(RHSA-2024:1250) Important: kernel security and bug fix update

Security Fix(es):

• kernel: use-after-free in smb2_is_status_io_timeout() (CVE-2023-1192)

• kernel: nfp: use-after-free in area_cache_get() (CVE-2022-3545)

• kernel: NULL pointer dereference in can_rcv_filter (CVE-2023-2166)

• kernel: Slab-out-of-bound read in compare_netdev_and_ip (CVE-2023-2176)

• kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests (CVE-2023-3390)

• kernel: out-of-bounds access in relay_file_read (CVE-2023-3268)

• kernel: vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup() (CVE-2023-4459)

• hw: Intel: Gather Data Sampling (GDS) side channel vulnerability (CVE-2022-40982,Downfall)

• kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)

• kernel: fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (CVE-2023-38409)

• kernel: Race Condition leading to UAF in Unix Socket could happen in sk_receive_queue ()

• kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (CVE-2023-40283)

• kernel: use after free in unix_stream_sendpage (CVE-2023-4622)

• kernel: bpf: Incorrect verifier pruning leads to unsafe code paths being incorrectly marked as safe (CVE-2023-2163)

• kernel: A heap out-of-bounds write when function perf_read_group is called and sibling_list is smaller than its child’s sibling_list (CVE-2023-5717)

• kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)

• kernel: use-after-free in IPv4 IGMP (CVE-2023-6932)

• kernel: refcount leak in ctnetlink_create_conntrack() (CVE-2023-7192)

Bug Fix(es):

• kernel: fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (JIRA:RHEL-1104)

• [SanityOnly][kernel]BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:35 at: sock_map_update_elem_sys+0x85/0x2a0 (JIRA:RHEL-17572)

• kernel: vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup() (JIRA:RHEL-18084)

• kernel: NULL pointer dereference in can_rcv_filter (JIRA:RHEL-19463)

• kernel: hw: Intel: Gather Data Sampling (GDS) side channel vulnerability (JIRA:RHEL-8592)

• kernel: A heap out-of-bounds write (JIRA:RHEL-18008)

• kernel: Slab-out-of-bound read in compare_netdev_and_ip (JIRA:RHEL-19356)

• kernel: A flaw leading to a use-after-free in area_cache_get() (JIRA:RHEL-19454)

• kernel: bpf: Incorrect verifier pruning leads to unsafe code paths being incorrectly marked as safe (JIRA:RHEL-8978)

• kernel: use-after-free in smb2_is_status_io_timeout() (JIRA:RHEL-15167)

• kernel: various flaws (JIRA:RHEL-16148)

• kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (JIRA:RHEL-19001)

• kernel: refcount leak in ctnetlink_create_conntrack() (JIRA:RHEL-20307)

• RHEL9.0 - s390/qeth: recovery and set offline lose routes and IPv6 addr (JIRA:RHEL-17885)

• kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (JIRA:RHEL-22092)

• dm multipath device suspend deadlocks waiting on a flush request (JIRA:RHEL-19103)

• 5.14.0-70.87.1.el9_0: aarch64 BUG: arch topology borken / the CLS domain not a subset of the MC domain (JIRA:RHEL-22501)

• RHEL-9.0 TEST-17-Setup-struct-perf-event-attr / bz1308907 test failure on Ice Lake (JIRA:RHEL-23085)

• Unbounded memory usage by TCP for receive buffers (JIRA:RHEL-16127)

• kernel: use-after-free in IPv4 IGMP (JIRA:RHEL-21648)

• rbd: don’t move requests to the running list on errors (JIRA:RHEL-23861)

• kernel: memcg does not limit the number of POSIX file locks allowing memory exhaustion (CVE-2022-0480)

• kernel: GSM multiplexing race condition leads to privilege escalation (CVE-2023-6546)

• kernel: vmxgfx: NULL pointer dereference in vmw_cmd_dx_define_query (CVE-2022-38096)

• kernel: sched/membarrier: reduce the ability to hammer on sys_membarrier (CVE-2024-26602)