Red Hat Security Advisory 2022-1975-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include buffer overflow, denial of service, information leakage, integer overflow, out of bounds read, out of bounds write, privilege escalation, and use-after-free vulnerabilities.
76e7a83f67a9594d044f0555940c9cdc95fcacfd7cb6fe3ce07a4e4115106e22-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: kernel-rt security and bug fix update
Advisory ID: RHSA-2022:1975-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1975
Issue date: 2022-05-10
CVE Names: CVE-2020-0404 CVE-2020-13974 CVE-2020-27820
CVE-2021-0941 CVE-2021-3612 CVE-2021-3669
CVE-2021-3743 CVE-2021-3744 CVE-2021-3752
CVE-2021-3759 CVE-2021-3764 CVE-2021-3772
CVE-2021-3773 CVE-2021-4002 CVE-2021-4037
CVE-2021-4083 CVE-2021-4157 CVE-2021-4197
CVE-2021-4203 CVE-2021-20322 CVE-2021-26401
CVE-2021-29154 CVE-2021-37159 CVE-2021-41864
CVE-2021-42739 CVE-2021-43389 CVE-2021-43976
CVE-2021-44733 CVE-2021-45485 CVE-2021-45486
CVE-2022-0001 CVE-2022-0002 CVE-2022-0286
CVE-2022-0322 CVE-2022-1011
=====================================================================
1. Summary:
An update for kernel-rt is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Real Time (v. 8) - x86_64
Red Hat Enterprise Linux Real Time for NFV (v. 8) - x86_64
3. Description:
The kernel-rt packages provide the Real Time Linux Kernel, which enables
fine-tuning for systems with extremely high determinism requirements.
Security Fix(es):
* kernel: fget: check that the fd still exists after getting a ref to it
(CVE-2021-4083)
* kernel: avoid cyclic entity chains due to malformed USB descriptors
(CVE-2020-0404)
* kernel: integer overflow in k_ascii() in drivers/tty/vt/keyboard.c
(CVE-2020-13974)
* kernel: out-of-bounds read in bpf_skb_change_head() of filter.c due to a
use-after-free (CVE-2021-0941)
* kernel: joydev: zero size passed to joydev_handle_JSIOCSBTNMAP()
(CVE-2021-3612)
* kernel: reading /proc/sysvipc/shm does not scale with large shared memory
segment counts (CVE-2021-3669)
* kernel: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
(CVE-2021-3743)
* kernel: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
(CVE-2021-3744)
* kernel: possible use-after-free in bluetooth module (CVE-2021-3752)
* kernel: unaccounted ipc objects in Linux kernel lead to breaking memcg
limits and DoS attacks (CVE-2021-3759)
* kernel: DoS in ccp_run_aes_gcm_cmd() function (CVE-2021-3764)
* kernel: sctp: Invalid chunks may be used to remotely remove existing
associations (CVE-2021-3772)
* kernel: lack of port sanity checking in natd and netfilter leads to
exploit of OpenVPN clients (CVE-2021-3773)
* kernel: possible leak or coruption of data residing on hugetlbfs
(CVE-2021-4002)
* kernel: security regression for CVE-2018-13405 (CVE-2021-4037)
* kernel: Buffer overwrite in decode_nfs_fh function (CVE-2021-4157)
* kernel: cgroup: Use open-time creds and namespace for migration perm
checks (CVE-2021-4197)
* kernel: Race condition in races in sk_peer_pid and sk_peer_cred accesses
(CVE-2021-4203)
* kernel: new DNS Cache Poisoning Attack based on ICMP fragment needed
packets replies (CVE-2021-20322)
* hw: cpu: LFENCE/JMP Mitigation Update for CVE-2017-5715 (CVE-2021-26401)
* kernel: Local privilege escalation due to incorrect BPF JIT branch
displacement computation (CVE-2021-29154)
* kernel: use-after-free in hso_free_net_device() in drivers/net/usb/hso.c
(CVE-2021-37159)
* kernel: eBPF multiplication integer overflow in
prealloc_elems_and_freelist() in kernel/bpf/stackmap.c leads to
out-of-bounds write (CVE-2021-41864)
* kernel: Heap buffer overflow in firedtv driver (CVE-2021-42739)
* kernel: an array-index-out-bounds in detach_capi_ctr in
drivers/isdn/capi/kcapi.c (CVE-2021-43389)
* kernel: mwifiex_usb_recv() in drivers/net/wireless/marvell/mwifiex/usb.c
allows an attacker to cause DoS via crafted USB device (CVE-2021-43976)
* kernel: use-after-free in the TEE subsystem (CVE-2021-44733)
* kernel: information leak in the IPv6 implementation (CVE-2021-45485)
* kernel: information leak in the IPv4 implementation (CVE-2021-45486)
* hw: cpu: intel: Branch History Injection (BHI) (CVE-2022-0001)
* hw: cpu: intel: Intra-Mode BTI (CVE-2022-0002)
* kernel: Local denial of service in bond_ipsec_add_sa (CVE-2022-0286)
* kernel: DoS in sctp_addto_chunk in net/sctp/sm_make_chunk.c
(CVE-2022-0322)
* kernel: FUSE allows UAF reads of write() buffers, allowing theft of
(partial) /etc/shadow hashes (CVE-2022-1011)
* kernel: use-after-free in nouveau kernel module (CVE-2020-27820)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.6 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
The system must be rebooted for this update to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1901726 - CVE-2020-27820 kernel: use-after-free in nouveau kernel module
1903578 - kernnel-rt-debug: do not call blocking ops when !TASK_RUNNING; state=1 set at [<0000000050e86018>] handle_userfault+0x530/0x1820
1905749 - kernel-rt-debug: BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:968
1919791 - CVE-2020-0404 kernel: avoid cyclic entity chains due to malformed USB descriptors
1946684 - CVE-2021-29154 kernel: Local privilege escalation due to incorrect BPF JIT branch displacement computation
1951739 - CVE-2021-42739 kernel: Heap buffer overflow in firedtv driver
1974079 - CVE-2021-3612 kernel: joydev: zero size passed to joydev_handle_JSIOCSBTNMAP()
1985353 - CVE-2021-37159 kernel: use-after-free in hso_free_net_device() in drivers/net/usb/hso.c
1986473 - CVE-2021-3669 kernel: reading /proc/sysvipc/shm does not scale with large shared memory segment counts
1997467 - CVE-2021-3764 kernel: DoS in ccp_run_aes_gcm_cmd() function
1997961 - CVE-2021-3743 kernel: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
1999544 - CVE-2021-3752 kernel: possible use-after-free in bluetooth module
1999675 - CVE-2021-3759 kernel: unaccounted ipc objects in Linux kernel lead to breaking memcg limits and DoS attacks
2000627 - CVE-2021-3744 kernel: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
2000694 - CVE-2021-3772 kernel: sctp: Invalid chunks may be used to remotely remove existing associations
2004949 - CVE-2021-3773 kernel: lack of port sanity checking in natd and netfilter leads to exploit of OpenVPN clients
2010463 - CVE-2021-41864 kernel: eBPF multiplication integer overflow in prealloc_elems_and_freelist() in kernel/bpf/stackmap.c leads to out-of-bounds write
2013180 - CVE-2021-43389 kernel: an array-index-out-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c
2014230 - CVE-2021-20322 kernel: new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies
2016169 - CVE-2020-13974 kernel: integer overflow in k_ascii() in drivers/tty/vt/keyboard.c
2018205 - CVE-2021-0941 kernel: out-of-bounds read in bpf_skb_change_head() of filter.c due to a use-after-free
2025003 - CVE-2021-43976 kernel: mwifiex_usb_recv() in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker to cause DoS via crafted USB device
2025726 - CVE-2021-4002 kernel: possible leak or coruption of data residing on hugetlbfs
2027239 - CVE-2021-4037 kernel: security regression for CVE-2018-13405
2029923 - CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it
2030747 - CVE-2021-44733 kernel: use-after-free in the TEE subsystem
2034342 - CVE-2021-4157 kernel: Buffer overwrite in decode_nfs_fh function
2035652 - CVE-2021-4197 kernel: cgroup: Use open-time creds and namespace for migration perm checks
2036934 - CVE-2021-4203 kernel: Race condition in races in sk_peer_pid and sk_peer_cred accesses
2037019 - CVE-2022-0286 kernel: Local denial of service in bond_ipsec_add_sa
2039911 - CVE-2021-45485 kernel: information leak in the IPv6 implementation
2039914 - CVE-2021-45486 kernel: information leak in the IPv4 implementation
2042822 - CVE-2022-0322 kernel: DoS in sctp_addto_chunk in net/sctp/sm_make_chunk.c
2061700 - CVE-2021-26401 hw: cpu: LFENCE/JMP Mitigation Update for CVE-2017-5715
2061712 - CVE-2022-0001 hw: cpu: intel: Branch History Injection (BHI)
2061721 - CVE-2022-0002 hw: cpu: intel: Intra-Mode BTI
2064855 - CVE-2022-1011 kernel: FUSE allows UAF reads of write() buffers, allowing theft of (partial) /etc/shadow hashes
6. Package List:
Red Hat Enterprise Linux Real Time for NFV (v. 8):
Source:
kernel-rt-4.18.0-372.9.1.rt7.166.el8.src.rpm
x86_64:
kernel-rt-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-core-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-core-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-debuginfo-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-devel-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-kvm-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-modules-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-modules-extra-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debuginfo-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-devel-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-kvm-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-modules-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-modules-extra-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
Red Hat Enterprise Linux Real Time (v. 8):
Source:
kernel-rt-4.18.0-372.9.1.rt7.166.el8.src.rpm
x86_64:
kernel-rt-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-core-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-core-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-debuginfo-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-devel-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-modules-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-modules-extra-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debuginfo-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-devel-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-modules-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-modules-extra-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-0404
https://access.redhat.com/security/cve/CVE-2020-13974
https://access.redhat.com/security/cve/CVE-2020-27820
https://access.redhat.com/security/cve/CVE-2021-0941
https://access.redhat.com/security/cve/CVE-2021-3612
https://access.redhat.com/security/cve/CVE-2021-3669
https://access.redhat.com/security/cve/CVE-2021-3743
https://access.redhat.com/security/cve/CVE-2021-3744
https://access.redhat.com/security/cve/CVE-2021-3752
https://access.redhat.com/security/cve/CVE-2021-3759
https://access.redhat.com/security/cve/CVE-2021-3764
https://access.redhat.com/security/cve/CVE-2021-3772
https://access.redhat.com/security/cve/CVE-2021-3773
https://access.redhat.com/security/cve/CVE-2021-4002
https://access.redhat.com/security/cve/CVE-2021-4037
https://access.redhat.com/security/cve/CVE-2021-4083
https://access.redhat.com/security/cve/CVE-2021-4157
https://access.redhat.com/security/cve/CVE-2021-4197
https://access.redhat.com/security/cve/CVE-2021-4203
https://access.redhat.com/security/cve/CVE-2021-20322
https://access.redhat.com/security/cve/CVE-2021-26401
https://access.redhat.com/security/cve/CVE-2021-29154
https://access.redhat.com/security/cve/CVE-2021-37159
https://access.redhat.com/security/cve/CVE-2021-41864
https://access.redhat.com/security/cve/CVE-2021-42739
https://access.redhat.com/security/cve/CVE-2021-43389
https://access.redhat.com/security/cve/CVE-2021-43976
https://access.redhat.com/security/cve/CVE-2021-44733
https://access.redhat.com/security/cve/CVE-2021-45485
https://access.redhat.com/security/cve/CVE-2021-45486
https://access.redhat.com/security/cve/CVE-2022-0001
https://access.redhat.com/security/cve/CVE-2022-0002
https://access.redhat.com/security/cve/CVE-2022-0286
https://access.redhat.com/security/cve/CVE-2022-0322
https://access.redhat.com/security/cve/CVE-2022-1011
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.6_release_notes/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYnqRVtzjgjWX9erEAQjwiA//R/ZVJ7xroUR7Uf1az+8xZqs4OZQADIUc
/92cDd6MRyzkvwQx5u7JmD5E6KbRf3NGfDsuoC0jVJJJcp8GT0tWkxPIjCi2RNbI
/9nlbkfp0eQqRGmpL753W/7sfzAnbiOeP47rr+lJU24OBDcbrZn5X3Ex0EdzcdeD
fmVnAxB8bsXyZwcnX9m6mVlBxY+fm6SC78O+/rPzVUHl5NhQASqi0sYSwydyqZvG
a/9p5gXd9nnyV7NtJj58pS7brxQFq4RcM5VhTjix3a/ZaZEwT+nDMj3+RXXwUhGe
HJ6AdJoNI19huMXtn/fYhomb/LIHQos+kHQrBbJ+KmaFE4DD08Uv2uHSyeEe1ksT
oUwcGcIbSta6LBNO60Lh0XVj6FgFWNnNsAGX27nxCHfzDjuJ3U4Tyh8gL+ID2K1t
3nwoQl5gxUokFS0sUIuD0pj2LFW1vg2E2pMcbzPDqFwj0MXn5DpTb4qeuiRWzA05
s+upi3Cd6XmRNKPH8DDOrGNGW0dJqJtuXhUmziZjKPMJK5Ygnhoc+3hYG/EJzGiq
S/VHXR5hnJ+RAPz2U8rETfCW2Dvz7lCUh5rJGg/8f8MCyAMCPpFqXbkNvpt3BIKy
2SLBhh0Mci1fprA35q2eNCjduntja3oxnVx+YAKPM30hzE7ejwHFEZHPGOdKB0q/
aHIZwOKDLaE=
=hqV1
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed