Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2022:3422-1

Опубликовано: 27 сент. 2022
Источник: suse-cvrf

Описание

Security update for the Linux Kernel

The SUSE Linux Enterprise 12 SP5 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

  • CVE-2021-4203: Fixed use-after-free read flaw that was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (bnc#1194535).
  • CVE-2022-20368: Fixed slab-out-of-bounds access in packet_recvmsg() (bsc#1202346).
  • CVE-2022-20369: Fixed out of bounds write in v4l2_m2m_querybuf of v4l2-mem2mem.c (bnc#1202347).
  • CVE-2022-21385: Fixed a flaw in net_rds_alloc_sgs() that allowed unprivileged local users to crash the machine (bnc#1202897).
  • CVE-2022-2588: Fixed use-after-free in cls_route (bsc#1202096).
  • CVE-2022-26373: Fixed non-transparent sharing of return predictor targets between contexts in some Intel Processors (bnc#1201726).
  • CVE-2022-2663: Fixed an issue that was found in nf_conntrack_irc where the message handling could be confused and incorrectly matches the message (bnc#1202097).
  • CVE-2022-2977: Fixed reference counting for struct tpm_chip (bsc#1202672).
  • CVE-2022-3028: Fixed race condition that was found in the IP framework for transforming packets (XFRM subsystem) (bnc#1202898).
  • CVE-2022-36879: Fixed an issue in xfrm_expand_policies in net/xfrm/xfrm_policy.c where a refcount could be dropped twice (bnc#1201948).
  • CVE-2022-39188: Fixed race condition in include/asm-generic/tlb.h where a device driver can free a page while it still has stale TLB entries (bnc#1203107).

The following non-security bugs were fixed:

  • 9p: migrate from sync_inode to filemap_fdatawrite_wbc (bsc#1202528).
  • ACPI: CPPC: Do not prevent CPPC from working in the future (git-fixes).
  • Fix releasing of old bundles in xfrm_bundle_lookup() (bsc#1201264 bsc#1190397 bsc#1199617).
  • KABI: cgroup: Restore KABI of css_set (bsc#1201610).
  • KVM: PPC: Book3S HV: Context tracking exit guest context before enabling irqs (bsc#1065729).
  • KVM: arm64: Avoid setting the upper 32 bits of TCR_EL2 and CPTR_EL2 (bsc#1201442)
  • KVM: nVMX: Set UMIP bit CR4_FIXED1 MSR when emulating UMIP (bsc#1120716).
  • KVM: x86: Mark TSS busy during LTR emulation after all fault checks (git-fixes).
  • KVM: x86: Set error code to segment selector on LLDT/LTR non-canonical #GP (git-fixes).
  • PCI: dwc: Deallocate EPC memory on dw_pcie_ep_init() errors (git-fixes).
  • Revert 'USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set' (git-fixes).
  • Revert 'r8152: adjust the settings about MAC clock speed down for RTL8153' (git-fixes).
  • SUNRPC: Fix the svc_deferred_event trace class (git-fixes).
  • USB: new quirk for Dell Gen 2 devices (git-fixes).
  • USB: serial: io_ti: add Agilent E5805A support (git-fixes).
  • ata: libata: add qc->flags in ata_qc_complete_template tracepoint (git-fixes).
  • btrfs: Convert fs_info->free_chunk_space to atomic64_t (bsc#1202528).
  • btrfs: add a trace class for dumping the current ENOSPC state (bsc#1202528).
  • btrfs: add a trace point for reserve tickets (bsc#1202528).
  • btrfs: adjust the flush trace point to include the source (bsc#1202528).
  • btrfs: check reclaim_size in need_preemptive_reclaim (bsc#1202528).
  • btrfs: check worker before need_preemptive_reclaim (bsc#1202528).
  • btrfs: do not do preemptive flushing if the majority is global rsv (bsc#1202528).
  • btrfs: do not include the global rsv size in the preemptive used amount (bsc#1202528).
  • btrfs: enable a tracepoint when we fail tickets (bsc#1202528).
  • btrfs: handle preemptive delalloc flushing slightly differently (bsc#1202528).
  • btrfs: implement space clamping for preemptive flushing (bsc#1202528).
  • btrfs: improve preemptive background space flushing (bsc#1202528).
  • btrfs: include delalloc related info in dump space info tracepoint (bsc#1202528).
  • btrfs: introduce a FORCE_COMMIT_TRANS flush operation (bsc#1202528).
  • btrfs: make flush_space take a enum btrfs_flush_state instead of int (bsc#1202528).
  • btrfs: only clamp the first time we have to start flushing (bsc#1202528).
  • btrfs: only ignore delalloc if delalloc is much smaller than ordered (bsc#1202528).
  • btrfs: reduce the preemptive flushing threshold to 90% (bsc#1202528).
  • btrfs: remove FLUSH_DELAYED_REFS from data ENOSPC flushing (bsc#1202528).
  • btrfs: rename need_do_async_reclaim (bsc#1202528).
  • btrfs: rework btrfs_calc_reclaim_metadata_size (bsc#1202528).
  • btrfs: rip out btrfs_space_info::total_bytes_pinned (bsc#1202528).
  • btrfs: rip out may_commit_transaction (bsc#1202528).
  • btrfs: rip the first_ticket_bytes logic from fail_all_tickets (bsc#1202528).
  • btrfs: simplify the logic in need_preemptive_flushing (bsc#1202528).
  • btrfs: take into account global rsv in need_preemptive_reclaim (bsc#1202528).
  • btrfs: use delalloc_bytes to determine flush amount for shrink_delalloc (bsc#1202528).
  • btrfs: use percpu_read_positive instead of sum_positive for need_preempt (bsc#1202528).
  • btrfs: use the filemap_fdatawrite_wbc helper for delalloc shrinking (bsc#1202528).
  • btrfs: use the global rsv size in the preemptive thresh calculation (bsc#1202528).
  • btrfs: wait on async extents when flushing delalloc (bsc#1202528).
  • btrfs: wake up async_delalloc_pages waiters after submit (bsc#1202528).
  • ceph: do not truncate file in atomic_open (bsc#1202830).
  • cgroup: Use separate src/dst nodes when preloading css_sets for migration (bsc#1201610).
  • check sk_peer_cred pointer before put_cred() call
  • crypto: arm64/gcm - Select AEAD for GHASH_ARM64_CE (git-fixes).
  • crypto: inside-secure - Add missing MODULE_DEVICE_TABLE for of (git-fixes).
  • cxgb4: fix endian conversions for L4 ports in filters (git-fixes).
  • cxgb4: move handling L2T ARP failures to caller (git-fixes).
  • cxgb4: parse TC-U32 key values and masks natively (git-fixes).
  • drivers/perf: arm_spe: Fix consistency of SYS_PMSCR_EL1.CX (git-fixes).
  • fs: add a filemap_fdatawrite_wbc helper (bsc#1202528).
  • fuse: limit nsec (bsc#1203126).
  • iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE) (git-fixes).
  • ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback (git-fixes).
  • kabi/severities: add mlx5 internal symbols
  • lightnvm: Remove lightnvm implemenation (bsc#1191881 bsc#1201420 ZDI-CAN-17325).
  • md/bitmap: do not set sb values if can't pass sanity check (bsc#1197158).
  • mm/rmap.c: do not reuse anon_vma if we just want a copy (git-fixes, bsc#1203098).
  • mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse (git-fixes, bsc#1203098).
  • mvpp2: fix panic on module removal (git-fixes).
  • mvpp2: refactor the HW checksum setup (git-fixes).
  • net/mlx5: Clear LAG notifier pointer after unregister (git-fixes).
  • net/mlx5: Fix auto group size calculation (git-fixes).
  • net/mlx5: Imply MLXFW in mlx5_core (git-fixes).
  • net/mlx5e: Use the inner headers to determine tc/pedit offload limitation on decap flows (git-fixes).
  • net: dsa: mt7530: Change the LINK bit to reflect the link status (git-fixes).
  • net: emaclite: Simplify if-else statements (git-fixes).
  • net: ll_temac: Add more error handling of dma_map_single() calls (git-fixes).
  • net: ll_temac: Enable DMA when ready, not before (git-fixes).
  • net: ll_temac: Fix RX buffer descriptor handling on GFP_ATOMIC pressure (git-fixes).
  • net: ll_temac: Fix iommu/swiotlb leak (git-fixes).
  • net: ll_temac: Fix support for 64-bit platforms (git-fixes).
  • net: ll_temac: Fix support for little-endian platforms (git-fixes).
  • net: ll_temac: Fix typo bug for 32-bit (git-fixes).
  • net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer (git-fixes).
  • net: stmmac: gmac4: bitrev32 returns u32 (git-fixes).
  • net: usb: lan78xx: Connect PHY before registering MAC (git-fixes).
  • net: xilinx: replace dev_kfree_skb_irq by dev_consume_skb_irq for drop profiles (git-fixes).
  • net_sched: cls_route: disallow handle of 0 (bsc#1202393).
  • objtool: Add --backtrace support (bsc#1202396).
  • objtool: Add support for intra-function calls (bsc#1202396).
  • objtool: Allow no-op CFI ops in alternatives (bsc#1202396).
  • objtool: Convert insn type to enum (bsc#1202396).
  • objtool: Do not use ignore flag for fake jumps (bsc#1202396).
  • objtool: Fix !CFI insn_state propagation (bsc#1202396).
  • objtool: Fix ORC vs alternatives (bsc#1202396).
  • objtool: Fix sibling call detection (bsc#1202396).
  • objtool: Make handle_insn_ops() unconditional (bsc#1202396).
  • objtool: Remove INSN_STACK (bsc#1202396).
  • objtool: Remove check preventing branches within alternative (bsc#1202396).
  • objtool: Rename elf_open() to prevent conflict with libelf from elftoolchain (bsc#1202396).
  • objtool: Rename struct cfi_state (bsc#1202396).
  • objtool: Rework allocating stack_ops on decode (bsc#1202396).
  • objtool: Rewrite alt->skip_orig (bsc#1202396).
  • objtool: Set insn->func for alternatives (bsc#1202396).
  • objtool: Support conditional retpolines (bsc#1202396).
  • objtool: Support multiple stack_op per instruction (bsc#1202396).
  • objtool: Track original function across branches (bsc#1202396).
  • objtool: Uniquely identify alternative instruction groups (bsc#1202396).
  • objtool: Use Elf_Scn typedef instead of assuming struct name (bsc#1202396).
  • phy: tegra: fix device-tree node lookups (git-fixes).
  • powerpc/perf: Add privileged access check for thread_imc (bsc#1054914, git-fixes).
  • powerpc/perf: Fix loop exit condition in nest_imc_event_init (bsc#1054914, git-fixes).
  • powerpc/perf: Return accordingly on invalid chip-id in (bsc#1054914, git-fixes).
  • powerpc/xive: Fix refcount leak in xive_get_max_prio (git-fixess).
  • powerpc: Enable execve syscall exit tracepoint (bsc#1065729).
  • powerpc: Use sizeof(*foo) rather than sizeof(struct foo) (bsc#1054914, git-fixes).
  • powerpc: define get_cycles macro for arch-override (bsc#1065729).
  • qed: Add EDPM mode type for user-fw compatibility (git-fixes).
  • qed: fix kABI in qed_rdma_create_qp_in_params (git-fixes).
  • scsi: smartpqi: set force_blk_mq=1.(bsc#1179310)
  • spmi: trace: fix stack-out-of-bound access in SPMI tracing functions (git-fixes).
  • squashfs: add more sanity checks in id lookup (git-fixes).
  • squashfs: add more sanity checks in inode lookup (git-fixes).
  • squashfs: add more sanity checks in xattr id lookup (git-fixes).
  • squashfs: fix divide error in calculate_skip() (git-fixes).
  • squashfs: fix inode lookup sanity checks (bsc#1203013).
  • squashfs: fix xattr id and id lookup sanity checks (bsc#1203013).
  • tracepoint: Add tracepoint_probe_register_may_exist() for BPF tracing (git-fixes).
  • tracing/perf: Use strndup_user() instead of buggy open-coded version (git-fixes).
  • tracing/uprobes: Check the return value of kstrdup() for tu->filename (git-fixes).
  • tracing: Fix race in perf_trace_buf initialization (git-fixes).
  • usb: misc: fix improper handling of refcount in uss720_probe() (git-fixes).
  • usbnet: Fix linkwatch use-after-free on disconnect (git-fixes).
  • usbnet: smsc95xx: Fix deadlock on runtime resume (git-fixes).
  • xen/xenbus: fix return type in xenbus_file_read() (git-fixes).
  • xfs: always free inline data before resetting inode fork during ifree (bsc#1202017).
  • xfs: check sb_meta_uuid for dabuf buffer recovery (bsc#1202577).
  • xprtrdma: Fix trace point use-after-free race (git-fixes).

Список пакетов

SUSE Linux Enterprise Real Time 12 SP5
cluster-md-kmp-rt-4.12.14-10.100.1
dlm-kmp-rt-4.12.14-10.100.1
gfs2-kmp-rt-4.12.14-10.100.1
kernel-devel-rt-4.12.14-10.100.1
kernel-rt-4.12.14-10.100.1
kernel-rt-base-4.12.14-10.100.1
kernel-rt-devel-4.12.14-10.100.1
kernel-rt_debug-4.12.14-10.100.1
kernel-rt_debug-devel-4.12.14-10.100.1
kernel-source-rt-4.12.14-10.100.1
kernel-syms-rt-4.12.14-10.100.1
ocfs2-kmp-rt-4.12.14-10.100.1

Ссылки

Описание

A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information.

Затронутые продукты
SUSE Linux Enterprise Real Time 12 SP5:cluster-md-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:dlm-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:gfs2-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:kernel-devel-rt-4.12.14-10.100.1
Ссылки

Описание

Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel

Затронутые продукты
SUSE Linux Enterprise Real Time 12 SP5:cluster-md-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:dlm-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:gfs2-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:kernel-devel-rt-4.12.14-10.100.1
Ссылки

Описание

In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-223375145References: Upstream kernel

Затронутые продукты
SUSE Linux Enterprise Real Time 12 SP5:cluster-md-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:dlm-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:gfs2-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:kernel-devel-rt-4.12.14-10.100.1
Ссылки

Описание

A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Затронутые продукты
SUSE Linux Enterprise Real Time 12 SP5:cluster-md-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:dlm-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:gfs2-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:kernel-devel-rt-4.12.14-10.100.1
Ссылки

Описание

It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0.

Затронутые продукты
SUSE Linux Enterprise Real Time 12 SP5:cluster-md-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:dlm-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:gfs2-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:kernel-devel-rt-4.12.14-10.100.1
Ссылки

Описание

Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

Затронутые продукты
SUSE Linux Enterprise Real Time 12 SP5:cluster-md-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:dlm-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:gfs2-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:kernel-devel-rt-4.12.14-10.100.1
Ссылки

Описание

An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured.

Затронутые продукты
SUSE Linux Enterprise Real Time 12 SP5:cluster-md-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:dlm-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:gfs2-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:kernel-devel-rt-4.12.14-10.100.1
Ссылки

Описание

A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system.

Затронутые продукты
SUSE Linux Enterprise Real Time 12 SP5:cluster-md-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:dlm-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:gfs2-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:kernel-devel-rt-4.12.14-10.100.1
Ссылки

Описание

A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.

Затронутые продукты
SUSE Linux Enterprise Real Time 12 SP5:cluster-md-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:dlm-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:gfs2-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:kernel-devel-rt-4.12.14-10.100.1
Ссылки

Описание

An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice.

Затронутые продукты
SUSE Linux Enterprise Real Time 12 SP5:cluster-md-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:dlm-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:gfs2-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:kernel-devel-rt-4.12.14-10.100.1
Ссылки

Описание

An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs.

Затронутые продукты
SUSE Linux Enterprise Real Time 12 SP5:cluster-md-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:dlm-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:gfs2-kmp-rt-4.12.14-10.100.1
SUSE Linux Enterprise Real Time 12 SP5:kernel-devel-rt-4.12.14-10.100.1
Ссылки
Уязвимость SUSE-SU-2022:3422-1