MGASA-2021-0152 - Updated kernel-linus packages fix security issues

Publication date: 22 Mar 2021
URL: https://advisories.mageia.org/MGASA-2021-0152.html
Type: security
Affected Mageia releases: 7, 8
CVE: CVE-2020-25639,
     CVE-2020-27170,
     CVE-2020-27171,
     CVE-2021-27363,
     CVE-2021-27364,
     CVE-2021-27365,
     CVE-2021-28038,
     CVE-2021-28039,
     CVE-2021-28375

This kernel-linus update is based on upstream 5.10.25 and fixes atleast the
following security issues:

A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau
driver functionality in versions prior to 5.12-rc1 in the way the user calls
ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw allows a local user to
crash the system. (CVE-2020-25639).

Unprivileged BPF programs running on affected systems can bypass the
protection and execute speculatively out-of-bounds loads from any location
within the kernel memory. This can be abused to extract contents of kernel
memory via side-channel (CVE-2020-27170).

Unprivileged BPF programs running on affected 64-bit systems can exploit
this to execute speculatively out-of-bounds loads from 4GB window within
the kernel memory. This can be abused to extract contents of kernel memory
via side-channel (CVE-2020-27171).

An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer
leak can be used to determine the address of the iscsi_transport structure.
When an iSCSI transport is registered with the iSCSI subsystem, the
transport's handle is available to unprivileged users via the sysfs file
system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the
show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is
called, which leaks the handle. This handle is actually the pointer to an
iscsi_transport struct in the kernel module's global variables
(CVE-2021-27363).

An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/
scsi_transport_iscsi.c is adversely affected by the ability of an
unprivileged user to craft Netlink messages (CVE-2021-27364).

An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI
data structures do not have appropriate length constraints or checks, and
can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink
message that is associated with iSCSI, and has a length up to the maximum
length of a Netlink message (CVE-2021-27365).

An issue was discovered in the Linux kernel through 5.11.3, as used with
Xen PV. A certain part of the netback driver lacks necessary treatment of
errors such as failed memory allocations (as a result of changes to the
handling of grant mapping errors). A host OS denial of service may occur
during misbehavior of a networking frontend driver. NOTE: this issue
exists because of an incomplete fix for CVE-2021-26931.
(CVE-2021-28038 / XSA-367)

An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used
with Xen. In some less-common configurations, an x86 PV guest OS user can
crash a Dom0 or driver domain via a large amount of I/O activity. The
issue relates to misuse of guest physical addresses when a configuration
has CONFIG_XEN_UNPOPULATED_ALLOC but not CONFIG_XEN_BALLOON_MEMORY_HOTPLUG.
(CVE-2021-28039 / XSA-369)

An issue was discovered in the Linux kernel through 5.11.6.
fastrpc_internal_invoke in drivers/misc/fastrpc.c does not prevent user
applications from sending kernel RPC messages (CVE-2021-28375).

It also adds a critical fix for filesystem level corruption:
- on setups with swapfiles on filesystems sitting on top of brd, zram,
  btt or pmem, then when the system starts to swap out pages, at which
  point it corrupts filesystem blocks that don't belong to the swapfile.

It also adds the following fixes:
- arm(64): enable W1_MASTER_GPIO (mga#28596)

For other upstream fixes, see the referenced changelogs.

References:
- https://bugs.mageia.org/show_bug.cgi?id=28611
- https://bugs.mageia.org/show_bug.cgi?id=28596
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.20
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.21
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.22
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.23
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.24
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.25
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25639
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27170
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27171
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27363
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27364
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27365
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28038
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28039
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28375

SRPMS:
- 7/core/kernel-linus-5.10.25-1.mga7
- 8/core/kernel-linus-5.10.25-1.mga8