-------------------------------------------------------------------------Debian LTS Advisory DLA-3403-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
May 3, 2023                                   https://wiki.debian.org/LTS
-------------------------------------------------------------------------Package        : linux
Version        : 4.19.282-1
CVE ID         : CVE-2022-2873 CVE-2022-3424 CVE-2022-3545 CVE-2022-3707
                 CVE-2022-4744 CVE-2022-36280 CVE-2022-41218 CVE-2022-45934
                 CVE-2022-47929 CVE-2023-0045 CVE-2023-0266 CVE-2023-0394
                 CVE-2023-0458 CVE-2023-0459 CVE-2023-0461 CVE-2023-1073
                 CVE-2023-1074 CVE-2023-1078 CVE-2023-1079 CVE-2023-1118
                 CVE-2023-1281 CVE-2023-1513 CVE-2023-1670 CVE-2023-1829
                 CVE-2023-1855 CVE-2023-1859 CVE-2023-1989 CVE-2023-1990
                 CVE-2023-1998 CVE-2023-2162 CVE-2023-2194 CVE-2023-23454
                 CVE-2023-23455 CVE-2023-23559 CVE-2023-26545 CVE-2023-28328
                 CVE-2023-30456 CVE-2023-30772
Debian Bug     : 825141

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, or information
leak.

CVE-2022-2873

    Zheyu Ma discovered that an out-of-bounds memory access flaw in
    the Intel iSMT SMBus 2.0 host controller driver may result in
    denial of service (system crash).

CVE-2022-3424

    Zheng Wang and Zhuorao Yang reported a flaw in the SGI GRU driver
    which could lead to a use-after-free.  On systems where this driver
    is used, a local user can explit this for denial of service (crash
    or memory corruption) or possibly for privilege escalation.

    This driver is not enabled in Debian's official kernel
    configurations.

CVE-2022-3545

    It was discovered that the Netronome Flow Processor (NFP) driver
    contained a use-after-free flaw in area_cache_get(), which may
    result in denial of service or the execution of arbitrary code.

CVE-2022-3707

    Zheng Wang reported a flaw in the i915 graphics driver's
    virtualisation (GVT-g) support that could lead to a double-free.
    On systems where this feature is used, a guest can exploit this
    for denial of service (crash or memory corruption) or possibly for
    privilege escalation.

CVE-2022-4744

    The syzkaller tool found a flaw in the TUN/TAP network driver,
    which can lead to a double-free.  A local user can exploit this
    for denial of service (crash or memory corruption) or possibly for
    privilege escalation.

CVE-2022-36280

    An out-of-bounds memory write vulnerability was discovered in the
    vmwgfx driver, which may allow a local unprivileged user to cause
    a denial of service (system crash).

CVE-2022-41218

    Hyunwoo Kim reported a use-after-free flaw in the Media DVB core
    subsystem caused by refcount races, which may allow a local user
    to cause a denial of service or escalate privileges.

CVE-2022-45934

    An integer overflow in l2cap_config_req() in the Bluetooth
    subsystem was discovered, which may allow a physically proximate
    attacker to cause a denial of service (system crash).

CVE-2022-47929

    Frederick Lawler reported a NULL pointer dereference in the
    traffic control subsystem allowing an unprivileged user to cause a
    denial of service by setting up a specially crafted traffic
    control configuration.

CVE-2023-0045

    Rodrigo Branco and Rafael Correa De Ysasi reported that when a
    user-space task told the kernel to enable Spectre v2 mitigation
    for it, the mitigation was not enabled until the task was next
    rescheduled.  This might be exploitable by a local or remote
    attacker to leak sensitive information from such an application.

CVE-2023-0266

    A use-after-free flaw in the sound subsystem due to missing
    locking may result in denial of service or privilege escalation.

CVE-2023-0394

    Kyle Zeng discovered a NULL pointer dereference flaw in
    rawv6_push_pending_frames() in the network subsystem allowing a
    local user to cause a denial of service (system crash).

CVE-2023-0458

    Jordy Zimmer and Alexandra Sandulescu found that getrlimit() and
    related system calls were vulnerable to speculative execution
    attacks such as Spectre v1.  A local user could explot this to
    leak sensitive information from the kernel.

CVE-2023-0459

    Jordy Zimmer and Alexandra Sandulescu found a regression in
    Spectre v1 mitigation in the user-copy functions for the amd64
    (64-bit PC) architecture.  Where the CPUs do not implement SMAP or
    it is disabled, a local user could exploit this to leak sensitive
    information from the kernel.  Other architectures may also be
    affected.

CVE-2023-0461

    "slipper" reported a flaw in the kernel's support for ULPs (Upper
    Layer Protocols) on top of TCP that can lead to a double-free when
    using kernel TLS sockets.  A local user can exploit this for
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.

    Kernel TLS is not enabled in Debian's official kernel
    configurations.

CVE-2023-1073

    Pietro Borrello reported a type confusion flaw in the HID (Human
    Interface Device) subsystem.  An attacker able to insert and
    remove USB devices might be able to use this to cause a denial of
    service (crash or memory corruption) or possibly to run arbitrary
    code in the kernel.

CVE-2023-1074

    Pietro Borrello reported a type confusion flaw in the SCTP
    protocol implementation which can lead to a memory leak.  A local
    user could exploit this to cause a denial of service (resource
    exhaustion).

CVE-2023-1078

    Pietro Borrello reported a type confusion flaw in the RDS protocol
    implementation.  A local user could exploit this to cause a denial
    of service (crash or memory corruption) or possibly for privilege
    escalation.

CVE-2023-1079

    Pietro Borrello reported a race condition in the hid-asus HID
    driver which could lead to a use-after-free.  An attacker able to
    insert and remove USB devices can use this to cause a denial of
    service (crash or memory corruption) or possibly to run arbitrary
    code in the kernel.

CVE-2023-1118

    Duoming Zhou reported a race condition in the ene_ir remote
    control driver that can lead to a use-after-free if the driver
    is unbound.  It is not clear what the security impact of this is.

CVE-2023-1281, CVE-2023-1829

    "valis" reported two flaws in the cls_tcindex network traffic
    classifier which could lead to a use-after-free.  A local user can
    exploit these for privilege escalation.  This update removes
    cls_tcindex entirely.

CVE-2023-1513

    Xingyuan Mo reported an information leak in the KVM implementation
    for the i386 (32-bit PC) architecture.  A local user could exploit
    this to leak sensitive information from the kernel.

CVE-2023-1670

    Zheng Wang reported a race condition in the xirc2ps_cs network
    driver which can lead to a use-after-free.  An attacker able to
    insert and remove PCMCIA devices can use this to cause a denial of
    service (crash or memory corruption) or possibly to run arbitrary
    code in the kernel.

CVE-2023-1855

    Zheng Wang reported a race condition in the xgene-hwmon hardware
    monitoring driver that may lead to a use-after-free.  It is not
    clear what the security impact of this is.

CVE-2023-1859

    Zheng Wang reported a race condition in the 9pnet_xen transport
    for the 9P filesystem on Xen, which can lead to a use-after-free.
    On systems where this feature is used, a backend driver in another
    domain can use this to cause a denial of service (crash or memory
    corruption) or possibly to run arbitrary code in the vulnerable
    domain.

CVE-2023-1989

    Zheng Wang reported a race condition in the btsdio Bluetooth
    adapter driver that can lead to a use-after-free.  An attacker
    able to insert and remove SDIO devices can use this to cause a
    denial of service (crash or memory corruption) or possibly to run
    arbitrary code in the kernel.

CVE-2023-1990

    Zheng Wang reported a race condition in the st-nci NFC adapter
    driver that can lead to a use-after-free.  It is not clear what
    the security impact of this is.

    This driver is not enabled in Debian's official kernel
    configurations.    

CVE-2023-1998

    José Oliveira and Rodrigo Branco reported a regression in Spectre
    v2 mitigation for user-space on x86 CPUs supporting IBRS but not
    eIBRS.  This might be exploitable by a local or remote attacker to
    leak sensitive information from a user-space application.

CVE-2023-2162

    Mike Christie reported a race condition in the iSCSI TCP transport
    that can lead to a use-after-free.  On systems where this feature
    is used, a local user might be able to use this to cause a denial
    of service (crash or memory corruption) or possibly for privilege
    escalation.

CVE-2023-2194

    Wei Chen reported a potential heap buffer overflow in the
    i2c-xgene-slimpro I²C adapter driver.  A local user with
    permission to access such a device can use this to cause a denial
    of service (crash or memory corruption) and probably for privilege
    escalation.

CVE-2023-23454

    Kyle Zeng reported that the Class Based Queueing (CBQ) network
    scheduler was prone to denial of service due to interpreting
    classification results before checking the classification return
    code.

CVE-2023-23455

    Kyle Zeng reported that the ATM Virtual Circuits (ATM) network
    scheduler was prone to a denial of service due to interpreting
    classification results before checking the classification return
    code.

CVE-2023-23559

    Szymon Heidrich reported incorrect bounds checks in the rndis_wlan
    Wi-Fi driver which may lead to a heap buffer overflow or overread.
    An attacker able to insert and remove USB devices can use this to
    cause a denial of service (crash or memory corruption) or
    information leak, or possibly to run arbitrary code in the kernel.

CVE-2023-26545

    Lianhui Tang reported a flaw in the MPLS protocol implementation
    that could lead to a double-free.  A local user might be able to
    exploit this to cause a denial of service (crash or memory
    corruption) or possibl for privilege escalation.

CVE-2023-28328

    Wei Chen reported a flaw in the az6927 DVB driver that can lead to
    a null pointer dereference.  A local user permitted to access an
    I²C adapter device that this driver creates can use this to cause
    a denial of service (crash).

CVE-2023-30456

    Reima ISHII reported a flaw in the KVM implementation for Intel
    CPUs affecting nested virtualisation.  When KVM was used as the L0
    hypervisor, and EPT and/or unrestricted guest mode was disabled,
    it did not prevent an L2 guest from being configured with an
    architecturally invalid protection/paging mode.  A malicious guest
    could exploit this to cause a denial of service (crash).

CVE-2023-30772

    Zheng Wang reported a race condition in the da9150 charger driver
    which could lead to a use-after-free.  It is not clear what the
    security impact of this is.

    This driver is not enabled in Debian's official kernel
    configurations.    

For Debian 10 buster, these problems have been fixed in version
4.19.282-1.  This update additionally fixes Debian bug #825141, and
includes many more bug fixes from stable updates 4.19.270-4.19.282
inclusive.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/linux

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-3403-1: linux security update

May 3, 2023
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak

Summary

Zheyu Ma discovered that an out-of-bounds memory access flaw in
the Intel iSMT SMBus 2.0 host controller driver may result in
denial of service (system crash).

CVE-2022-3424

Zheng Wang and Zhuorao Yang reported a flaw in the SGI GRU driver
which could lead to a use-after-free. On systems where this driver
is used, a local user can explit this for denial of service (crash
or memory corruption) or possibly for privilege escalation.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2022-3545

It was discovered that the Netronome Flow Processor (NFP) driver
contained a use-after-free flaw in area_cache_get(), which may
result in denial of service or the execution of arbitrary code.

CVE-2022-3707

Zheng Wang reported a flaw in the i915 graphics driver's
virtualisation (GVT-g) support that could lead to a double-free.
On systems where this feature is used, a guest can exploit this
for denial of service (crash or memory corruption) or possibly for
privilege escalation.

CVE-2022-4744

The syzkaller tool found a flaw in the TUN/TAP network driver,
which can lead to a double-free. A local user can exploit this
for denial of service (crash or memory corruption) or possibly for
privilege escalation.

CVE-2022-36280

An out-of-bounds memory write vulnerability was discovered in the
vmwgfx driver, which may allow a local unprivileged user to cause
a denial of service (system crash).

CVE-2022-41218

Hyunwoo Kim reported a use-after-free flaw in the Media DVB core
subsystem caused by refcount races, which may allow a local user
to cause a denial of service or escalate privileges.

CVE-2022-45934

An integer overflow in l2cap_config_req() in the Bluetooth
subsystem was discovered, which may allow a physically proximate
attacker to cause a denial of service (system crash).

CVE-2022-47929

Frederick Lawler reported a NULL pointer dereference in the
traffic control subsystem allowing an unprivileged user to cause a
denial of service by setting up a specially crafted traffic
control configuration.

CVE-2023-0045

Rodrigo Branco and Rafael Correa De Ysasi reported that when a
user-space task told the kernel to enable Spectre v2 mitigation
for it, the mitigation was not enabled until the task was next
rescheduled. This might be exploitable by a local or remote
attacker to leak sensitive information from such an application.

CVE-2023-0266

A use-after-free flaw in the sound subsystem due to missing
locking may result in denial of service or privilege escalation.

CVE-2023-0394

Kyle Zeng discovered a NULL pointer dereference flaw in
rawv6_push_pending_frames() in the network subsystem allowing a
local user to cause a denial of service (system crash).

CVE-2023-0458

Jordy Zimmer and Alexandra Sandulescu found that getrlimit() and
related system calls were vulnerable to speculative execution
attacks such as Spectre v1. A local user could explot this to
leak sensitive information from the kernel.

CVE-2023-0459

Jordy Zimmer and Alexandra Sandulescu found a regression in
Spectre v1 mitigation in the user-copy functions for the amd64
(64-bit PC) architecture. Where the CPUs do not implement SMAP or
it is disabled, a local user could exploit this to leak sensitive
information from the kernel. Other architectures may also be
affected.

CVE-2023-0461

"slipper" reported a flaw in the kernel's support for ULPs (Upper
Layer Protocols) on top of TCP that can lead to a double-free when
using kernel TLS sockets. A local user can exploit this for
denial of service (crash or memory corruption) or possibly for
privilege escalation.

Kernel TLS is not enabled in Debian's official kernel
configurations.

CVE-2023-1073

Pietro Borrello reported a type confusion flaw in the HID (Human
Interface Device) subsystem. An attacker able to insert and
remove USB devices might be able to use this to cause a denial of
service (crash or memory corruption) or possibly to run arbitrary
code in the kernel.

CVE-2023-1074

Pietro Borrello reported a type confusion flaw in the SCTP
protocol implementation which can lead to a memory leak. A local
user could exploit this to cause a denial of service (resource
exhaustion).

CVE-2023-1078

Pietro Borrello reported a type confusion flaw in the RDS protocol
implementation. A local user could exploit this to cause a denial
of service (crash or memory corruption) or possibly for privilege
escalation.

CVE-2023-1079

Pietro Borrello reported a race condition in the hid-asus HID
driver which could lead to a use-after-free. An attacker able to
insert and remove USB devices can use this to cause a denial of
service (crash or memory corruption) or possibly to run arbitrary
code in the kernel.

CVE-2023-1118

Duoming Zhou reported a race condition in the ene_ir remote
control driver that can lead to a use-after-free if the driver
is unbound. It is not clear what the security impact of this is.

CVE-2023-1281, CVE-2023-1829

"valis" reported two flaws in the cls_tcindex network traffic
classifier which could lead to a use-after-free. A local user can
exploit these for privilege escalation. This update removes
cls_tcindex entirely.

CVE-2023-1513

Xingyuan Mo reported an information leak in the KVM implementation
for the i386 (32-bit PC) architecture. A local user could exploit
this to leak sensitive information from the kernel.

CVE-2023-1670

Zheng Wang reported a race condition in the xirc2ps_cs network
driver which can lead to a use-after-free. An attacker able to
insert and remove PCMCIA devices can use this to cause a denial of
service (crash or memory corruption) or possibly to run arbitrary
code in the kernel.

CVE-2023-1855

Zheng Wang reported a race condition in the xgene-hwmon hardware
monitoring driver that may lead to a use-after-free. It is not
clear what the security impact of this is.

CVE-2023-1859

Zheng Wang reported a race condition in the 9pnet_xen transport
for the 9P filesystem on Xen, which can lead to a use-after-free.
On systems where this feature is used, a backend driver in another
domain can use this to cause a denial of service (crash or memory
corruption) or possibly to run arbitrary code in the vulnerable
domain.

CVE-2023-1989

Zheng Wang reported a race condition in the btsdio Bluetooth
adapter driver that can lead to a use-after-free. An attacker
able to insert and remove SDIO devices can use this to cause a
denial of service (crash or memory corruption) or possibly to run
arbitrary code in the kernel.

CVE-2023-1990

Zheng Wang reported a race condition in the st-nci NFC adapter
driver that can lead to a use-after-free. It is not clear what
the security impact of this is.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2023-1998

José Oliveira and Rodrigo Branco reported a regression in Spectre
v2 mitigation for user-space on x86 CPUs supporting IBRS but not
eIBRS. This might be exploitable by a local or remote attacker to
leak sensitive information from a user-space application.

CVE-2023-2162

Mike Christie reported a race condition in the iSCSI TCP transport
that can lead to a use-after-free. On systems where this feature
is used, a local user might be able to use this to cause a denial
of service (crash or memory corruption) or possibly for privilege
escalation.

CVE-2023-2194

Wei Chen reported a potential heap buffer overflow in the
i2c-xgene-slimpro I²C adapter driver. A local user with
permission to access such a device can use this to cause a denial
of service (crash or memory corruption) and probably for privilege
escalation.

CVE-2023-23454

Kyle Zeng reported that the Class Based Queueing (CBQ) network
scheduler was prone to denial of service due to interpreting
classification results before checking the classification return
code.

CVE-2023-23455

Kyle Zeng reported that the ATM Virtual Circuits (ATM) network
scheduler was prone to a denial of service due to interpreting
classification results before checking the classification return
code.

CVE-2023-23559

Szymon Heidrich reported incorrect bounds checks in the rndis_wlan
Wi-Fi driver which may lead to a heap buffer overflow or overread.
An attacker able to insert and remove USB devices can use this to
cause a denial of service (crash or memory corruption) or
information leak, or possibly to run arbitrary code in the kernel.

CVE-2023-26545

Lianhui Tang reported a flaw in the MPLS protocol implementation
that could lead to a double-free. A local user might be able to
exploit this to cause a denial of service (crash or memory
corruption) or possibl for privilege escalation.

CVE-2023-28328

Wei Chen reported a flaw in the az6927 DVB driver that can lead to
a null pointer dereference. A local user permitted to access an
I²C adapter device that this driver creates can use this to cause
a denial of service (crash).

CVE-2023-30456

Reima ISHII reported a flaw in the KVM implementation for Intel
CPUs affecting nested virtualisation. When KVM was used as the L0
hypervisor, and EPT and/or unrestricted guest mode was disabled,
it did not prevent an L2 guest from being configured with an
architecturally invalid protection/paging mode. A malicious guest
could exploit this to cause a denial of service (crash).

CVE-2023-30772

Zheng Wang reported a race condition in the da9150 charger driver
which could lead to a use-after-free. It is not clear what the
security impact of this is.

This driver is not enabled in Debian's official kernel
configurations.

For Debian 10 buster, these problems have been fixed in version
4.19.282-1. This update additionally fixes Debian bug #825141, and
includes many more bug fixes from stable updates 4.19.270-4.19.282
inclusive.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/linux

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
-------------------------------------------------------------------------Package : linux
Version : 4.19.282-1
CVE ID : CVE-2022-2873 CVE-2022-3424 CVE-2022-3545 CVE-2022-3707
Debian Bug : 825141

Related News