MGASA-2021-0214 - Updated kernel packages fix security vulnerabilities

Publication date: 19 May 2021
URL: https://advisories.mageia.org/MGASA-2021-0214.html
Type: security
Affected Mageia releases: 7, 8
CVE: CVE-2021-3491,
     CVE-2021-3506,
     CVE-2021-23133,
     CVE-2021-31440,
     CVE-2021-31829,
     CVE-2021-32399,
     CVE-2021-33034

This kernel update is based on upstream 5.10.37 and fixes atleast the
following security issues:

It was discovered that the io_uring implementation of the Linux kernel did
not properly enforce the MAX_RW_COUNT limit in some situations. A local
attacker could use this to cause a denial of service (system crash) or
execute arbitrary code (CVE-2021-3491).

An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in
the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds
check failure allows a local attacker to gain access to out-of-bounds
memory leading to a system crash or a leak of internal kernel information
(CVE-2021-3506).

A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before
5.12-rc8 can lead to kernel privilege escalation from the context of a
network service or an unprivileged process. If sctp_destroy_sock is called
without sock_net(sk)->sctp.addr_wq_lock then an element is removed from
the auto_asconf_splist list without any proper locking. This can be
exploited by an attacker with network service privileges to escalate to
root or from the context of an unprivileged user directly if a
BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some
SCTP socket. 
NOTE! This already had a fix in kernel-5.10.33, but that fix caused some
systems to deadlock, so this is now fixed in a better way (CVE-2021-23133).

bpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds
(CVE-2021-31440).

kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable
speculative loads, leading to disclosure of stack content via side-channel
attacks. The specific concern is not protecting the BPF stack area against
speculative loads. Also, the BPF stack can contain uninitialized data that
might represent sensitive information previously operated on by the kernel
(CVE-2021-31829).

net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race
condition for removal of the HCI controller (CVE-2021-32399).

In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a
use-after-free when destroying an hci_chan. This leads to writing an
arbitrary value. (CVE-2021-33034).

Other fixes in this update:
- Revert upstream iommu/vt-d fixes causing systems to hang at boot:
  * "iommu/vt-d: Preset Access/Dirty bits for IOVA over FL"
  * "iommu/vt-d: Remove WO permissions on second-level paging entries"
- Revert "irqbypass: do not start cons/prod when failed connect" as
  it may cause VM freeze on arm64 with GICv4
- ACPI / EC: Fix media keys not working problem on more Asus laptops
- ACPI: PM: Add ACPI ID of Alder Lake Fan
- iwlwifi: add new pci id for 6235
- usb: xhci: Add reset resume quirk for AMD xhci controller
- usb: xhci: Increase timeout for HC halt

For other upstream fixes, see the referenced changelogs.

References:
- https://bugs.mageia.org/show_bug.cgi?id=28908
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.34
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.35
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.36
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.37
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3491
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3506
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23133
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31440
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31829
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32399
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33034

SRPMS:
- 7/core/kernel-5.10.37-2.mga7
- 7/core/kmod-virtualbox-6.1.22-1.4.mga7
- 7/core/kmod-xtables-addons-3.13-26.mga7
- 8/core/kernel-5.10.37-2.mga8
- 8/core/kmod-virtualbox-6.1.22-1.4.mga8
- 8/core/kmod-xtables-addons-3.18-1.4.mga8

Mageia 2021-0214: kernel security update

This kernel update is based on upstream 5.10.37 and fixes atleast the following security issues: It was discovered that the io_uring implementation of the Linux kernel did not pro...

Summary

This kernel update is based on upstream 5.10.37 and fixes atleast the following security issues:
It was discovered that the io_uring implementation of the Linux kernel did not properly enforce the MAX_RW_COUNT limit in some situations. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code (CVE-2021-3491).
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information (CVE-2021-3506).
A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. NOTE! This already had a fix in kernel-5.10.33, but that fix caused some systems to deadlock, so this is now fixed in a better way (CVE-2021-23133).
bpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds (CVE-2021-31440).
kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel (CVE-2021-31829).
net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller (CVE-2021-32399).
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan. This leads to writing an arbitrary value. (CVE-2021-33034).
Other fixes in this update: - Revert upstream iommu/vt-d fixes causing systems to hang at boot: * "iommu/vt-d: Preset Access/Dirty bits for IOVA over FL" * "iommu/vt-d: Remove WO permissions on second-level paging entries" - Revert "irqbypass: do not start cons/prod when failed connect" as it may cause VM freeze on arm64 with GICv4 - ACPI / EC: Fix media keys not working problem on more Asus laptops - ACPI: PM: Add ACPI ID of Alder Lake Fan - iwlwifi: add new pci id for 6235 - usb: xhci: Add reset resume quirk for AMD xhci controller - usb: xhci: Increase timeout for HC halt
For other upstream fixes, see the referenced changelogs.

References

- https://bugs.mageia.org/show_bug.cgi?id=28908

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.34

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.35

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.36

- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.37

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3491

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3506

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23133

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31440

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31829

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32399

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33034

Resolution

MGASA-2021-0214 - Updated kernel packages fix security vulnerabilities

SRPMS

- 7/core/kernel-5.10.37-2.mga7

- 7/core/kmod-virtualbox-6.1.22-1.4.mga7

- 7/core/kmod-xtables-addons-3.13-26.mga7

- 8/core/kernel-5.10.37-2.mga8

- 8/core/kmod-virtualbox-6.1.22-1.4.mga8

- 8/core/kmod-xtables-addons-3.18-1.4.mga8

Severity
Publication date: 19 May 2021
URL: https://advisories.mageia.org/MGASA-2021-0214.html
Type: security
CVE: CVE-2021-3491, CVE-2021-3506, CVE-2021-23133, CVE-2021-31440, CVE-2021-31829, CVE-2021-32399, CVE-2021-33034

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved