Bug 1198029 - (CVE-2022-1195) VUL-0: CVE-2022-1195: kernel-source: A possible race condition (use-after-free) in drivers/net/hamradio/6pack ( mkiss.c) after unregister_netdev
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P3 - Medium : Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/327765/
CVSSv3.1:SUSE:CVE-2022-1195:5.5:(AV:L...
Reported: 2022-04-04 14:33 UTC by Gabriele Sonnu
Modified: 2023-01-18 17:36 UTC (History)
Found By: Security Response Team
Description Gabriele Sonnu 2022-04-04 14:33:26 UTC
A use-after-free vulnerability was found in drivers/net/hamradio in the Linux kernel. In this flaw, a local attacker with a user privilege may lead to a denial of service (DOS) problem, when mkiss or sixpack device is detached, and reclaim resources early.

Reference:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b2f37aead1b82a770c48b5d583f35ec22aabb61e
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=81b1d548d00bcd028303c4f3150fa753b9b8aa71
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0b9111922b1f399aba6ed1e1b8f2079c3da1aed8
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e0588c291d6ce225f2b891753ca41d45ba42469


==================================================================
[   26.882075] BUG: KASAN: use-after-free in tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[   26.882075] Read of size 85 at addr ffff88800690d000 by task trigger/141
[   26.882075]
[   26.882075] CPU: 3 PID: 141 Comm: trigger Not tainted 5.11.0 #6
[   26.882075] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[   26.882075] Call Trace:
[   26.882075]  dump_stack+0x7d/0xa3
[   26.882075]  print_address_description.constprop.0+0x18/0x130
[   26.882075]  ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[   26.882075]  ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[   26.882075]  kasan_report.cold+0x7f/0x10e
[   26.882075]  ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[   26.882075]  check_memory_region+0xf9/0x1e0
[   26.882075]  memcpy+0x20/0x60
[   26.882075]  tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[   26.882075]  pty_write+0xfa/0x1b0
[   26.882075]  ? pty_set_termios+0x5d0/0x5d0
[   26.882075]  ax_encaps+0x9c9/0xb60
[   26.882075]  ax_xmit+0x36a/0x37e
[   26.882075]  dev_hard_start_xmit+0x160/0x500
[   26.882075]  sch_direct_xmit+0x20b/0xa00
[   26.882075]  ? qdisc_put_unlocked+0x50/0x50
[   26.882075]  ? sysvec_apic_timer_interrupt+0x33/0xd0
[   26.882075]  ? pfifo_fast_dequeue+0x275/0xa30
[   26.882075]  __qdisc_run+0x3a0/0x1390
[   26.882075]  __dev_queue_xmit+0xabb/0x1b10
[   26.882075]  ? netdev_core_pick_tx+0x2a0/0x2a0
[   26.882075]  ? sysvec_apic_timer_interrupt+0x33/0xd0
[   26.882075]  ? memcpy+0x39/0x60
[   26.882075]  ? ax25_addr_build+0x7e/0x2a0
[   26.882075]  ax25_sendmsg+0xb70/0x1090
[   26.882075]  ? selinux_inode_notifysecctx+0x20/0x20
[   26.882075]  ? ax25_device_event+0x210/0x210
[   26.882075]  ? __fget_files+0x15b/0x210
[   26.882075]  ? ax25_device_event+0x210/0x210
[   26.882075]  sock_sendmsg+0xdf/0x110
[   26.882075]  __sys_sendto+0x19e/0x270
[   26.882075]  ? __ia32_sys_getpeername+0xa0/0xa0
[   26.882075]  ? copy_init_fpstate_to_fpregs+0x70/0x70
[   26.882075]  __x64_sys_sendto+0xd8/0x1b0
[   26.882075]  ? exit_to_user_mode_prepare+0x2c/0x120
[   26.882075]  do_syscall_64+0x33/0x40
[   26.882075]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
<..>
==================================================================

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2056381
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1195
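
Added example, not part of the bug report or of SUSE's tooling: a triage helper that parses a KASAN report like the one quoted in the description and flags use-after-free reports whose reliable call-trace frames include the driver transmit functions seen in this trace (`ax_encaps`, `ax_xmit`). The function names `parse_kasan` and `is_hamradio_tx_uaf` and the marker set are assumptions for illustration; the sample is an excerpt of the trace above, kept with the line wrap that quoting introduced.

```python
import re

# Excerpt of the KASAN report quoted in the description above, including the
# line wrap after "in" that mail/web quoting introduced.
SAMPLE = """\
[   26.882075] BUG: KASAN: use-after-free in
tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[   26.882075] Read of size 85 at addr ffff88800690d000 by task trigger/141
[   26.882075] Call Trace:
[   26.882075]  dump_stack+0x7d/0xa3
[   26.882075]  ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[   26.882075]  memcpy+0x20/0x60
[   26.882075]  tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[   26.882075]  pty_write+0xfa/0x1b0
[   26.882075]  ax_encaps+0x9c9/0xb60
[   26.882075]  ax_xmit+0x36a/0x37e
[   26.882075]  dev_hard_start_xmit+0x160/0x500
[   26.882075]  ax25_sendmsg+0xb70/0x1090
"""

# "in\s+" tolerates the header being wrapped onto a second line.
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in\s+(?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
# Reliable frames only: entries marked "? sym" are stale stack guesses and are skipped.
FRAME = re.compile(
    r"^\[\s*\d+\.\d+\]\s{2}(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$", re.M)

# Assumption: marker symbols are taken only from the trace on this page.
HAMRADIO_TX = {"ax_encaps", "ax_xmit"}

def parse_kasan(text):
    """Return the key fields of a KASAN report, or None if it is not one."""
    head, acc = HEADER.search(text), ACCESS.search(text)
    if not head or not acc:
        return None
    return {
        "kind": head["kind"], "func": head["func"], "op": acc["op"],
        "size": int(acc["size"]), "addr": int(acc["addr"], 16),
        "task": acc["task"], "pid": int(acc["pid"]),
        "frames": FRAME.findall(text),
    }

def is_hamradio_tx_uaf(report):
    """True for a use-after-free whose reliable frames hit the marker set."""
    return (report is not None and report["kind"] == "use-after-free"
            and bool(HAMRADIO_TX & set(report["frames"])))
```
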
Comment 1 Takashi Iwai 2022-04-04 15:37:35 UTC
The ax25 stuff (and hamradio) is enabled on SLE15-SP3 and SLE15-SP4 but shipped only with kernel-*-optional for Leap.
Comment 2 Gabriele Sonnu 2022-04-04 15:56:35 UTC
Tracking as affected:

- SLE15-SP3 
- SLE15-SP4
Comment 3 Takashi Iwai 2022-04-05 06:37:08 UTC
The fixes pushed to both SLE15-SP3 and SLE15-SP4 branches.

Reassigned back to security team.
Comment 8 Swamp Workflow Management 2022-04-12 16:28:04 UTC
SUSE-SU-2022:1163-1: An update that solves 25 vulnerabilities and has 33 fixes is now available.

Category: security (important)
Bug References: 1065729,1156395,1175667,1177028,1178134,1179639,1180153,1189562,1194589,1194625,1194649,1194943,1195051,1195353,1195640,1195926,1196018,1196130,1196196,1196478,1196488,1196761,1196823,1196956,1197227,1197243,1197245,1197300,1197302,1197331,1197343,1197366,1197389,1197460,1197462,1197501,1197534,1197661,1197675,1197677,1197702,1197811,1197812,1197815,1197817,1197819,1197820,1197888,1197889,1197894,1198027,1198028,1198029,1198030,1198031,1198032,1198033,1198077
CVE References: CVE-2021-39698,CVE-2021-45402,CVE-2021-45868,CVE-2022-0850,CVE-2022-0854,CVE-2022-1011,CVE-2022-1016,CVE-2022-1048,CVE-2022-1055,CVE-2022-1195,CVE-2022-1198,CVE-2022-1199,CVE-2022-1205,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-27223,CVE-2022-27666,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-150300.38.53.1, kernel-source-azure-5.3.18-150300.38.53.1, kernel-syms-azure-5.3.18-150300.38.53.1
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-150300.38.53.1, kernel-source-azure-5.3.18-150300.38.53.1, kernel-syms-azure-5.3.18-150300.38.53.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2022-04-13 19:24:16 UTC
SUSE-SU-2022:1183-1: An update that solves 15 vulnerabilities and has 32 fixes is now available.

Category: security (important)
Bug References: 1065729,1156395,1175667,1177028,1178134,1179639,1180153,1189562,1194649,1195640,1195926,1196018,1196196,1196478,1196761,1196823,1197227,1197243,1197300,1197302,1197331,1197343,1197366,1197389,1197462,1197501,1197534,1197661,1197675,1197702,1197811,1197812,1197815,1197817,1197819,1197820,1197888,1197889,1197894,1197914,1198027,1198028,1198029,1198030,1198031,1198032,1198033
CVE References: CVE-2021-45868,CVE-2022-0850,CVE-2022-0854,CVE-2022-1011,CVE-2022-1016,CVE-2022-1048,CVE-2022-1055,CVE-2022-1195,CVE-2022-1198,CVE-2022-1199,CVE-2022-1205,CVE-2022-27666,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.3.18-150300.59.63.1, kernel-preempt-5.3.18-150300.59.63.1
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-150300.59.63.1, kernel-64kb-5.3.18-150300.59.63.1, kernel-debug-5.3.18-150300.59.63.1, kernel-default-5.3.18-150300.59.63.1, kernel-default-base-5.3.18-150300.59.63.1.150300.18.39.1, kernel-docs-5.3.18-150300.59.63.1, kernel-kvmsmall-5.3.18-150300.59.63.1, kernel-obs-build-5.3.18-150300.59.63.1, kernel-obs-qa-5.3.18-150300.59.63.1, kernel-preempt-5.3.18-150300.59.63.1, kernel-source-5.3.18-150300.59.63.1, kernel-syms-5.3.18-150300.59.63.1, kernel-zfcpdump-5.3.18-150300.59.63.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-150300.59.63.1, kernel-preempt-5.3.18-150300.59.63.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-150300.59.63.1, kernel-livepatch-SLE15-SP3_Update_17-1-150300.7.3.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-150300.59.63.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-150300.59.63.1, kernel-obs-build-5.3.18-150300.59.63.1, kernel-preempt-5.3.18-150300.59.63.1, kernel-source-5.3.18-150300.59.63.1, kernel-syms-5.3.18-150300.59.63.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-150300.59.63.1, kernel-default-5.3.18-150300.59.63.1, kernel-default-base-5.3.18-150300.59.63.1.150300.18.39.1, kernel-preempt-5.3.18-150300.59.63.1, kernel-source-5.3.18-150300.59.63.1, kernel-zfcpdump-5.3.18-150300.59.63.1
SUSE Linux Enterprise Micro 5.2 (src):    kernel-default-5.3.18-150300.59.63.1, kernel-default-base-5.3.18-150300.59.63.1.150300.18.39.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-default-5.3.18-150300.59.63.1, kernel-default-base-5.3.18-150300.59.63.1.150300.18.39.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-150300.59.63.1

Comment 13 Swamp Workflow Management 2022-04-26 16:23:05 UTC
SUSE-SU-2022:1407-1: An update that solves 15 vulnerabilities and has 34 fixes is now available.

Category: security (important)
Bug References: 1065729,1156395,1175667,1177028,1178134,1179639,1180153,1189562,1194625,1194649,1195640,1195926,1196018,1196196,1196478,1196761,1196823,1197227,1197243,1197300,1197302,1197331,1197343,1197366,1197389,1197462,1197501,1197534,1197661,1197675,1197677,1197702,1197811,1197812,1197815,1197817,1197819,1197820,1197888,1197889,1197894,1198027,1198028,1198029,1198030,1198031,1198032,1198033,1198077
CVE References: CVE-2021-45868,CVE-2022-0850,CVE-2022-0854,CVE-2022-1011,CVE-2022-1016,CVE-2022-1048,CVE-2022-1055,CVE-2022-1195,CVE-2022-1198,CVE-2022-1199,CVE-2022-1205,CVE-2022-27666,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Realtime 15-SP3 (src):    kernel-rt-5.3.18-150300.85.1, kernel-rt_debug-5.3.18-150300.85.1, kernel-source-rt-5.3.18-150300.85.1, kernel-syms-rt-5.3.18-150300.85.1
SUSE Linux Enterprise Micro 5.2 (src):    kernel-rt-5.3.18-150300.85.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-rt-5.3.18-150300.85.1
