LSN-0083-1: Kernel Live Patch Security Notice
6 January 2022
Several security issues were fixed in the kernel.
Releases
Software Description
- aws - Linux kernel for Amazon Web Services (AWS) systems - (>= 4.15.0-1054, >= 5.4.0-1009, >= 4.4.0-1098, >= 4.4.0-1129)
- azure - Linux kernel for Microsoft Azure Cloud systems - (>= 5.4.0-1010, >= 4.15.0-1063, >= 4.15.0-1078, >= 4.15.0-1114)
- gcp - Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.4.0-1009)
- generic-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-143, >= 4.15.0-69)
- generic-4.4 - Linux kernel - (>= 4.4.0-211, >= 4.4.0-168)
- generic-5.4 - Linux kernel - (>= 5.4.0-26)
- gke - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1033)
- gke-4.15 - Linux kernel for Google Container Engine (GKE) systems - (>= 4.15.0-1076)
- gke-5.4 - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
- gkeop - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
- gkeop-5.4 - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1007)
- lowlatency-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-143, >= 4.15.0-69)
- lowlatency-4.4 - Linux kernel - (>= 4.4.0-211, >= 4.4.0-168)
- lowlatency-5.4 - Linux kernel - (>= 5.4.0-26)
- oem - Linux kernel for OEM systems - (>= 4.15.0-1063)
Details
The BPF subsystem in the Linux kernel before 4.17 mishandles
situations with a long jump over an instruction sequence where inner
instructions require substantial expansions into multiple BPF instructions,
leading to an overflow. This affects kernel/bpf/core.c and
net/core/filter.c.(CVE-2018-25020)
Maxim Levitsky discovered that the KVM hypervisor implementation for AMD
processors in the Linux kernel did not properly prevent a guest VM from
enabling AVIC in nested guest VMs. An attacker in a guest VM could use this
to write to portions of the host's physical memory.(CVE-2021-3653)
Nadav Amit discovered that the hugetlb implementation in the Linux kernel
did not perform TLB flushes under certain conditions. A local attacker
could use this to leak or alter data from other processes that use huge
pages.(CVE-2021-4002)
Andy Nguyen discovered that the netfilter subsystem in the Linux kernel
contained an out-of-bounds write in its setsockopt() implementation. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code.(CVE-2021-22555)
It was discovered that the virtual file system implementation in the Linux
kernel contained an unsigned to signed integer conversion error. A local
attacker could use this to cause a denial of service (system crash) or
execute arbitrary code.(CVE-2021-33909)
Checking update status
The problem can be corrected in these Livepatch versions:
| Kernel type | 20.04 | 18.04 | 16.04 |
|---|---|---|---|
| aws | 83.1 | 83.1 | 83.1 |
| azure | 83.1 | — | 83.1 |
| gcp | 83.1 | — | — |
| generic-4.15 | — | 83.1 | 83.1 |
| generic-4.4 | — | — | 83.1 |
| generic-5.4 | 83.1 | — | — |
| gke | 83.2 | — | — |
| gke-4.15 | — | 83.1 | — |
| gke-5.4 | — | 83.2 | — |
| gkeop | 83.2 | — | — |
| gkeop-5.4 | — | 83.2 | — |
| lowlatency-4.15 | — | 83.1 | 83.1 |
| lowlatency-4.4 | — | — | 83.1 |
| lowlatency-5.4 | 83.1 | — | — |
| oem | — | 83.1 | — |
To check your kernel type and Livepatch version, enter this command:
canonical-livepatch status