LSN-0079-1: Kernel Live Patch Security Notice

26 July 2021

Several security issues were fixed in the kernel.

Releases

Software Description

  • gcp - Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.4.0-1009)
  • generic-4.15 - Linux kernel - (>= 4.15.0-69)
  • generic-4.4 - Linux kernel - (>= 4.4.0-168, >= 4.4.0-168)
  • generic-5.4 - Linux kernel - (>= 5.4.0-26, >= 5.4.0-26)
  • gke - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1033)
  • gke-4.15 - Linux kernel for Google Container Engine (GKE) systems - (>= 4.15.0-1076)
  • gke-5.4 - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
  • gkeop - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
  • gkeop-5.4 - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1007)
  • lowlatency-4.15 - Linux kernel - (>= 4.15.0-69)
  • lowlatency-4.4 - Linux kernel - (>= 4.4.0-168, >= 4.4.0-168)
  • lowlatency-5.4 - Linux kernel - (>= 5.4.0-26, >= 5.4.0-26)
  • oem - Linux kernel for OEM systems - (>= 4.15.0-1063)

Details

It was discovered that the eBPF implementation in the Linux kernel did not
properly track bounds information for 32 bit registers when performing div
and mod operations. A local attacker could use this to possibly execute
arbitrary code.(CVE-2021-3600)

It was discovered that the virtual file system implementation in the Linux
kernel contained an unsigned to signed integer conversion error. A local
attacker could use this to cause a denial of service (system crash) or
execute arbitrary code.(CVE-2021-33909)

Checking update status

The problem can be corrected in these Livepatch versions:

Kernel type 20.04 18.04 16.04 14.04
gcp 79.1
generic-4.15 79.1
generic-4.4 79.1 79.1
generic-5.4 79.1 79.1
gke 79.1
gke-4.15 79.1
gke-5.4 79.1
gkeop 79.1
gkeop-5.4 79.1
lowlatency-4.15 79.1
lowlatency-4.4 79.1 79.1
lowlatency-5.4 79.1 79.1
oem 79.1

To check your kernel type and Livepatch version, enter this command:

canonical-livepatch status