SUSE-SU-2022:1038-1

Source
https://www.suse.com/support/update/announcement/2022/suse-su-20221038-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2022:1038-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2022:1038-1
Related
Published
2022-03-30T07:37:14Z
Modified
2022-03-30T07:37:14Z
Summary
Security update for the Linux Kernel
Details

The SUSE Linux Enterprise 15 SP3 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

  • CVE-2022-25636: Fixed an issue which allowed a local users to gain privileges because of a heap out-of-bounds write in nfdupnetdev.c, related to nftablesoffload (bsc#1196299).
  • CVE-2022-26490: Fixed a buffer overflow in the st21nfca driver. An attacker with adjacent NFC access could trigger crash the system or corrupt system memory (bsc#1196830).
  • CVE-2022-0487: A use-after-free vulnerability was found in rtsxusbmsdrvremove() in drivers/memstick/host/rtsxusbms.c (bsc#1194516).
  • CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
  • CVE-2022-0516: Fixed missing check in ioctl related to KVM in s390 allows kernel memory read/write (bsc#1195516).
  • CVE-2022-24448: Fixed an issue if an application sets the ODIRECTORY flag, and tries to open a regular file, nfsatomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should have occured, but the server instead returned uninitialized data in the file descriptor (bsc#1195612).
  • CVE-2022-0617: Fixed a null pointer dereference in UDF file system functionality. A local user could crash the system by triggering udffilewrite_iter() via a malicious UDF image. (bsc#1196079)
  • CVE-2022-0644: Fixed a denial of service by a local user. A assertion failure could be triggered in kernelreadfilefromfd(). (bsc#1196155)
  • CVE-2022-25258: The USB Gadget subsystem lacked certain validation of interface OS descriptor requests, which could have lead to memory corruption (bsc#1196096).
  • CVE-2022-24958: drivers/usb/gadget/legacy/inode.c mishandled dev->buf release (bsc#1195905).
  • CVE-2022-24959: Fixed a memory leak in yam_siocdevprivate() in drivers/net/hamradio/yam.c (bsc#1195897).
  • CVE-2022-27223: In drivers/usb/gadget/udc/udc-xilinx.c the endpoint index was not validated and could have been manipulated by the host for out-of-array access (bsc#1197245).
  • CVE-2021-44879: In gcdatasegment() in fs/f2fs/gc.c, special files were not considered, which lead to a movedatapage NULL pointer dereference (bsc#1195987).
  • CVE-2021-0920: Fixed a local privilege escalation due to a use-after-free vulnerability in unixscmtoskb of afunix (bsc#1193731).
  • CVE-2022-26966: Fixed an issue in drivers/net/usb/sr9700.c, which allowed attackers to obtain sensitive information from heap memory via crafted frame lengths from a device (bsc#1196836).
  • CVE-2021-39698: Fixed a possible memory corruption due to a use after free in aiopollcomplete_work. This could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1196956)
  • CVE-2021-45402: The checkaluop function in kernel/bpf/verifier.c did not properly update bounds while handling the mov32 instruction, which allowed local users to obtain potentially sensitive address information (bsc#1196130).
  • CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042: Fixed multiple issues which could have lead to read/write access to memory pages or denial of service. These issues are related to the Xen PV device frontend drivers. (bsc#1196488)

The following non-security bugs were fixed:

  • ALSA: intel_hdmi: Fix reference to PCM buffer address (git-fixes).
  • arm64: dts: rockchip: Switch RK3399-Gru DP to SPDIF output (git-fixes).
  • ARM: 9182/1: mmu: fix returns from earlyparam() and _setup() functions (git-fixes).
  • ARM: Fix kgdb breakpoint for Thumb2 (git-fixes).
  • asix: fix uninit-value in asixmdioread() (git-fixes).
  • ASoC: cs4265: Fix the duplicated control name (git-fixes).
  • ASoC: ops: Shift tested values in sndsocput_volsw() by +min (git-fixes).
  • ASoC: rt5682: do not block workqueue if card is unbound (git-fixes).
  • ata: pata_hpt37x: disable primary channel on HPT371 (git-fixes).
  • ax25: Fix NULL pointer dereference in ax25killby_device (git-fixes).
  • batman-adv: Do not expect inter-netns unique iflink indices (git-fixes).
  • batman-adv: Request iflink once in batadvgetreal_netdevice (git-fixes).
  • batman-adv: Request iflink once in batadv-on-batadv check (git-fixes).
  • blk-mq: do not free tags if the tag_set is used by other device in queue initialztion (bsc#1193787).
  • Bluetooth: btusb: Add missing Chicony device for Realtek RTL8723BE (bsc#1196779).
  • bnxt_en: Fix active FEC reporting to ethtool (jsc#SLE-16649).
  • bnxt_en: Fix incorrect multicast rx mask setting when not requested (git-fixes).
  • bnxt_en: Fix occasional ethtool -t loopback test failures (git-fixes).
  • bnxt_en: Fix offline ethtool selftest with RDMA enabled (git-fixes).
  • bonding: force carrier update when releasing slave (git-fixes).
  • can: gsusb: change activechannels's type from atomic_t to u8 (git-fixes).
  • cgroup/cpuset: Fix 'suspicious RCU usage' lockdep warning (bsc#1196868).
  • cgroup-v1: Correct privileges check in release_agent writes (bsc#1196723).
  • clk: jz4725b: fix mmc0 clock gating (git-fixes).
  • constraints: Also adjust disk requirement for x86 and s390.
  • constraints: Increase disk space for aarch64
  • cpufreq: schedutil: Use kobject release() method to free (git-fixes)
  • cpuset: Fix the bug that subpartcpus updated wrongly in updatecpumask() (bsc#1196866).
  • cputime, cpuacct: Include guest time in user time in (git-fixes)
  • dma-direct: Fix potential NULL pointer dereference (bsc#1196472 ltc#192278).
  • dmaengine: shdma: Fix runtime PM imbalance on error (git-fixes).
  • dma-mapping: Allow mixing bypass and mapped DMA operation (bsc#1196472 ltc#192278).
  • drm/amdgpu: disable MMHUB PG for Picasso (git-fixes).
  • drm/edid: Always set RGB444 (git-fixes).
  • drm/i915/dg1: Wait for pcode/uncore handshake at startup (bsc#1195211).
  • drm/i915/gen11+: Only load DRAM information from pcode (bsc#1195211).
  • drm/i915: Nuke not needed members of dram_info (bsc#1195211).
  • drm/i915: Remove memory frequency calculation (bsc#1195211).
  • drm/i915: Rename is16gbdimm to wmlv0adjustneeded (bsc#1195211).
  • drm/sun4i: mixer: Fix P010 and P210 format numbers (git-fixes).
  • EDAC/altera: Fix deferred probing (bsc#1178134).
  • EDAC: Fix calculation of returned address and next offset in edacalignptr() (bsc#1178134).
  • efivars: Respect 'block' flag in efivarentryset_safe() (git-fixes).
  • exfat: fix i_blocks for files truncated over 4 GiB (git-fixes).
  • exfat: fix incorrect loading of i_blocks for large files (git-fixes).
  • firmware: armscmi: Remove space in MODULEALIAS name (git-fixes).
  • gianfar: ethtool: Fix refcount leak in gfargetts_info (git-fixes).
  • gpiolib: acpi: Convert ACPI value of debounce to microseconds (git-fixes).
  • gpio: rockchip: Reset int_bothedge when changing trigger (git-fixes).
  • gpio: tegra186: Fix chip_data type confusion (git-fixes).
  • gpio: ts4900: Do not set DAT and OE together (git-fixes).
  • gtp: remove useless rcureadlock() (git-fixes).
  • hamradio: fix macro redefine warning (git-fixes).
  • Hand over the maintainership to SLE15-SP3 maintainers
  • HID: add mapping for KEYALLAPPLICATIONS (git-fixes).
  • HID: add mapping for KEY_DICTATE (git-fixes).
  • i2c: bcm2835: Avoid clock stretching timeouts (git-fixes).
  • iavf: Fix missing check for running netdev (git-fixes).
  • IB/hfi1: Correct guard on eager buffer deallocation (git-fixes).
  • IB/hfi1: Fix early init panic (git-fixes).
  • IB/hfi1: Fix leak of rcvhdrtaildummykvaddr (git-fixes).
  • IB/hfi1: Insure use of smpprocessorid() is preempt disabled (git-fixes).
  • IB/rdmavt: Validate remote_addr during loopback atomic tests (git-fixes).
  • ice: initialize local variable 'tlv' (jsc#SLE-12878).
  • igc: igcreadphyreggpy: drop premature return (git-fixes).
  • igc: igcwritephyreggpy: drop premature return (git-fixes).
  • iio: adc: ad7124: fix mask used for setting AINBUFP & AINBUFM bits (git-fixes).
  • iio: adc: menz188adc: Fix a resource leak in an error handling path (git-fixes).
  • iio: Fix error handling for PM (git-fixes).
  • Input: clear BTN_RIGHT/MIDDLE on buttonpads (git-fixes).
  • Input: elan_i2c - fix regulator enable count imbalance after suspend/resume (git-fixes).
  • Input: elani2c - move regulator[en|dis]able() out of elan[en|dis]ablepower() (git-fixes).
  • ixgbe: xsk: change !netifcarrierok() handling in ixgbexmitzc() (git-fixes).
  • mac80211: fix forwarded mesh frames AC & queue selection (git-fixes).
  • mac80211hwsim: initialize ieee80211txinfo at hwscan_work (git-fixes).
  • mac80211hwsim: report NOACK frames in txstatus (git-fixes).
  • mask out added spinlock in rndis_params (git-fixes).
  • mmc: meson: Fix usage of mesonmmcpost_req() (git-fixes).
  • net: dsa: mv88e6xxx: MV88E6097 does not support jumbo configuration (git-fixes).
  • net: ethernet: ti: cpsw: disable PTPv1 hw timestamping advertisement (git-fixes).
  • netfilter: nf_tables: fix memory leak during stateful obj update (bsc#1176447).
  • net: fix up skbs deltatruesize in UDP GRO fraglist (bsc#1176447).
  • net: hns3: Clear the CMDQ registers before unmapping BAR region (git-fixes).
  • net/mlx5e: Fix modify header actions memory leak (git-fixes).
  • net/mlx5e: Fix page DMA map/unmap attributes (bsc#1196468).
  • net/mlx5e: Fix wrong return value on ioctl EEPROM query failure (git-fixes).
  • net/mlx5e: kTLS, Use CHECKSUM_UNNECESSARY for device-offloaded packets (jsc#SLE-15172).
  • net/mlx5e: TC, Reject rules with drop and modify hdr action (git-fixes).
  • net/mlx5e: TC, Reject rules with forward and drop actions (git-fixes).
  • net/mlx5: Fix possible deadlock on rule deletion (git-fixes).
  • net/mlx5: Fix wrong limitation of metadata match on ecpf (git-fixes).
  • net/mlx5: Update the list of the PCI supported devices (git-fixes).
  • net: phy: DP83822: clear MISR2 register to disable interrupts (git-fixes).
  • net/sched: act_ct: Fix flow table lookup after ct clear or switching zones (jsc#SLE-15172).
  • netsec: ignore 'phy-mode' device property on ACPI systems (git-fixes).
  • net: sfc: Replace in_interrupt() usage (git-fixes).
  • net: tipc: validate domain record count on input (bsc#1195254).
  • net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990 (git-fixes).
  • NFC: port100: fix use-after-free in port100sendcomplete (git-fixes).
  • nfp: flower: Fix a potential leak in nfptunneladdsharedmac() (git-fixes).
  • nl80211: Handle nlamemdup failures in handlenan_filter (git-fixes).
  • ntb: intel: fix port config status offset for SPR (git-fixes).
  • nvme: fix a possible use-after-free in controller reset during load (git-fixes).
  • nvme-multipath: use vmalloc for ANA log buffer (bsc#1193787).
  • nvme-rdma: fix possible use-after-free in transport error_recovery work (git-fixes).
  • nvme-tcp: fix possible use-after-free in transport error_recovery work (git-fixes).
  • powerpc/dma: Fallback to dma_ops when persistent memory present (bsc#1196472 ltc#192278).
  • powerpc/fadump: register for fadump as early as possible (bsc#1179439 ltc#190038).
  • powerpc/mm: Remove dcache flush from memory remove (bsc#1196433 ltc#196449).
  • powerpc/powernv/memtrace: Fix dcache flushing (bsc#1196433 ltc#196449).
  • powerpc/pseries/iommu: Fix window size for direct mapping with pmem (bsc#1196472 ltc#192278).
  • RDMA/bnxt_re: Scan the whole bitmap when checking if 'disabling RCFW with pending cmd-bit' (git-fixes).
  • RDMA/cma: Do not change route.addr.src_addr outside state checks (bsc#1181147).
  • RDMA/cma: Let cmaresolveib_dev() continue search even after empty entry (git-fixes).
  • RDMA/cma: Remove open coding of overflow checking for privatedatalen (git-fixes).
  • RDMA/core: Do not infoleak GRH fields (git-fixes).
  • RDMA/core: Let ibfindgid() continue search even after empty entry (git-fixes).
  • RDMA/cxgb4: Set queue pair state when being queried (git-fixes).
  • RDMA/hns: Validate the pkey index (git-fixes).
  • RDMA/ib_srp: Fix a deadlock (git-fixes).
  • RDMA/mlx4: Do not continue event handler after memory allocation failure (git-fixes).
  • RDMA/rtrs-clt: Fix possible double free in error case (jsc#SLE-15176).
  • RDMA/rxe: Fix a typo in opcode name (git-fixes).
  • RDMA/siw: Fix broken RDMA Read Fence/Resume logic (git-fixes).
  • RDMA/uverbs: Check for null return of kmalloc_array (git-fixes).
  • RDMA/uverbs: Remove the unnecessary assignment (git-fixes).
  • README.BRANCH: Add Frederic Weisbecker as branch maintainer
  • README.BRANCH: Remove Davidlohr Bueso as a branch maintainer
  • rpm/arch-symbols,guards,*driver: Replace Novell with SUSE.
  • rpm: SC2006: Use $(...) notation instead of legacy backticked ....
  • sched/core: Mitigate race (git-fixes)
  • scsi: bnx2fc: Flush destroywork queue before calling bnx2fcinterface_put() (git-fixes).
  • scsi: bnx2fc: Make bnx2fcrecvframe() mp safe (git-fixes).
  • scsi: lpfc: Terminate string in lpfcdebugfsnvmeiotrcwrite() (git-fixes).
  • scsi: nsp_cs: Check of ioremap return value (git-fixes).
  • scsi: qedf: Fix potential dereference of NULL pointer (git-fixes).
  • scsi: smartpqi: Add PCI IDs (bsc#1196627).
  • scsi: ufs: Fix race conditions related to driver data (git-fixes).
  • selftests: mlxsw: tcpolicescale: Make test more robust (bsc#1176774).
  • soc: fsl: Correct MAINTAINERS database (QUICC ENGINE LIBRARY) (git-fixes).
  • soc: fsl: Correct MAINTAINERS database (SOC) (git-fixes).
  • soc: fsl: qe: Check of ioremap return value (git-fixes).
  • spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynqqspiexecmemop() (git-fixes).
  • sr9700: sanity check for packet length (bsc#1196836).
  • staging: gdm724x: fix use after free in gdmlterx() (git-fixes).
  • SUNRPC: avoid race between modtimer() and deltimer_sync() (bnc#1195403).
  • tracing: Fix return value of __setup handlers (git-fixes).
  • tty: n_gsm: fix encoding of control signal octet bit DV (git-fixes).
  • tty: n_gsm: fix proper link termination after failed open (git-fixes).
  • usb: dwc2: Fix Stalling a Non-Isochronous OUT EP (git-fixes).
  • usb: dwc2: gadget: Fix GOUTNAK flow for Slave mode (git-fixes).
  • usb: dwc2: gadget: Fix killallrequests race (git-fixes).
  • usb: dwc2: use well defined macros for power_down (git-fixes).
  • usb: dwc3: gadget: Let the interrupt handler disable bottom halves (git-fixes).
  • usb: dwc3: meson-g12a: Disable the regulator in the error handling path of the probe (git-fixes).
  • usb: dwc3: pci: Fix Bay Trail phy GPIO mappings (git-fixes).
  • usb: gadget: rndis: add spinlock for rndis response list (git-fixes).
  • USB: gadget: validate endpoint index for xilinx udc (git-fixes).
  • USB: gadget: validate interface OS descriptor requests (git-fixes).
  • usb: host: xen-hcd: add missing unlock in error path (git-fixes).
  • USB: hub: Clean up use of port initialization schemes and retries (git-fixes).
  • usb: hub: Fix locking issues with address0_mutex (git-fixes).
  • usb: hub: Fix usb enumeration issue due to address0 race (git-fixes).
  • USB: serial: option: add support for DW5829e (git-fixes).
  • USB: serial: option: add Telit LE910R1 compositions (git-fixes).
  • USB: zaurus: support another broken Zaurus (git-fixes).
  • vrf: Fix fast path output packet handling with async Netfilter rules (git-fixes).
  • xen/usb: do not use gnttabendforeignaccess() in xenhcdgnttab_done() (bsc#1196488, XSA-396).
  • xhci: Prevent futile URB re-submissions due to incorrect return value (git-fixes).
  • xhci: re-initialize the HC during resume if HCE was set (git-fixes).
References

Affected packages

SUSE:Real Time Module 15 SP3 / kernel-rt

Package

Name
kernel-rt
Purl
pkg:rpm/suse/kernel-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.3.18-150300.82.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-devel-rt": "5.3.18-150300.82.1",
            "dlm-kmp-rt": "5.3.18-150300.82.1",
            "kernel-rt-devel": "5.3.18-150300.82.1",
            "cluster-md-kmp-rt": "5.3.18-150300.82.1",
            "kernel-rt_debug-devel": "5.3.18-150300.82.1",
            "kernel-source-rt": "5.3.18-150300.82.1",
            "kernel-rt": "5.3.18-150300.82.1",
            "ocfs2-kmp-rt": "5.3.18-150300.82.1",
            "gfs2-kmp-rt": "5.3.18-150300.82.1",
            "kernel-syms-rt": "5.3.18-150300.82.1"
        }
    ]
}

SUSE:Real Time Module 15 SP3 / kernel-rt_debug

Package

Name
kernel-rt_debug
Purl
pkg:rpm/suse/kernel-rt_debug&distro=SUSE%20Real%20Time%20Module%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.3.18-150300.82.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-devel-rt": "5.3.18-150300.82.1",
            "dlm-kmp-rt": "5.3.18-150300.82.1",
            "kernel-rt-devel": "5.3.18-150300.82.1",
            "cluster-md-kmp-rt": "5.3.18-150300.82.1",
            "kernel-rt_debug-devel": "5.3.18-150300.82.1",
            "kernel-source-rt": "5.3.18-150300.82.1",
            "kernel-rt": "5.3.18-150300.82.1",
            "ocfs2-kmp-rt": "5.3.18-150300.82.1",
            "gfs2-kmp-rt": "5.3.18-150300.82.1",
            "kernel-syms-rt": "5.3.18-150300.82.1"
        }
    ]
}

SUSE:Real Time Module 15 SP3 / kernel-source-rt

Package

Name
kernel-source-rt
Purl
pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.3.18-150300.82.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-devel-rt": "5.3.18-150300.82.1",
            "dlm-kmp-rt": "5.3.18-150300.82.1",
            "kernel-rt-devel": "5.3.18-150300.82.1",
            "cluster-md-kmp-rt": "5.3.18-150300.82.1",
            "kernel-rt_debug-devel": "5.3.18-150300.82.1",
            "kernel-source-rt": "5.3.18-150300.82.1",
            "kernel-rt": "5.3.18-150300.82.1",
            "ocfs2-kmp-rt": "5.3.18-150300.82.1",
            "gfs2-kmp-rt": "5.3.18-150300.82.1",
            "kernel-syms-rt": "5.3.18-150300.82.1"
        }
    ]
}

SUSE:Real Time Module 15 SP3 / kernel-syms-rt

Package

Name
kernel-syms-rt
Purl
pkg:rpm/suse/kernel-syms-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.3.18-150300.82.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-devel-rt": "5.3.18-150300.82.1",
            "dlm-kmp-rt": "5.3.18-150300.82.1",
            "kernel-rt-devel": "5.3.18-150300.82.1",
            "cluster-md-kmp-rt": "5.3.18-150300.82.1",
            "kernel-rt_debug-devel": "5.3.18-150300.82.1",
            "kernel-source-rt": "5.3.18-150300.82.1",
            "kernel-rt": "5.3.18-150300.82.1",
            "ocfs2-kmp-rt": "5.3.18-150300.82.1",
            "gfs2-kmp-rt": "5.3.18-150300.82.1",
            "kernel-syms-rt": "5.3.18-150300.82.1"
        }
    ]
}

SUSE:Linux Enterprise Micro 5.1 / kernel-rt

Package

Name
kernel-rt
Purl
pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.3.18-150300.82.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-rt": "5.3.18-150300.82.1"
        }
    ]
}