-------------------------------------------------------------------------
Debian LTS Advisory DLA-2941-1                [email protected]
https://www.debian.org/lts/security/                        Ben Hutchings
March 09, 2022                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux-4.19
Version        : 4.19.232-1~deb9u1
CVE ID         : CVE-2020-29374 CVE-2020-36322 CVE-2021-3640 CVE-2021-3744
                 CVE-2021-3752 CVE-2021-3760 CVE-2021-3764 CVE-2021-3772
                 CVE-2021-4002 CVE-2021-4083 CVE-2021-4135 CVE-2021-4155
                 CVE-2021-4203 CVE-2021-20317 CVE-2021-20321 CVE-2021-20322
                 CVE-2021-22600 CVE-2021-28711 CVE-2021-28712 CVE-2021-28713
                 CVE-2021-28714 CVE-2021-28715 CVE-2021-28950 CVE-2021-38300
                 CVE-2021-39685 CVE-2021-39686 CVE-2021-39698 CVE-2021-39713
                 CVE-2021-41864 CVE-2021-42739 CVE-2021-43389 CVE-2021-43975
                 CVE-2021-43976 CVE-2021-44733 CVE-2021-45095 CVE-2021-45469
                 CVE-2021-45480 CVE-2022-0001 CVE-2022-0002 CVE-2022-0322
                 CVE-2022-0330 CVE-2022-0435 CVE-2022-0487 CVE-2022-0492
                 CVE-2022-0617 CVE-2022-0644 CVE-2022-22942 CVE-2022-24448
                 CVE-2022-24959 CVE-2022-25258 CVE-2022-25375
Debian Bug     : 988044 989285 990411 994050

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2020-29374

    Jann Horn of Google reported a flaw in Linux's virtual memory
    management.  A parent and child process initially share all their
    memory, but when either writes to a shared page, the page is
    duplicated and unshared (copy-on-write).  However, in case an
    operation such as vmsplice() required the kernel to take an
    additional reference to a shared page, and a copy-on-write occurs
    during this operation, the kernel might have accessed the wrong
    process's memory.  For some programs, this could lead to an
    information leak or data corruption.

    This issue was already fixed for most architectures, but not on
    MIPS and System z.  This update corrects that.

CVE-2020-36322, CVE-2021-28950

    The syzbot tool found that the FUSE (filesystem-in-user-space)
    implementation did not correctly handle a FUSE server returning
    invalid attributes for a file.  A local user permitted to run a
    FUSE server could use this to cause a denial of service (crash).

    The original fix for this introduced a different potential denial
    of service (infinite loop in kernel space), which has also been
    fixed.

CVE-2021-3640

    Lin Ma discovered a race condiiton in the Bluetooth protocol
    implementation that can lead to a use-after-free.  A local
    user could exploit this to cause a denial of service (memory
    corruption or crash) or possibly for privilege escalation.

CVE-2021-3744, CVE-2021-3764

    minihanshen reported bugs in the ccp driver for AMD
    Cryptographic Coprocessors that could lead to a resource leak.
    On systems using this driver, a local user could exploit this to
    cause a denial of service.

CVE-2021-3752

    Likang Luo of NSFOCUS Security Team discovered a flaw in the
    Bluetooth L2CAP implementation that can lead to a user-after-free.
    A local user could exploit this to cause a denial of service
    (memory corruption or crash) or possibly for privilege escalation.

CVE-2021-3760, CVE-2021-4202

    Lin Ma discovered race conditions in the NCI (NFC Controller
    Interface) driver, which could lead to a use-after-free.  A local
    user could exploit this to cause a denial of service (memory
    corruption or crash) or possibly for privilege escalation.

    This driver is not enabled in Debian's official kernel
    configurations.

CVE-2021-3772

    A flaw was found in the SCTP protocol implementation, which would
    allow a networked attacker to break an SCTP association.  The
    attacker would only need to know or guess the IP addresses and
    ports for the association.

CVE-2021-4002

    It was discovered that hugetlbfs, the virtual filesystem used by
    applications to allocate huge pages in RAM, did not flush the
    CPU's TLB in one case where it was necessary.  In some
    circumstances a local user would be able to read and write huge
    pages after they are freed and reallocated to a different process.
    This could lead to privilege escalation, denial of service or
    information leaks.

CVE-2021-4083

    Jann Horn reported a race condition in the local (Unix) sockets
    garbage collector, that can lead to use-after-free.  A local user
    could exploit this to cause a denial of service (memory corruption
    or crash) or possibly for privilege escalation.

CVE-2021-4135

    A flaw was found in the netdevsim driver which would lead to an
    information leak.

    This driver is not enabled in Debian's official kernel
    configurations.

CVE-2021-4155

    Kirill Tkhai discovered a data leak in the way the XFS_IOC_ALLOCSP
    IOCTL in the XFS filesystem allowed for a size increase of files
    with unaligned size. A local attacker can take advantage of this
    flaw to leak data on the XFS filesystem.

CVE-2021-4203

    Jann Horn reported a race condition in the local (Unix) sockets
    implementation that can lead to a use-after-free.  A local user
    could exploit this to leak sensitive information from the kernel.

CVE-2021-20317

    It was discovered that the timer queue structure could become
    corrupt, leading to waiting tasks never being woken up.  A local
    user with certain privileges could exploit this to cause a denial
    of service (system hang).

CVE-2021-20321

    A race condition was discovered in the overlayfs filesystem
    driver.  A local user with access to an overlayfs mount and to its
    underlying upper directory could exploit this for privilege
    escalation.

CVE-2021-20322

    An information leak was discovered in the IPv4 implementation.  A
    remote attacker could exploit this to quickly discover which UDP
    ports a system is using, making it easier for them to carry out a
    DNS poisoning attack against that system.

CVE-2021-22600

    The syzbot tool found a flaw in the packet socket (AF_PACKET)
    implementation which could lead to incorrectly freeing memory.  A
    local user with CAP_NET_RAW capability (in any user namespace)
    could exploit this for denial of service (memory corruption or
    crash) or possibly for privilege escalation.

CVE-2021-28711, CVE-2021-28712, CVE-2021-28713 (XSA-391)

    Juergen Gross reported that malicious PV backends can cause a denial
    of service to guests being serviced by those backends via high
    frequency events, even if those backends are running in a less
    privileged environment.

CVE-2021-28714, CVE-2021-28715 (XSA-392)

    Juergen Gross discovered that Xen guests can force the Linux
    netback driver to hog large amounts of kernel memory, resulting in
    denial of service.

CVE-2021-38300

    Piotr Krysiuk discovered a flaw in the classic BPF (cBPF) JIT
    compiler for MIPS architectures.  A local user could exploit
    this to excute arbitrary code in the kernel.

    This issue is mitigated by setting sysctl
    net.core.bpf_jit_enable=0, which is the default.  It is *not*
    mitigated by disabling unprivileged use of eBPF.

CVE-2021-39685

    Szymon Heidrich discovered a buffer overflow vulnerability in the
    USB gadget subsystem, resulting in information disclosure, denial of
    service or privilege escalation.

CVE-2021-39686

    A race condition was discovered in the Android binder driver, that
    could lead to incorrect security checks.  On systems where the
    binder driver is loaded, a local user could exploit this for
    privilege escalation.

CVE-2021-39698

    Linus Torvalds reported a flaw in the file polling implementation,
    which could lead to a use-after-free.  A local user could exploit
    this for denial of service (memory corruption or crash) or
    possibly for privilege escalation.

CVE-2021-39713

    The syzbot tool found a race condition in the network scheduling
    subsystem which could lead to a use-after-free.  A local user
    could exploit this for denial of service (memory corruption or
    crash) or possibly for privilege escalation.

CVE-2021-41864

    An integer overflow was discovered in the Extended BPF (eBPF)
    subsystem.  A local user could exploit this for denial of service
    (memory corruption or crash), or possibly for privilege
    escalation.

    This can be mitigated by setting sysctl
    kernel.unprivileged_bpf_disabled=1, which disables eBPF use by
    unprivileged users.

CVE-2021-42739

    A heap buffer overflow was discovered in the firedtv driver for
    FireWire-connected DVB receivers.  A local user with access to a
    firedtv device could exploit this for denial of service (memory
    corruption or crash), or possibly for privilege escalation.

CVE-2021-43389

    The Active Defense Lab of Venustech discovered a flaw in the CMTP
    subsystem as used by Bluetooth, which could lead to an
    out-of-bounds read and object type confusion.  A local user with
    CAP_NET_ADMIN capability in the initial user namespace could
    exploit this for denial of service (memory corruption or crash),
    or possibly for privilege escalation.

CVE-2021-43975

    Brendan Dolan-Gavitt reported a flaw in the
    hw_atl_utils_fw_rpc_wait() function in the aQuantia AQtion ethernet
    device driver which can result in denial of service or the execution
    of arbitrary code.

CVE-2021-43976

    Zekun Shen and Brendan Dolan-Gavitt discovered a flaw in the
    mwifiex_usb_recv() function of the Marvell WiFi-Ex USB Driver. An
    attacker able to connect a crafted USB device can take advantage of
    this flaw to cause a denial of service.

CVE-2021-44733

    A race condition was discovered in the Trusted Execution
    Environment (TEE) subsystem for Arm processors, which could lead
    to a use-after-free.  A local user permitted to access a TEE
    device could exploit this for denial of service (memory corruption
    or crash) or possibly for privilege escalation.

CVE-2021-45095

    It was discovered that the Phone Network protocol (PhoNet) driver
    has a reference count leak in the pep_sock_accept() function.

CVE-2021-45469

    Wenqing Liu reported an out-of-bounds memory access in the f2fs
    implementation if an inode has an invalid last xattr entry. An
    attacker able to mount a specially crafted image can take advantage
    of this flaw for denial of service.

CVE-2021-45480

    A memory leak flaw was discovered in the __rds_conn_create()
    function in the RDS (Reliable Datagram Sockets) protocol subsystem.

CVE-2022-0001 (INTEL-SA-00598)

    Researchers at VUSec discovered that the Branch History Buffer in
    Intel processors can be exploited to create information side-
    channels with speculative execution.  This issue is similar to
    Spectre variant 2, but requires additional mitigations on some
    processors.

    This can be exploited to obtain sensitive information from a
    different security context, such as from user-space to the kernel,
    or from a KVM guest to the kernel.

CVE-2022-0002 (INTEL-SA-00598)

    This is a similar issue to CVE-2022-0001, but covers exploitation
    within a security context, such as from JIT-compiled code in a
    sandbox to hosting code in the same process.

    This can be partly mitigated by disabling eBPF for unprivileged
    users with the sysctl: kernel.unprivileged_bpf_disabled=2.  This
    update does that by default.

CVE-2022-0322

    Eiichi Tsukata discovered a flaw in the sctp_make_strreset_req()
    function in the SCTP network protocol implementation which can
    result in denial of service.

CVE-2022-0330

    Sushma Venkatesh Reddy discovered a missing GPU TLB flush in the
    i915 driver, resulting in denial of service or privilege escalation.

CVE-2022-0435

    Samuel Page and Eric Dumazet reported a stack overflow in the
    networking module for the Transparent Inter-Process Communication
    (TIPC) protocol, resulting in denial of service or potentially the
    execution of arbitrary code.

CVE-2022-0487

    A use-after-free was discovered in the MOXART SD/MMC Host Controller
    support driver. This flaw does not impact the Debian binary packages
    as CONFIG_MMC_MOXART is not set.

CVE-2022-0492

    Yiqi Sun and Kevin Wang reported that the cgroup-v1 subsystem does
    not properly restrict access to the release-agent feature. A local
    user can take advantage of this flaw for privilege escalation and
    bypass of namespace isolation.

CVE-2022-0617

    butt3rflyh4ck discovered a NULL pointer dereference in the UDF
    filesystem. A local user that can mount a specially crafted UDF
    image can use this flaw to crash the system.

CVE-2022-0644

    Hao Sun reported a missing check for file read permission in the
    finit_module() and kexec_file_load() system calls.  The security
    impact of this is unclear, since these system calls are usually
    only available to the root user.

CVE-2022-22942

    It was discovered that wrong file file descriptor handling in the
    VMware Virtual GPU driver (vmwgfx) could result in information leak
    or privilege escalation.

CVE-2022-24448

    Lyu Tao reported a flaw in the NFS implementation in the Linux
    kernel when handling requests to open a directory on a regular file,
    which could result in a information leak.

CVE-2022-24959

    A memory leak was discovered in the yam_siocdevprivate() function of
    the YAM driver for AX.25, which could result in denial of service.

CVE-2022-25258

    Szymon Heidrich reported the USB Gadget subsystem lacks certain
    validation of interface OS descriptor requests, resulting in memory
    corruption.

CVE-2022-25375

    Szymon Heidrich reported that the RNDIS USB gadget lacks validation
    of the size of the RNDIS_MSG_SET command, resulting in information
    leak from kernel memory.

For Debian 9 stretch, these problems have been fixed in version
4.19.232-1~deb9u1.  This update additionally includes many more bug
fixes from stable updates 4.19.209-4.19.232 inclusive.

We recommend that you upgrade your linux-4.19 packages.

For the detailed security status of linux-4.19 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-4.19

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS