Summary:
kernel security update
Severity: High
Advisory ID: KylinSec-SA-2025-2722
Release date: June 11, 2025
Related CVEs: CVE-2025-21935 CVE-2023-52935 CVE-2025-21781 CVE-2025-21780 CVE-2023-53010 CVE-2025-22035 CVE-2025-21877 CVE-2025-21898 CVE-2025-21993
The Linux Kernel, the operating system core itself.
Security Fix(es):
In the Linux kernel, the following vulnerability has been resolved:
mm/khugepaged: fix ->anon_vma race
If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires
it to be locked.
Page table traversal is allowed under any one of the mmap lock, the
anon_vma lock (if the VMA is associated with an anon_vma), and the
mapping lock (if the VMA is associated with a mapping); and so to be
able to remove page tables, we must hold all three of them.
retract_page_tables() bails out if an ->anon_vma is attached, but does
this check before holding the mmap lock (as the comment above the check
explains).
If we racily merged an existing ->anon_vma (shared with a child
process) from a neighboring VMA, subsequent rmap traversals on pages
belonging to the child will be able to see the page tables that we are
concurrently removing while assuming that nothing else can access them.
Repeat the ->anon_vma check once we hold the mmap lock to ensure that
there really is no concurrent page table access.
Hitting this bug causes a lockdep warning in collapse_and_free_pmd(),
in the line "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)".
It can also lead to use-after-free access. (CVE-2023-52935)
In the Linux kernel, the following vulnerability has been resolved:
bnxt: Do not read past the end of test names
Test names were being concatenated based on an offset beyond the end of
the first name, which tripped the buffer overflow detection logic:
detected buffer overflow in strnlen
[...]
Call Trace:
bnxt_ethtool_init.cold+0x18/0x18
Refactor struct hwrm_selftest_qlist_output to use an actual array,
and adjust the concatenation to use snprintf() rather than a series of
strncat() calls. (CVE-2023-53010)
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()
If a malicious user provides a small pptable through sysfs and then
a bigger pptable, it may cause buffer overflow attack in function
smu_sys_set_pp_table(). (CVE-2025-21780)
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: fix panic during interface removal
Reference counting is used to ensure that
batadv_hardif_neigh_node and batadv_hard_iface
are not freed before/during
batadv_v_elp_throughput_metric_update work is
finished.
But there isn't a guarantee that the hard if will
remain associated with a soft interface up until
the work is finished.
This fixes a crash triggered by reboot that looks
like this:
Call trace:
batadv_v_mesh_free+0xd0/0x4dc [batman_adv]
batadv_v_elp_throughput_metric_update+0x1c/0xa4
process_one_work+0x178/0x398
worker_thread+0x2e8/0x4d0
kthread+0xd8/0xdc
ret_from_fork+0x10/0x20
(the batadv_v_mesh_free call is misleading,
and does not actually happen)
I was able to make the issue happen more reliably
by changing hardif_neigh->bat_v.metric_work work
to be delayed work. This allowed me to track down
and confirm the fix.
[sven@narfation.org: prevent entering batadv_v_elp_get_throughput without
soft_iface] (CVE-2025-21781)
In the Linux kernel, the following vulnerability has been resolved:
usbnet: gl620a: fix endpoint checking in genelink_bind()
Syzbot reports [1] a warning in usb_submit_urb() triggered by
inconsistencies between expected and actually present endpoints
in gl620a driver. Since genelink_bind() does not properly
verify whether specified eps are in fact provided by the device,
in this case, an artificially manufactured one, one may get a
mismatch.
Fix the issue by resorting to a usbnet utility function
usbnet_get_endpoints(), usually reserved for this very problem.
Check for endpoints and return early before proceeding further if
any are missing.
[1] Syzbot report:
usb 5-1: Manufacturer: syz
usb 5-1: SerialNumber: syz
usb 5-1: config 0 descriptor??
gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1...
------------[ cut here ]------------
usb 5-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
Modules linked in:
CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: mld mld_ifc_work
RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
...
Call Trace:
<TASK>
usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467
__netdev_start_xmit include/linux/netdevice.h:5002 [inline]
netdev_start_xmit include/linux/netdevice.h:5011 [inline]
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606
sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343
__dev_xmit_skb net/core/dev.c:3827 [inline]
__dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400
dev_queue_xmit include/linux/netdevice.h:3168 [inline]
neigh_resolve_output net/core/neighbour.c:1514 [inline]
neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494
neigh_output include/net/neighbour.h:539 [inline]
ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141
__ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netfilter.h:308 [inline]
mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819
mld_send_cr net/ipv6/mcast.c:2120 [inline]
mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK> (CVE-2025-21877)
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Avoid potential division by zero in function_stat_show()
Check whether denominator expression x * (x - 1) * 1000 mod {2^32, 2^64}
produces zero and skip stddev computation in that case.
For now don't care about rec->counter * rec->counter overflow because
rec->time * rec->time overflow will likely happen earlier. (CVE-2025-21898)
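An added illustration of the guard described above (not the kernel's code): in fixed-width unsigned arithmetic, x * (x - 1) * 1000 wraps to zero for some counts greater than 1, so the wrapped denominator itself has to be tested before dividing. The function names and the sample counts are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Denominator x * (x - 1) * 1000 in 32- and 64-bit unsigned arithmetic.
 * Unsigned overflow is defined in C: the result wraps mod 2^32 / 2^64. */
uint32_t denom32(uint32_t x) { return (uint32_t)(x * (x - 1u) * 1000u); }
uint64_t denom64(uint64_t x) { return x * (x - 1u) * 1000u; }

/* Hypothetical helper: divide only when the wrapped denominator is
 * non-zero; otherwise skip the computation and report 0. */
bool stddev_sq_checked(uint64_t numerator, uint64_t x, uint64_t *out)
{
    uint64_t d = denom64(x);

    *out = 0;
    if (d == 0)
        return false;           /* skip instead of dividing by zero */
    *out = numerator / d;
    return true;
}

int main(void)
{
    /* Constructed counts: 2^29 and 2^61 make the product a multiple
     * of 2^32 and 2^64 respectively, because 1000 = 2^3 * 125. */
    uint64_t v;
    bool ok;

    printf("denom32(2^29) = %u\n", (unsigned)denom32(UINT32_C(1) << 29));
    printf("denom64(2^61) = %llu\n",
           (unsigned long long)denom64(UINT64_C(1) << 61));

    ok = stddev_sq_checked(12345, UINT64_C(1) << 61, &v);
    printf("x = 2^61: computed=%d value=%llu\n", ok, (unsigned long long)v);

    ok = stddev_sq_checked(12000, 3, &v);
    printf("x = 3:    computed=%d value=%llu\n", ok, (unsigned long long)v);
    return 0;
}
```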
In the Linux kernel, the following vulnerability has been resolved:
rapidio: add check for rio_add_net() in rio_scan_alloc_net()
The return value of rio_add_net() should be checked. If it fails,
put_device() should be called to free the memory and give up the reference
initialized in rio_add_net(). (CVE-2025-21935)
In the Linux kernel, the following vulnerability has been resolved:
iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()
When performing an iSCSI boot using IPv6, iscsistart still reads the
/sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix
length is 64, this causes the shift exponent to become negative,
triggering a UBSAN warning. As the concept of a subnet mask does not
apply to IPv6, the value is set to ~0 to suppress the warning message. (CVE-2025-21993)
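An added sketch of the range check described above (not the kernel's code; the function names are assumptions, as is the usual 32 - prefix shift for building the mask): an IPv6 prefix length of 64 gives a negative shift exponent unless it is special-cased. The example goes one step beyond the text and also guards a prefix length of 0, whose exponent of 32 is equally out of range for a 32-bit shift.

```c
#include <stdint.h>
#include <stdio.h>

/* Shift exponent used when a prefix length is turned into a 32-bit
 * mask. For an IPv6 prefix length of 64 it is 32 - 64 = -32. */
int mask_shift_exponent(unsigned int prefix_len)
{
    return 32 - (int)prefix_len;
}

/* Hypothetical guarded conversion, result in host byte order. */
uint32_t prefix_to_mask(unsigned int prefix_len)
{
    if (prefix_len > 32)        /* not an IPv4 prefix: report ~0 */
        return ~UINT32_C(0);
    if (prefix_len == 0)        /* exponent 32 is also out of range */
        return 0;
    return ~((UINT32_C(1) << (32 - prefix_len)) - 1);
}

int main(void)
{
    /* Constructed sample prefix lengths, including the IPv6 value 64. */
    const unsigned int samples[] = { 0, 8, 24, 32, 64 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("prefix %2u  exponent %3d  mask 0x%08x\n",
               samples[i], mask_shift_exponent(samples[i]),
               (unsigned)prefix_to_mask(samples[i]));
    return 0;
}
```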
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix use-after-free in print_graph_function_flags during tracer switching
Kairui reported a UAF issue in print_graph_function_flags() during
ftrace stress testing [1]. This issue can be reproduced if putting a
'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(),
and executing the following script:
$ echo function_graph > current_tracer
$ cat trace > /dev/null &
$ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point
$ echo timerlat > current_tracer
The root cause lies in the two calls to print_graph_function_flags
within print_trace_line during each s_show():
* One through 'iter->trace->print_line()';
* Another through 'event->funcs->trace()', which is hidden in
print_trace_fmt() before print_trace_line returns.
Tracer switching only updates the former, while the latter continues
to use the print_line function of the old tracer, which in the script
above is print_graph_function_flags.
Moreover, when switching from the 'function_graph' tracer to the
'timerlat' tracer, s_start only calls graph_trace_close of the
'function_graph' tracer to free 'iter->private', but does not set
it to NULL. This provides an opportunity for 'event->funcs->trace()'
to use an invalid 'iter->private'.
To fix this issue, set 'iter->private' to NULL immediately after
freeing it in graph_trace_close(), ensuring that an invalid pointer
is not passed to other tracers. Additionally, clean up the unnecessary
'iter->private = NULL' during each 'cat trace' when using wakeup and
irqsoff tracers.
[1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/ (CVE-2025-22035)
CVE | Product | Component | Affected status |
---|---|---|---|
CVE-2025-21935 | KY3.5.3 | kernel | Fixed |
CVE-2025-21935 | KY3.5.2 | kernel | Fixed |
CVE-2023-52935 | KY3.5.3 | kernel | Fixed |
CVE-2023-52935 | KY3.5.2 | kernel | Fixed |
CVE-2025-21781 | KY3.5.3 | kernel | Fixed |
CVE-2025-21781 | KY3.5.2 | kernel | Fixed |
CVE-2025-21780 | KY3.5.3 | kernel | Fixed |
CVE-2025-21780 | KY3.5.2 | kernel | Fixed |
CVE-2023-53010 | KY3.5.3 | kernel | Fixed |
CVE-2023-53010 | KY3.5.2 | kernel | Fixed |
CVE-2025-22035 | KY3.5.3 | kernel | Fixed |
CVE-2025-22035 | KY3.5.2 | kernel | Fixed |
CVE-2025-21877 | KY3.5.3 | kernel | Fixed |
CVE-2025-21877 | KY3.5.2 | kernel | Fixed |
CVE-2025-21898 | KY3.5.3 | kernel | Fixed |
CVE-2025-21898 | KY3.5.2 | kernel | Fixed |
CVE-2025-21993 | KY3.5.3 | kernel | Fixed |
CVE-2025-21993 | KY3.5.2 | kernel | Fixed |
Package | Architecture | Version |
---|---|---|
bpftool | x86_64 | 5.10.0-236.0.0.rt62.63.ky3_5 |
kernel | x86_64 | 5.10.0-216.0.0.115.kb9.ky3_5 |
kernel-devel | x86_64 | 5.10.0-216.0.0.115.kb9.ky3_5 |
kernel-headers | x86_64 | 5.10.0-216.0.0.115.kb9.ky3_5 |
kernel-source | x86_64 | 5.10.0-216.0.0.115.kb9.ky3_5 |
kernel-tools | x86_64 | 5.10.0-216.0.0.115.kb9.ky3_5 |
kernel-tools-devel | x86_64 | 5.10.0-216.0.0.115.kb9.ky3_5 |
perf | x86_64 | 5.10.0-236.0.0.rt62.63.ky3_5 |
python3-perf | x86_64 | 5.10.0-236.0.0.rt62.63.ky3_5 |
bpftool | aarch64 | 5.10.0-236.0.0.rt62.63.ky3_5 |
kernel | aarch64 | 5.10.0-216.0.0.115.kb9.ky3_5 |
kernel-devel | aarch64 | 5.10.0-216.0.0.115.kb9.ky3_5 |
kernel-headers | aarch64 | 5.10.0-216.0.0.115.kb9.ky3_5 |
kernel-source | aarch64 | 5.10.0-216.0.0.115.kb9.ky3_5 |
kernel-tools | aarch64 | 5.10.0-216.0.0.115.kb9.ky3_5 |
kernel-tools-devel | aarch64 | 5.10.0-216.0.0.115.kb9.ky3_5 |
perf | aarch64 | 5.10.0-236.0.0.rt62.63.ky3_5 |
python3-perf | aarch64 | 5.10.0-236.0.0.rt62.63.ky3_5 |
Package | Architecture | Version |
---|---|---|
bpftool | x86_64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
kernel | x86_64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
kernel-devel | x86_64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
kernel-headers | x86_64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
kernel-source | x86_64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
kernel-tools | x86_64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
kernel-tools-devel | x86_64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
perf | x86_64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
python3-perf | x86_64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
bpftool | aarch64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
kernel | aarch64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
kernel-devel | aarch64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
kernel-headers | aarch64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
kernel-source | aarch64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
kernel-tools | aarch64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
kernel-tools-devel | aarch64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
perf | aarch64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
python3-perf | aarch64 | 5.10.0-216.0.0.115.kb13.ky3_5 |
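Method 1: Download the packages and upgrade manually
1. Download the update package you need from the download link and save it, e.g. xxx.rpm
2. Upgrade with the rpm command, e.g. rpm -Uvh xxx.rpm
Method 2: Upgrade from the software repository
1. Make sure the system can reach the Internet
2. Upgrade the specified package with the yum command, e.g. yum install <package name>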