An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-1621 Final 1.0 1.0 2022-04-29 Initial 2022-04-29 2022-04-29 openEuler SA Tool V1.0 2022-04-29 kernel security update An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS. The Linux Kernel, the operating system core itself. Security Fix(es): A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.(CVE-2022-27666) In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-185125206References: Upstream kernel(CVE-2021-39698) Vulnerability Summary for CVE-2022-1198.(CVE-2022-1198) ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.(CVE-2022-28390) A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle return with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.(CVE-2022-1016) Product: AndroidVersions: Android kernelAndroid ID: A-173788806References: Upstream kernel.(CVE-2021-39713) A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces. We recommend upgrading past commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5.(CVE-2022-1055) Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042.(CVE-2022-23039) Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042.(CVE-2022-23040) Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042.(CVE-2022-23041) Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042.(CVE-2022-23042) The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.(CVE-2022-28893) An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High kernel https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1621 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-27666 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-39698 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-1198 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-28390 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-1016 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-39713 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-1055 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-23039 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-23040 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-23041 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-23042 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-28893 https://nvd.nist.gov/vuln/detail/CVE-2022-27666 https://nvd.nist.gov/vuln/detail/CVE-2021-39698 https://nvd.nist.gov/vuln/detail/CVE-2022-1198 https://nvd.nist.gov/vuln/detail/CVE-2022-28390 https://nvd.nist.gov/vuln/detail/CVE-2022-1016 https://nvd.nist.gov/vuln/detail/CVE-2021-39713 https://nvd.nist.gov/vuln/detail/CVE-2022-1055 https://nvd.nist.gov/vuln/detail/CVE-2022-23039 https://nvd.nist.gov/vuln/detail/CVE-2022-23040 https://nvd.nist.gov/vuln/detail/CVE-2022-23041 https://nvd.nist.gov/vuln/detail/CVE-2022-23042 https://nvd.nist.gov/vuln/detail/CVE-2022-28893 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS kernel-devel-4.19.90-2204.4.0.0147.oe1.aarch64.rpm python3-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm bpftool-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-source-4.19.90-2204.4.0.0147.oe1.aarch64.rpm python3-perf-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-tools-devel-4.19.90-2204.4.0.0147.oe1.aarch64.rpm perf-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm perf-4.19.90-2204.4.0.0147.oe1.aarch64.rpm bpftool-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-tools-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-4.19.90-2204.4.0.0147.oe1.aarch64.rpm python2-perf-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-tools-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm python2-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-debugsource-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-devel-4.19.90-2204.4.0.0146.oe1.aarch64.rpm python3-perf-debuginfo-4.19.90-2204.4.0.0146.oe1.aarch64.rpm bpftool-debuginfo-4.19.90-2204.4.0.0146.oe1.aarch64.rpm kernel-source-4.19.90-2204.4.0.0146.oe1.aarch64.rpm python3-perf-4.19.90-2204.4.0.0146.oe1.aarch64.rpm kernel-tools-devel-4.19.90-2204.4.0.0146.oe1.aarch64.rpm perf-debuginfo-4.19.90-2204.4.0.0146.oe1.aarch64.rpm perf-4.19.90-2204.4.0.0146.oe1.aarch64.rpm bpftool-4.19.90-2204.4.0.0146.oe1.aarch64.rpm kernel-tools-4.19.90-2204.4.0.0146.oe1.aarch64.rpm kernel-4.19.90-2204.4.0.0146.oe1.aarch64.rpm python2-perf-4.19.90-2204.4.0.0146.oe1.aarch64.rpm kernel-debuginfo-4.19.90-2204.4.0.0146.oe1.aarch64.rpm kernel-tools-debuginfo-4.19.90-2204.4.0.0146.oe1.aarch64.rpm python2-perf-debuginfo-4.19.90-2204.4.0.0146.oe1.aarch64.rpm kernel-debugsource-4.19.90-2204.4.0.0146.oe1.aarch64.rpm kernel-devel-4.19.90-2204.4.0.0147.oe1.aarch64.rpm python3-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm bpftool-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-source-4.19.90-2204.4.0.0147.oe1.aarch64.rpm python3-perf-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-tools-devel-4.19.90-2204.4.0.0147.oe1.aarch64.rpm perf-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm perf-4.19.90-2204.4.0.0147.oe1.aarch64.rpm bpftool-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-tools-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-4.19.90-2204.4.0.0147.oe1.aarch64.rpm python2-perf-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-tools-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm python2-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-debugsource-4.19.90-2204.4.0.0147.oe1.aarch64.rpm kernel-tools-debuginfo-5.10.0-60.27.0.57.oe2203.aarch64.rpm bpftool-debuginfo-5.10.0-60.27.0.57.oe2203.aarch64.rpm python3-perf-debuginfo-5.10.0-60.27.0.57.oe2203.aarch64.rpm kernel-devel-5.10.0-60.27.0.57.oe2203.aarch64.rpm perf-debuginfo-5.10.0-60.27.0.57.oe2203.aarch64.rpm kernel-headers-5.10.0-60.27.0.57.oe2203.aarch64.rpm kernel-debuginfo-5.10.0-60.27.0.57.oe2203.aarch64.rpm perf-5.10.0-60.27.0.57.oe2203.aarch64.rpm kernel-tools-5.10.0-60.27.0.57.oe2203.aarch64.rpm kernel-5.10.0-60.27.0.57.oe2203.aarch64.rpm kernel-source-5.10.0-60.27.0.57.oe2203.aarch64.rpm python3-perf-5.10.0-60.27.0.57.oe2203.aarch64.rpm kernel-debugsource-5.10.0-60.27.0.57.oe2203.aarch64.rpm kernel-tools-devel-5.10.0-60.27.0.57.oe2203.aarch64.rpm bpftool-5.10.0-60.27.0.57.oe2203.aarch64.rpm kernel-4.19.90-2204.4.0.0147.oe1.src.rpm kernel-4.19.90-2204.4.0.0146.oe1.src.rpm kernel-4.19.90-2204.4.0.0147.oe1.src.rpm kernel-5.10.0-60.27.0.57.oe2203.src.rpm kernel-tools-4.19.90-2204.4.0.0147.oe1.x86_64.rpm python3-perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm bpftool-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-tools-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm python2-perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-devel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm python2-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm python3-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm bpftool-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-tools-devel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-debugsource-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-source-4.19.90-2204.4.0.0147.oe1.x86_64.rpm python3-perf-4.19.90-2204.4.0.0146.oe1.x86_64.rpm kernel-tools-debuginfo-4.19.90-2204.4.0.0146.oe1.x86_64.rpm kernel-debuginfo-4.19.90-2204.4.0.0146.oe1.x86_64.rpm kernel-tools-4.19.90-2204.4.0.0146.oe1.x86_64.rpm bpftool-debuginfo-4.19.90-2204.4.0.0146.oe1.x86_64.rpm kernel-debugsource-4.19.90-2204.4.0.0146.oe1.x86_64.rpm python3-perf-debuginfo-4.19.90-2204.4.0.0146.oe1.x86_64.rpm kernel-devel-4.19.90-2204.4.0.0146.oe1.x86_64.rpm python2-perf-debuginfo-4.19.90-2204.4.0.0146.oe1.x86_64.rpm kernel-tools-devel-4.19.90-2204.4.0.0146.oe1.x86_64.rpm perf-4.19.90-2204.4.0.0146.oe1.x86_64.rpm bpftool-4.19.90-2204.4.0.0146.oe1.x86_64.rpm kernel-source-4.19.90-2204.4.0.0146.oe1.x86_64.rpm python2-perf-4.19.90-2204.4.0.0146.oe1.x86_64.rpm kernel-4.19.90-2204.4.0.0146.oe1.x86_64.rpm perf-debuginfo-4.19.90-2204.4.0.0146.oe1.x86_64.rpm kernel-devel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-source-4.19.90-2204.4.0.0147.oe1.x86_64.rpm python2-perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm python3-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm python3-perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm bpftool-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-tools-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm python2-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-tools-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-debugsource-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-tools-devel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm bpftool-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-devel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-source-4.19.90-2204.4.0.0147.oe1.x86_64.rpm python2-perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm python3-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm python3-perf-4.19.90-2204.4.0.0147.oe1.x86_64.rpm bpftool-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-tools-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm python2-perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-tools-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-debugsource-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-tools-devel-4.19.90-2204.4.0.0147.oe1.x86_64.rpm bpftool-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm perf-debuginfo-4.19.90-2204.4.0.0147.oe1.x86_64.rpm kernel-tools-5.10.0-60.27.0.57.oe2203.x86_64.rpm python3-perf-5.10.0-60.27.0.57.oe2203.x86_64.rpm perf-debuginfo-5.10.0-60.27.0.57.oe2203.x86_64.rpm bpftool-debuginfo-5.10.0-60.27.0.57.oe2203.x86_64.rpm kernel-5.10.0-60.27.0.57.oe2203.x86_64.rpm kernel-debuginfo-5.10.0-60.27.0.57.oe2203.x86_64.rpm kernel-tools-debuginfo-5.10.0-60.27.0.57.oe2203.x86_64.rpm python2-perf-5.10.0-60.27.0.57.oe2203.x86_64.rpm perf-5.10.0-60.27.0.57.oe2203.x86_64.rpm kernel-devel-5.10.0-60.27.0.57.oe2203.x86_64.rpm python2-perf-debuginfo-5.10.0-60.27.0.57.oe2203.x86_64.rpm python3-perf-debuginfo-5.10.0-60.27.0.57.oe2203.x86_64.rpm bpftool-5.10.0-60.27.0.57.oe2203.x86_64.rpm kernel-tools-devel-5.10.0-60.27.0.57.oe2203.x86_64.rpm kernel-debugsource-5.10.0-60.27.0.57.oe2203.x86_64.rpm kernel-source-5.10.0-60.27.0.57.oe2203.x86_64.rpm A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat. 2022-04-29 CVE-2022-27666 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-04-29 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1621 In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-185125206References: Upstream kernel 2022-04-29 CVE-2021-39698 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-04-29 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1621 Vulnerability Summary for CVE-2022-1198 2022-04-29 CVE-2022-1198 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS Medium 5.1 AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H kernel security update 2022-04-29 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1621 ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free. 2022-04-29 CVE-2022-28390 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-04-29 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1621 A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle return with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker. 2022-04-29 CVE-2022-1016 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS Low 0.0 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N kernel security update 2022-04-29 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1621 Product: AndroidVersions: Android kernelAndroid ID: A-173788806References: Upstream kernel 2022-04-29 CVE-2021-39713 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 High 7.3 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-04-29 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1621 A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces. We recommend upgrading past commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5 2022-04-29 CVE-2022-1055 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-04-29 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1621 Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 2022-04-29 CVE-2022-23039 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-04-29 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1621 Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 2022-04-29 CVE-2022-23040 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-04-29 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1621 Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 2022-04-29 CVE-2022-23041 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-04-29 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1621 Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 2022-04-29 CVE-2022-23042 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-04-29 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1621 The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state. 2022-04-29 CVE-2022-28893 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-04-29 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1621