-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update
Advisory ID:       RHSA-2023:2148-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2148
Issue date:        2023-05-09
CVE Names:         CVE-2021-26341 CVE-2021-33655 CVE-2022-1462
                   CVE-2022-1789 CVE-2022-1882 CVE-2022-2196
                   CVE-2022-2663 CVE-2022-3028 CVE-2022-3435
                   CVE-2022-3522 CVE-2022-3524 CVE-2022-3566
                   CVE-2022-3567 CVE-2022-3619 CVE-2022-3623
                   CVE-2022-3625 CVE-2022-3628 CVE-2022-3640
                   CVE-2022-3707 CVE-2022-4128 CVE-2022-4129
                   CVE-2022-20141 CVE-2022-21505 CVE-2022-28388
                   CVE-2022-33743 CVE-2022-39188 CVE-2022-39189
                   CVE-2022-41674 CVE-2022-42703 CVE-2022-42720
                   CVE-2022-42721 CVE-2022-42722 CVE-2022-42896
                   CVE-2022-43750 CVE-2022-47929 CVE-2023-0394
                   CVE-2023-0461 CVE-2023-0590 CVE-2023-1195
                   CVE-2023-1382
====================================================================
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux NFV (v. 9) - x86_64
Red Hat Enterprise Linux RT (v. 9) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* use-after-free in l2cap_connect and l2cap_le_connect_req in
net/bluetooth/l2cap_core.c (CVE-2022-42896)

* net/ulp: use-after-free in listening ULP sockets (CVE-2023-0461)

* hw: cpu: AMD CPUs may transiently execute beyond unconditional direct
branch (CVE-2021-26341)

* malicious data for FBIOPUT_VSCREENINFO ioctl may cause OOB write memory
(CVE-2021-33655)

* possible race condition in drivers/tty/tty_buffers.c (CVE-2022-1462)

* KVM: NULL pointer dereference in kvm_mmu_invpcid_gva (CVE-2022-1789)

* use-after-free in free_pipe_info() could lead to privilege escalation
(CVE-2022-1882)

* KVM: nVMX: missing IBPB when exiting from nested guest can lead to
Spectre v2 attacks (CVE-2022-2196)

* netfilter: nf_conntrack_irc message handling issue (CVE-2022-2663)

* race condition in xfrm_probe_algs can lead to OOB read/write
(CVE-2022-3028)

* out-of-bounds read in fib_nh_match of the file net/ipv4/fib_semantics.c
(CVE-2022-3435)

* race condition in hugetlb_no_page() in mm/hugetlb.c (CVE-2022-3522)

* memory leak in ipv6_renew_options() (CVE-2022-3524)

* data races around icsk->icsk_af_ops in do_ipv6_setsockopt (CVE-2022-3566)

* data races around sk->sk_prot (CVE-2022-3567)

* memory leak in l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c
(CVE-2022-3619)

* denial of service in follow_page_pte in mm/gup.c due to poisoned pte
entry (CVE-2022-3623)

* use-after-free after failed devlink reload in devlink_param_get
(CVE-2022-3625)

* USB-accessible buffer overflow in brcmfmac (CVE-2022-3628)

* use after free flaw in l2cap_conn_del in net/bluetooth/l2cap_core.c
(CVE-2022-3640)

* Double-free in split_2MB_gtt_entry when function
intel_gvt_dma_map_guest_page failed (CVE-2022-3707)

* mptcp: NULL pointer dereference in subflow traversal at disconnect time
(CVE-2022-4128)

* l2tp: missing lock when clearing sk_user_data can lead to NULL pointer
dereference (CVE-2022-4129)

* igmp: use-after-free in ip_check_mc_rcu when opening and closing inet
sockets (CVE-2022-20141)

* lockdown bypass using IMA (CVE-2022-21505)

* double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c
(CVE-2022-28388)

* network backend may cause Linux netfront to use freed SKBs (XSA-405)
(CVE-2022-33743)

* unmap_mapping_range() race with munmap() on VM_PFNMAP mappings leads to
stale TLB entry (CVE-2022-39188)

* TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED leading
to guest malfunctioning (CVE-2022-39189)

* u8 overflow problem in cfg80211_update_notlisted_nontrans()
(CVE-2022-41674)

* use-after-free related to leaf anon_vma double reuse (CVE-2022-42703)

* use-after-free in bss_ref_get in net/wireless/scan.c (CVE-2022-42720)

* BSS list corruption in cfg80211_add_nontrans_list in net/wireless/scan.c
(CVE-2022-42721)

* Denial of service in beacon protection for P2P-device (CVE-2022-42722)

* memory corruption in usbmon driver (CVE-2022-43750)

* NULL pointer dereference in traffic control subsystem (CVE-2022-47929)

* NULL pointer dereference in rawv6_push_pending_frames (CVE-2023-0394)

* use-after-free due to race condition in qdisc_graft() (CVE-2023-0590)

* use-after-free caused by invalid pointer hostname in fs/cifs/connect.c
(CVE-2023-1195)

* denial of service in tipc_conn_close (CVE-2023-1382)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2061703 - CVE-2021-26341 hw: cpu: AMD CPUs may transiently execute beyond unconditional direct branch
2073091 - CVE-2022-28388 kernel: double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c
2078466 - CVE-2022-1462 kernel: possible race condition in drivers/tty/tty_buffers.c
2089701 - CVE-2022-1882 kernel: use-after-free in free_pipe_info() could lead to privilege escalation
2090723 - CVE-2022-1789 kernel: KVM: NULL pointer dereference in kvm_mmu_invpcid_gva
2106830 - CVE-2022-21505 kernel: lockdown bypass using IMA
2107924 - CVE-2022-33743 kernel: network backend may cause Linux netfront to use freed SKBs (XSA-405)
2108691 - CVE-2021-33655 kernel: malicious data for FBIOPUT_VSCREENINFO ioctl may cause OOB write memory
2114937 - CVE-2022-20141 kernel: igmp: use-after-free in ip_check_mc_rcu when opening and closing inet sockets
2122228 - CVE-2022-3028 kernel: race condition in xfrm_probe_algs can lead to OOB read/write
2123056 - CVE-2022-2663 kernel: netfilter: nf_conntrack_irc message handling issue
2124788 - CVE-2022-39189 kernel: TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED leading to guest malfunctioning
2130141 - CVE-2022-39188 kernel: unmap_mapping_range() race with munmap() on VM_PFNMAP mappings leads to stale TLB entry
2133483 - CVE-2022-42703 kernel: use-after-free related to leaf anon_vma double reuse
2133490 - CVE-2022-3435 kernel: out-of-bounds read in fib_nh_match of the file net/ipv4/fib_semantics.c
2134377 - CVE-2022-41674 kernel: u8 overflow problem in cfg80211_update_notlisted_nontrans()
2134380 - CVE-2022-4128 kernel: mptcp: NULL pointer dereference in subflow traversal at disconnect time
2134451 - CVE-2022-42720 kernel: use-after-free in bss_ref_get in net/wireless/scan.c
2134506 - CVE-2022-42721 kernel: BSS list corruption in cfg80211_add_nontrans_list in net/wireless/scan.c
2134517 - CVE-2022-42722 kernel: Denial of service in beacon protection for P2P-device
2134528 - CVE-2022-4129 kernel: l2tp: missing lock when clearing sk_user_data can lead to NULL pointer dereference
2137979 - CVE-2022-3707 kernel: Double-free in split_2MB_gtt_entry when function intel_gvt_dma_map_guest_page failed
2139610 - CVE-2022-3640 kernel: use after free flaw in l2cap_conn_del in net/bluetooth/l2cap_core.c
2143893 - CVE-2022-3566 kernel: data races around icsk->icsk_af_ops in do_ipv6_setsockopt
2143943 - CVE-2022-3567 kernel: data races around sk->sk_prot
2144720 - CVE-2022-3625 kernel: use-after-free after failed devlink reload in devlink_param_get
2147364 - CVE-2022-42896 kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c
2150947 - CVE-2022-3524 kernel: memory leak in ipv6_renew_options()
2150960 - CVE-2022-3628 kernel: USB-accessible buffer overflow in brcmfmac
2150979 - CVE-2022-3522 kernel: race condition in hugetlb_no_page() in mm/hugetlb.c
2151270 - CVE-2022-43750 kernel: memory corruption in usbmon driver
2154171 - CVE-2023-1195 kernel: use-after-free caused by invalid pointer hostname in fs/cifs/connect.c
2154235 - CVE-2022-3619 kernel: memory leak in l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c
2160023 - CVE-2022-2196 kernel: KVM: nVMX: missing IBPB when exiting from nested guest can lead to Spectre v2 attacks
2162120 - CVE-2023-0394 kernel: NULL pointer dereference in rawv6_push_pending_frames
2165721 - CVE-2022-3623 kernel: denial of service in follow_page_pte in mm/gup.c due to poisoned pte entry
2165741 - CVE-2023-0590 kernel: use-after-free due to race condition in qdisc_graft()
2168246 - CVE-2022-47929 kernel: NULL pointer dereference in traffic control subsystem
2176192 - CVE-2023-0461 kernel: net/ulp: use-after-free in listening ULP sockets
2177371 - CVE-2023-1382 kernel: denial of service in tipc_conn_close

6. Package List:

Red Hat Enterprise Linux NFV (v. 9):

Source:
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.src.rpm

x86_64:
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debug-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debug-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debug-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debug-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debug-kvm-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debug-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debug-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debug-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-kvm-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm

Red Hat Enterprise Linux RT (v. 9):

Source:
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.src.rpm

x86_64:
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debug-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debug-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debug-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debug-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debug-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debug-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debug-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm
kernel-rt-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-26341
https://access.redhat.com/security/cve/CVE-2021-33655
https://access.redhat.com/security/cve/CVE-2022-1462
https://access.redhat.com/security/cve/CVE-2022-1789
https://access.redhat.com/security/cve/CVE-2022-1882
https://access.redhat.com/security/cve/CVE-2022-2196
https://access.redhat.com/security/cve/CVE-2022-2663
https://access.redhat.com/security/cve/CVE-2022-3028
https://access.redhat.com/security/cve/CVE-2022-3435
https://access.redhat.com/security/cve/CVE-2022-3522
https://access.redhat.com/security/cve/CVE-2022-3524
https://access.redhat.com/security/cve/CVE-2022-3566
https://access.redhat.com/security/cve/CVE-2022-3567
https://access.redhat.com/security/cve/CVE-2022-3619
https://access.redhat.com/security/cve/CVE-2022-3623
https://access.redhat.com/security/cve/CVE-2022-3625
https://access.redhat.com/security/cve/CVE-2022-3628
https://access.redhat.com/security/cve/CVE-2022-3640
https://access.redhat.com/security/cve/CVE-2022-3707
https://access.redhat.com/security/cve/CVE-2022-4128
https://access.redhat.com/security/cve/CVE-2022-4129
https://access.redhat.com/security/cve/CVE-2022-20141
https://access.redhat.com/security/cve/CVE-2022-21505
https://access.redhat.com/security/cve/CVE-2022-28388
https://access.redhat.com/security/cve/CVE-2022-33743
https://access.redhat.com/security/cve/CVE-2022-39188
https://access.redhat.com/security/cve/CVE-2022-39189
https://access.redhat.com/security/cve/CVE-2022-41674
https://access.redhat.com/security/cve/CVE-2022-42703
https://access.redhat.com/security/cve/CVE-2022-42720
https://access.redhat.com/security/cve/CVE-2022-42721
https://access.redhat.com/security/cve/CVE-2022-42722
https://access.redhat.com/security/cve/CVE-2022-42896
https://access.redhat.com/security/cve/CVE-2022-43750
https://access.redhat.com/security/cve/CVE-2022-47929
https://access.redhat.com/security/cve/CVE-2023-0394
https://access.redhat.com/security/cve/CVE-2023-0461
https://access.redhat.com/security/cve/CVE-2023-0590
https://access.redhat.com/security/cve/CVE-2023-1195
https://access.redhat.com/security/cve/CVE-2023-1382
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZFo0NtzjgjWX9erEAQhskQ//eAqMI93djEsADoo5zb3EO3xEGrb//Im2
ptPycHLLL6ZG+t/+1PiMk/e8LwhV2hrxz7nzc4xh8tNO4TRuF0WK/sR8Iv4y6/Fs
95X25NgEndOlHk7uUVgEdTYvZnpNh27XJwyEHDu6HV8suxY6gfbYHqV7zlkGBi43
zQA+sfEDXFVfvLug/RpaD0J7wXc0JyUoG4OratWV1E37zw9mNPSX1P0bFy4QoKXL
rhG1Xc+qSWK3kjnJjpeU8nIJGhL2oJDFVuICkiC+aEp7C//DE1TA7L7u3Z+7Tou/
BpPmjMyfXF/UQYZtJCrCRiTj/RsRIqaUSoy3/3MO8jxVMR6FIm/QTjY63JCGfj6A
OahLv77oKDJXuHQQ7JkHycKMOc+JfX/ZNtxtgn2gYFfpjPTY/klTJP8iM9KhnTuQ
2lF5jvYJihYhGio+cyl5Ad/XmzsHh7cTQR3XKtNa7p9/+QkAKt10LhbzxvebThFd
cZtLUsdph4wO6T+RrZ5XdwvOSox1C40mfOnwJO41M/9GXPHoxhmwrZYBWKE1PY0J
Jq9m+pYgKv+ioTW1FWloM22mu0PW/L5F3djzAVujShX0iRgfW2Aao3n+L8A22bYD
Q+5LbFsWZwpeK7zXgXocJlY7j667sT9UGqBwk4xMfAiS5A0p2Zo1rkIre2lvmF2D
JJU7NBGa9VU=YrUX
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce