[LU-15489] kernel update [SLES15 SP2 5.3.18-24.99.1] Created: 27/Jan/22  Updated: 18/Feb/22  Resolved: 18/Feb/22

Status: Closed
Project: Lustre
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Jian Yu Assignee: Jian Yu
Resolution: Won't Fix Votes: 0
Labels: None

Issue Links:
Related
is related to LU-15331 kernel update [SLES15 SP2 5.3.18-24.9... Resolved
is related to LU-15568 kernel update [SLES15 SP2 5.3.18-24.1... Resolved
Rank (Obsolete): 9223372036854775807

 Description   

The following security bugs were fixed:

  • CVE-2022-0185: Incorrect param length parsing in legacy_parse_param
    which could have led to a local privilege escalation (bsc#1194517).
  • CVE-2022-0322: Fixed a denial of service in SCTP sctp_addto_chunk
    (bsc#1194985).
  • CVE-2021-44733: Fixed a use-after-free in drivers/tee/tee_shm.c in the
    TEE subsystem of the Linux kernel that occurred because of a race
    condition in tee_shm_get_from_id during an attempt to free a shared
    memory object (bnc#1193767).
  • CVE-2021-4197: Fixed a cgroup issue where lower privileged processes
    could write to fds opened by higher privileged ones, which could lead to
    privilege escalation (bsc#1194302).
  • CVE-2021-4135: Fixed an information leak in the nsim_bpf_map_alloc
    function (bsc#1193927).
  • CVE-2021-4202: Fixed a race condition during NFC device removal which
    could lead to a use-after-free memory corruption (bsc#1194529).
  • CVE-2021-4083: A read-after-free memory flaw was found in the Linux
    kernel's garbage collection for Unix domain socket file handlers in the
    way users call close() and fget() simultaneously and can potentially
    trigger a race condition. This flaw allowed a local user to crash the
    system or escalate their privileges on the system. (bnc#1193727).
  • CVE-2021-4149: Fixed a locking condition in btrfs which could lead to
    system deadlocks (bsc#1194001).
  • CVE-2021-45485: The IPv6 implementation in net/ipv6/output_core.c had an
    information leak because of certain use of a hash table which, although
    big, doesn't properly consider that IPv6-based attackers can typically
    choose among many IPv6 source addresses (bnc#1194094).
  • CVE-2021-45486: The IPv4 implementation in net/ipv4/route.c had an
    information leak because the hash table is very small (bnc#1194087).
  • CVE-2021-4001: A race condition was found in the Linux kernel's ebpf
    verifier between bpf_map_update_elem and bpf_map_freeze due to a missing
    lock in kernel/bpf/syscall.c. In this flaw, a local user with a special
    privilege (cap_sys_admin or cap_bpf) can modify the frozen mapped
    address space. (bnc#1192990).
  • CVE-2021-28715: Guest can force Linux netback driver to hog large
    amounts of kernel memory. Incoming data packets for a guest in the Linux
    kernel's netback driver are buffered until the guest is ready to process
    them. There are measures taken to avoid piling up too much data, but
    those could be bypassed by the guest: the stall timeout (see
    CVE-2021-28714) could even never trigger if the guest manages to have
    only one free slot in its RX queue ring page and the next packet would
    require more than one free slot, which may be the case when using GSO,
    XDP, or software hashing.
  • CVE-2021-28714: Guest can force Linux netback driver to hog large
    amounts of kernel memory. There was a timeout for how long the client
    side of an interface can stop consuming new packets before it is assumed
    to have stalled, but this timeout was rather long (60 seconds by
    default). Using a UDP connection on a fast interface can easily
    accumulate gigabytes of data in that time (bnc#1193442).
  • CVE-2021-28711, CVE-2021-28712, CVE-2021-28713: Rogue backends can cause
    DoS of guests via high frequency events. Xen offers the ability to run PV
    backends in regular unprivileged guests, typically referred to as "driver
    domains". Running PV backends in driver domains has one primary security
    advantage: if a driver domain gets compromised, it does not have the
    privileges to take over the system. However, a malicious driver domain
    could try to attack other guests by sending events at a high frequency,
    leading to a denial of service in the guest, which spends extended
    periods of time servicing interrupts (bsc#1193440).
  • CVE-2020-27825: A use-after-free flaw was found in
    kernel/trace/ring_buffer.c. A race between trace_open and a resize of
    the cpu buffer running in parallel on different cpus may cause a denial
    of service (DoS). This flaw could also allow a local attacker with
    special user privileges to leak kernel information (bnc#1179960).
  • CVE-2021-43975: hw_atl_utils_fw_rpc_wait in
    drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allowed an
    attacker (who can introduce a crafted device) to trigger an
    out-of-bounds write via a crafted length value (bnc#1192845).
  • CVE-2021-33098: Improper input validation in the Intel(R) Ethernet ixgbe
    driver for Linux before version 3.17.3 may have allowed an authenticated
    user to potentially enable denial of service via local access
    (bnc#1192877).
  • CVE-2021-43976: mwifiex_usb_recv in
    drivers/net/wireless/marvell/mwifiex/usb.c allowed an attacker (who can
    connect a crafted USB device) to cause a denial of service
    (skb_over_panic) (bnc#1192847).
  • CVE-2021-4002: Incorrect TLBs flushing after huge_pmd_unshare could lead
    to exposing hugepages to other users (bsc#1192946).
  • CVE-2020-27820: A use-after-free in nouveau's postclose() handler could
    happen when the device is removed (physically removing a video card
    without powering off is uncommon, but the same happens when the driver
    is unbound) (bnc#1179599).

The following non-security bugs were fixed:
https://lists.suse.com/pipermail/sle-security-updates/2022-January/010080.html
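The ticket title names the fixed kernel version, 5.3.18-24.99.1. The following is an added example (not code from this ticket, the Lustre project, or the SUSE advisory quoted above): a POSIX sh check that reports whether an installed SLES15 SP2 kernel-default is at or above that version and therefore carries the fixes listed above. The FIXED_KVER constant, the ver_ge and kernel_patched function names and the sample version strings are the example's own assumptions; it accepts either the rpm VERSION-RELEASE form ("5.3.18-24.99.1") or the uname -r form ("5.3.18-24.99-default").

```shell
#!/bin/sh
# Added example, not part of the Lustre ticket or the SUSE advisory it quotes:
# decide whether an installed SLES15 SP2 kernel is at or above the fixed
# version from the ticket title (5.3.18-24.99.1). Accepts the rpm
# VERSION-RELEASE string of kernel-default ("5.3.18-24.99.1") or the uname -r
# form ("5.3.18-24.99-default"), which drops the trailing rebuild counter and
# appends the kernel flavour. Assumption: field values are plain integers.

FIXED_KVER="5.3.18-24.99.1"

# ver_ge A B: exit 0 if version A >= version B, exit 1 if A < B, exit 2 if a
# field is not numeric. Both strings are split on '.' and '-' into numeric
# fields compared left to right; a missing field counts as 0, so
# "5.3.18-24.99" sorts below "5.3.18-24.99.1".
ver_ge() {
    _a=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    _b=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    _i=1
    while :; do
        # the trailing space guarantees a delimiter, so cut yields "" past
        # the last field instead of echoing the whole line
        _x=$(printf '%s \n' "$_a" | cut -d' ' -f"$_i")
        _y=$(printf '%s \n' "$_b" | cut -d' ' -f"$_i")
        if [ -z "$_x" ] && [ -z "$_y" ]; then
            return 0            # ran out of fields on both sides: equal
        fi
        _x=${_x:-0}
        _y=${_y:-0}
        case "$_x$_y" in
            *[!0-9]*) return 2 ;;   # refuse to compare non-numeric fields
        esac
        if [ "$_x" -gt "$_y" ]; then return 0; fi
        if [ "$_x" -lt "$_y" ]; then return 1; fi
        _i=$((_i + 1))
    done
}

# kernel_patched KVER: exit 0 if KVER is at least FIXED_KVER.
kernel_patched() {
    case "$1" in
        *-[a-z]*)
            # uname -r form: strip "-default"/"-preempt" and compare without
            # the rebuild counter, which uname does not report
            ver_ge "${1%-*}" "${FIXED_KVER%.*}" ;;
        *)
            ver_ge "$1" "$FIXED_KVER" ;;
    esac
}

# Constructed sample inputs. On a live host use
#   kernel_patched "$(uname -r)"
# for the running kernel, or loop over
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-default
# to check every installed kernel package.
for _k in 5.3.18-24.9.1 5.3.18-24.99.1 5.3.18-24.102.1 5.3.18-24.99-default; do
    kernel_patched "$_k" && _s=0 || _s=$?
    case $_s in
        0) echo "$_k: at or above $FIXED_KVER" ;;
        1) echo "$_k: older than $FIXED_KVER, the fixes above are missing" ;;
        *) echo "$_k: not a VERSION-RELEASE string, cannot compare" ;;
    esac
done
```

Note that a running kernel can be older than the newest installed package until the host is rebooted, so check uname -r rather than only the rpm database when deciding whether the fixes are actually in effect.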



 Comments   
Comment by Gerrit Updater [ 27/Jan/22 ]

"Jian Yu <yujian@whamcloud.com>" uploaded a new patch: https://review.whamcloud.com/46346
Subject: LU-15489 kernel: kernel update SLES15 SP2 [5.3.18-24.99.1]
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: cf34fff95922f72706d80cd1ce40924261d8cdf6

Comment by Jian Yu [ 18/Feb/22 ]

A new version is available in LU-15568.

Generated at Sat Feb 10 03:18:45 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.