The SUSE Linux Enterprise 15 SP3 Azure kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values. (bsc#1186111)
CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
CVE-2021-3491: Fixed a potential heap overflow in memrw(). This vulnerability is related to the PROVIDEBUFFERS operation, which allowed the MAXRWCOUNT limit to be bypassed (bsc#1185642).
CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
CVE-2020-24588: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (bnc#1185861)
CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)
CVE-2021-29650: Fixed an issue with the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/xtables.c and include/linux/netfilter/xtables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
CVE-2021-29155: Fixed an issue that was discovered in kernel/bpf/verifier.c that performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation was not correctly accounted for when restricting subsequent operations (bnc#1184942).
CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0 leading to out of bounds read (bsc#1184170).
CVE-2021-3428: Fixed an integer overflow in ext4escache_extent (bsc#1173485).
CVE-2021-29647: Fixed an issue in qrtr_recvmsg which could have allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bsc#1184192 ).
CVE-2021-29265: Fixed an issue in usbipsockfdstore which could have allowed attackers to cause a denial of service due to race conditions during an update of the local and shared status (bsc#1184167).
CVE-2021-29264: Fixed an issue in the Freescale Gianfar Ethernet driver which could have allowed attackers to cause a system crash due to a calculation of negative fragment size (bsc#1184168).
CVE-2021-28972: Fixed a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly (bsc#1184198).
CVE-2021-28971: Fixed an issue in intelpmudrainpebsnhm which could have caused a system crash because the PEBS status in a PEBS record was mishandled (bsc#1184196 ).
CVE-2021-28964: Fixed a race condition in getoldroot which could have allowed attackers to cause a denial of service (bsc#1184193).
CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1183646).
CVE-2021-28660: Fixed an out of bounds write in rtwwxset_scan (bsc#1183593 ).
CVE-2021-28375: Fixed an issue in fastrpcinternalinvoke which did not prevent user applications from sending kernel RPC messages (bsc#1183596).
CVE-2021-28038: Fixed an issue with the netback driver which was lacking necessary treatment of errors such as failed memory allocations (bsc#1183022).
CVE-2021-27365: Fixed an issue where an unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bsc#1182715).
CVE-2021-27364: Fixed an issue where an attacker could craft Netlink messages (bsc#1182717).
CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1182716).
CVE-2020-35519: Fixed an out-of-bounds memory access was found in x25_bind (bsc#1183696).
CVE-2020-27815: Fixed an issue in JFS filesystem where could have allowed an attacker to execute code (bsc#1179454).
CVE-2020-27171: Fixed an off-by-one error affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183775).
CVE-2020-27170: Fixed potential side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183686).
CVE-2019-19769: Fixed a use-after-free in the perftracelock_acquire function (bsc#1159280 ).
CVE-2019-18814: Fixed a use-after-free when aalabelparse() fails in aaauditrule_init() (bsc#1156256).
CVE-2021-3483: Fixed a use-after-free in nosy.c (bsc#1184393).
CVE-2021-30002: Fixed a memory leak for large arguments in video_usercopy (bsc#1184120).
CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h due to a retry loop continually was finding the same bad inode (bsc#1184194).
CVE-2021-28952: Fixed a buffer overflow in the soundwire device driver, triggered when an unexpected port ID number is encountered. (bnc#1184197).
CVE-2021-20268: Fixed an out-of-bounds access flaw in the implementation of the eBPF code verifier. This flaw allowed a local user to crash the system or possibly escalate their privileges. (bnc#1183077)
CVE-2020-27673: Fixed a vulnerability with xen, where guest OS users could cause a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411).
CVE-2020-36312: Fixed a memory leak upon a kmalloc failure (bsc#1184509 ).
CVE-2020-36311: Fixed a denial of service (soft lockup) by triggering destruction of a large SEV VM (bsc#1184511).
CVE-2020-36310: Fixed infinite loop for certain nested page faults (bsc#1184512).
CVE-2021-3489: Fixed an issue where the eBPF RINGBUF bpfringbufreserve did not check that the allocated size was smaller than the ringbuf size (bnc#1185640).
CVE-2021-3490: Fixed an issue where the eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) did not update the 32-bit bounds (bnc#1185641 bnc#1185796 ).
CVE-2020-36322: Fixed an issue was discovered in FUSE filesystem implementation which could have caused a system crash (bsc#1184211).