OESA-2022-1631

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1631
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2022-1631.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2022-1631
Upstream
Published
2022-05-11T11:03:44Z
Modified
2025-08-12T05:09:51.062360Z
Summary
kernel security update
Details

The Linux Kernel, the operating system core itself.

Security Fix(es):

A NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system(CVE-2022-1205)

A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability.(CVE-2022-1199)

A vulnerability was found in the pfkeyregister function in net/key/afkey.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information.(CVE-2022-1353)

Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.(CVE-2022-23960)

drivers/infiniband/ulp/rtrs/rtrs-clt.c in the Linux kernel before 5.16.12 has a double free related to rtrscltdev_release.(CVE-2022-29156)

A flaw was found in unrestricted eBPF usage by the BPFBTFLOAD, leading to a possible out-of-bounds memory write in the Linux kernel’s BPF subsystem due to the way a user loads BTF. This flaw allows a local user to crash or escalate their privileges on the system.(CVE-2022-0500)

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042(CVE-2022-23036)

In several functions of binder.c, there is a possible way to represent the wrong domain to SELinux due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-200688826References: Upstream kernel(CVE-2021-39686)

Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.(CVE-2022-0001)

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042(CVE-2022-23038)

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042(CVE-2022-23037)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.19.90-2204.4.0.0148.oe1

Ecosystem specific

{
    "src": [
        "kernel-4.19.90-2204.4.0.0148.oe1.src.rpm"
    ],
    "aarch64": [
        "kernel-devel-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "python3-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "bpftool-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "kernel-source-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "python3-perf-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "kernel-tools-devel-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "perf-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "perf-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "bpftool-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "kernel-tools-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "kernel-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "python2-perf-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "kernel-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "kernel-tools-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "python2-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "kernel-debugsource-4.19.90-2204.4.0.0148.oe1.aarch64.rpm"
    ],
    "x86_64": [
        "kernel-tools-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "python3-perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "bpftool-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-tools-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "python2-perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-devel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "python2-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "python3-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "bpftool-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-tools-devel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-debugsource-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-source-4.19.90-2204.4.0.0148.oe1.x86_64.rpm"
    ]
}

openEuler:20.03-LTS-SP3 / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-20.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.19.90-2204.4.0.0148.oe1

Ecosystem specific

{
    "src": [
        "kernel-4.19.90-2204.4.0.0148.oe1.src.rpm"
    ],
    "aarch64": [
        "kernel-devel-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "python3-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "bpftool-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "kernel-source-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "python3-perf-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "kernel-tools-devel-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "perf-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "perf-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "bpftool-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "kernel-tools-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "kernel-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "python2-perf-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "kernel-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "kernel-tools-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "python2-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm",
        "kernel-debugsource-4.19.90-2204.4.0.0148.oe1.aarch64.rpm"
    ],
    "x86_64": [
        "kernel-devel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-source-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "python2-perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "python3-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "python3-perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "bpftool-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-tools-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "python2-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-tools-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-debugsource-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-tools-devel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "bpftool-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-devel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-source-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "python2-perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "python3-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "python3-perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "bpftool-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-tools-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "python2-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-tools-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-debugsource-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "kernel-tools-devel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "bpftool-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm",
        "perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm"
    ]
}

openEuler:22.03-LTS / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.0-60.39.0.68.oe2203

Ecosystem specific

{
    "src": [
        "kernel-5.10.0-60.39.0.68.oe2203.src.rpm"
    ],
    "aarch64": [
        "perf-5.10.0-60.39.0.68.oe2203.aarch64.rpm",
        "bpftool-5.10.0-60.39.0.68.oe2203.aarch64.rpm",
        "kernel-devel-5.10.0-60.39.0.68.oe2203.aarch64.rpm",
        "bpftool-debuginfo-5.10.0-60.39.0.68.oe2203.aarch64.rpm",
        "python3-perf-debuginfo-5.10.0-60.39.0.68.oe2203.aarch64.rpm",
        "kernel-debuginfo-5.10.0-60.39.0.68.oe2203.aarch64.rpm",
        "kernel-source-5.10.0-60.39.0.68.oe2203.aarch64.rpm",
        "kernel-tools-5.10.0-60.39.0.68.oe2203.aarch64.rpm",
        "python3-perf-5.10.0-60.39.0.68.oe2203.aarch64.rpm",
        "kernel-headers-5.10.0-60.39.0.68.oe2203.aarch64.rpm",
        "perf-debuginfo-5.10.0-60.39.0.68.oe2203.aarch64.rpm",
        "kernel-debugsource-5.10.0-60.39.0.68.oe2203.aarch64.rpm",
        "kernel-tools-devel-5.10.0-60.39.0.68.oe2203.aarch64.rpm",
        "kernel-tools-debuginfo-5.10.0-60.39.0.68.oe2203.aarch64.rpm",
        "kernel-5.10.0-60.39.0.68.oe2203.aarch64.rpm"
    ],
    "x86_64": [
        "kernel-devel-5.10.0-60.39.0.68.oe2203.x86_64.rpm",
        "kernel-tools-5.10.0-60.39.0.68.oe2203.x86_64.rpm",
        "kernel-debugsource-5.10.0-60.39.0.68.oe2203.x86_64.rpm",
        "kernel-tools-debuginfo-5.10.0-60.39.0.68.oe2203.x86_64.rpm",
        "bpftool-5.10.0-60.39.0.68.oe2203.x86_64.rpm",
        "kernel-source-5.10.0-60.39.0.68.oe2203.x86_64.rpm",
        "kernel-tools-devel-5.10.0-60.39.0.68.oe2203.x86_64.rpm",
        "kernel-debuginfo-5.10.0-60.39.0.68.oe2203.x86_64.rpm",
        "perf-5.10.0-60.39.0.68.oe2203.x86_64.rpm",
        "kernel-headers-5.10.0-60.39.0.68.oe2203.x86_64.rpm",
        "python3-perf-5.10.0-60.39.0.68.oe2203.x86_64.rpm",
        "perf-debuginfo-5.10.0-60.39.0.68.oe2203.x86_64.rpm",
        "bpftool-debuginfo-5.10.0-60.39.0.68.oe2203.x86_64.rpm",
        "kernel-5.10.0-60.39.0.68.oe2203.x86_64.rpm",
        "python3-perf-debuginfo-5.10.0-60.39.0.68.oe2203.x86_64.rpm"
    ]
}