SB2023012565 - SUSE update for the Linux Kernel
Published: January 25, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 11 secuirty vulnerabilities.
1) Memory leak (CVE-ID: CVE-2019-19083)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the "clock_source_create()" functions under drivers/gpu/drm/amd/display/dc in the Linux kernel before 5.3.8 allow a local user to cause a denial of service (memory consumption).
This vulnerability affects the following functions:
- dce112_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c
- dce100_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c
- dcn10_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c
- dcn20_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
- dce120_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c
- dce110_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c
- dce80_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c
2) NULL pointer dereference (CVE-ID: CVE-2022-3105)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the uapi_finalize() function in drivers/infiniband/core/uverbs_uapi.c. A local user can perform a denial of service (DoS) attack.
3) NULL pointer dereference (CVE-ID: CVE-2022-3106)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the ef100_update_stats() function in drivers/net/ethernet/sfc/ef100_nic.c. A local user can perform a denial of service (DoS) attack.
4) NULL pointer dereference (CVE-ID: CVE-2022-3107)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the netvsc_get_ethtool_stats() function in drivers/net/hyperv/netvsc_drv.c. A local user can perform a denial of service (DoS) attack.
5) Unchecked Return Value (CVE-ID: CVE-2022-3108)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to unchecked return value within the kfd_parse_subtype_iolink() function in drivers/gpu/drm/amd/amdkfd/kfd_crat.c. A local user can crash the kernel.
6) NULL pointer dereference (CVE-ID: CVE-2022-3111)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the free_charger_irq() function in drivers/power/supply/wm8350_power.c. A local user can perform a denial of service (DoS) attack.
7) Out-of-bounds read (CVE-ID: CVE-2022-3435)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the fib_nh_match() function in net/ipv4/fib_semantics.c IPv4 handler. A remote attacker can send specially crafted data to the system, trigger an out-of-bounds read error and read contents of memory on the system.
8) Input validation error (CVE-ID: CVE-2022-3643)
The vulnerability allows an attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of network packets. An attacker with access to the guest OS can trigger the related physical NIC on the host to reset, abort, or crash by sending certain kinds of packets.
9) Resource management error (CVE-ID: CVE-2022-42328)
The vulnerability allows an attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources. An attacker with access to the guest OS can trigger deadlock in Linux netback driver and perform a denial of service (DoS) attack of the host via the paravirtualized network interface.
10) Resource management error (CVE-ID: CVE-2022-42329)
The vulnerability allows an attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources. An attacker with access to the guest OS can trigger deadlock in Linux netback driver and perform a denial of service (DoS) attack of the host via the paravirtualized network interface.
11) Improper access control (CVE-ID: CVE-2022-4662)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper access restrictions in the Linux kernel USB core subsystem in the way user attaches usb device. A local user can perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.