MGASA-2022-0380 - Updated kernel-linus packages fix security vulnerabilities

Publication date: 23 Oct 2022
URL: https://advisories.mageia.org/MGASA-2022-0380.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-0171,
     CVE-2022-2308,
     CVE-2022-2663,
     CVE-2022-2905,
     CVE-2022-3028,
     CVE-2022-3061,
     CVE-2022-3176,
     CVE-2022-3303,
     CVE-2022-3586,
     CVE-2022-20421,
     CVE-2022-39190,
     CVE-2022-39842,
     CVE-2022-40307,
     CVE-2022-40768,
     CVE-2022-42719,
     CVE-2022-42720,
     CVE-2022-42721,
     CVE-2022-42722,
     CVE-2022-41674,
     CVE-2022-42703

This kernel-linus update is based on upstream 5.15.74 and fixes at least
the following security issues:

A flaw was found in the Linux kernel. The existing KVM SEV API has a
vulnerability that allows a non-root (host) user-level application to
crash the host kernel by creating a confidential guest VM instance in
AMD CPU that supports Secure Encrypted Virtualization (SEV)
(CVE-2022-0171).

A flaw was found in vDPA with VDUSE backend. There are currently no checks
in VDUSE kernel driver to ensure the size of the device config space is in
line with the features advertised by the VDUSE userspace application. In
case of a mismatch, Virtio drivers config read helpers do not initialize
the memory indirectly passed to vduse_vdpa_get_config() returning
uninitialized memory from the stack. This could cause undefined behavior or
data leaks in Virtio drivers (CVE-2022-2308).

An issue was found in the Linux kernel in nf_conntrack_irc where the
message handling can be confused and incorrectly matches the message.
A firewall may be able to be bypassed when users are using unencrypted
IRC with nf_conntrack_irc configured (CVE-2022-2663).

An out-of-bounds memory read flaw was found in the Linux kernel's BPF
subsystem in how a user calls the bpf_tail_call function with a key
larger than the max_entries of the map. This flaw allows a local user
to gain unauthorized access to data (CVE-2022-2905).

A race condition was found in the Linux kernel's IP framework for
transforming packets (XFRM subsystem) when multiple calls to
xfrm_probe_algs occurred simultaneously. This flaw could allow a local
attacker to potentially trigger an out-of-bounds write or leak kernel
heap memory by performing an out-of-bounds read and copying it into a
socket (CVE-2022-3028).

A flaw in the i740 driver. The Userspace program could pass any values
to the driver through ioctl() interface. The driver doesn't check the
value of 'pixclock', so it may cause a divide by zero error
(CVE-2022-3061).

There exists a use-after-free in io_uring in the Linux kernel.
Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the
current task. It will send a POLLFREE notification to all waiters before
the queue is freed. Unfortunately, the io_uring poll doesn't handle
POLLFREE. This allows a use-after-free to occur if a signalfd or binder
fd is polled with io_uring poll, and the waitqueue gets freed
(CVE-2022-3176).

A race condition flaw was found in the Linux kernel sound subsystem due
to improper locking. It could lead to a NULL pointer dereference while
handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or
member of the audio group) could use this flaw to crash the system,
resulting in a denial of service condition (CVE-2022-3303).

A flaw was found in the Linux kernel networking code. A use-after-free
was found in the way the sch_sfb enqueue function used the socket buffer
(SKB) cb field after the same SKB had been enqueued (and freed) into a
child qdisc. This flaw allows a local, unprivileged user to crash the
system, causing a denial of service (CVE-2022-3586).

In binder_inc_ref_for_node of binder.c, there is a possible way to corrupt
memory due to a use after free. This could lead to local escalation of
privilege with no additional execution privileges needed. User interaction
is not needed for exploitation (CVE-2022-20421).

An issue was discovered in net/netfilter/nf_tables_api.c in the kernel
before 5.19.6. A denial of service can occur upon binding to an already
bound chain (CVE-2022-39190).

An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write
in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict
of size_t versus int, causing an integer overflow and bypassing the size
check. After that, because it is used as the third argument to
copy_from_user(), a heap overflow may occur (CVE-2022-39842).

An issue was discovered in the Linux kernel through 5.19.8.
drivers/firmware/efi/capsule-loader.c has a race condition with a resultant
use-after-free (CVE-2022-40307).

drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local usersto obtain sensitive information from kernel memory because
stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case
(CVE-2022-40768).

A use-after-free in the mac80211 stack when parsing a multi-BSSID element
in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by
attackers (able to inject WLAN frames) to crash the kernel and potentially
execute code (CVE-2022-42719).

Various refcounting bugs in the multi-BSS handling in the mac80211 stack
in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by
local attackers (able to inject WLAN frames) to trigger use-after-free
conditions to potentially execute code (CVE-2022-42720).

A list management bug in BSS handling in the mac80211 stack in the Linux
kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers(able to inject WLAN frames) to corrupt a linked list and, in turn,
potentially execute code (CVE-2022-42721).

In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackersable to inject WLAN frames into the mac80211 stack could cause a NULL
pointer dereference denial-of-service attack against the beacon protection
of P2P devices (CVE-2022-42722).

An issue was discovered in the Linux kernel before 5.19.16. Attackers able
to inject WLAN frames could cause a buffer overflow in the
ieee80211_bss_info_update function in net/mac80211/scan.c (CVE-2022-41674).

mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related
to leaf anon_vma double reuse (CVE-2022-42703).

For other upstream fixes in this update, see the referenced changelogs.

References:
- https://bugs.mageia.org/show_bug.cgi?id=30970
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.63
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.64
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.65
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.66
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.67
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.68
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.69
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.70
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.71
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.72
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.73
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.74
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0171
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2308
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2663
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2905
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3028
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3061
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3176
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3303
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3586
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20421
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39190
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39842
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40307
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40768
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42719
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42720
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42721
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42722
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41674
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42703

SRPMS:
- 8/core/kernel-linus-5.15.74-1.mga8

Mageia 2022-0380: kernel-linus security update

This kernel-linus update is based on upstream 5.15.74 and fixes at least the following security issues: A flaw was found in the Linux kernel

Summary

This kernel-linus update is based on upstream 5.15.74 and fixes at least the following security issues:
A flaw was found in the Linux kernel. The existing KVM SEV API has a vulnerability that allows a non-root (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD CPU that supports Secure Encrypted Virtualization (SEV) (CVE-2022-0171).
A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers (CVE-2022-2308).
An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly match...

Read the Full Advisory

References

- https://bugs.mageia.org/show_bug.cgi?id=30970

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.63

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.64

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.65

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.66

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.67

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.68

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.69

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.70

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.71

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.72

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.73

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.74

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0171

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2308

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2663

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2905

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3028

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3061

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3176

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3303

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3586

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20421

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39190

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39842

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40307

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40768

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42719

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42720

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42721

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42722

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41674

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42703

Resolution

MGASA-2022-0380 - Updated kernel-linus packages fix security vulnerabilities

SRPMS

- 8/core/kernel-linus-5.15.74-1.mga8

Severity
Publication date: 23 Oct 2022
URL: https://advisories.mageia.org/MGASA-2022-0380.html
Type: security
CVE: CVE-2022-0171, CVE-2022-2308, CVE-2022-2663, CVE-2022-2905, CVE-2022-3028, CVE-2022-3061, CVE-2022-3176, CVE-2022-3303, CVE-2022-3586, CVE-2022-20421, CVE-2022-39190, CVE-2022-39842, CVE-2022-40307, CVE-2022-40768, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722, CVE-2022-41674, CVE-2022-42703

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved