RHSA-2020:4062 - Security Advisory

Issued: 2020-09-29
Updated: 2020-09-29


Synopsis

Important: kernel-rt security and bug fix update

Type/Severity

Security Advisory: Important

Topic

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

  • kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)
  • kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c (CVE-2017-18551)
  • kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free (CVE-2018-20836)
  • kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)
  • kernel: use after free due to race condition in the video driver leads to local privilege escalation (CVE-2019-9458)

Space precludes documenting all of the security fixes in this advisory. See the descriptions of the remaining security fixes in the related Knowledge Article:

https://access.redhat.com/articles/5442481

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.
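
A host that has the update installed but has not rebooted is still running the vulnerable kernel. The check below is an added example, not part of the advisory or of Red Hat tooling: the function names are illustrative, the fixed build string is taken from the package list in this advisory, and GNU `sort -V` is assumed as an approximation of RPM version ordering.

```bash
#!/usr/bin/env bash
# Added example: classify a host against the fixed kernel-rt build.
FIXED="3.10.0-1160.rt56.1131.el7"   # from this advisory's package list

# Drop the architecture (and any flavour suffix after it) from a release string.
strip_arch() {
    printf '%s\n' "$1" | sed -E 's/\.(x86_64|noarch)(\..*)?$//'
}

# True when version-release $1 >= $2. GNU sort -V approximates RPM ordering.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# classify RUNNING NEWEST_INSTALLED
# prints: patched | reboot-required | update-required | not-kernel-rt
classify() {
    running=$(strip_arch "$1")
    installed=$(strip_arch "$2")
    case "$running" in
        *.rt[0-9]*) ;;                          # real-time kernel release
        *) echo "not-kernel-rt"; return 0 ;;    # advisory does not apply
    esac
    if ver_ge "$running" "$FIXED"; then
        echo "patched"
    elif ver_ge "$installed" "$FIXED"; then
        echo "reboot-required"                  # fixed build on disk, old one in memory
    else
        echo "update-required"
    fi
}

# Live check on a real host: running kernel vs newest installed kernel-rt.
check_host() {
    pkgs=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-rt 2>/dev/null) || pkgs=""
    newest=$(printf '%s\n' "$pkgs" | sort -V | tail -n1)
    classify "$(uname -r)" "$newest"
}

if [ "${1:-}" = "--host" ]; then
    check_host
else
    # Constructed sample: update installed, an older RT kernel still running.
    classify "3.10.0-1127.rt56.1093.el7.x86_64" "$FIXED"
fi
```

Run with `--host` on a RHEL for Real Time 7 system; without arguments it classifies the constructed sample only.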

Affected Products

  • Red Hat Enterprise Linux for Real Time 7 x86_64
  • Red Hat Enterprise Linux for Real Time for NFV 7 x86_64

Fixes

  • BZ - 1427551 - mm/swap: Convert to percpu locked
  • BZ - 1707796 - CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free
  • BZ - 1745528 - CVE-2019-15217 kernel: null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver
  • BZ - 1747216 - CVE-2019-15807 kernel: Memory leak in drivers/scsi/libsas/sas_expander.c
  • BZ - 1757368 - CVE-2017-18551 kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c
  • BZ - 1758242 - CVE-2019-17053 kernel: unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol
  • BZ - 1758248 - CVE-2019-17055 kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol
  • BZ - 1759681 - CVE-2019-16994 kernel: Memory leak in sit_init_net() in net/ipv6/sit.c
  • BZ - 1760100 - CVE-2019-15917 kernel: use-after-free in drivers/bluetooth/hci_ldisc.c
  • BZ - 1760310 - CVE-2019-16231 kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c
  • BZ - 1760420 - CVE-2019-16233 kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c
  • BZ - 1774988 - CVE-2019-19046 kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c
  • BZ - 1775015 - CVE-2019-19063 kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c allow for a DoS
  • BZ - 1775021 - CVE-2019-19062 kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS
  • BZ - 1775042 - CVE-2019-19059 kernel: Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c allows for a DoS
  • BZ - 1775047 - CVE-2019-19058 kernel: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c allows for a DoS
  • BZ - 1775074 - CVE-2019-19055 kernel: memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c allows DoS
  • BZ - 1777418 - CVE-2019-18808 kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c
  • BZ - 1779594 - CVE-2019-19332 Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid
  • BZ - 1781679 - CVE-2019-19447 kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c
  • BZ - 1783434 - CVE-2019-19523 kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver
  • BZ - 1783459 - CVE-2019-19524 kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free
  • BZ - 1783518 - CVE-2019-19530 kernel: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver
  • BZ - 1783540 - CVE-2019-19534 kernel: information leak bug caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver
  • BZ - 1783561 - CVE-2019-19537 kernel: race condition caused by a malicious USB device in the USB character device driver layer
  • BZ - 1786078 - CVE-2019-19807 kernel: use-after-free in sound/core/timer.c
  • BZ - 1786160 - CVE-2019-19767 kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c and fs/ext4/super.c
  • BZ - 1788009 - Request nx_huge_pages=N as default value to avoid kvm-rt guest large latency spike
  • BZ - 1790063 - CVE-2019-20054 kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c
  • BZ - 1791954 - CVE-2019-20095 kernel: memory leak in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c
  • BZ - 1802555 - CVE-2020-8649 kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c
  • BZ - 1802563 - CVE-2020-8647 kernel: out-of-bounds read in vc_do_resize function in drivers/tty/vt/vt.c
  • BZ - 1805135 - CVE-2020-2732 Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources
  • BZ - 1809833 - CVE-2020-1749 kernel: some ipv6 protocols not encrypted over ipsec tunnel
  • BZ - 1810685 - CVE-2020-9383 kernel: out-of-bounds read in set_fdc in drivers/block/floppy.c
  • BZ - 1817141 - CVE-2020-10690 kernel: use-after-free in cdev_put() when a PTP device is removed while its chardev is open
  • BZ - 1817718 - CVE-2020-10942 kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field
  • BZ - 1818818 - CVE-2019-9454 kernel: out of bounds write in i2c driver leads to local escalation of privilege
  • BZ - 1819377 - CVE-2019-9458 kernel: use after free due to race condition in the video driver leads to local privilege escalation
  • BZ - 1822077 - CVE-2020-12826 kernel: possible to send arbitrary signals to a privileged (suidroot) parent process
  • BZ - 1824059 - CVE-2019-20636 kernel: out-of-bounds write via crafted keycode table
  • BZ - 1824918 - CVE-2020-11565 kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c
  • BZ - 1831399 - CVE-2020-10732 kernel: uninitialized kernel data leak in userspace coredumps
  • BZ - 1834845 - CVE-2020-12770 kernel: sg_write function lacks an sg_remove_request call in a certain failure case
  • BZ - 1835127 - CVE-2020-10742 kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic
  • BZ - 1839634 - CVE-2020-10751 kernel: SELinux netlink permission check bypass
  • BZ - 1850716 - CVE-2020-14305 kernel: memory corruption in Voice over IP nf_conntrack_h323 module

CVEs

  • CVE-2017-18551
  • CVE-2018-20836
  • CVE-2019-9454
  • CVE-2019-9458
  • CVE-2019-15217
  • CVE-2019-15807
  • CVE-2019-15917
  • CVE-2019-16231
  • CVE-2019-16233
  • CVE-2019-16994
  • CVE-2019-17053
  • CVE-2019-17055
  • CVE-2019-18808
  • CVE-2019-19046
  • CVE-2019-19055
  • CVE-2019-19058
  • CVE-2019-19059
  • CVE-2019-19062
  • CVE-2019-19063
  • CVE-2019-19332
  • CVE-2019-19447
  • CVE-2019-19523
  • CVE-2019-19524
  • CVE-2019-19530
  • CVE-2019-19534
  • CVE-2019-19537
  • CVE-2019-19767
  • CVE-2019-19807
  • CVE-2019-20054
  • CVE-2019-20095
  • CVE-2019-20636
  • CVE-2020-1749
  • CVE-2020-2732
  • CVE-2020-8647
  • CVE-2020-8649
  • CVE-2020-9383
  • CVE-2020-10690
  • CVE-2020-10732
  • CVE-2020-10742
  • CVE-2020-10751
  • CVE-2020-10942
  • CVE-2020-11565
  • CVE-2020-12770
  • CVE-2020-12826
  • CVE-2020-14305

References

  • https://access.redhat.com/security/updates/classification/#important
  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index
  • https://access.redhat.com/articles/5442481

Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux for Real Time 7

SRPM
kernel-rt-3.10.0-1160.rt56.1131.el7.src.rpm SHA-256: a327e3aaa26258c429c56e0146d00eccbcbeee2d3780454fd9dffbd0725611cd
x86_64
kernel-rt-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: c72af4695c00bafe85617d7f970b33535b449bfd0c96cb92c9cac6d9230f19b5
kernel-rt-debug-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 6f5048be439ce4f65fe4985aafa0bb93e21836e8e476a2e7388e23da9edf9dce
kernel-rt-debug-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: c5535f219d505486c5996dd88605d5c27b8b17ee59b9dfd0eb84a4787e91b5e7
kernel-rt-debug-devel-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 65b04383c2a26daa6130d625d952e2840d2b470a81bf8b37f0a4024cef95a5ed
kernel-rt-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 561a17dbdf802217d5cb63b7e2b6cafab557f45bd14135954307043d46c007f7
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 425256bf45a2af522d5cdb02a4f3f1be028aa0d9ff88c936637955d7b7b5327c
kernel-rt-devel-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 700a549543448ca5c8652a1c81e8bb6f2ffd6a4002188969843875aab3b4f3b6
kernel-rt-doc-3.10.0-1160.rt56.1131.el7.noarch.rpm SHA-256: f8ee29416a5588aad5ba698b990ac44b2a08cc425a53afd55f46e9fb6939ac0b
kernel-rt-trace-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 77ea6a4912c8f549eb8d7f6c90357af6693cb7b90445ca797b5438a00e41c310
kernel-rt-trace-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 509c2331a6880065454e671376ecf1b340d225c1ca04601b4c8fe98e3797f60a
kernel-rt-trace-devel-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 3fc2a37c135911ce2fd5f6ce77f9b837de2972b1131e04e0c71aebb68a6a1779

Red Hat Enterprise Linux for Real Time for NFV 7

SRPM
kernel-rt-3.10.0-1160.rt56.1131.el7.src.rpm SHA-256: a327e3aaa26258c429c56e0146d00eccbcbeee2d3780454fd9dffbd0725611cd
x86_64
kernel-rt-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: c72af4695c00bafe85617d7f970b33535b449bfd0c96cb92c9cac6d9230f19b5
kernel-rt-debug-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 6f5048be439ce4f65fe4985aafa0bb93e21836e8e476a2e7388e23da9edf9dce
kernel-rt-debug-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: c5535f219d505486c5996dd88605d5c27b8b17ee59b9dfd0eb84a4787e91b5e7
kernel-rt-debug-devel-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 65b04383c2a26daa6130d625d952e2840d2b470a81bf8b37f0a4024cef95a5ed
kernel-rt-debug-kvm-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: c05139ca188df976ebce1a9707650412aabfe03a3646f6077499d7ba7e0966f7
kernel-rt-debug-kvm-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: ce59abd001b370b994f4e958b0eff2a033b9bea4ad999c7a977b0c6eb6e0642e
kernel-rt-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 561a17dbdf802217d5cb63b7e2b6cafab557f45bd14135954307043d46c007f7
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 425256bf45a2af522d5cdb02a4f3f1be028aa0d9ff88c936637955d7b7b5327c
kernel-rt-devel-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 700a549543448ca5c8652a1c81e8bb6f2ffd6a4002188969843875aab3b4f3b6
kernel-rt-doc-3.10.0-1160.rt56.1131.el7.noarch.rpm SHA-256: f8ee29416a5588aad5ba698b990ac44b2a08cc425a53afd55f46e9fb6939ac0b
kernel-rt-kvm-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 481620ea7d9ed0171745f0e93ee97cacba492226d62d9cdbf7dd3201e1cefbc1
kernel-rt-kvm-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 9bc8129cf3882b7fbfd13f643d94a40b70f8fa84f24b093de24a6460ec40d0bd
kernel-rt-trace-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 77ea6a4912c8f549eb8d7f6c90357af6693cb7b90445ca797b5438a00e41c310
kernel-rt-trace-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 509c2331a6880065454e671376ecf1b340d225c1ca04601b4c8fe98e3797f60a
kernel-rt-trace-devel-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 3fc2a37c135911ce2fd5f6ce77f9b837de2972b1131e04e0c71aebb68a6a1779
kernel-rt-trace-kvm-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: 81050c4c579935a6200d7e027d5934ce70f867c62f7c1287cb794269cf07aeb6
kernel-rt-trace-kvm-debuginfo-3.10.0-1160.rt56.1131.el7.x86_64.rpm SHA-256: fcaf6f25ac53677dc70b668b40776fc9c426f8b3b87ddb9bfc6cb75f7320b814

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
