-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update
Advisory ID:       RHSA-2023:2736-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2736
Issue date:        2023-05-16
CVE Names:         CVE-2021-26341 CVE-2021-33655 CVE-2021-33656
                   CVE-2022-1462 CVE-2022-1679 CVE-2022-1789
                   CVE-2022-2196 CVE-2022-2663 CVE-2022-3028
                   CVE-2022-3239 CVE-2022-3522 CVE-2022-3524
                   CVE-2022-3564 CVE-2022-3566 CVE-2022-3567
                   CVE-2022-3619 CVE-2022-3623 CVE-2022-3625
                   CVE-2022-3628 CVE-2022-3707 CVE-2022-4129
                   CVE-2022-20141 CVE-2022-25265 CVE-2022-30594
                   CVE-2022-39188 CVE-2022-39189 CVE-2022-41218
                   CVE-2022-41674 CVE-2022-42703 CVE-2022-42720
                   CVE-2022-42721 CVE-2022-42722 CVE-2022-43750
                   CVE-2022-47929 CVE-2023-0394 CVE-2023-0461
                   CVE-2023-1195 CVE-2023-1582 CVE-2023-23454
====================================================================
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux NFV (v. 8) - x86_64
Red Hat Enterprise Linux RT (v. 8) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* use-after-free caused by l2cap_reassemble_sdu() in
net/bluetooth/l2cap_core.c (CVE-2022-3564)

* net/ulp: use-after-free in listening ULP sockets (CVE-2023-0461)

* hw: cpu: AMD CPUs may transiently execute beyond unconditional direct
branch (CVE-2021-26341)

* malicious data for FBIOPUT_VSCREENINFO ioctl may cause OOB write memory
(CVE-2021-33655)

* when setting font with malicious data by ioctl PIO_FONT, kernel will
write memory out of bounds (CVE-2021-33656)

* possible race condition in drivers/tty/tty_buffers.c (CVE-2022-1462)

* use-after-free in ath9k_htc_probe_device() could cause an escalation of
privileges (CVE-2022-1679)

* KVM: NULL pointer dereference in kvm_mmu_invpcid_gva (CVE-2022-1789)

* KVM: nVMX: missing IBPB when exiting from nested guest can lead to
Spectre v2 attacks (CVE-2022-2196)

* netfilter: nf_conntrack_irc message handling issue (CVE-2022-2663)

* race condition in xfrm_probe_algs can lead to OOB read/write
(CVE-2022-3028)

* media: em28xx: initialize refcount before kref_get (CVE-2022-3239)

* race condition in hugetlb_no_page() in mm/hugetlb.c (CVE-2022-3522)

* memory leak in ipv6_renew_options() (CVE-2022-3524)

* data races around icsk->icsk_af_ops in do_ipv6_setsockopt (CVE-2022-3566)

* data races around sk->sk_prot (CVE-2022-3567)

* memory leak in l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c
(CVE-2022-3619)

* denial of service in follow_page_pte in mm/gup.c due to poisoned pte
entry (CVE-2022-3623)

* use-after-free after failed devlink reload in devlink_param_get
(CVE-2022-3625)

* USB-accessible buffer overflow in brcmfmac (CVE-2022-3628)

* Double-free in split_2MB_gtt_entry when function
intel_gvt_dma_map_guest_page failed (CVE-2022-3707)

* l2tp: missing lock when clearing sk_user_data can lead to NULL pointer
dereference (CVE-2022-4129)

* igmp: use-after-free in ip_check_mc_rcu when opening and closing inet
sockets (CVE-2022-20141)

* Executable Space Protection Bypass (CVE-2022-25265)

* Unprivileged users may use PTRACE_SEIZE to set PTRACE_O_SUSPEND_SECCOMP
option (CVE-2022-30594)

* unmap_mapping_range() race with munmap() on VM_PFNMAP mappings leads to
stale TLB entry (CVE-2022-39188)

* TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED leading
to guest malfunctioning (CVE-2022-39189)

* Report vmalloc UAF in dvb-core/dmxdev (CVE-2022-41218)

* u8 overflow problem in cfg80211_update_notlisted_nontrans()
(CVE-2022-41674)

* use-after-free related to leaf anon_vma double reuse (CVE-2022-42703)

* use-after-free in bss_ref_get in net/wireless/scan.c (CVE-2022-42720)

* BSS list corruption in cfg80211_add_nontrans_list in net/wireless/scan.c
(CVE-2022-42721)

* Denial of service in beacon protection for P2P-device (CVE-2022-42722)

* memory corruption in usbmon driver (CVE-2022-43750)

* NULL pointer dereference in traffic control subsystem (CVE-2022-47929)

* NULL pointer dereference in rawv6_push_pending_frames (CVE-2023-0394)

* use-after-free caused by invalid pointer hostname in fs/cifs/connect.c
(CVE-2023-1195)

* Soft lockup occurred during __page_mapcount (CVE-2023-1582)

* slab-out-of-bounds read vulnerabilities in cbq_classify (CVE-2023-23454)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.8 Release Notes linked from the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2055499 - CVE-2022-25265 kernel: Executable Space Protection Bypass
2061703 - CVE-2021-26341 hw: cpu: AMD CPUs may transiently execute beyond unconditional direct branch
2078466 - CVE-2022-1462 kernel: possible race condition in drivers/tty/tty_buffers.c
2084125 - CVE-2022-1679 kernel: use-after-free in ath9k_htc_probe_device() could cause an escalation of privileges
2085300 - CVE-2022-30594 kernel: Unprivileged users may use PTRACE_SEIZE to set PTRACE_O_SUSPEND_SECCOMP option
2090723 - CVE-2022-1789 kernel: KVM: NULL pointer dereference in kvm_mmu_invpcid_gva
2108691 - CVE-2021-33655 kernel: malicious data for FBIOPUT_VSCREENINFO ioctl may cause OOB write memory
2108696 - CVE-2021-33656 kernel: when setting font with malicious data by ioctl PIO_FONT, kernel will write memory out of bounds
2114937 - CVE-2022-20141 kernel: igmp: use-after-free in ip_check_mc_rcu when opening and closing inet sockets
2122228 - CVE-2022-3028 kernel: race condition in xfrm_probe_algs can lead to OOB read/write
2122960 - CVE-2022-41218 kernel: Report vmalloc UAF in dvb-core/dmxdev
2123056 - CVE-2022-2663 kernel: netfilter: nf_conntrack_irc message handling issue
2124788 - CVE-2022-39189 kernel: TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED leading to guest malfunctioning
2127985 - CVE-2022-3239 kernel: media: em28xx: initialize refcount before kref_get
2130141 - CVE-2022-39188 kernel: unmap_mapping_range() race with munmap() on VM_PFNMAP mappings leads to stale TLB entry
2133483 - CVE-2022-42703 kernel: use-after-free related to leaf anon_vma double reuse
2134377 - CVE-2022-41674 kernel: u8 overflow problem in cfg80211_update_notlisted_nontrans()
2134451 - CVE-2022-42720 kernel: use-after-free in bss_ref_get in net/wireless/scan.c
2134506 - CVE-2022-42721 kernel: BSS list corruption in cfg80211_add_nontrans_list in net/wireless/scan.c
2134517 - CVE-2022-42722 kernel: Denial of service in beacon protection for P2P-device
2134528 - CVE-2022-4129 kernel: l2tp: missing lock when clearing sk_user_data can lead to NULL pointer dereference
2137979 - CVE-2022-3707 kernel: Double-free in split_2MB_gtt_entry when function intel_gvt_dma_map_guest_page failed
2143893 - CVE-2022-3566 kernel: data races around icsk->icsk_af_ops in do_ipv6_setsockopt
2143943 - CVE-2022-3567 kernel: data races around sk->sk_prot
2144720 - CVE-2022-3625 kernel: use-after-free after failed devlink reload in devlink_param_get
2150947 - CVE-2022-3524 kernel: memory leak in ipv6_renew_options()
2150960 - CVE-2022-3628 kernel: USB-accessible buffer overflow in brcmfmac
2150979 - CVE-2022-3522 kernel: race condition in hugetlb_no_page() in mm/hugetlb.c
2150999 - CVE-2022-3564 kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c
2151270 - CVE-2022-43750 kernel: memory corruption in usbmon driver
2154171 - CVE-2023-1195 kernel: use-after-free caused by invalid pointer hostname in fs/cifs/connect.c
2154235 - CVE-2022-3619 kernel: memory leak in l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c
2160023 - CVE-2022-2196 kernel: KVM: nVMX: missing IBPB when exiting from nested guest can lead to Spectre v2 attacks
2162120 - CVE-2023-0394 kernel: NULL pointer dereference in rawv6_push_pending_frames
2165721 - CVE-2022-3623 kernel: denial of service in follow_page_pte in mm/gup.c due to poisoned pte entry
2168246 - CVE-2022-47929 kernel: NULL pointer dereference in traffic control subsystem
2168297 - CVE-2023-23454 kernel: slab-out-of-bounds read vulnerabilities in cbq_classify
2176192 - CVE-2023-0461 kernel: net/ulp: use-after-free in listening ULP sockets
2180936 - CVE-2023-1582 kernel: Soft lockup occurred during __page_mapcount

6. Package List:

Red Hat Enterprise Linux NFV (v. 8):

Source:
kernel-rt-4.18.0-477.10.1.rt7.274.el8_8.src.rpm

x86_64:
kernel-rt-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-core-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debug-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debug-core-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debug-debuginfo-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debug-devel-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debug-kvm-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debug-modules-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debug-modules-extra-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debuginfo-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-devel-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-kvm-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-modules-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-modules-extra-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm

Red Hat Enterprise Linux RT (v. 8):

Source:
kernel-rt-4.18.0-477.10.1.rt7.274.el8_8.src.rpm

x86_64:
kernel-rt-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-core-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debug-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debug-core-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debug-debuginfo-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debug-devel-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debug-modules-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debug-modules-extra-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debuginfo-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-devel-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-modules-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm
kernel-rt-modules-extra-4.18.0-477.10.1.rt7.274.el8_8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-26341
https://access.redhat.com/security/cve/CVE-2021-33655
https://access.redhat.com/security/cve/CVE-2021-33656
https://access.redhat.com/security/cve/CVE-2022-1462
https://access.redhat.com/security/cve/CVE-2022-1679
https://access.redhat.com/security/cve/CVE-2022-1789
https://access.redhat.com/security/cve/CVE-2022-2196
https://access.redhat.com/security/cve/CVE-2022-2663
https://access.redhat.com/security/cve/CVE-2022-3028
https://access.redhat.com/security/cve/CVE-2022-3239
https://access.redhat.com/security/cve/CVE-2022-3522
https://access.redhat.com/security/cve/CVE-2022-3524
https://access.redhat.com/security/cve/CVE-2022-3564
https://access.redhat.com/security/cve/CVE-2022-3566
https://access.redhat.com/security/cve/CVE-2022-3567
https://access.redhat.com/security/cve/CVE-2022-3619
https://access.redhat.com/security/cve/CVE-2022-3623
https://access.redhat.com/security/cve/CVE-2022-3625
https://access.redhat.com/security/cve/CVE-2022-3628
https://access.redhat.com/security/cve/CVE-2022-3707
https://access.redhat.com/security/cve/CVE-2022-4129
https://access.redhat.com/security/cve/CVE-2022-20141
https://access.redhat.com/security/cve/CVE-2022-25265
https://access.redhat.com/security/cve/CVE-2022-30594
https://access.redhat.com/security/cve/CVE-2022-39188
https://access.redhat.com/security/cve/CVE-2022-39189
https://access.redhat.com/security/cve/CVE-2022-41218
https://access.redhat.com/security/cve/CVE-2022-41674
https://access.redhat.com/security/cve/CVE-2022-42703
https://access.redhat.com/security/cve/CVE-2022-42720
https://access.redhat.com/security/cve/CVE-2022-42721
https://access.redhat.com/security/cve/CVE-2022-42722
https://access.redhat.com/security/cve/CVE-2022-43750
https://access.redhat.com/security/cve/CVE-2022-47929
https://access.redhat.com/security/cve/CVE-2023-0394
https://access.redhat.com/security/cve/CVE-2023-0461
https://access.redhat.com/security/cve/CVE-2023-1195
https://access.redhat.com/security/cve/CVE-2023-1582
https://access.redhat.com/security/cve/CVE-2023-23454
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZGNu2tzjgjWX9erEAQh93A/9F2L57OgQtbqD3gy1RyYVyiSnovPSukbF
MXVqHkJHDfKqynLRrFqm8FztET3BNsDC+tTmyMSDHxiZo4IF2x0ldkbi1sJ9YTx/
RdnlHnIFcmv7ubu628ATv/LvhOwCzVVw52pAJHJFQPiPEa29hGDC8aBk/YQBigXH
PqYyMMfeEocvsFkMjf22FZ4t2CN6ktUQh38goKgYbN/wqYhjwHsXtlYTw51SW5+v
TXaLFtH7VrARlC2YtzTrQZ+mvnLdutapSZJudb9lPPDTEeQGXxaqnzjgjPEUYl3y
wM480wj5NxB+taVlnZGJh1Uwy75sISoWL/b7wyQH8OHqOyZ3pY8dcYE2scbkDlPx
1hA8PqpwHSyp7nFpPBSfYXtgrAMeLSsYRVyptTLwgRr28L29mFnfjd4PE0oL+hZV
igKd6NbyVWbJ0Z7JnI305ghqp/SMr6t5nX5TRWpgOysPbWQH+mwnlf+xa72hyaCb
cgmeDa1s28jCZeIREQoW8uVk4HGKhyqr/EQ66VCXaXJhF8m7qXoVPMCpE7gr0GPA
WQ5N5haLNJQiPKFfaucuVGIS9syifMHs9nTeFLfCBXjKca4xBi/pWysj+XntceLH
y+SBHI/AQPzBbN+uMCezkfvndP+Rbo/dTgAUwlVe61wwNmZUBBSP1FwyJUoeH2AH
pumjkxlxpLs=ytDn
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce