OESA-2022-2162
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2162
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2022-2162.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/OESA-2022-2162
- Upstream
- Published
- 2022-12-30T11:04:44Z
- Modified
- 2025-08-12T05:11:57.644300Z
- Summary
- kernel security update
- Details
-
Security Fix(es):
A use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmdhdlfilter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing an attacker to launch a local denial of service attack and gain escalation of privileges.(CVE-2022-4095)
There are null-ptr-deref vulnerabilities in drivers/net/slip of linux that allow attacker to crash linux kernel by simulating slip network card from user-space of linux.
[Root cause]
When a slip driver is detaching, the slipclose() will act to cleanup necessary resources and sl->tty is set to NULL in slipclose(). Meanwhile, the packet we transmit is blocked, sltxtimeout() will be called. Although slipclose() and sltxtimeout() use sl->lock to synchronize, we don`t judge whether sl->tty equals to NULL in sltx_timeout() and the null pointer dereference bug will happen.
(Thread 1) | (Thread 2) | slipclose() | spinlockbh(&sl->lock) | ... ... | sl->tty = NULL //(1) sltxtimeout() | spinunlockbh(&sl->lock) spinlock(&sl->lock); | ... | ... ttycharsinbuffer(sl->tty)| if (tty->ops->..) //(2) | ... | synchronizercu()
We set NULL to sl->tty in position (1) and dereference sl->tty in position (2).
------------------------------------------(CVE-2022-41858)
A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing skuserdata can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service.(CVE-2022-4129)
In (TBD) of (TBD), there is a possible way to corrupt kernel memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-220738351References: Upstream kernel(CVE-2022-20568)
In l2capchanput of l2cap_core, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-165329981References: Upstream kernel(CVE-2022-20566)
Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior.(CVE-2022-3643)
In verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-234475629References: Upstream kernel(CVE-2022-20572)
A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2022-4378)
In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvbdemuxopen and dvbdmxdevrelease.(CVE-2022-41218)
Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).(CVE-2022-42328)
Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).(CVE-2022-42329)
An issue was discovered in the Linux kernel before 6.0.11. Missing validation of the number of channels in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when copying the list of operating channels from Wi-Fi management frames.(CVE-2022-47518)
An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211P2PATTROPERCHANNEL in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger an out-of-bounds write when parsing the channel list attribute from Wi-Fi management frames.(CVE-2022-47519)
An issue was discovered in the Linux kernel before 6.0.11. Missing offset validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet.(CVE-2022-47520)
An issue was discovered in the Linux kernel before 6.0.11. Missing validation of IEEE80211P2PATTRCHANNELLIST in drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000 wireless driver can trigger a heap-based buffer overflow when parsing the operating channel attribute from Wi-Fi management frames.(CVE-2022-47521)
An issue was discovered in the Linux kernel through 5.16-rc6. kfdparsesubtypeiolink in drivers/gpu/drm/amd/amdkfd/kfdcrat.c lacks check of the return value of kmemdup().(CVE-2022-3108)
- Database specific
{ "severity": "Critical" }- References
-
- https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2162
- https://nvd.nist.gov/vuln/detail/CVE-2022-4095
- https://nvd.nist.gov/vuln/detail/CVE-2022-41858
- https://nvd.nist.gov/vuln/detail/CVE-2022-4129
- https://nvd.nist.gov/vuln/detail/CVE-2022-20568
- https://nvd.nist.gov/vuln/detail/CVE-2022-20566
- https://nvd.nist.gov/vuln/detail/CVE-2022-3643
- https://nvd.nist.gov/vuln/detail/CVE-2022-20572
- https://nvd.nist.gov/vuln/detail/CVE-2022-4378
- https://nvd.nist.gov/vuln/detail/CVE-2022-41218
- https://nvd.nist.gov/vuln/detail/CVE-2022-42328
- https://nvd.nist.gov/vuln/detail/CVE-2022-42329
- https://nvd.nist.gov/vuln/detail/CVE-2022-47518
- https://nvd.nist.gov/vuln/detail/CVE-2022-47519
- https://nvd.nist.gov/vuln/detail/CVE-2022-47520
- https://nvd.nist.gov/vuln/detail/CVE-2022-47521
- https://nvd.nist.gov/vuln/detail/CVE-2022-3108
Affected packages
openEuler:22.03-LTS / kernel
Package
- Name
- kernel
- Purl
- pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.10.0-60.74.0.98.oe2203
Ecosystem specific
{
"x86_64": [
"kernel-source-5.10.0-60.74.0.98.oe2203.x86_64.rpm",
"kernel-debugsource-5.10.0-60.74.0.98.oe2203.x86_64.rpm",
"kernel-debuginfo-5.10.0-60.74.0.98.oe2203.x86_64.rpm",
"bpftool-5.10.0-60.74.0.98.oe2203.x86_64.rpm",
"bpftool-debuginfo-5.10.0-60.74.0.98.oe2203.x86_64.rpm",
"kernel-tools-devel-5.10.0-60.74.0.98.oe2203.x86_64.rpm",
"python3-perf-debuginfo-5.10.0-60.74.0.98.oe2203.x86_64.rpm",
"kernel-devel-5.10.0-60.74.0.98.oe2203.x86_64.rpm",
"kernel-headers-5.10.0-60.74.0.98.oe2203.x86_64.rpm",
"python3-perf-5.10.0-60.74.0.98.oe2203.x86_64.rpm",
"kernel-tools-debuginfo-5.10.0-60.74.0.98.oe2203.x86_64.rpm",
"kernel-tools-5.10.0-60.74.0.98.oe2203.x86_64.rpm",
"perf-5.10.0-60.74.0.98.oe2203.x86_64.rpm",
"perf-debuginfo-5.10.0-60.74.0.98.oe2203.x86_64.rpm",
"kernel-5.10.0-60.74.0.98.oe2203.x86_64.rpm"
],
"src": [
"kernel-5.10.0-60.74.0.98.oe2203.src.rpm"
],
"aarch64": [
"kernel-headers-5.10.0-60.74.0.98.oe2203.aarch64.rpm",
"kernel-tools-devel-5.10.0-60.74.0.98.oe2203.aarch64.rpm",
"python3-perf-debuginfo-5.10.0-60.74.0.98.oe2203.aarch64.rpm",
"bpftool-debuginfo-5.10.0-60.74.0.98.oe2203.aarch64.rpm",
"perf-5.10.0-60.74.0.98.oe2203.aarch64.rpm",
"python3-perf-5.10.0-60.74.0.98.oe2203.aarch64.rpm",
"kernel-5.10.0-60.74.0.98.oe2203.aarch64.rpm",
"kernel-debuginfo-5.10.0-60.74.0.98.oe2203.aarch64.rpm",
"kernel-devel-5.10.0-60.74.0.98.oe2203.aarch64.rpm",
"bpftool-5.10.0-60.74.0.98.oe2203.aarch64.rpm",
"kernel-source-5.10.0-60.74.0.98.oe2203.aarch64.rpm",
"kernel-tools-debuginfo-5.10.0-60.74.0.98.oe2203.aarch64.rpm",
"kernel-tools-5.10.0-60.74.0.98.oe2203.aarch64.rpm",
"perf-debuginfo-5.10.0-60.74.0.98.oe2203.aarch64.rpm",
"kernel-debugsource-5.10.0-60.74.0.98.oe2203.aarch64.rpm"
]
}