kernel-5.14.0-162.6.1.el9_1
Errata ID: AXSA:2023-4648:01
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fix(es):
* off-path attacker may inject data or terminate victim's TCP session (CVE-2020-36516)
* use-after-free vulnerability in function sco_sock_sendmsg() (CVE-2021-3640)
* smb2_ioctl_query_info NULL pointer dereference (CVE-2022-0168)
* NULL pointer dereference in udf_expand_file_adinicb() during writeback (CVE-2022-0617)
* swiotlb information leak with DMA_FROM_DEVICE (CVE-2022-0854)
* uninitialized registers on stack in nft_do_chain can cause kernel pointer leakage to UM (CVE-2022-1016)
* race condition in snd_pcm_hw_free leading to use-after-free (CVE-2022-1048)
* use-after-free and memory errors in ext4 when mounting and operating on a corrupted image (CVE-2022-1184)
* concurrency use-after-free between drm_setmaster_ioctl and drm_mode_getresources (CVE-2022-1280)
* kernel info leak issue in pfkey_register (CVE-2022-1353)
* use-after-free in ath9k_htc_probe_device() could cause an escalation of privileges (CVE-2022-1679)
* NULL pointer dereference in x86_emulate_insn may lead to DoS (CVE-2022-1852)
* fanotify misuses fd_install() which could lead to use-after-free (CVE-2022-1998)
* nf_tables cross-table potential use-after-free may lead to local privilege escalation (CVE-2022-2586)
* integer underflow leads to out-of-bounds write in reserve_sfa_size() (CVE-2022-2639)
* slab-out-of-bounds access in packet_recvmsg() (CVE-2022-20368)
* incomplete clean-up of multi-core shared buffers (aka SBDR) (CVE-2022-21123)
* incomplete clean-up of microarchitectural fill buffers (aka SBDS) (CVE-2022-21125)
* incomplete clean-up in specific special register write operations (aka DRPW) (CVE-2022-21166)
* possible to use the debugger to write zero into a location of choice (CVE-2022-21499)
* AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions (CVE-2022-23816, CVE-2022-29900)
* AMD: Branch Type Confusion (non-retbleed) (CVE-2022-23825)
* Intel: Post-barrier Return Stack Buffer Predictions (CVE-2022-26373)
* double free in ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c (CVE-2022-28390)
* use after free in SUNRPC subsystem (CVE-2022-28893)
* use-after-free due to improper update of reference count in net/sched/cls_u32.c (CVE-2022-29581)
* Intel: RetBleed Arbitrary Speculative Code Execution with Return Instructions (CVE-2022-29901)
* DoS in nfqnl_mangle in net/netfilter/nfnetlink_queue.c (CVE-2022-36946)
* nf_tables disallow binding to already bound chain (CVE-2022-39190)
* nfs_atomic_open() returns uninitialized data instead of ENOTDIR (CVE-2022-24448)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2020-36516
An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session or terminate that session.
CVE-2021-3640
A use-after-free flaw was found in the sco_sock_sendmsg() function of the Linux kernel HCI subsystem, in the way a user calls the ioctl UFFDIO_REGISTER or otherwise triggers a race condition between the call to sco_conn_del() and the call to sco_sock_sendmsg() with the expected controllable faulting memory page. A privileged local user could use this flaw to crash the system or escalate their privileges on the system.
CVE-2022-0168
A denial of service (DoS) issue was found in the Linux kernel’s smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS) due to an incorrect return from the memdup_user function. This flaw allows a local, privileged (CAP_SYS_ADMIN) attacker to crash the system.
CVE-2022-0617
A NULL pointer dereference flaw was found in the Linux kernel’s UDF file system functionality, in the way a user triggers the udf_file_write_iter function for a malicious UDF image. A local user could use this flaw to crash the system. This affects Linux kernel versions from 4.2-rc1 until 5.17-rc2.
CVE-2022-0854
A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.
CVE-2022-1016
A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle 'return' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.
CVE-2022-1048
A use-after-free flaw was found in the Linux kernel’s sound subsystem in the way a user triggers concurrent calls of the PCM hw_params and hw_free ioctls, or a similar race condition inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVE-2022-1184
A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel’s filesystem sub-component. This flaw allows a local attacker with user privileges to cause a denial of service.
CVE-2022-1280
A use-after-free vulnerability was found in drm_lease_held in drivers/gpu/drm/drm_lease.c in the Linux kernel due to a race problem. This flaw allows a local attacker with user privileges to cause a denial of service (DoS) or a kernel information leak.
CVE-2022-1353
A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information.
CVE-2022-1679
A use-after-free flaw was found in the Linux kernel’s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVE-2022-1852
A NULL pointer dereference flaw was found in the Linux kernel’s KVM module, which can lead to a denial of service in x86_emulate_insn in arch/x86/kvm/emulate.c. This flaw occurs while executing an illegal instruction in a guest on an Intel CPU.
CVE-2022-1998
A use-after-free flaw was found in the Linux kernel’s File System notify functionality, in the way a user triggers the copy_info_records_to_user() call to fail in copy_event_to_user(). A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
CVE-2022-20368
Product: Android; Versions: Android kernel; Android ID: A-224546354; References: Upstream kernel
CVE-2022-21123
Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2022-21125
Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2022-21166
Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2022-21499
KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown. An attacker with access to a serial port could trigger the debugger so it is important that the debugger respect the lockdown mode when/if it is triggered. CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
CVE-2022-23816
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2022-23825
Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type potentially leading to information disclosure.
CVE-2022-24448
An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.
CVE-2022-2586
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2022-26373
Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
CVE-2022-2639
An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVE-2022-28390
ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.
CVE-2022-28893
The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.
CVE-2022-29581
An Improper Update of Reference Count vulnerability in net/sched of the Linux kernel allows a local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.
CVE-2022-29900
Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.
CVE-2022-29901
Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.
CVE-2022-36946
nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len.
CVE-2022-39190
An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of service can occur upon binding to an already bound chain.
Update packages.
SRPMS
- kernel-5.14.0-162.6.1.el9_1.src.rpm
MD5: 807312489e1f3d0015234356fd57dacb
SHA-256: 88efc55af49cb0cf3f0805e36dd0c35a3e92c137a599551e67965f532a34aaff
Size: 130.99 MB
Asianux Server 9 for x86_64
- bpftool-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: 4d6c012da3f6c4dff79242bc45741e39
SHA-256: fa50980158823bef9816e354f17c42d8ddf7774bdcb17a3acdb8d8d5b4e01900
Size: 2.57 MB
- kernel-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: 732eb039b07ff9f5e3776e575cac2b94
SHA-256: 1201872295ad7cc249d536800ad4243d6dee275fc4c6697536b454a023a8b6e0
Size: 1.85 MB
- kernel-abi-stablelists-5.14.0-162.6.1.el9_1.noarch.rpm
MD5: 56e90e8aad92895c8037707d8397c3d2
SHA-256: fc84e81a5f7914f1a3bfc0972b2f7689e62f99ee835a399c4dab2ace5a227a63
Size: 1.85 MB
- kernel-core-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: fe79e070ce4da12cba6716cd31c032ce
SHA-256: acefdcd145a47fcc738df7f4c9c04a364bceb22a28972c936b1e9852e00c243e
Size: 45.41 MB
- kernel-cross-headers-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: eca4ff9ad1cc4643893a66315cc48053
SHA-256: e9e876e836ae6f53820f37049029ef817a852ea64125d518bbfa5fe6aa60e1c8
Size: 7.32 MB
- kernel-debug-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: 013c4d843ddce7a2b45e6432cb819647
SHA-256: 2f21d1cd234b315316f371475042fe9b878ab3f081259d60beb2eaea1872e0ab
Size: 1.85 MB
- kernel-debug-core-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: 1974f9c8c6d1ce49876421c63455ed81
SHA-256: d004c85bf9cbf3eb63c71e388f8632508dbc6f35a95dc239b57389d51a5b024d
Size: 67.07 MB
- kernel-debug-devel-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: 5aad9d3f70ffd22df0ecb0266852cac9
SHA-256: 6fe4aa9c7f26a7750b6b5ab4dcd1c71dd2dd739ede14b0f29ae8d2da8cab8e8c
Size: 16.68 MB
- kernel-debug-devel-matched-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: 2a7ebc3ed5d07d4a2b994a246624545a
SHA-256: 8a2156749b606fc88490a9ed50930344dde92c71cc03d8e99df5729a7fce22b4
Size: 1.85 MB
- kernel-debug-modules-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: 5ff89f216322a3619eb8dc0cedbb3bc6
SHA-256: 6a1e47e73c9ed18d5e7ad0c1bdcded518e5b13af6ebabc66bcdede0efd8e303d
Size: 52.26 MB
- kernel-debug-modules-extra-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: 2e574f287cbab96ea4d69ed0062ea456
SHA-256: 4a62e5835029122da0c29936b0f14b9c574f77e4e92a283c181f9325d02d2cd1
Size: 2.66 MB
- kernel-devel-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: 2dd082c081fb7f0a5d2c4168730a99b3
SHA-256: d12447017fc3f62fdca5ff11ddb1475657a7b418759f9ee195f94b862d2e99e5
Size: 16.57 MB
- kernel-devel-matched-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: f8533cb07b22ae844bebd97896f22193
SHA-256: d311549324ef82c32ab879826b7056cad57fb7413452bc57bc4f99f47e6d3be3
Size: 1.85 MB
- kernel-doc-5.14.0-162.6.1.el9_1.noarch.rpm
MD5: c5314a6ab9d79220c7af20a321036972
SHA-256: 107fde7fcb0dd46c12156d11dc915c0fb9519ab168e999a567407631613cdeba
Size: 29.90 MB
- kernel-headers-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: 27ebf0f348429ee3980f356ea214fa3f
SHA-256: 8e605ef942984b2e4d9db5195c95b4cdb59f3f2760cf2450763a47d64a3547bf
Size: 3.23 MB
- kernel-modules-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: addcf5ed01b93cd145489feb749c7ab5
SHA-256: 64cfb786ebb0e56e137120169c5fe12021402a51e9f186291cb31f06fc4014f5
Size: 33.43 MB
- kernel-modules-extra-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: f64e3f3367f45ca461d713486de5ee6a
SHA-256: b17547505604a3c19ea608bd5c530604858a0bfee0e474d0925a132e5ab3888d
Size: 2.56 MB
- kernel-tools-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: 44592ac903a7e9b82f3111a9036a186c
SHA-256: 2bc5532ca9961ad453aa6851742f12a608f6932679acd5d1996570164bb819f8
Size: 2.07 MB
- kernel-tools-libs-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: 12900a7209db34e0c9452407b92c805d
SHA-256: 4879ed444b1a195dea893111313d7a7e8fa5f18aae57819ab2a5a2fe57c03d24
Size: 1.86 MB
- kernel-tools-libs-devel-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: 49d0ca71b5f0b247d5a6f1d63a64f771
SHA-256: 1f7987896fd57588a7fc0fb39eea9ddff1dd2f120276ea8037f5fc19dd902a44
Size: 1.85 MB
- perf-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: 83a5297c0fdc0266ff79ecd488fb2010
SHA-256: 74f4217debe6a7659328a16806f00b8622f83bde34eb659d19646a6db4b7d25a
Size: 4.17 MB
- python3-perf-5.14.0-162.6.1.el9_1.x86_64.rpm
MD5: 66162200599d95f30ece474f9414b4ac
SHA-256: 03874e3ce9f748af3bc5e9c6accbb1421d42aad4196c917794b2e3b091e3c1c6
Size: 1.98 MB