ALAS-2021-1477


Amazon Linux AMI Security Advisory: ALAS-2021-1477
Advisory Release Date: 2021-01-26 00:11 Pacific
Advisory Updated Date: 2021-01-26 19:03 Pacific
Severity: Important

Issue Overview:

In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c. This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c. (CVE-2019-19813)

A flaw was found in the implementation of the BTRFS file system code in the Linux kernel. An attacker, who is able to mount a crafted BTRFS filesystem and perform common filesystem operations, can possibly cause an out-of-bounds write to memory. This could lead to memory corruption or privilege escalation. (CVE-2019-19816)

Array index out of bounds access when setting extended attributes on journaling filesystems. (CVE-2020-27815)

An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. (CVE-2020-29568)

An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback. (CVE-2020-29569)

A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24. (CVE-2020-29660)

A locking vulnerability was found in the tty subsystem of the Linux kernel in drivers/tty/tty_jobctrl.c. This flaw allows a local attacker to possibly corrupt memory or escalate privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-29661)


Affected Packages:

kernel


Issue Correction:
Run yum update kernel to update your system.

New Packages:
i686:
    kernel-headers-4.14.214-118.339.amzn1.i686
    kernel-debuginfo-common-i686-4.14.214-118.339.amzn1.i686
    kernel-debuginfo-4.14.214-118.339.amzn1.i686
    kernel-tools-debuginfo-4.14.214-118.339.amzn1.i686
    kernel-devel-4.14.214-118.339.amzn1.i686
    perf-debuginfo-4.14.214-118.339.amzn1.i686
    kernel-4.14.214-118.339.amzn1.i686
    perf-4.14.214-118.339.amzn1.i686
    kernel-tools-devel-4.14.214-118.339.amzn1.i686
    kernel-tools-4.14.214-118.339.amzn1.i686

src:
    kernel-4.14.214-118.339.amzn1.src

x86_64:
    kernel-tools-devel-4.14.214-118.339.amzn1.x86_64
    kernel-headers-4.14.214-118.339.amzn1.x86_64
    kernel-tools-4.14.214-118.339.amzn1.x86_64
    perf-debuginfo-4.14.214-118.339.amzn1.x86_64
    kernel-devel-4.14.214-118.339.amzn1.x86_64
    kernel-tools-debuginfo-4.14.214-118.339.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.14.214-118.339.amzn1.x86_64
    kernel-debuginfo-4.14.214-118.339.amzn1.x86_64
    perf-4.14.214-118.339.amzn1.x86_64
    kernel-4.14.214-118.339.amzn1.x86_64
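
Verifying the correction: installing the updated package does not change the kernel that is already running, so a host stays exposed until it boots into the new build. The script below is an added example, not part of the advisory; it compares a kernel release string with the fixed build listed above (4.14.214-118.339.amzn1). The function names and the --check switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory: check kernel builds against the
# fixed build named under "New Packages".
FIXED="4.14.214-118.339.amzn1"

# Print the numeric fields of an amzn1 kernel release, e.g.
# "4.14.214-118.339.amzn1.x86_64" -> "4 14 214 118 339".
# Returns 1 for strings that are not in that form.
numeric_fields() {
    v=${1%%.amzn1*}                      # drop ".amzn1" and the ".arch" suffix
    case "$v" in ''|*[!0-9.-]*) return 1 ;; esac
    printf '%s\n' "$v" | sed 's/[.-]/ /g'
}

# Exit status: 0 if release $1 >= release $2, 1 if older, 2 if unparseable.
# Assumption: field-by-field numeric comparison, a simplification of rpm's
# version ordering that holds for the x.y.z-a.b form used by these packages.
release_at_least() {
    a=$(numeric_fields "$1") || return 2
    b=$(numeric_fields "$2") || return 2
    set -- $a
    for want in $b; do
        have=${1:-0}
        [ "$have" -gt "$want" ] && return 0
        [ "$have" -lt "$want" ] && return 1
        [ $# -gt 0 ] && shift
    done
    return 0
}

# Report the running kernel, then every installed kernel package.
check_host() {
    running=$(uname -r)
    if release_at_least "$running" "$FIXED"; then
        echo "running $running: at or above $FIXED"
    else
        echo "running $running: below $FIXED or not an amzn1 build; update and reboot"
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q kernel --qf 'installed %{VERSION}-%{RELEASE}.%{ARCH}\n'
    fi
}

# Run the host check only when asked: sh this_script.sh --check
if [ "${1:-}" = "--check" ]; then check_host; fi
```

A host that lists the fixed build as installed but reports an older running kernel has been updated and not yet rebooted.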