Bugzilla – Bug 1198029
VUL-0: CVE-2022-1195: kernel-source: A possible race condition (use-after-free) in drivers/net/hamradio/6pack (mkiss.c) after unregister_netdev
Last modified: 2023-01-18 17:36:23 UTC
A use-after-free vulnerability was found in drivers/net/hamradio in the Linux kernel. In this flaw, a local attacker with user privileges may cause a denial of service (DoS) when a mkiss or sixpack device is detached and resources are reclaimed early.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b2f37aead1b82a770c48b5d583f35ec22aabb61e
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=81b1d548d00bcd028303c4f3150fa753b9b8aa71
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0b9111922b1f399aba6ed1e1b8f2079c3da1aed8
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e0588c291d6ce225f2b891753ca41d45ba42469

==================================================================
[ 26.882075] BUG: KASAN: use-after-free in tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[ 26.882075] Read of size 85 at addr ffff88800690d000 by task trigger/141
[ 26.882075]
[ 26.882075] CPU: 3 PID: 141 Comm: trigger Not tainted 5.11.0 #6
[ 26.882075] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 26.882075] Call Trace:
[ 26.882075] dump_stack+0x7d/0xa3
[ 26.882075] print_address_description.constprop.0+0x18/0x130
[ 26.882075] ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[ 26.882075] ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[ 26.882075] kasan_report.cold+0x7f/0x10e
[ 26.882075] ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[ 26.882075] check_memory_region+0xf9/0x1e0
[ 26.882075] memcpy+0x20/0x60
[ 26.882075] tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[ 26.882075] pty_write+0xfa/0x1b0
[ 26.882075] ? pty_set_termios+0x5d0/0x5d0
[ 26.882075] ax_encaps+0x9c9/0xb60
[ 26.882075] ax_xmit+0x36a/0x37e
[ 26.882075] dev_hard_start_xmit+0x160/0x500
[ 26.882075] sch_direct_xmit+0x20b/0xa00
[ 26.882075] ? qdisc_put_unlocked+0x50/0x50
[ 26.882075] ? sysvec_apic_timer_interrupt+0x33/0xd0
[ 26.882075] ? pfifo_fast_dequeue+0x275/0xa30
[ 26.882075] __qdisc_run+0x3a0/0x1390
[ 26.882075] __dev_queue_xmit+0xabb/0x1b10
[ 26.882075] ? netdev_core_pick_tx+0x2a0/0x2a0
[ 26.882075] ? sysvec_apic_timer_interrupt+0x33/0xd0
[ 26.882075] ? memcpy+0x39/0x60
[ 26.882075] ? ax25_addr_build+0x7e/0x2a0
[ 26.882075] ax25_sendmsg+0xb70/0x1090
[ 26.882075] ? selinux_inode_notifysecctx+0x20/0x20
[ 26.882075] ? ax25_device_event+0x210/0x210
[ 26.882075] ? __fget_files+0x15b/0x210
[ 26.882075] ? ax25_device_event+0x210/0x210
[ 26.882075] sock_sendmsg+0xdf/0x110
[ 26.882075] __sys_sendto+0x19e/0x270
[ 26.882075] ? __ia32_sys_getpeername+0xa0/0xa0
[ 26.882075] ? copy_init_fpstate_to_fpregs+0x70/0x70
[ 26.882075] __x64_sys_sendto+0xd8/0x1b0
[ 26.882075] ? exit_to_user_mode_prepare+0x2c/0x120
[ 26.882075] do_syscall_64+0x33/0x40
[ 26.882075] entry_SYSCALL_64_after_hwframe+0x44/0xa9
<..>
==================================================================

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2056381
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1195
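A triage sketch for the KASAN report above, added here as an example and not part of the original bug report or of SUSE's tooling: it parses the report header, keeps only the frames the unwinder confirmed (no leading "?"), and checks for the mkiss transmit symbols seen in this trace. The sample is a shortened copy of that trace; `parse_kasan`, `triage`, `NOISE` and `DRIVER_FRAMES` are hypothetical names.

```python
import re

# Constructed sample: a shortened copy of the KASAN report quoted in this bug.
SAMPLE = """\
[ 26.882075] BUG: KASAN: use-after-free in tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[ 26.882075] Read of size 85 at addr ffff88800690d000 by task trigger/141
[ 26.882075] Call Trace:
[ 26.882075] dump_stack+0x7d/0xa3
[ 26.882075] kasan_report.cold+0x7f/0x10e
[ 26.882075] memcpy+0x20/0x60
[ 26.882075] tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[ 26.882075] pty_write+0xfa/0x1b0
[ 26.882075] ? pty_set_termios+0x5d0/0x5d0
[ 26.882075] ax_encaps+0x9c9/0xb60
[ 26.882075] ax_xmit+0x36a/0x37e
[ 26.882075] dev_hard_start_xmit+0x160/0x500
[ 26.882075] ax25_sendmsg+0xb70/0x1090
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
HEAD = re.compile(r"BUG: KASAN: (\S+) in (\w[\w.]*)\+")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Reporting machinery and generic copy helpers, not the caller that used the freed memory.
NOISE = {"dump_stack", "print_address_description", "kasan_report",
         "check_memory_region", "memcpy"}
# Driver symbols taken from the trace on this page; extend for other drivers.
DRIVER_FRAMES = {"ax_encaps", "ax_xmit"}

def parse_kasan(text):
    report, in_trace = {"frames": []}, False
    for raw in text.splitlines():
        line = STAMP.sub("", raw)
        if m := HEAD.search(line):
            report["bug"], report["site"] = m.group(1), m.group(2)
        elif m := ACCESS.search(line):
            report.update(access=m.group(1).lower(), size=int(m.group(2)),
                          addr=int(m.group(3), 16), task=m.group(4), pid=int(m.group(5)))
        elif line.strip() == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME.match(line)) and not m.group(1):
            # Drop compiler suffixes such as .cold or .constprop.0
            report["frames"].append(m.group(2).split(".")[0])
    return report

def triage(report):
    chain = [f for f in report["frames"] if f not in NOISE]
    hits = [f for f in chain if f in DRIVER_FRAMES]
    return {"bug": report.get("bug"), "chain": chain, "driver_frames": hits,
            "matches_page_signature": report.get("bug") == "use-after-free" and bool(hits)}
```
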
The ax25 stuff (and hamradio) is enabled on SLE15-SP3 and SLE15-SP4 but shipped only with kernel-*-optional for Leap.
Tracking as affected:
- SLE15-SP3
- SLE15-SP4
The fixes were pushed to both SLE15-SP3 and SLE15-SP4 branches. Reassigned back to security team.
SUSE-SU-2022:1163-1: An update that solves 25 vulnerabilities and has 33 fixes is now available.

Category: security (important)
Bug References: 1065729,1156395,1175667,1177028,1178134,1179639,1180153,1189562,1194589,1194625,1194649,1194943,1195051,1195353,1195640,1195926,1196018,1196130,1196196,1196478,1196488,1196761,1196823,1196956,1197227,1197243,1197245,1197300,1197302,1197331,1197343,1197366,1197389,1197460,1197462,1197501,1197534,1197661,1197675,1197677,1197702,1197811,1197812,1197815,1197817,1197819,1197820,1197888,1197889,1197894,1198027,1198028,1198029,1198030,1198031,1198032,1198033,1198077
CVE References: CVE-2021-39698,CVE-2021-45402,CVE-2021-45868,CVE-2022-0850,CVE-2022-0854,CVE-2022-1011,CVE-2022-1016,CVE-2022-1048,CVE-2022-1055,CVE-2022-1195,CVE-2022-1198,CVE-2022-1199,CVE-2022-1205,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-27223,CVE-2022-27666,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): kernel-azure-5.3.18-150300.38.53.1, kernel-source-azure-5.3.18-150300.38.53.1, kernel-syms-azure-5.3.18-150300.38.53.1
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src): kernel-azure-5.3.18-150300.38.53.1, kernel-source-azure-5.3.18-150300.38.53.1, kernel-syms-azure-5.3.18-150300.38.53.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1183-1: An update that solves 15 vulnerabilities and has 32 fixes is now available.

Category: security (important)
Bug References: 1065729,1156395,1175667,1177028,1178134,1179639,1180153,1189562,1194649,1195640,1195926,1196018,1196196,1196478,1196761,1196823,1197227,1197243,1197300,1197302,1197331,1197343,1197366,1197389,1197462,1197501,1197534,1197661,1197675,1197702,1197811,1197812,1197815,1197817,1197819,1197820,1197888,1197889,1197894,1197914,1198027,1198028,1198029,1198030,1198031,1198032,1198033
CVE References: CVE-2021-45868,CVE-2022-0850,CVE-2022-0854,CVE-2022-1011,CVE-2022-1016,CVE-2022-1048,CVE-2022-1055,CVE-2022-1195,CVE-2022-1198,CVE-2022-1199,CVE-2022-1205,CVE-2022-27666,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): dtb-aarch64-5.3.18-150300.59.63.1, kernel-preempt-5.3.18-150300.59.63.1
openSUSE Leap 15.3 (src): dtb-aarch64-5.3.18-150300.59.63.1, kernel-64kb-5.3.18-150300.59.63.1, kernel-debug-5.3.18-150300.59.63.1, kernel-default-5.3.18-150300.59.63.1, kernel-default-base-5.3.18-150300.59.63.1.150300.18.39.1, kernel-docs-5.3.18-150300.59.63.1, kernel-kvmsmall-5.3.18-150300.59.63.1, kernel-obs-build-5.3.18-150300.59.63.1, kernel-obs-qa-5.3.18-150300.59.63.1, kernel-preempt-5.3.18-150300.59.63.1, kernel-source-5.3.18-150300.59.63.1, kernel-syms-5.3.18-150300.59.63.1, kernel-zfcpdump-5.3.18-150300.59.63.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src): kernel-default-5.3.18-150300.59.63.1, kernel-preempt-5.3.18-150300.59.63.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src): kernel-default-5.3.18-150300.59.63.1, kernel-livepatch-SLE15-SP3_Update_17-1-150300.7.3.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src): kernel-default-5.3.18-150300.59.63.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): kernel-docs-5.3.18-150300.59.63.1, kernel-obs-build-5.3.18-150300.59.63.1, kernel-preempt-5.3.18-150300.59.63.1, kernel-source-5.3.18-150300.59.63.1, kernel-syms-5.3.18-150300.59.63.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): kernel-64kb-5.3.18-150300.59.63.1, kernel-default-5.3.18-150300.59.63.1, kernel-default-base-5.3.18-150300.59.63.1.150300.18.39.1, kernel-preempt-5.3.18-150300.59.63.1, kernel-source-5.3.18-150300.59.63.1, kernel-zfcpdump-5.3.18-150300.59.63.1
SUSE Linux Enterprise Micro 5.2 (src): kernel-default-5.3.18-150300.59.63.1, kernel-default-base-5.3.18-150300.59.63.1.150300.18.39.1
SUSE Linux Enterprise Micro 5.1 (src): kernel-default-5.3.18-150300.59.63.1, kernel-default-base-5.3.18-150300.59.63.1.150300.18.39.1
SUSE Linux Enterprise High Availability 15-SP3 (src): kernel-default-5.3.18-150300.59.63.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1407-1: An update that solves 15 vulnerabilities and has 34 fixes is now available.

Category: security (important)
Bug References: 1065729,1156395,1175667,1177028,1178134,1179639,1180153,1189562,1194625,1194649,1195640,1195926,1196018,1196196,1196478,1196761,1196823,1197227,1197243,1197300,1197302,1197331,1197343,1197366,1197389,1197462,1197501,1197534,1197661,1197675,1197677,1197702,1197811,1197812,1197815,1197817,1197819,1197820,1197888,1197889,1197894,1198027,1198028,1198029,1198030,1198031,1198032,1198033,1198077
CVE References: CVE-2021-45868,CVE-2022-0850,CVE-2022-0854,CVE-2022-1011,CVE-2022-1016,CVE-2022-1048,CVE-2022-1055,CVE-2022-1195,CVE-2022-1198,CVE-2022-1199,CVE-2022-1205,CVE-2022-27666,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Realtime 15-SP3 (src): kernel-rt-5.3.18-150300.85.1, kernel-rt_debug-5.3.18-150300.85.1, kernel-source-rt-5.3.18-150300.85.1, kernel-syms-rt-5.3.18-150300.85.1
SUSE Linux Enterprise Micro 5.2 (src): kernel-rt-5.3.18-150300.85.1
SUSE Linux Enterprise Micro 5.1 (src): kernel-rt-5.3.18-150300.85.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.