-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update
Advisory ID:       RHSA-2022:1975-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1975
Issue date:        2022-05-10
CVE Names:         CVE-2020-0404 CVE-2020-13974 CVE-2020-27820 
                   CVE-2021-0941 CVE-2021-3612 CVE-2021-3669 
                   CVE-2021-3743 CVE-2021-3744 CVE-2021-3752 
                   CVE-2021-3759 CVE-2021-3764 CVE-2021-3772 
                   CVE-2021-3773 CVE-2021-4002 CVE-2021-4037 
                   CVE-2021-4083 CVE-2021-4157 CVE-2021-4197 
                   CVE-2021-4203 CVE-2021-20322 CVE-2021-26401 
                   CVE-2021-29154 CVE-2021-37159 CVE-2021-41864 
                   CVE-2021-42739 CVE-2021-43389 CVE-2021-43976 
                   CVE-2021-44733 CVE-2021-45485 CVE-2021-45486 
                   CVE-2022-0001 CVE-2022-0002 CVE-2022-0286 
                   CVE-2022-0322 CVE-2022-1011 
=====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time (v. 8) - x86_64
Red Hat Enterprise Linux Real Time for NFV (v. 8) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: fget: check that the fd still exists after getting a ref to it
(CVE-2021-4083)

* kernel: avoid cyclic entity chains due to malformed USB descriptors
(CVE-2020-0404)

* kernel: integer overflow in k_ascii() in drivers/tty/vt/keyboard.c
(CVE-2020-13974)

* kernel: out-of-bounds read in bpf_skb_change_head() of filter.c due to a
use-after-free (CVE-2021-0941)

* kernel: joydev: zero size passed to joydev_handle_JSIOCSBTNMAP()
(CVE-2021-3612)

* kernel: reading /proc/sysvipc/shm does not scale with large shared memory
segment counts (CVE-2021-3669)

* kernel: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
(CVE-2021-3743)

* kernel: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
(CVE-2021-3744)

* kernel: possible use-after-free in bluetooth module (CVE-2021-3752)

* kernel: unaccounted ipc objects in Linux kernel lead to breaking memcg
limits and DoS attacks (CVE-2021-3759)

* kernel: DoS in ccp_run_aes_gcm_cmd() function (CVE-2021-3764)

* kernel: sctp: Invalid chunks may be used to remotely remove existing
associations (CVE-2021-3772)

* kernel: lack of port sanity checking in natd and netfilter leads to
exploit of OpenVPN clients (CVE-2021-3773)

* kernel: possible leak or coruption of data residing on hugetlbfs
(CVE-2021-4002)

* kernel: security regression for CVE-2018-13405 (CVE-2021-4037)

* kernel: Buffer overwrite in decode_nfs_fh function (CVE-2021-4157)

* kernel: cgroup: Use open-time creds and namespace for migration perm
checks (CVE-2021-4197)

* kernel: Race condition in races in sk_peer_pid and sk_peer_cred accesses
(CVE-2021-4203)

* kernel: new DNS Cache Poisoning Attack based on ICMP fragment needed
packets replies (CVE-2021-20322)

* hw: cpu: LFENCE/JMP Mitigation Update for CVE-2017-5715 (CVE-2021-26401)

* kernel: Local privilege escalation due to incorrect BPF JIT branch
displacement computation (CVE-2021-29154)

* kernel: use-after-free in hso_free_net_device() in drivers/net/usb/hso.c
(CVE-2021-37159)

* kernel: eBPF multiplication integer overflow in
prealloc_elems_and_freelist() in kernel/bpf/stackmap.c leads to
out-of-bounds write (CVE-2021-41864)

* kernel: Heap buffer overflow in firedtv driver (CVE-2021-42739)

* kernel: an array-index-out-bounds in detach_capi_ctr in
drivers/isdn/capi/kcapi.c (CVE-2021-43389)

* kernel: mwifiex_usb_recv() in drivers/net/wireless/marvell/mwifiex/usb.c
allows an attacker to cause DoS via crafted USB device (CVE-2021-43976)

* kernel: use-after-free in the TEE subsystem (CVE-2021-44733)

* kernel: information leak in the IPv6 implementation (CVE-2021-45485)

* kernel: information leak in the IPv4 implementation (CVE-2021-45486)

* hw: cpu: intel: Branch History Injection (BHI) (CVE-2022-0001)

* hw: cpu: intel: Intra-Mode BTI (CVE-2022-0002)

* kernel: Local denial of service in bond_ipsec_add_sa (CVE-2022-0286)

* kernel: DoS in sctp_addto_chunk in net/sctp/sm_make_chunk.c
(CVE-2022-0322)

* kernel: FUSE allows UAF reads of write() buffers, allowing theft of
(partial) /etc/shadow hashes (CVE-2022-1011)

* kernel: use-after-free in nouveau kernel module (CVE-2020-27820)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.6 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1901726 - CVE-2020-27820 kernel: use-after-free in nouveau kernel module
1903578 - kernnel-rt-debug: do not call blocking ops when !TASK_RUNNING; state=1 set at [<0000000050e86018>] handle_userfault+0x530/0x1820
1905749 - kernel-rt-debug: BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:968
1919791 - CVE-2020-0404 kernel: avoid cyclic entity chains due to malformed USB descriptors
1946684 - CVE-2021-29154 kernel: Local privilege escalation due to incorrect BPF JIT branch displacement computation
1951739 - CVE-2021-42739 kernel: Heap buffer overflow in firedtv driver
1974079 - CVE-2021-3612 kernel: joydev: zero size passed to joydev_handle_JSIOCSBTNMAP()
1985353 - CVE-2021-37159 kernel: use-after-free in hso_free_net_device() in drivers/net/usb/hso.c
1986473 - CVE-2021-3669 kernel: reading /proc/sysvipc/shm does not scale with large shared memory segment counts
1997467 - CVE-2021-3764 kernel: DoS in ccp_run_aes_gcm_cmd() function
1997961 - CVE-2021-3743 kernel: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
1999544 - CVE-2021-3752 kernel: possible use-after-free in bluetooth module
1999675 - CVE-2021-3759 kernel: unaccounted ipc objects in Linux kernel lead to breaking memcg limits and DoS attacks
2000627 - CVE-2021-3744 kernel: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
2000694 - CVE-2021-3772 kernel: sctp: Invalid chunks may be used to remotely remove existing associations
2004949 - CVE-2021-3773 kernel: lack of port sanity checking in natd and netfilter leads to exploit of OpenVPN clients
2010463 - CVE-2021-41864 kernel: eBPF multiplication integer overflow in prealloc_elems_and_freelist() in kernel/bpf/stackmap.c leads to out-of-bounds write
2013180 - CVE-2021-43389 kernel: an array-index-out-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c
2014230 - CVE-2021-20322 kernel: new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies
2016169 - CVE-2020-13974 kernel: integer overflow in k_ascii() in drivers/tty/vt/keyboard.c
2018205 - CVE-2021-0941 kernel: out-of-bounds read in bpf_skb_change_head() of filter.c due to a use-after-free
2025003 - CVE-2021-43976 kernel: mwifiex_usb_recv() in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker to cause DoS via crafted USB device
2025726 - CVE-2021-4002 kernel: possible leak or coruption of data residing on hugetlbfs
2027239 - CVE-2021-4037 kernel: security regression for CVE-2018-13405
2029923 - CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it
2030747 - CVE-2021-44733 kernel: use-after-free in the TEE subsystem
2034342 - CVE-2021-4157 kernel: Buffer overwrite in decode_nfs_fh function
2035652 - CVE-2021-4197 kernel: cgroup: Use open-time creds and namespace for migration perm checks
2036934 - CVE-2021-4203 kernel: Race condition in races in sk_peer_pid and sk_peer_cred accesses
2037019 - CVE-2022-0286 kernel: Local denial of service in bond_ipsec_add_sa
2039911 - CVE-2021-45485 kernel: information leak in the IPv6 implementation
2039914 - CVE-2021-45486 kernel: information leak in the IPv4 implementation
2042822 - CVE-2022-0322 kernel: DoS in sctp_addto_chunk in net/sctp/sm_make_chunk.c
2061700 - CVE-2021-26401 hw: cpu: LFENCE/JMP Mitigation Update for CVE-2017-5715
2061712 - CVE-2022-0001 hw: cpu: intel: Branch History Injection (BHI)
2061721 - CVE-2022-0002 hw: cpu: intel: Intra-Mode BTI
2064855 - CVE-2022-1011 kernel: FUSE allows UAF reads of write() buffers, allowing theft of (partial) /etc/shadow hashes

6. Package List:

Red Hat Enterprise Linux Real Time for NFV (v. 8):

Source:
kernel-rt-4.18.0-372.9.1.rt7.166.el8.src.rpm

x86_64:
kernel-rt-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-core-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-core-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-debuginfo-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-devel-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-kvm-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-modules-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-modules-extra-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debuginfo-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-devel-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-kvm-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-modules-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-modules-extra-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm

Red Hat Enterprise Linux Real Time (v. 8):

Source:
kernel-rt-4.18.0-372.9.1.rt7.166.el8.src.rpm

x86_64:
kernel-rt-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-core-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-core-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-debuginfo-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-devel-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-modules-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debug-modules-extra-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debuginfo-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-devel-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-modules-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm
kernel-rt-modules-extra-4.18.0-372.9.1.rt7.166.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-0404
https://access.redhat.com/security/cve/CVE-2020-13974
https://access.redhat.com/security/cve/CVE-2020-27820
https://access.redhat.com/security/cve/CVE-2021-0941
https://access.redhat.com/security/cve/CVE-2021-3612
https://access.redhat.com/security/cve/CVE-2021-3669
https://access.redhat.com/security/cve/CVE-2021-3743
https://access.redhat.com/security/cve/CVE-2021-3744
https://access.redhat.com/security/cve/CVE-2021-3752
https://access.redhat.com/security/cve/CVE-2021-3759
https://access.redhat.com/security/cve/CVE-2021-3764
https://access.redhat.com/security/cve/CVE-2021-3772
https://access.redhat.com/security/cve/CVE-2021-3773
https://access.redhat.com/security/cve/CVE-2021-4002
https://access.redhat.com/security/cve/CVE-2021-4037
https://access.redhat.com/security/cve/CVE-2021-4083
https://access.redhat.com/security/cve/CVE-2021-4157
https://access.redhat.com/security/cve/CVE-2021-4197
https://access.redhat.com/security/cve/CVE-2021-4203
https://access.redhat.com/security/cve/CVE-2021-20322
https://access.redhat.com/security/cve/CVE-2021-26401
https://access.redhat.com/security/cve/CVE-2021-29154
https://access.redhat.com/security/cve/CVE-2021-37159
https://access.redhat.com/security/cve/CVE-2021-41864
https://access.redhat.com/security/cve/CVE-2021-42739
https://access.redhat.com/security/cve/CVE-2021-43389
https://access.redhat.com/security/cve/CVE-2021-43976
https://access.redhat.com/security/cve/CVE-2021-44733
https://access.redhat.com/security/cve/CVE-2021-45485
https://access.redhat.com/security/cve/CVE-2021-45486
https://access.redhat.com/security/cve/CVE-2022-0001
https://access.redhat.com/security/cve/CVE-2022-0002
https://access.redhat.com/security/cve/CVE-2022-0286
https://access.redhat.com/security/cve/CVE-2022-0322
https://access.redhat.com/security/cve/CVE-2022-1011
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.6_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYnqRVtzjgjWX9erEAQjwiA//R/ZVJ7xroUR7Uf1az+8xZqs4OZQADIUc
/92cDd6MRyzkvwQx5u7JmD5E6KbRf3NGfDsuoC0jVJJJcp8GT0tWkxPIjCi2RNbI
/9nlbkfp0eQqRGmpL753W/7sfzAnbiOeP47rr+lJU24OBDcbrZn5X3Ex0EdzcdeD
fmVnAxB8bsXyZwcnX9m6mVlBxY+fm6SC78O+/rPzVUHl5NhQASqi0sYSwydyqZvG
a/9p5gXd9nnyV7NtJj58pS7brxQFq4RcM5VhTjix3a/ZaZEwT+nDMj3+RXXwUhGe
HJ6AdJoNI19huMXtn/fYhomb/LIHQos+kHQrBbJ+KmaFE4DD08Uv2uHSyeEe1ksT
oUwcGcIbSta6LBNO60Lh0XVj6FgFWNnNsAGX27nxCHfzDjuJ3U4Tyh8gL+ID2K1t
3nwoQl5gxUokFS0sUIuD0pj2LFW1vg2E2pMcbzPDqFwj0MXn5DpTb4qeuiRWzA05
s+upi3Cd6XmRNKPH8DDOrGNGW0dJqJtuXhUmziZjKPMJK5Ygnhoc+3hYG/EJzGiq
S/VHXR5hnJ+RAPz2U8rETfCW2Dvz7lCUh5rJGg/8f8MCyAMCPpFqXbkNvpt3BIKy
2SLBhh0Mci1fprA35q2eNCjduntja3oxnVx+YAKPM30hzE7ejwHFEZHPGOdKB0q/
aHIZwOKDLaE=
=hqV1
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce