1.19.2-2ubuntu0.6", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 25 Feb 2025 12:26:06 -0500" } ], "notes": null }, { "name": "libk5crypto3:ppc64el", "from_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.5", "version": "1.19.2-2ubuntu0.5" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.6", "version": "1.19.2-2ubuntu0.6" }, "cves": [ { "cve": "CVE-2024-26458", "url": "https://ubuntu.com/security/CVE-2024-26458", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", "cve_priority": "negligible", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2024-26461", "url": "https://ubuntu.com/security/CVE-2024-26461", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", "cve_priority": "low", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2025-24528", "url": "https://ubuntu.com/security/CVE-2025-24528", "cve_description": "In MIT krb5 release 1.7 and later with incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash.", "cve_priority": "medium", "cve_public_date": "2025-01-31" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-26458", "url": "https://ubuntu.com/security/CVE-2024-26458", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", "cve_priority": "negligible", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2024-26461", "url": "https://ubuntu.com/security/CVE-2024-26461", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", "cve_priority": "low", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2025-24528", "url": "https://ubuntu.com/security/CVE-2025-24528", "cve_description": "In MIT krb5 release 1.7 and later with incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash.", "cve_priority": "medium", "cve_public_date": "2025-01-31" } ], "log": [ "", " * SECURITY UPDATE: denial of service via two memory leaks", " - debian/patches/CVE-2024-26458.patch: fix two unlikely memory leaks in", " src/lib/gssapi/krb5/k5sealv3.c, src/lib/rpc/pmap_rmt.c.", " - CVE-2024-26458", " - CVE-2024-26461", " * SECURITY UPDATE: kadmind DoS via iprop log file", " - debian/patches/CVE-2025-24528.patch: prevent overflow when", " calculating ulog block size in src/lib/kdb/kdb_log.c.", " - CVE-2025-24528", "" ], "package": "krb5", "version": "1.19.2-2ubuntu0.6", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 25 Feb 2025 12:26:06 -0500" } ], "notes": null }, { "name": "libkrb5-3:ppc64el", "from_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.5", "version": "1.19.2-2ubuntu0.5" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.6", "version": "1.19.2-2ubuntu0.6" }, "cves": [ { "cve": "CVE-2024-26458", "url": "https://ubuntu.com/security/CVE-2024-26458", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", "cve_priority": "negligible", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2024-26461", "url": "https://ubuntu.com/security/CVE-2024-26461", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", "cve_priority": "low", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2025-24528", "url": "https://ubuntu.com/security/CVE-2025-24528", "cve_description": "In MIT krb5 release 1.7 and later with incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash.", "cve_priority": "medium", "cve_public_date": "2025-01-31" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-26458", "url": "https://ubuntu.com/security/CVE-2024-26458", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", "cve_priority": "negligible", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2024-26461", "url": "https://ubuntu.com/security/CVE-2024-26461", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", "cve_priority": "low", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2025-24528", "url": "https://ubuntu.com/security/CVE-2025-24528", "cve_description": "In MIT krb5 release 1.7 and later with incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash.", "cve_priority": "medium", "cve_public_date": "2025-01-31" } ], "log": [ "", " * SECURITY UPDATE: denial of service via two memory leaks", " - debian/patches/CVE-2024-26458.patch: fix two unlikely memory leaks in", " src/lib/gssapi/krb5/k5sealv3.c, src/lib/rpc/pmap_rmt.c.", " - CVE-2024-26458", " - CVE-2024-26461", " * SECURITY UPDATE: kadmind DoS via iprop log file", " - debian/patches/CVE-2025-24528.patch: prevent overflow when", " calculating ulog block size in src/lib/kdb/kdb_log.c.", " - CVE-2025-24528", "" ], "package": "krb5", "version": "1.19.2-2ubuntu0.6", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 25 Feb 2025 12:26:06 -0500" } ], "notes": null }, { "name": "libkrb5support0:ppc64el", "from_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.5", "version": "1.19.2-2ubuntu0.5" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.19.2-2ubuntu0.6", "version": "1.19.2-2ubuntu0.6" }, "cves": [ { "cve": "CVE-2024-26458", "url": "https://ubuntu.com/security/CVE-2024-26458", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", "cve_priority": "negligible", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2024-26461", "url": "https://ubuntu.com/security/CVE-2024-26461", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", "cve_priority": "low", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2025-24528", "url": "https://ubuntu.com/security/CVE-2025-24528", "cve_description": "In MIT krb5 release 1.7 and later with incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash.", "cve_priority": "medium", "cve_public_date": "2025-01-31" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-26458", "url": "https://ubuntu.com/security/CVE-2024-26458", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", "cve_priority": "negligible", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2024-26461", "url": "https://ubuntu.com/security/CVE-2024-26461", "cve_description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", "cve_priority": "low", "cve_public_date": "2024-02-29 01:44:00 UTC" }, { "cve": "CVE-2025-24528", "url": "https://ubuntu.com/security/CVE-2025-24528", "cve_description": "In MIT krb5 release 1.7 and later with incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash.", "cve_priority": "medium", "cve_public_date": "2025-01-31" } ], "log": [ "", " * SECURITY UPDATE: denial of service via two memory leaks", " - debian/patches/CVE-2024-26458.patch: fix two unlikely memory leaks in", " src/lib/gssapi/krb5/k5sealv3.c, src/lib/rpc/pmap_rmt.c.", " - CVE-2024-26458", " - CVE-2024-26461", " * SECURITY UPDATE: kadmind DoS via iprop log file", " - debian/patches/CVE-2025-24528.patch: prevent overflow when", " calculating ulog block size in src/lib/kdb/kdb_log.c.", " - CVE-2025-24528", "" ], "package": "krb5", "version": "1.19.2-2ubuntu0.6", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 25 Feb 2025 12:26:06 -0500" } ], "notes": null }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.133.132", "version": "5.15.0.133.132" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.134.133", "version": "5.15.0.134.133" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-134", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta", "version": "5.15.0.134.133", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Wed, 12 Feb 2025 20:36:15 +0100" } ], "notes": null }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.133.132", "version": "5.15.0.133.132" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.134.133", "version": "5.15.0.134.133" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-134", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta", "version": "5.15.0.134.133", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Wed, 12 Feb 2025 20:36:15 +0100" } ], "notes": null }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.133.132", "version": "5.15.0.133.132" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.134.133", "version": "5.15.0.134.133" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-134", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta", "version": "5.15.0.134.133", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Wed, 12 Feb 2025 20:36:15 +0100" } ], "notes": null }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.133.132", "version": "5.15.0.133.132" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.134.133", "version": "5.15.0.134.133" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-134", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta", "version": "5.15.0.134.133", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Wed, 12 Feb 2025 20:36:15 +0100" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-5.15.0-134", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-133.144", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-134.145", "version": "5.15.0-134.145" }, "cves": [ { "cve": "CVE-2024-56672", "url": "https://ubuntu.com/security/CVE-2024-56672", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To walk up, it uses blkcg_parent(blkcg) but it was calling that after blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the following UAF: ================================================================== BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270 Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117 CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022 Workqueue: cgwb_release cgwb_release_workfn Call Trace: dump_stack_lvl+0x27/0x80 print_report+0x151/0x710 kasan_report+0xc0/0x100 blkcg_unpin_online+0x15a/0x270 cgwb_release_workfn+0x194/0x480 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 ... Freed by task 1944: kasan_save_track+0x2b/0x70 kasan_save_free_info+0x3c/0x50 __kasan_slab_free+0x33/0x50 kfree+0x10c/0x330 css_free_rwork_fn+0xe6/0xb30 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 Note that the UAF is not easy to trigger as the free path is indirected behind a couple RCU grace periods and a work item execution. I could only trigger it with artifical msleep() injected in blkcg_unpin_online(). Fix it by reading the parent pointer before destroying the blkcg's blkg's.", "cve_priority": "high", "cve_public_date": "2024-12-27 15:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2097944, 1786013 ], "changes": [ { "cves": [ { "cve": "CVE-2024-56672", "url": "https://ubuntu.com/security/CVE-2024-56672", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To walk up, it uses blkcg_parent(blkcg) but it was calling that after blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the following UAF: ================================================================== BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270 Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117 CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022 Workqueue: cgwb_release cgwb_release_workfn Call Trace: dump_stack_lvl+0x27/0x80 print_report+0x151/0x710 kasan_report+0xc0/0x100 blkcg_unpin_online+0x15a/0x270 cgwb_release_workfn+0x194/0x480 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 ... Freed by task 1944: kasan_save_track+0x2b/0x70 kasan_save_free_info+0x3c/0x50 __kasan_slab_free+0x33/0x50 kfree+0x10c/0x330 css_free_rwork_fn+0xe6/0xb30 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 Note that the UAF is not easy to trigger as the free path is indirected behind a couple RCU grace periods and a work item execution. I could only trigger it with artifical msleep() injected in blkcg_unpin_online(). Fix it by reading the parent pointer before destroying the blkcg's blkg's.", "cve_priority": "high", "cve_public_date": "2024-12-27 15:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-134.145 -proposed tracker (LP: #2097944)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/s2025.01.13)", "", " * CVE-2024-56672", " - blk-cgroup: Fix UAF in blkcg_unpin_online()", "" ], "package": "linux", "version": "5.15.0-134.145", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2097944, 1786013 ], "author": "Manuel Diewald ", "date": "Wed, 12 Feb 2025 19:47:13 +0100" } ], "notes": "linux-headers-5.15.0-134 version '5.15.0-134.145' (source package linux version '5.15.0-134.145') was added. linux-headers-5.15.0-134 version '5.15.0-134.145' has the same source package name, linux, as removed package linux-headers-5.15.0-133. As such we can use the source package version of the removed package, '5.15.0-133.144', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-headers-5.15.0-134-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-133.144", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-134.145", "version": "5.15.0-134.145" }, "cves": [ { "cve": "CVE-2024-56672", "url": "https://ubuntu.com/security/CVE-2024-56672", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To walk up, it uses blkcg_parent(blkcg) but it was calling that after blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the following UAF: ================================================================== BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270 Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117 CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022 Workqueue: cgwb_release cgwb_release_workfn Call Trace: dump_stack_lvl+0x27/0x80 print_report+0x151/0x710 kasan_report+0xc0/0x100 blkcg_unpin_online+0x15a/0x270 cgwb_release_workfn+0x194/0x480 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 ... Freed by task 1944: kasan_save_track+0x2b/0x70 kasan_save_free_info+0x3c/0x50 __kasan_slab_free+0x33/0x50 kfree+0x10c/0x330 css_free_rwork_fn+0xe6/0xb30 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 Note that the UAF is not easy to trigger as the free path is indirected behind a couple RCU grace periods and a work item execution. I could only trigger it with artifical msleep() injected in blkcg_unpin_online(). Fix it by reading the parent pointer before destroying the blkcg's blkg's.", "cve_priority": "high", "cve_public_date": "2024-12-27 15:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2097944, 1786013 ], "changes": [ { "cves": [ { "cve": "CVE-2024-56672", "url": "https://ubuntu.com/security/CVE-2024-56672", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To walk up, it uses blkcg_parent(blkcg) but it was calling that after blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the following UAF: ================================================================== BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270 Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117 CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022 Workqueue: cgwb_release cgwb_release_workfn Call Trace: dump_stack_lvl+0x27/0x80 print_report+0x151/0x710 kasan_report+0xc0/0x100 blkcg_unpin_online+0x15a/0x270 cgwb_release_workfn+0x194/0x480 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 ... Freed by task 1944: kasan_save_track+0x2b/0x70 kasan_save_free_info+0x3c/0x50 __kasan_slab_free+0x33/0x50 kfree+0x10c/0x330 css_free_rwork_fn+0xe6/0xb30 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 Note that the UAF is not easy to trigger as the free path is indirected behind a couple RCU grace periods and a work item execution. I could only trigger it with artifical msleep() injected in blkcg_unpin_online(). Fix it by reading the parent pointer before destroying the blkcg's blkg's.", "cve_priority": "high", "cve_public_date": "2024-12-27 15:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-134.145 -proposed tracker (LP: #2097944)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/s2025.01.13)", "", " * CVE-2024-56672", " - blk-cgroup: Fix UAF in blkcg_unpin_online()", "" ], "package": "linux", "version": "5.15.0-134.145", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2097944, 1786013 ], "author": "Manuel Diewald ", "date": "Wed, 12 Feb 2025 19:47:13 +0100" } ], "notes": "linux-headers-5.15.0-134-generic version '5.15.0-134.145' (source package linux version '5.15.0-134.145') was added. linux-headers-5.15.0-134-generic version '5.15.0-134.145' has the same source package name, linux, as removed package linux-headers-5.15.0-133. As such we can use the source package version of the removed package, '5.15.0-133.144', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-5.15.0-134-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-133.144", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-134.145", "version": "5.15.0-134.145" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.15.0-134.145", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "5.15.0-134.145", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Wed, 12 Feb 2025 20:36:23 +0100" } ], "notes": "linux-image-5.15.0-134-generic version '5.15.0-134.145' (source package linux-signed version '5.15.0-134.145') was added. linux-image-5.15.0-134-generic version '5.15.0-134.145' has the same source package name, linux-signed, as removed package linux-image-5.15.0-133-generic. As such we can use the source package version of the removed package, '5.15.0-133.144', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-5.15.0-134-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-133.144", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-134.145", "version": "5.15.0-134.145" }, "cves": [ { "cve": "CVE-2024-56672", "url": "https://ubuntu.com/security/CVE-2024-56672", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To walk up, it uses blkcg_parent(blkcg) but it was calling that after blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the following UAF: ================================================================== BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270 Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117 CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022 Workqueue: cgwb_release cgwb_release_workfn Call Trace: dump_stack_lvl+0x27/0x80 print_report+0x151/0x710 kasan_report+0xc0/0x100 blkcg_unpin_online+0x15a/0x270 cgwb_release_workfn+0x194/0x480 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 ... Freed by task 1944: kasan_save_track+0x2b/0x70 kasan_save_free_info+0x3c/0x50 __kasan_slab_free+0x33/0x50 kfree+0x10c/0x330 css_free_rwork_fn+0xe6/0xb30 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 Note that the UAF is not easy to trigger as the free path is indirected behind a couple RCU grace periods and a work item execution. I could only trigger it with artifical msleep() injected in blkcg_unpin_online(). Fix it by reading the parent pointer before destroying the blkcg's blkg's.", "cve_priority": "high", "cve_public_date": "2024-12-27 15:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2097944, 1786013 ], "changes": [ { "cves": [ { "cve": "CVE-2024-56672", "url": "https://ubuntu.com/security/CVE-2024-56672", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To walk up, it uses blkcg_parent(blkcg) but it was calling that after blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the following UAF: ================================================================== BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270 Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117 CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022 Workqueue: cgwb_release cgwb_release_workfn Call Trace: dump_stack_lvl+0x27/0x80 print_report+0x151/0x710 kasan_report+0xc0/0x100 blkcg_unpin_online+0x15a/0x270 cgwb_release_workfn+0x194/0x480 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 ... Freed by task 1944: kasan_save_track+0x2b/0x70 kasan_save_free_info+0x3c/0x50 __kasan_slab_free+0x33/0x50 kfree+0x10c/0x330 css_free_rwork_fn+0xe6/0xb30 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 Note that the UAF is not easy to trigger as the free path is indirected behind a couple RCU grace periods and a work item execution. I could only trigger it with artifical msleep() injected in blkcg_unpin_online(). Fix it by reading the parent pointer before destroying the blkcg's blkg's.", "cve_priority": "high", "cve_public_date": "2024-12-27 15:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-134.145 -proposed tracker (LP: #2097944)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/s2025.01.13)", "", " * CVE-2024-56672", " - blk-cgroup: Fix UAF in blkcg_unpin_online()", "" ], "package": "linux", "version": "5.15.0-134.145", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2097944, 1786013 ], "author": "Manuel Diewald ", "date": "Wed, 12 Feb 2025 19:47:13 +0100" } ], "notes": "linux-modules-5.15.0-134-generic version '5.15.0-134.145' (source package linux version '5.15.0-134.145') was added. linux-modules-5.15.0-134-generic version '5.15.0-134.145' has the same source package name, linux, as removed package linux-headers-5.15.0-133. As such we can use the source package version of the removed package, '5.15.0-133.144', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.15.0-133", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-133.144", "version": "5.15.0-133.144" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-headers-5.15.0-133-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-133.144", "version": "5.15.0-133.144" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-5.15.0-133-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-133.144", "version": "5.15.0-133.144" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-5.15.0-133-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-133.144", "version": "5.15.0-133.144" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from release image serial 20250228 to 20250305", "from_series": "jammy", "to_series": "jammy", "from_serial": "20250228", "to_serial": "20250305", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }