MGASA-2023-0173

Source
https://advisories.mageia.org/MGASA-2023-0173.html
Import Source
https://advisories.mageia.org/MGASA-2023-0173.json
JSON Data
https://api.test.osv.dev/v1/vulns/MGASA-2023-0173
Related
Published
2023-05-19T07:23:17Z
Modified
2023-05-19T05:49:26Z
Summary
Updated kernel-linus packages fix security vulnerabilities
Details

This kernel-linus update is based on upstream 5.15.110 and fixes at least the following security issues:

A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service (CVE-2023-1380).

It was discovered that a race condition existed in the Xen transport layer implementation for the 9P file system protocol in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or expose sensitive information (CVE-2023-1859).

An insufficient permission check has been found in the Bluetooth subsystem of the Linux kernel when handling ioctl system calls of HCI sockets. This allows tasks without the proper CAP_NET_ADMIN capability to easily mark HCI sockets as trusted. Trusted sockets are intended to enable the sending and receiving of management commands and events, such as pairing or connecting with a new device. As a result, unprivileged users can acquire a trusted socket, leading to unauthorized execution of management commands (CVE-2023-2002).

A heap out-of-bounds read/write vulnerability in the Linux Kernel traffic control (QoS) subsystem can be exploited to achieve local privilege escalation. The qfq_change_class function does not properly limit the lmax variable which can lead to out-of-bounds read/write. If the TCA_QFQ_LMAX value is not offered through nlattr, lmax is determined by the MTU value of the network device. The MTU of the loopback device can be set up to 2^31-1 and as a result, it is possible to have an lmax value that exceeds QFQ_MIN_LMAX (CVE-2023-2248).

qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX (CVE-2023-31436).

For other upstream fixes in this update, see the referenced changelogs.

References
Credits

Affected packages

Mageia:8 / kernel-linus

Package

Name
kernel-linus
Purl
pkg:rpm/mageia/kernel-linus?distro=mageia-8

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.15.110-1.mga8

Ecosystem specific

{
    "section": "core"
}