Oracle Linux Security Advisory ELSA-2024-12581

http://linux.oracle.com/errata/ELSA-2024-12581.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
kernel-uek-5.4.17-2136.334.6.el8uek.x86_64.rpm
kernel-uek-debug-5.4.17-2136.334.6.el8uek.x86_64.rpm
kernel-uek-debug-devel-5.4.17-2136.334.6.el8uek.x86_64.rpm
kernel-uek-devel-5.4.17-2136.334.6.el8uek.x86_64.rpm
kernel-uek-doc-5.4.17-2136.334.6.el8uek.noarch.rpm


SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates//kernel-uek-5.4.17-2136.334.6.el8uek.src.rpm

Related CVEs:

CVE-2024-33621
CVE-2024-35976
CVE-2024-36014
CVE-2024-36015
CVE-2024-36016
CVE-2024-36270
CVE-2024-36286
CVE-2024-36288
CVE-2024-36971
CVE-2024-37353
CVE-2024-37356
CVE-2024-38549
CVE-2024-38552
CVE-2024-38558
CVE-2024-38559
CVE-2024-38560
CVE-2024-38565
CVE-2024-38567
CVE-2024-38578
CVE-2024-38579
CVE-2024-38582
CVE-2024-38583
CVE-2024-38589
CVE-2024-38596
CVE-2024-38598
CVE-2024-38599
CVE-2024-38601
CVE-2024-38612
CVE-2024-38613
CVE-2024-38615
CVE-2024-38618
CVE-2024-38621
CVE-2024-38627
CVE-2024-38633
CVE-2024-38634
CVE-2024-38635
CVE-2024-38637
CVE-2024-38659
CVE-2024-38661
CVE-2024-38780
CVE-2024-39276
CVE-2024-39292
CVE-2024-39301
CVE-2024-39467
CVE-2024-39471
CVE-2024-39480
CVE-2024-39488
CVE-2024-39489
CVE-2024-39503
CVE-2024-40916
CVE-2024-41090
CVE-2024-41091




Description of changes:

[5.4.17-2136.334.6.el8uek]
- loop: Fix a race between loop detach and loop open (Gulam Mohamed)  [Orabug: 36197800]
- x86/bhi: Do not enable unnecessary BHI mitigation in OCI and Exadata VMs (Alexandre Chartre)  [Orabug: 36672495]
- x86/bhi: Avoid warning in #DB handler due to BHI mitigation (Alexandre Chartre)  [Orabug: 36642472]
- wifi: wilc1000: fix ies_len type in connect path (Jozef Hopko) 
- net/mlx5e: drop shorter ethernet frames (Manjunath Patil)  [Orabug: 36879157]  {CVE-2024-41090} {CVE-2024-41091}

[5.4.17-2136.334.5.el8uek]
- Fix incorrect syntax in UEK6 OL8 kernel-uek.spec (Sherry Yang)  [Orabug: 36847358]
- rds/ib: decrement ib_rx_total_incs after releasing associated cache (Arumugam Kolappan)  [Orabug: 36722026]

[5.4.17-2136.334.4.el8uek]
- Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ (Luiz Augusto von Dentz) 
- netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type (Jozsef Kadlecsik) [Orabug: 36835599] {CVE-2024-39503}
- drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found (Marek Szyprowski) [Orabug: 36836328] {CVE-2024-40916}
- vxlan: Fix regression when dropping packets due to invalid src addresses (Daniel Borkmann)

[5.4.17-2136.334.3.el8uek]
- rds/rdma: Send info to userspace, even if connnection is down. (Juan Garcia)  [Orabug: 36529562]
- pci: add hotplug patch support for SOLIDIGM Aura10 AIC 0x025e:0x0b60 (Alan Adamson)  [Orabug: 36762919]

[5.4.17-2136.334.2.el8uek]
- LTS tag: v5.4.278 (Alok Tiwari) 
- x86/tsc: Trust initial offset in architectural TSC-adjust MSRs (Daniel J Blueman) 
- io_uring: fail NOP if non-zero op flags is passed in (Ming Lei) 
- nfs: fix undefined behavior in nfs_block_bits() (Sergey Shtylyov) 
- s390/ap: Fix crash in AP internal function modify_bitmap() (Harald Freudenberger) [Orabug: 36774592] {CVE-2024-38661}
- ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() (Baokun Li) [Orabug: 36774598] {CVE-2024-39276}
- sparc: move struct termio to asm/termios.h (Mike Gilbert) 
- xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING (Eric Dumazet) [Orabug: 36643449] {CVE-2024-35976}
- net: fix __dst_negative_advice() race (Eric Dumazet) [Orabug: 36720417] {CVE-2024-36971}
- kdb: Use format-specifiers rather than memset() for padding in kdb_read() (Daniel Thompson) 
- kdb: Merge identical case statements in kdb_read() (Daniel Thompson) 
- kdb: Fix console handling when editing and tab-completing commands (Daniel Thompson) 
- kdb: Use format-strings rather than '- kdb: Fix buffer overflow during tab-complete (Daniel Thompson) [Orabug: 36809288] {CVE-2024-39480}
- sparc64: Fix number of online CPUs (Sam Ravnborg) 
- intel_th: pci: Add Meteor Lake-S CPU support (Alexander Shishkin) 
- net/9p: fix uninit-value in p9_client_rpc() (Nikita Zhandarovich) [Orabug: 36774612] {CVE-2024-39301}
- net/ipv6: Fix route deleting failure when metric equals 0 (xu xin) 
- crypto: ecrdsa - Fix module auto-load on add_key (Vitaly Chikunov) 
- KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode (Marc Zyngier) 
- media: v4l2-core: hold videodev_lock until dev reg, finishes (Hans Verkuil) 
- media: mxl5xx: Move xpt structures off stack (Nathan Chancellor) 
- media: mc: mark the media devnode as registered from the, start (Hans Verkuil) 
- arm64: dts: hi3798cv200: fix the size of GICR (Yang Xiwen) 
- wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU (Bitterblue Smith) 
- arm64: tegra: Correct Tegra132 I2C alias (Krzysztof Kozlowski) 
- ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx (Christoffer Sandberg) 
- ata: pata_legacy: make legacy_exit() work again (Sergey Shtylyov) 
- drm/amdgpu: add error handle to avoid out-of-bounds (Bob Zhou) [Orabug: 36774657] {CVE-2024-39471}
- media: lgdt3306a: Add a check against null-pointer-def (Zheyu Ma) 
- f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode() (Chao Yu) [Orabug: 36774636] {CVE-2024-39467}
- x86/mm: Remove broken vsyscall emulation code from the page fault code (Linus Torvalds) 
- nilfs2: fix use-after-free of timer for log writer thread (Ryusuke Konishi) [Orabug: 36753564] {CVE-2024-38583}
- afs: Don't cross .backup mountpoint from backup volume (Marc Dionne) 
- mmc: core: Do not force a retune before RPMB switch (Jorge Ramirez-Ortiz) 
- binder: fix max_thread type inconsistency (Carlos Llamas) 
- SUNRPC: Fix loop termination condition in gss_free_in_token_pages() (Chuck Lever) [Orabug: 36809512] {CVE-2024-36288}
- ALSA: timer: Set lower bound of start tick time (Takashi Iwai) [Orabug: 36753729] {CVE-2024-38618}
- ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound (Yue Haibing) [Orabug: 36763551] {CVE-2024-33621}
- spi: stm32: Don't warn about spurious interrupts (Uwe Kleine-König) 
- kconfig: fix comparison to constant symbols, 'm', 'n' (Masahiro Yamada) 
- netfilter: tproxy: bail out if IP has been disabled on the device (Florian Westphal) [Orabug: 36763563] {CVE-2024-36270}
- net:fec: Add fec_enet_deinit() (Xiaolei Wang) 
- net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM (Parthiban Veerasooran) 
- smsc95xx: use usbnet->driver_priv (Andre Edich) 
- smsc95xx: remove redundant function arguments (Andre Edich) 
- enic: Validate length of nl attributes in enic_set_vf_port (Roded Zats) [Orabug: 36763836] {CVE-2024-38659}
- dma-buf/sw-sync: don't enable IRQ from sync_print_obj() (Tetsuo Handa) [Orabug: 36763844] {CVE-2024-38780}
- net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion (Carolina Jubran) 
- nvmet: fix ns enable/disable possible hang (Sagi Grimberg) 
- spi: Don't mark message DMA mapped when no transfer in it is (Andy Shevchenko) 
- netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu() (Eric Dumazet) [Orabug: 36763570] {CVE-2024-36286}
- net: fec: avoid lock evasion when reading pps_enable (Wei Fang) 
- virtio: delete vq in vp_find_vqs_msix() when request_irq() fails (Jiri Pirko) [Orabug: 36763587] {CVE-2024-37353}
- arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY (Jiangfeng Xiao) [Orabug: 36825258] {CVE-2024-39488}
- openvswitch: Set the skbuff pkt_type for proper pmtud support. (Aaron Conole) 
- tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). (Kuniyuki Iwashima) [Orabug: 36763591] {CVE-2024-37356}
- params: lift param_set_uint_minmax to common code (Sagi Grimberg) 
- ipv6: sr: fix memleak in seg6_hmac_init_algo (Hangbin Liu) [Orabug: 36825262] {CVE-2024-39489}
- sunrpc: fix NFSACL RPC retry on soft mount (Dan Aloni) 
- x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y (Masahiro Yamada) 
- null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION() (Zhu Yanjun) 
- media: cec: cec-api: add locking in cec_release() (Hans Verkuil) 
- media: cec: cec-adap: always cancel work in cec_transmit_msg_fh (Hans Verkuil) 
- um: Fix the -Wmissing-prototypes warning for __switch_mm (Tiwei Bie) 
- powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp (Shrikanth Hegde) 
- scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy() (Azeem Shaikh) 
- media: stk1160: fix bounds checking in stk1160_copy_video() (Dan Carpenter) [Orabug: 36763602] {CVE-2024-38621}
- um: Add winch to winch_handlers before registering winch IRQ (Roberto Sassu) [Orabug: 36768583] {CVE-2024-39292}
- um: Fix return value in ubd_init() (Duoming Zhou) 
- drm/msm/dpu: Always flush the slave INTF on the CTL (Marijn Suijten) 
- Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation (Fenglin Wu) 
- Input: ims-pcu - fix printf string overflow (Arnd Bergmann) 
- libsubcmd: Fix parse-options memory leak (Ian Rogers) 
- serial: sh-sci: protect invalidating RXDMA on shutdown (Wolfram Sang) 
- f2fs: fix to release node block count in error path of f2fs_new_node_page() (Chao Yu) 
- extcon: max8997: select IRQ_DOMAIN instead of depending on it (Randy Dunlap) 
- ppdev: Add an error check in register_device (Huai-Yuan Liu) [Orabug: 36678064] {CVE-2024-36015}
- ppdev: Remove usage of the deprecated ida_simple_xx() API (Christophe JAILLET) 
- stm class: Fix a double free in stm_register_device() (Dan Carpenter) [Orabug: 36763763] {CVE-2024-38627}
- usb: gadget: u_audio: Clear uac pointer when freed. (Chris Wulff) 
- microblaze: Remove early printk call from cpuinfo-static.c (Michal Simek) 
- microblaze: Remove gcc flag for non existing early_printk.c file (Michal Simek) 
- iio: pressure: dps310: support negative temperature values (Thomas Haemmerle) 
- greybus: arche-ctrl: move device table to its right location (Arnd Bergmann) 
- serial: max3100: Fix bitwise types (Andy Shevchenko) 
- serial: max3100: Update uart_driver_registered on driver removal (Andy Shevchenko) [Orabug: 36763814] {CVE-2024-38633}
- serial: max3100: Lock port->lock when calling uart_handle_cts_change() (Andy Shevchenko) [Orabug: 36763819] {CVE-2024-38634}
- firmware: dmi-id: add a release callback function (Arnd Bergmann) 
- dmaengine: idma64: Add check for dma_set_max_seg_size (Chen Ni) 
- soundwire: cadence: fix invalid PDI offset (Pierre-Louis Bossart) [Orabug: 36763825] {CVE-2024-38635}
- soundwire: cadence_master: improve PDI allocation (Bard Liao) 
- soundwire: intel: don't filter out PDI0/1 (Pierre-Louis Bossart) 
- soundwire: cadence/intel: simplify PDI/port mapping (Pierre-Louis Bossart) 
- greybus: lights: check return of get_channel_from_mode (Rui Miguel Silva) [Orabug: 36763832] {CVE-2024-38637}
- sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level (Vitalii Bursov) 
- af_packet: do not call packet_read_pending() from tpacket_destruct_skb() (Eric Dumazet) 
- netrom: fix possible dead-lock in nr_rt_ioctl() (Eric Dumazet) [Orabug: 36753581] {CVE-2024-38589}
- RDMA/IPoIB: Fix format truncation compilation errors (Leon Romanovsky) 
- selftests/kcmp: remove unused open mode (Edward Liaw) 
- selftests/kcmp: Make the test output consistent and clear (Gautam Menghani) 
- SUNRPC: Fix gss_free_in_token_pages() (Chuck Lever) 
- sunrpc: removed redundant procp check (Aleksandr Aprelkov) 
- ext4: avoid excessive credit estimate in ext4_tmpfile() (Jan Kara) 
- x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map (Adrian Hunter) 
- RDMA/hns: Use complete parentheses in macros (Chengchang Tang) 
- drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector (Marek Vasut) 
- ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value (Steven Rostedt) 
- drm/arm/malidp: fix a possible null pointer dereference (Huai-Yuan Liu) [Orabug: 36678061] {CVE-2024-36014}
- fbdev: sh7760fb: allow modular build (Randy Dunlap) 
- platform/x86: wmi: Make two functions static (YueHaibing) 
- media: radio-shark2: Avoid led_names truncations (Ricardo Ribalda) 
- media: ngene: Add dvb_ca_en50221_init return value check (Aleksandr Burakov) 
- fbdev: sisfb: hide unused variables (Arnd Bergmann) 
- powerpc/fsl-soc: hide unused const variable (Arnd Bergmann) 
- drm/mediatek: Add 0 size check to mtk_drm_gem_obj (Justin Green) [Orabug: 36753414] {CVE-2024-38549}
- fbdev: shmobile: fix snprintf truncation (Arnd Bergmann) 
- mtd: rawnand: hynix: fixed typo (Maxim Korotkov) 
- drm/amd/display: Fix potential index out of bounds in color transformation function (Srinivasan Shanmugam) [Orabug: 36753424] {CVE-2024-38552}
- ipv6: sr: fix invalid unregister error path (Hangbin Liu) [Orabug: 36753710] {CVE-2024-38612}
- ipv6: sr: add missing seg6_local_exit (Hangbin Liu) 
- net: openvswitch: fix overwriting ct original tuple for ICMPv6 (Ilya Maximets) [Orabug: 36753462] {CVE-2024-38558}
- net: usb: smsc95xx: stop lying about skb->truesize (Eric Dumazet) 
- af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg (Breno Leitao) [Orabug: 36753599] {CVE-2024-38596}
- net: ethernet: cortina: Locking fixes (Linus Walleij) 
- m68k: mac: Fix reboot hang on Mac IIci (Finn Thain) 
- m68k: Fix spinlock race in kernel thread creation (Michael Schmitz) [Orabug: 36753714] {CVE-2024-38613}
- net: usb: sr9700: stop lying about skb->truesize (Eric Dumazet) 
- usb: aqc111: stop lying about skb->truesize (Eric Dumazet) 
- wifi: mwl8k: initialize cmd->addr[] properly (Dan Carpenter) 
- scsi: qedf: Ensure the copied buf is NUL terminated (Bui Quang Minh) [Orabug: 36753467] {CVE-2024-38559}
- scsi: bfa: Ensure the copied buf is NUL terminated (Bui Quang Minh) [Orabug: 36753472] {CVE-2024-38560}
- HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors (Chen Ni) 
- Revert "sh: Handle calling csum_partial with misaligned data" (Guenter Roeck) 
- sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe() (Geert Uytterhoeven) 
- wifi: ar5523: enable proper endpoint verification (Nikita Zhandarovich) [Orabug: 36753485] {CVE-2024-38565}
- wifi: carl9170: add a proper sanity check for endpoints (Nikita Zhandarovich) [Orabug: 36753508] {CVE-2024-38567}
- macintosh/via-macii: Fix "BUG: sleeping function called from invalid context" (Finn Thain) 
- tcp: avoid premature drops in tcp_add_backlog() (Eric Dumazet) 
- tcp: fix a signed-integer-overflow bug in tcp_add_backlog() (Lu Wei) 
- tcp: minor optimization in tcp_add_backlog() (Eric Dumazet) 
- wifi: ath10k: populate board data for WCN3990 (Dmitry Baryshkov) 
- wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger() (Su Hui) 
- x86/purgatory: Switch to the position-independent small code model (Ard Biesheuvel) 
- scsi: hpsa: Fix allocation size for Scsi_Host private data (Yuri Karpov) 
- scsi: libsas: Fix the failure of adding phy with zero-address to port (Xingui Yang) 
- cpufreq: exit() callback is optional (Viresh Kumar) [Orabug: 36753721] {CVE-2024-38615}
- cpufreq: Rearrange locking in cpufreq_remove_dev() (Rafael J. Wysocki) 
- cpufreq: Split cpufreq_offline() (Rafael J. Wysocki) 
- cpufreq: Reorganize checks in cpufreq_offline() (Rafael J. Wysocki) 
- ACPI: disable -Wstringop-truncation (Arnd Bergmann) 
- irqchip/alpine-msi: Fix off-by-one in allocation error path (Zenghui Yu) 
- scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL (Andrew Halaney) 
- scsi: ufs: core: Perform read back after disabling interrupts (Andrew Halaney) 
- scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV (Andrew Halaney) 
- scsi: ufs: qcom: Perform read back after writing reset bit (Andrew Halaney) 
- qed: avoid truncating work queue length (Arnd Bergmann) 
- wifi: ath10k: poll service ready message before failing (Baochen Qiang) 
- md: fix resync softlockup when bitmap size is less than array size (Yu Kuai) [Orabug: 36753648] {CVE-2024-38598}
- null_blk: Fix missing mutex_destroy() at module removal (Zhu Yanjun) 
- jffs2: prevent xattr node from overflowing the eraseblock (Ilya Denisyev) [Orabug: 36753651] {CVE-2024-38599}
- s390/cio: fix tracepoint subchannel type field (Peter Oberparleiter) 
- crypto: ccp - drop platform ifdef checks (Arnd Bergmann) 
- parisc: add missing export of __cmpxchg_u8() (Al Viro) 
- nilfs2: fix out-of-range warning (Arnd Bergmann) 
- ecryptfs: Fix buffer size for tag 66 packet (Brian Kubisiak) [Orabug: 36753536] {CVE-2024-38578}
- firmware: raspberrypi: Use correct device for DMA mappings (Laurent Pinchart) 
- crypto: bcm - Fix pointer arithmetic (Aleksandr Mishin) [Orabug: 36753541] {CVE-2024-38579}
- openpromfs: finish conversion to the new mount API (Eric Sandeen) 
- nvme: find numa distance only if controller has valid numa id (Nilay Shroff) 
- drm/amdkfd: Flush the process wq before creating a kfd_process (Lancelot SIX) 
- ASoC: da7219-aad: fix usage of device_get_named_child_node() (Pierre-Louis Bossart) 
- ASoC: dt-bindings: rt5645: add cbj sleeve gpio property (Derek Fang) 
- ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating (Derek Fang) 
- drm/amd/display: Set color_mgmt_changed to true on unsuspend (Joshua Ashton) 
- net: usb: qmi_wwan: add Telit FN920C04 compositions (Daniele Palmas) 
- wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class (Igor Artemiev) 
- nilfs2: fix potential hang in nilfs_detach_log_writer() (Ryusuke Konishi) [Orabug: 36753557] {CVE-2024-38582}
- nilfs2: fix unexpected freezing of nilfs_segctor_sync() (Ryusuke Konishi) 
- net: smc91x: Fix m68k kernel compilation for ColdFire CPU (Thorsten Blum) 
- ring-buffer: Fix a race between readers and resize checks (Petr Pavlu) [Orabug: 36753661] {CVE-2024-38601}
- tty: n_gsm: fix possible out-of-bounds in gsm0_receive() (Daniel Starke) [Orabug: 36678068] {CVE-2024-36016}

[5.4.17-2136.334.1.el8uek]
- rds/rdma: Track rds_message in send, retrans and recv queue (Juan Garcia)  [Orabug: 36529583]
- xfs: make sure sb_fdblocks is non-negative (Wengang Wang)  [Orabug: 36596998]
- xfs: fix sb write verify for lazysbcount (Long Li)  [Orabug: 36596998]
- rds/rdma: Clear rds_info_socket before use (Juan Garcia)  [Orabug: 36613125]


_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata