{"id":"MGASA-2021-0215","summary":"Updated kernel-linus packages fix security vulnerabilities","details":"This kernel-linus update is based on upstream 5.10.37 and fixes at least the\nfollowing security issues:\n\nIt was discovered that the io_uring implementation of the Linux kernel did\nnot properly enforce the MAX_RW_COUNT limit in some situations. A local\nattacker could use this to cause a denial of service (system crash) or\nexecute arbitrary code (CVE-2021-3491).\n\nAn out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in\nthe f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds\ncheck failure allows a local attacker to gain access to out-of-bounds\nmemory leading to a system crash or a leak of internal kernel information\n(CVE-2021-3506).\n\nA race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before\n5.12-rc8 can lead to kernel privilege escalation from the context of a\nnetwork service or an unprivileged process. If sctp_destroy_sock is called\nwithout sock_net(sk)-\u003esctp.addr_wq_lock then an element is removed from\nthe auto_asconf_splist list without any proper locking. This can be\nexploited by an attacker with network service privileges to escalate to\nroot or from the context of an unprivileged user directly if a\nBPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some\nSCTP socket. \nNOTE! This already had a fix in kernel-5.10.33, but that fix caused some\nsystems to deadlock, so this is now fixed in a better way (CVE-2021-23133).\n\nbpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds\n(CVE-2021-31440).\n\nkernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable\nspeculative loads, leading to disclosure of stack content via side-channel\nattacks. The specific concern is not protecting the BPF stack area against\nspeculative loads. Also, the BPF stack can contain uninitialized data that\nmight represent sensitive information previously operated on by the kernel\n(CVE-2021-31829).\n\nnet/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race\ncondition for removal of the HCI controller (CVE-2021-32399).\n\nIn the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a\nuse-after-free when destroying an hci_chan. This leads to writing an\narbitrary value. (CVE-2021-33034).\n\nFor other upstream fixes, see the referenced changelogs.\n","modified":"2026-02-01T16:36:39.444800Z","published":"2021-05-19T19:29:59Z","related":["CVE-2021-23133","CVE-2021-31440","CVE-2021-31829","CVE-2021-32399","CVE-2021-33034","CVE-2021-3491","CVE-2021-3506"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0215.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=28917"},{"type":"REPORT","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.34"},{"type":"REPORT","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.35"},{"type":"REPORT","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.36"},{"type":"REPORT","url":"https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.37"}],"affected":[{"package":{"name":"kernel-linus","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/kernel-linus?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.37-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0215.json"}},{"package":{"name":"kernel-linus","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/kernel-linus?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.37-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0215.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}