An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-1631 Final 1.0 1.0 2022-05-11 Initial 2022-05-11 2022-05-11 openEuler SA Tool V1.0 2022-05-11 kernel security update An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS. The Linux Kernel, the operating system core itself. Security Fix(es): A NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system(CVE-2022-1205) A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability.(CVE-2022-1199) A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information.(CVE-2022-1353) Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.(CVE-2022-23960) drivers/infiniband/ulp/rtrs/rtrs-clt.c in the Linux kernel before 5.16.12 has a double free related to rtrs_clt_dev_release.(CVE-2022-29156) A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernel’s BPF subsystem due to the way a user loads BTF. This flaw allows a local user to crash or escalate their privileges on the system.(CVE-2022-0500) Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042(CVE-2022-23036) In several functions of binder.c, there is a possible way to represent the wrong domain to SELinux due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-200688826References: Upstream kernel(CVE-2021-39686) Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.(CVE-2022-0001) Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042(CVE-2022-23038) Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042(CVE-2022-23037) An update for kernel is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High kernel https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1631 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-1205 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-1199 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-1353 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-23960 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-29156 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-0500 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-23036 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-39686 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-0001 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-23038 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-23037 https://nvd.nist.gov/vuln/detail/CVE-2022-1205 https://nvd.nist.gov/vuln/detail/CVE-2022-1199 https://nvd.nist.gov/vuln/detail/CVE-2022-1353 https://nvd.nist.gov/vuln/detail/CVE-2022-23960 https://nvd.nist.gov/vuln/detail/CVE-2022-29156 https://nvd.nist.gov/vuln/detail/CVE-2022-0500 https://nvd.nist.gov/vuln/detail/CVE-2022-23036 https://nvd.nist.gov/vuln/detail/CVE-2021-39686 https://nvd.nist.gov/vuln/detail/CVE-2022-0001 https://nvd.nist.gov/vuln/detail/CVE-2022-23038 https://nvd.nist.gov/vuln/detail/CVE-2022-23037 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS kernel-devel-4.19.90-2204.4.0.0148.oe1.aarch64.rpm python3-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm bpftool-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm kernel-source-4.19.90-2204.4.0.0148.oe1.aarch64.rpm python3-perf-4.19.90-2204.4.0.0148.oe1.aarch64.rpm kernel-tools-devel-4.19.90-2204.4.0.0148.oe1.aarch64.rpm perf-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm perf-4.19.90-2204.4.0.0148.oe1.aarch64.rpm bpftool-4.19.90-2204.4.0.0148.oe1.aarch64.rpm kernel-tools-4.19.90-2204.4.0.0148.oe1.aarch64.rpm kernel-4.19.90-2204.4.0.0148.oe1.aarch64.rpm python2-perf-4.19.90-2204.4.0.0148.oe1.aarch64.rpm kernel-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm kernel-tools-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm python2-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm kernel-debugsource-4.19.90-2204.4.0.0148.oe1.aarch64.rpm kernel-devel-4.19.90-2204.4.0.0148.oe1.aarch64.rpm python3-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm bpftool-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm kernel-source-4.19.90-2204.4.0.0148.oe1.aarch64.rpm python3-perf-4.19.90-2204.4.0.0148.oe1.aarch64.rpm kernel-tools-devel-4.19.90-2204.4.0.0148.oe1.aarch64.rpm perf-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm perf-4.19.90-2204.4.0.0148.oe1.aarch64.rpm bpftool-4.19.90-2204.4.0.0148.oe1.aarch64.rpm kernel-tools-4.19.90-2204.4.0.0148.oe1.aarch64.rpm kernel-4.19.90-2204.4.0.0148.oe1.aarch64.rpm python2-perf-4.19.90-2204.4.0.0148.oe1.aarch64.rpm kernel-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm kernel-tools-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm python2-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.aarch64.rpm kernel-debugsource-4.19.90-2204.4.0.0148.oe1.aarch64.rpm perf-5.10.0-60.39.0.68.oe2203.aarch64.rpm bpftool-5.10.0-60.39.0.68.oe2203.aarch64.rpm kernel-devel-5.10.0-60.39.0.68.oe2203.aarch64.rpm bpftool-debuginfo-5.10.0-60.39.0.68.oe2203.aarch64.rpm python3-perf-debuginfo-5.10.0-60.39.0.68.oe2203.aarch64.rpm kernel-debuginfo-5.10.0-60.39.0.68.oe2203.aarch64.rpm kernel-source-5.10.0-60.39.0.68.oe2203.aarch64.rpm kernel-tools-5.10.0-60.39.0.68.oe2203.aarch64.rpm python3-perf-5.10.0-60.39.0.68.oe2203.aarch64.rpm kernel-headers-5.10.0-60.39.0.68.oe2203.aarch64.rpm perf-debuginfo-5.10.0-60.39.0.68.oe2203.aarch64.rpm kernel-debugsource-5.10.0-60.39.0.68.oe2203.aarch64.rpm kernel-tools-devel-5.10.0-60.39.0.68.oe2203.aarch64.rpm kernel-tools-debuginfo-5.10.0-60.39.0.68.oe2203.aarch64.rpm kernel-5.10.0-60.39.0.68.oe2203.aarch64.rpm kernel-4.19.90-2204.4.0.0148.oe1.src.rpm kernel-4.19.90-2204.4.0.0148.oe1.src.rpm kernel-5.10.0-60.39.0.68.oe2203.src.rpm kernel-tools-4.19.90-2204.4.0.0148.oe1.x86_64.rpm python3-perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm bpftool-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-tools-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm python2-perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-devel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm python2-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm python3-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm bpftool-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-tools-devel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-debugsource-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-source-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-devel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-source-4.19.90-2204.4.0.0148.oe1.x86_64.rpm python2-perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm python3-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm python3-perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm bpftool-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-tools-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm python2-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-tools-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-debugsource-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-tools-devel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm bpftool-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-devel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-source-4.19.90-2204.4.0.0148.oe1.x86_64.rpm python2-perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm python3-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm python3-perf-4.19.90-2204.4.0.0148.oe1.x86_64.rpm bpftool-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-tools-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm python2-perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-tools-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-debugsource-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-tools-devel-4.19.90-2204.4.0.0148.oe1.x86_64.rpm bpftool-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm perf-debuginfo-4.19.90-2204.4.0.0148.oe1.x86_64.rpm kernel-devel-5.10.0-60.39.0.68.oe2203.x86_64.rpm kernel-tools-5.10.0-60.39.0.68.oe2203.x86_64.rpm kernel-debugsource-5.10.0-60.39.0.68.oe2203.x86_64.rpm kernel-tools-debuginfo-5.10.0-60.39.0.68.oe2203.x86_64.rpm bpftool-5.10.0-60.39.0.68.oe2203.x86_64.rpm kernel-source-5.10.0-60.39.0.68.oe2203.x86_64.rpm kernel-tools-devel-5.10.0-60.39.0.68.oe2203.x86_64.rpm kernel-debuginfo-5.10.0-60.39.0.68.oe2203.x86_64.rpm perf-5.10.0-60.39.0.68.oe2203.x86_64.rpm kernel-headers-5.10.0-60.39.0.68.oe2203.x86_64.rpm python3-perf-5.10.0-60.39.0.68.oe2203.x86_64.rpm perf-debuginfo-5.10.0-60.39.0.68.oe2203.x86_64.rpm bpftool-debuginfo-5.10.0-60.39.0.68.oe2203.x86_64.rpm kernel-5.10.0-60.39.0.68.oe2203.x86_64.rpm python3-perf-debuginfo-5.10.0-60.39.0.68.oe2203.x86_64.rpm A NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system. 2022-05-11 CVE-2022-1205 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS Medium 5.1 AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H kernel security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1631 A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability. 2022-05-11 CVE-2022-1199 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS Medium 5.1 AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H kernel security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1631 A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information. 2022-05-11 CVE-2022-1353 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS Medium 6.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H kernel security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1631 Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information. 2022-05-11 CVE-2022-23960 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS Medium 5.6 AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N kernel security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1631 drivers/infiniband/ulp/rtrs/rtrs-clt.c in the Linux kernel before 5.16.12 has a double free related to rtrs_clt_dev_release. 2022-05-11 CVE-2022-29156 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1631 A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernel’s BPF subsystem due to the way a user loads BTF. This flaw allows a local user to crash or escalate their privileges on the system. 2022-05-11 CVE-2022-0500 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1631 Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 2022-05-11 CVE-2022-23036 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1631 In several functions of binder.c, there is a possible way to represent the wrong domain to SELinux due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-200688826References: Upstream kernel 2022-05-11 CVE-2021-39686 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1631 Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. 2022-05-11 CVE-2022-0001 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS Medium 6.5 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N kernel security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1631 Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 2022-05-11 CVE-2022-23038 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1631 Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 2022-05-11 CVE-2022-23037 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1631