This kernel-linus update is based on upstream 5.15.79 and fixes at least the following security issues:
A flaw was found in the Linux kernel. A race between an io_uring request and the Unix socket garbage collector allows a local attacker to escalate privileges (CVE-2022-2602).
A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to memory leak. The attack can be launched remotely (CVE-2022-3524).
A vulnerability classified as problematic was found in Linux Kernel. Affected by this vulnerability is the function mvpp2_dbgfs_port_init of the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the component mvpp2. The manipulation leads to memory leak (CVE-2022-3535).
A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function bnx2x_tpa_stop of the file drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF. The manipulation leads to memory leak (CVE-2022-3542).
A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function unix_sock_destructor/unix_release_sock of the file net/unix/af_unix.c of the component BPF. The manipulation leads to memory leak (CVE-2022-3543).
A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free (CVE-2022-3564).
A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free (CVE-2022-3565).
A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely (CVE-2022-3594).
A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to memory leak (CVE-2022-3619).
A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function follow_page_pte of the file mm/gup.c of the component BPF. The manipulation leads to race condition (CVE-2022-3623).
An intra-object buffer overflow was found in brcmfmac, which can be triggered by a malicious USB device, causing a Denial-of-Service (CVE-2022-3628).
drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a USB device while calling open(), aka a race condition between ufx_ops_open and ufx_usb_disconnect (CVE-2022-41849).
roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while copying a report->value is in progress (CVE-2022-41850).
There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req function which can be used to leak kernel pointers remotely (CVE-2022-42895).
There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim (CVE-2022-42896).
The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 is vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD does not expect the oversized request and writes beyond the allocated buffer space (CVE-2022-43945).
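The shared page array described for CVE-2022-43945 can be modelled in a few lines of C. This is an added illustration, not kernel code and not the upstream fix; the structure, function names and sizes are hypothetical. It shows a reply path that sizes its writes from the pages actually left after the request was received.

```c
/* Simplified model (constructed for illustration, not kernel code): one page
 * array is shared by an RPC's receive and send buffers. All names and sizes
 * are hypothetical. */
#include <stddef.h>
#include <string.h>

#define PAGE_SZ  4096u
#define NR_PAGES 8u                /* total pages held by one worker thread */

struct rpc_thread {
    unsigned char pages[NR_PAGES][PAGE_SZ];
    size_t recv_pages;             /* pages consumed by the incoming request */
};

/* Pages left for the reply once the request has been received. */
static size_t send_pages_avail(const struct rpc_thread *t)
{
    return t->recv_pages >= NR_PAGES ? 0 : NR_PAGES - t->recv_pages;
}

/* Account for a request of req_len bytes (payload plus any trailing data).
 * Returns 0 on success, -1 if the request does not fit in the array. */
static int receive_request(struct rpc_thread *t, size_t req_len)
{
    size_t need = (req_len + PAGE_SZ - 1) / PAGE_SZ;
    if (need > NR_PAGES)
        return -1;
    t->recv_pages = need;
    return 0;
}

/* Bounded reply path: clamp the handler's wanted reply size to the space
 * really left instead of assuming a fixed-size send buffer.
 * Returns the number of bytes written. */
static size_t build_reply(struct rpc_thread *t, size_t want, unsigned char fill)
{
    size_t avail = send_pages_avail(t) * PAGE_SZ;
    size_t n = want < avail ? want : avail;
    size_t off = 0;
    for (size_t p = t->recv_pages; off < n; p++) {
        size_t chunk = n - off < PAGE_SZ ? n - off : PAGE_SZ;
        memset(t->pages[p], fill, chunk);   /* p stays below NR_PAGES */
        off += chunk;
    }
    return n;
}

int main(void)
{
    static struct rpc_thread t;
    return receive_request(&t, 100) == 0 && build_reply(&t, 64, 0) == 64 ? 0 : 1;
}
```

In this model a padded request leaves fewer pages for the reply, and a handler that skipped the clamp in build_reply would write past the end of the array.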
For other upstream fixes in this update, see the referenced changelogs.