MGASA-2021-0215

This kernel-linus update is based on upstream 5.10.37 and fixes at least the following security issues:

It was discovered that the iouring implementation of the Linux kernel did not properly enforce the MAXRW_COUNT limit in some situations. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code (CVE-2021-3491).

An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information (CVE-2021-3506).

A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctpdestroysock is called without socknet(sk)->sctp.addrwqlock then an element is removed from the autoasconfsplist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPFCGROUPINETSOCK_CREATE is attached which denies creation of some SCTP socket. NOTE! This already had a fix in kernel-5.10.33, but that fix caused some systems to deadlock, so this is now fixed in a better way (CVE-2021-23133).

bpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds (CVE-2021-31440).

kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel (CVE-2021-31829).

net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller (CVE-2021-32399).

In the Linux kernel before 5.12.4, net/bluetooth/hcievent.c has a use-after-free when destroying an hcichan. This leads to writing an arbitrary value. (CVE-2021-33034).

For other upstream fixes, see the referenced changelogs.