An update for kernel is now available for openEuler-22.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-2162 Final 1.0 1.0 2022-12-30 Initial 2022-12-30 2022-12-30 openEuler SA Tool V1.0 2022-12-30 kernel security update An update for kernel is now available for openEuler-22.03-LTS. Security Fix(es): A use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing an attacker to launch a local denial of service attack and gain escalation of privileges.(CVE-2022-4095) There are null-ptr-deref vulnerabilities in drivers/net/slip of linux that allow attacker to crash linux kernel by simulating slip network card from user-space of linux. ------------------------------------------ [Root cause] When a slip driver is detaching, the slip_close() will act to cleanup necessary resources and sl->tty is set to NULL in slip_close(). Meanwhile, the packet we transmit is blocked, sl_tx_timeout() will be called. Although slip_close() and sl_tx_timeout() use sl->lock to synchronize, we don`t judge whether sl->tty equals to NULL in sl_tx_timeout() and the null pointer dereference bug will happen. (Thread 1) | (Thread 2) | slip_close() | spin_lock_bh(&sl->lock) | ... ... | sl->tty = NULL //(1) sl_tx_timeout() | spin_unlock_bh(&sl->lock) spin_lock(&sl->lock); | ... | ... tty_chars_in_buffer(sl->tty)| if (tty->ops->..) //(2) | ... | synchronize_rcu() We set NULL to sl->tty in position (1) and dereference sl->tty in position (2). ------------------------------------------(CVE-2022-41858) A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service.(CVE-2022-4129) In (TBD) of (TBD), there is a possible way to corrupt kernel memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-220738351References: Upstream kernel(CVE-2022-20568) In l2cap_chan_put of l2cap_core, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-165329981References: Upstream kernel(CVE-2022-20566) Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior.(CVE-2022-3643) In verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-234475629References: Upstream kernel(CVE-2022-20572) A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2022-4378) In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.(CVE-2022-41218) Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).(CVE-2022-42328) Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).(CVE-2022-42329) An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames.(CVE-2022-47518) An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames.(CVE-2022-47519) An issue was discovered in the Linux kernel before 6.0.11. Missing offset validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet.(CVE-2022-47520) An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_CHANNEL_LIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames.(CVE-2022-47521) An issue was discovered in the Linux kernel through 5.16-rc6. kfd_parse_subtype_iolink in drivers/gpu/drm/amd/amdkfd/kfd_crat.c lacks check of the return value of kmemdup().(CVE-2022-3108) An update for kernel is now available for openEuler-22.03-LTS. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical kernel https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-4095 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-41858 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-4129 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-20568 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-20566 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-3643 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-20572 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-4378 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-41218 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-42328 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-42329 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-47518 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-47519 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-47520 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-47521 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-3108 https://nvd.nist.gov/vuln/detail/CVE-2022-4095 https://nvd.nist.gov/vuln/detail/CVE-2022-41858 https://nvd.nist.gov/vuln/detail/CVE-2022-4129 https://nvd.nist.gov/vuln/detail/CVE-2022-20568 https://nvd.nist.gov/vuln/detail/CVE-2022-20566 https://nvd.nist.gov/vuln/detail/CVE-2022-3643 https://nvd.nist.gov/vuln/detail/CVE-2022-20572 https://nvd.nist.gov/vuln/detail/CVE-2022-4378 https://nvd.nist.gov/vuln/detail/CVE-2022-41218 https://nvd.nist.gov/vuln/detail/CVE-2022-42328 https://nvd.nist.gov/vuln/detail/CVE-2022-42329 https://nvd.nist.gov/vuln/detail/CVE-2022-47518 https://nvd.nist.gov/vuln/detail/CVE-2022-47519 https://nvd.nist.gov/vuln/detail/CVE-2022-47520 https://nvd.nist.gov/vuln/detail/CVE-2022-47521 https://nvd.nist.gov/vuln/detail/CVE-2022-3108 openEuler-22.03-LTS kernel-headers-5.10.0-60.74.0.98.oe2203.aarch64.rpm kernel-tools-devel-5.10.0-60.74.0.98.oe2203.aarch64.rpm python3-perf-debuginfo-5.10.0-60.74.0.98.oe2203.aarch64.rpm bpftool-debuginfo-5.10.0-60.74.0.98.oe2203.aarch64.rpm perf-5.10.0-60.74.0.98.oe2203.aarch64.rpm python3-perf-5.10.0-60.74.0.98.oe2203.aarch64.rpm kernel-5.10.0-60.74.0.98.oe2203.aarch64.rpm kernel-debuginfo-5.10.0-60.74.0.98.oe2203.aarch64.rpm kernel-devel-5.10.0-60.74.0.98.oe2203.aarch64.rpm bpftool-5.10.0-60.74.0.98.oe2203.aarch64.rpm kernel-source-5.10.0-60.74.0.98.oe2203.aarch64.rpm kernel-tools-debuginfo-5.10.0-60.74.0.98.oe2203.aarch64.rpm kernel-tools-5.10.0-60.74.0.98.oe2203.aarch64.rpm perf-debuginfo-5.10.0-60.74.0.98.oe2203.aarch64.rpm kernel-debugsource-5.10.0-60.74.0.98.oe2203.aarch64.rpm kernel-5.10.0-60.74.0.98.oe2203.src.rpm kernel-source-5.10.0-60.74.0.98.oe2203.x86_64.rpm kernel-debugsource-5.10.0-60.74.0.98.oe2203.x86_64.rpm kernel-debuginfo-5.10.0-60.74.0.98.oe2203.x86_64.rpm bpftool-5.10.0-60.74.0.98.oe2203.x86_64.rpm bpftool-debuginfo-5.10.0-60.74.0.98.oe2203.x86_64.rpm kernel-tools-devel-5.10.0-60.74.0.98.oe2203.x86_64.rpm python3-perf-debuginfo-5.10.0-60.74.0.98.oe2203.x86_64.rpm kernel-devel-5.10.0-60.74.0.98.oe2203.x86_64.rpm kernel-headers-5.10.0-60.74.0.98.oe2203.x86_64.rpm python3-perf-5.10.0-60.74.0.98.oe2203.x86_64.rpm kernel-tools-debuginfo-5.10.0-60.74.0.98.oe2203.x86_64.rpm kernel-tools-5.10.0-60.74.0.98.oe2203.x86_64.rpm perf-5.10.0-60.74.0.98.oe2203.x86_64.rpm perf-debuginfo-5.10.0-60.74.0.98.oe2203.x86_64.rpm kernel-5.10.0-60.74.0.98.oe2203.x86_64.rpm A use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing an attacker to launch a local denial of service attack and gain escalation of privileges. 2022-12-30 CVE-2022-4095 openEuler-22.03-LTS Medium 6.3 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 There are null-ptr-deref vulnerabilities in drivers/net/slip of linux that allow attacker tocrash linux kernel by simulating slip network card from user-space of linux.------------------------------------------[Root cause]When a slip driver is detaching, the slip_close() will act tocleanup necessary resources and sl->tty is set to NULL inslip_close(). Meanwhile, the packet we transmit is blocked,sl_tx_timeout() will be called. Although slip_close() andsl_tx_timeout() use sl->lock to synchronize, we don`t judgewhether sl->tty equals to NULL in sl_tx_timeout() and thenull pointer dereference bug will happen.(Thread 1) | (Thread 2)| slip_close()| spin_lock_bh(&sl->lock)| ...... | sl->tty = NULL //(1)sl_tx_timeout() | spin_unlock_bh(&sl->lock)spin_lock(&sl->lock); |... | ...tty_chars_in_buffer(sl->tty)|if (tty->ops->..) //(2) |... | synchronize_rcu()We set NULL to sl->tty in position (1) and dereference sl->ttyin position (2).------------------------------------------ 2022-12-30 CVE-2022-41858 openEuler-22.03-LTS Medium 4.7 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 A flaw was found in the Linux kernel s Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service. 2022-12-30 CVE-2022-4129 openEuler-22.03-LTS Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 In (TBD) of (TBD), there is a possible way to corrupt kernel memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-220738351References: Upstream kernel 2022-12-30 CVE-2022-20568 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 In l2cap_chan_put of l2cap_core, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-165329981References: Upstream kernel 2022-12-30 CVE-2022-20566 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior. 2022-12-30 CVE-2022-3643 openEuler-22.03-LTS Critical 10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 In verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-234475629References: Upstream kernel 2022-12-30 CVE-2022-20572 openEuler-22.03-LTS Medium 6.7 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 A stack overflow flaw was found in the Linux kernel s SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system. 2022-12-30 CVE-2022-4378 openEuler-22.03-LTS High 8.4 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release. 2022-12-30 CVE-2022-41218 openEuler-22.03-LTS Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329). 2022-12-30 CVE-2022-42328 openEuler-22.03-LTS Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329). 2022-12-30 CVE-2022-42329 openEuler-22.03-LTS Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames. 2022-12-30 CVE-2022-47518 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames. 2022-12-30 CVE-2022-47519 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 An issue was discovered in the Linux kernel before 6.0.11. Missing offset validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet. 2022-12-30 CVE-2022-47520 openEuler-22.03-LTS High 7.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211_P2P_ATTR_CHANNEL_LIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames. 2022-12-30 CVE-2022-47521 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162 An issue was discovered in the Linux kernel through 5.16-rc6. kfd_parse_subtype_iolink in drivers/gpu/drm/amd/amdkfd/kfd_crat.c lacks check of the return value of kmemdup(). 2022-12-30 CVE-2022-3108 openEuler-22.03-LTS Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2022-12-30 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162