http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fc3a9157d3148ab91039c75423da8ef97be3e105

SUSE-SU-2015:0652

http://mirror.linux.org.au/linux/kernel/v2.6/ChangeLog-2.6.38

RHSA-2016:0855

[oss-security] 20141113 CVE-2014-7842 Linux kernel: kvm: reporting emulation failures to userspace

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

71363

https://bugzilla.redhat.com/show_bug.cgi?id=1163762

https://github.com/torvalds/linux/commit/fc3a9157d3148ab91039c75423da8ef97be3e105

Security Fix(es) :

  - It was found that reporting emulation failures to user     space could lead to either a local (CVE-2014-7842) or a     L2->L1 (CVE-2010-5313) denial of service. In the case of     a local denial of service, an attacker must have access     to the MMIO area or be able to access an I/O port.
    Please note that on certain systems, HPET is mapped to     userspace as part of vdso (vvar) and thus an     unprivileged user may generate MMIO transactions (and     enter the emulator) this way. (CVE-2010-5313,     CVE-2014-7842, Moderate)

  - It was found that the Linux kernel did not properly     account file descriptors passed over the unix socket     against the process limit. A local user could use this     flaw to exhaust all available memory on the system.
    (CVE-2013-4312, Moderate)

  - A buffer overflow flaw was found in the way the Linux     kernel's virtio- net subsystem handled certain fraglists     when the GRO (Generic Receive Offload) functionality was     enabled in a bridged network configuration. An attacker     on the local network could potentially use this flaw to     crash the system, or, although unlikely, elevate their     privileges on the system. (CVE-2015-5156, Moderate)

  - It was found that the Linux kernel's IPv6 network stack     did not properly validate the value of the MTU variable     when it was set. A remote attacker could potentially use     this flaw to disrupt a target system's networking     (packet loss) by setting an invalid MTU value, for     example, via a NetworkManager daemon that is processing     router advertisement packets running on the target     system. (CVE-2015-8215, Moderate)

  - A NULL pointer dereference flaw was found in the way the     Linux kernel's network subsystem handled socket creation     with an invalid protocol identifier. A local user could     use this flaw to crash the system. (CVE-2015-8543,     Moderate)

  - It was found that the espfix functionality does not work     for 32-bit KVM paravirtualized guests. A local,     unprivileged guest user could potentially use this flaw     to leak kernel stack addresses. (CVE-2014-8134, Low)

  - A flaw was found in the way the Linux kernel's ext4 file     system driver handled non-journal file systems with an     orphan list. An attacker with physical access to the     system could use this flaw to crash the system or,     although unlikely, escalate their privileges on the     system. (CVE-2015-7509, Low)

  - A NULL pointer dereference flaw was found in the way the     Linux kernel's ext4 file system driver handled certain     corrupted file system images. An attacker with physical     access to the system could use this flaw to crash the     system. (CVE-2015-8324, Low)

Notes :

  - Problems have been reported with this kernel and     VirtualBox. More info is available in the notes for the     VirtualBox ticket here: <a     href='https://www.virtualbox.org/ticket/14866'     target='_blank'>https://www.virtualbox.org/ticket/14866<     /a>

From Red Hat Security Advisory 2016:0855 :

An update for kernel is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. Please note that on certain systems, HPET is mapped to userspace as part of vdso (vvar) and thus an unprivileged user may generate MMIO transactions (and enter the emulator) this way. (CVE-2010-5313, CVE-2014-7842, Moderate)

* It was found that the Linux kernel did not properly account file descriptors passed over the unix socket against the process limit. A local user could use this flaw to exhaust all available memory on the system. (CVE-2013-4312, Moderate)

* A buffer overflow flaw was found in the way the Linux kernel's virtio-net subsystem handled certain fraglists when the GRO (Generic Receive Offload) functionality was enabled in a bridged network configuration. An attacker on the local network could potentially use this flaw to crash the system, or, although unlikely, elevate their privileges on the system. (CVE-2015-5156, Moderate)

* It was found that the Linux kernel's IPv6 network stack did not properly validate the value of the MTU variable when it was set. A remote attacker could potentially use this flaw to disrupt a target system's networking (packet loss) by setting an invalid MTU value, for example, via a NetworkManager daemon that is processing router advertisement packets running on the target system. (CVE-2015-8215, Moderate)

* A NULL pointer dereference flaw was found in the way the Linux kernel's network subsystem handled socket creation with an invalid protocol identifier. A local user could use this flaw to crash the system. (CVE-2015-8543, Moderate)

* It was found that the espfix functionality does not work for 32-bit KVM paravirtualized guests. A local, unprivileged guest user could potentially use this flaw to leak kernel stack addresses.
(CVE-2014-8134, Low)

* A flaw was found in the way the Linux kernel's ext4 file system driver handled non-journal file systems with an orphan list. An attacker with physical access to the system could use this flaw to crash the system or, although unlikely, escalate their privileges on the system. (CVE-2015-7509, Low)

* A NULL pointer dereference flaw was found in the way the Linux kernel's ext4 file system driver handled certain corrupted file system images. An attacker with physical access to the system could use this flaw to crash the system. (CVE-2015-8324, Low)

Red Hat would like to thank Nadav Amit for reporting CVE-2010-5313 and CVE-2014-7842, Andy Lutomirski for reporting CVE-2014-8134, and Dmitriy Monakhov (OpenVZ) for reporting CVE-2015-8324. The CVE-2015-5156 issue was discovered by Jason Wang (Red Hat).

Additional Changes :

* Refer to Red Hat Enterprise Linux 6.8 Release Notes for information on new kernel features and known issues, and Red Hat Enterprise Linux Technical Notes for information on device driver updates, important changes to external kernel parameters, notable bug fixes, and technology previews. Both of these documents are linked to in the References section.

An update for kernel is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. Please note that on certain systems, HPET is mapped to userspace as part of vdso (vvar) and thus an unprivileged user may generate MMIO transactions (and enter the emulator) this way. (CVE-2010-5313, CVE-2014-7842, Moderate)

* It was found that the Linux kernel did not properly account file descriptors passed over the unix socket against the process limit. A local user could use this flaw to exhaust all available memory on the system. (CVE-2013-4312, Moderate)

* A buffer overflow flaw was found in the way the Linux kernel's virtio-net subsystem handled certain fraglists when the GRO (Generic Receive Offload) functionality was enabled in a bridged network configuration. An attacker on the local network could potentially use this flaw to crash the system, or, although unlikely, elevate their privileges on the system. (CVE-2015-5156, Moderate)

* It was found that the Linux kernel's IPv6 network stack did not properly validate the value of the MTU variable when it was set. A remote attacker could potentially use this flaw to disrupt a target system's networking (packet loss) by setting an invalid MTU value, for example, via a NetworkManager daemon that is processing router advertisement packets running on the target system. (CVE-2015-8215, Moderate)

* A NULL pointer dereference flaw was found in the way the Linux kernel's network subsystem handled socket creation with an invalid protocol identifier. A local user could use this flaw to crash the system. (CVE-2015-8543, Moderate)

* It was found that the espfix functionality does not work for 32-bit KVM paravirtualized guests. A local, unprivileged guest user could potentially use this flaw to leak kernel stack addresses.
(CVE-2014-8134, Low)

* A flaw was found in the way the Linux kernel's ext4 file system driver handled non-journal file systems with an orphan list. An attacker with physical access to the system could use this flaw to crash the system or, although unlikely, escalate their privileges on the system. (CVE-2015-7509, Low)

* A NULL pointer dereference flaw was found in the way the Linux kernel's ext4 file system driver handled certain corrupted file system images. An attacker with physical access to the system could use this flaw to crash the system. (CVE-2015-8324, Low)

Red Hat would like to thank Nadav Amit for reporting CVE-2010-5313 and CVE-2014-7842, Andy Lutomirski for reporting CVE-2014-8134, and Dmitriy Monakhov (OpenVZ) for reporting CVE-2015-8324. The CVE-2015-5156 issue was discovered by Jason Wang (Red Hat).

Additional Changes :

* Refer to Red Hat Enterprise Linux 6.8 Release Notes for information on new kernel features and known issues, and Red Hat Enterprise Linux Technical Notes for information on device driver updates, important changes to external kernel parameters, notable bug fixes, and technology previews. Both of these documents are linked to in the References section.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0037 for details.

CVE-2010-5313 Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure report, a similar issue to CVE-2014-7842.

CVE-2014-7842 Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313.

Description of changes:

[2.6.39-400.264.13.el6uek]
- KEYS: Don't permit request_key() to construct a new keyring (David Howells)  [Orabug: 22373449]  {CVE-2015-7872}

[2.6.39-400.264.12.el6uek]
- crypto: add missing crypto module aliases (Mathias Krause)  [Orabug: 22249656]  {CVE-2013-7421} {CVE-2014-9644}
- crypto: include crypto- module prefix in template (Kees Cook) [Orabug: 22249656]  {CVE-2013-7421} {CVE-2014-9644}
- crypto: prefix module autoloading with 'crypto-' (Kees Cook)  [Orabug: 22249656]  {CVE-2013-7421} {CVE-2014-9644}

[2.6.39-400.264.11.el6uek]
- KVM: x86: Don't report guest userspace emulation error to userspace (Nadav Amit)  [Orabug: 22249615]  {CVE-2010-5313} {CVE-2014-7842}

[2.6.39-400.264.9.el6uek]
- msg_unlock() in wrong spot after applying 'Initialize msg/shm IPC objects before doing ipc_addid()' (Chuck Anderson)  [Orabug: 22250044] {CVE-2015-7613} {CVE-2015-7613}

[2.6.39-400.264.8.el6uek]
- ipc/sem.c: fully initialize sem_array before making it visible (Manfred Spraul)  [Orabug: 22250044]  {CVE-2015-7613}
- Initialize msg/shm IPC objects before doing ipc_addid() (Linus Torvalds)  [Orabug: 22250044]  {CVE-2015-7613}

[2.6.39-400.264.7.el6uek]
- KVM: svm: unconditionally intercept #DB (Paolo Bonzini)  [Orabug: 22333698]  {CVE-2015-8104} {CVE-2015-8104}
- KVM: x86: work around infinite loop in microcode when #AC is delivered (Eric Northup)  [Orabug: 22333689]  {CVE-2015-5307} {CVE-2015-5307}

[2.6.39-400.264.6.el6uek]
- mlx4_core: Introduce restrictions for PD update (Ajaykumar Hotchandani)  - IPoIB: Drop priv->lock before calling ipoib_send() (Wengang Wang)  - IPoIB: serialize changing on tx_outstanding (Wengang Wang)  [Orabug: 21861366] - IB/mlx4: Implement IB_QP_CREATE_USE_GFP_NOIO (Jiri Kosina)  - IB: Add a QP creation flag to use GFP_NOIO allocations (Or Gerlitz)  - IB: Return error for unsupported QP creation flags (Or Gerlitz)  - IB/ipoib: Calculate csum only when skb->ip_summed is CHECKSUM_PARTIAL (Yuval Shaia)  [Orabug: 20873175]

* A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system.
(CVE-2015-2925, Important)

* A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system.
(CVE-2015-7613, Important)

* It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. (CVE-2010-5313, CVE-2014-7842, Moderate)

* A flaw was found in the way the Linux kernel's KVM subsystem handled non-canonical addresses when emulating instructions that change the RIP (for example, branches or calls). A guest user with access to an I/O or MMIO region could use this flaw to crash the guest.
(CVE-2014-3647, Moderate)

* It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker could use this flaw to lock up the system.
(CVE-2014-8171, Moderate)

* A race condition flaw was found between the chown and execve system calls. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate)

* A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-4170, Moderate)

* A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate)

* A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-6526, Moderate)

* A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low)

* An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process.
(CVE-2014-9419, Low)

* It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Scientific Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor. (CVE-2015-0239, Low)

* A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low)

Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 7. This is the second regular update.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system.
(CVE-2015-2925, Important)

* A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system.
(CVE-2015-7613, Important)

* It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. (CVE-2010-5313, CVE-2014-7842, Moderate)

* A flaw was found in the way the Linux kernel's KVM subsystem handled non-canonical addresses when emulating instructions that change the RIP (for example, branches or calls). A guest user with access to an I/O or MMIO region could use this flaw to crash the guest.
(CVE-2014-3647, Moderate)

* It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker could use this flaw to lock up the system.
(CVE-2014-8171, Moderate)

* A race condition flaw was found between the chown and execve system calls. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate)

* A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-4170, Moderate)

* A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate)

* A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-6526, Moderate)

* A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low)

* An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process.
(CVE-2014-9419, Low)

* It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Red Hat Enterprise Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor.
(CVE-2015-0239, Low)

* A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low)

From Red Hat Security Advisory 2015:2152 :

Updated kernel packages that fix multiple security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 7. This is the second regular update.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system.
(CVE-2015-2925, Important)

* A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system.
(CVE-2015-7613, Important)

* It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. (CVE-2010-5313, CVE-2014-7842, Moderate)

* A flaw was found in the way the Linux kernel's KVM subsystem handled non-canonical addresses when emulating instructions that change the RIP (for example, branches or calls). A guest user with access to an I/O or MMIO region could use this flaw to crash the guest.
(CVE-2014-3647, Moderate)

* It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker could use this flaw to lock up the system.
(CVE-2014-8171, Moderate)

* A race condition flaw was found between the chown and execve system calls. A local, unprivileged user could potentially use this flaw to escalate their privileges on the system. (CVE-2015-3339, Moderate)

* A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-4170, Moderate)

* A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded. (CVE-2015-5283, Moderate)

* A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system. (CVE-2015-6526, Moderate)

* A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2013-7421, CVE-2014-9644, Low)

* An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process.
(CVE-2014-9419, Low)

* It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the SYSENTER model-specific registers (MSRs). Note: Certified guest operating systems for Red Hat Enterprise Linux with KVM do initialize the SYSENTER MSRs and are thus not vulnerable to this issue when running on a KVM hypervisor.
(CVE-2015-0239, Low)

* A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination. (CVE-2015-7837, Low)

The SUSE Linux Enterprise 11 Service Pack 1 LTSS kernel was updated to fix security issues on kernels on the x86_64 architecture.

The following security bugs have been fixed :

  - CVE-2013-4299: Interpretation conflict in     drivers/md/dm-snap-persistent.c in the Linux kernel     through 3.11.6 allowed remote authenticated users to     obtain sensitive information or modify data via a     crafted mapping to a snapshot block device (bnc#846404).

  - CVE-2014-8160: SCTP firewalling failed until the SCTP     module was loaded (bnc#913059).

  - CVE-2014-9584: The parse_rock_ridge_inode_internal     function in fs/isofs/rock.c in the Linux kernel before     3.18.2 did not validate a length value in the Extensions     Reference (ER) System Use Field, which allowed local     users to obtain sensitive information from kernel memory     via a crafted iso9660 image (bnc#912654).

  - CVE-2014-9585: The vdso_addr function in     arch/x86/vdso/vma.c in the Linux kernel through 3.18.2     did not properly choose memory locations for the vDSO     area, which made it easier for local users to bypass the     ASLR protection mechanism by guessing a location at the     end of a PMD (bnc#912705).

  - CVE-2014-9420: The rock_continue function in     fs/isofs/rock.c in the Linux kernel through 3.18.1 did     not restrict the number of Rock Ridge continuation     entries, which allowed local users to cause a denial of     service (infinite loop, and system crash or hang) via a     crafted iso9660 image (bnc#911325).

  - CVE-2014-0181: The Netlink implementation in the Linux     kernel through 3.14.1 did not provide a mechanism for     authorizing socket operations based on the opener of a     socket, which allowed local users to bypass intended     access restrictions and modify network configurations by     using a Netlink socket for the (1) stdout or (2) stderr     of a setuid program (bnc#875051).

  - CVE-2010-5313: Race condition in arch/x86/kvm/x86.c in     the Linux kernel before 2.6.38 allowed L2 guest OS users     to cause a denial of service (L1 guest OS crash) via a     crafted instruction that triggers an L2 emulation     failure report, a similar issue to CVE-2014-7842     (bnc#907822).

  - CVE-2014-7842: Race condition in arch/x86/kvm/x86.c in     the Linux kernel before 3.17.4 allowed guest OS users to     cause a denial of service (guest OS crash) via a crafted     application that performs an MMIO transaction or a PIO     transaction to trigger a guest userspace emulation error     report, a similar issue to CVE-2010-5313 (bnc#905312).

  - CVE-2014-3688: The SCTP implementation in the Linux     kernel before 3.17.4 allowed remote attackers to cause a     denial of service (memory consumption) by triggering a     large number of chunks in an associations output queue,     as demonstrated by ASCONF probes, related to     net/sctp/inqueue.c and net/sctp/sm_statefuns.c     (bnc#902351).

  - CVE-2014-3687: The sctp_assoc_lookup_asconf_ack function     in net/sctp/associola.c in the SCTP implementation in     the Linux kernel through 3.17.2 allowed remote attackers     to cause a denial of service (panic) via duplicate     ASCONF chunks that trigger an incorrect uncork within     the side-effect interpreter (bnc#902349).

  - CVE-2014-3673: The SCTP implementation in the Linux     kernel through 3.17.2 allowed remote attackers to cause     a denial of service (system crash) via a malformed     ASCONF chunk, related to net/sctp/sm_make_chunk.c and     net/sctp/sm_statefuns.c (bnc#902346).

  - CVE-2014-7841: The sctp_process_param function in     net/sctp/sm_make_chunk.c in the SCTP implementation in     the Linux kernel before 3.17.4, when ASCONF is used,     allowed remote attackers to cause a denial of service     (NULL pointer dereference and system crash) via a     malformed INIT chunk (bnc#905100).

  - CVE-2014-8709: The ieee80211_fragment function in     net/mac80211/tx.c in the Linux kernel before 3.13.5 did     not properly maintain a certain tail pointer, which     allowed remote attackers to obtain sensitive cleartext     information by reading packets (bnc#904700).

  - CVE-2013-7263: The Linux kernel before 3.12.4 updated     certain length values before ensuring that associated     data structures have been initialized, which allowed     local users to obtain sensitive information from kernel     stack memory via a (1) recvfrom, (2) recvmmsg, or (3)     recvmsg system call, related to net/ipv4/ping.c,     net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and     net/ipv6/udp.c (bnc#857643).

  - CVE-2012-6657: The sock_setsockopt function in     net/core/sock.c in the Linux kernel before 3.5.7 did not     ensure that a keepalive action is associated with a     stream socket, which allowed local users to cause a     denial of service (system crash) by leveraging the     ability to create a raw socket (bnc#896779).

  - CVE-2014-3185: Multiple buffer overflows in the     command_port_read_callback function in     drivers/usb/serial/whiteheat.c in the Whiteheat USB     Serial Driver in the Linux kernel before 3.16.2 allowed     physically proximate attackers to execute arbitrary code     or cause a denial of service (memory corruption and     system crash) via a crafted device that provides a large     amount of (1) EHCI or (2) XHCI data associated with a     bulk response (bnc#896391).

  - CVE-2014-3184: The report_fixup functions in the HID     subsystem in the Linux kernel before 3.16.2 might allow     physically proximate attackers to cause a denial of     service (out-of-bounds write) via a crafted device that     provides a small report descriptor, related to (1)     drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3)     drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c,     (5) drivers/hid/hid-petalynx.c, and (6)     drivers/hid/hid-sunplus.c (bnc#896390).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 Service Pack 2 LTSS kernel has been updated to fix security issues on kernels on the x86_64 architecture.

The following security bugs have been fixed :

  - CVE-2012-4398: The __request_module function in     kernel/kmod.c in the Linux kernel before 3.4 did not set     a certain killable attribute, which allowed local users     to cause a denial of service (memory consumption) via a     crafted application (bnc#779488).

  - CVE-2013-2893: The Human Interface Device (HID)     subsystem in the Linux kernel through 3.11, when     CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or     CONFIG_LOGIWHEELS_FF is enabled, allowed physically     proximate attackers to cause a denial of service     (heap-based out-of-bounds write) via a crafted device,     related to (1) drivers/hid/hid-lgff.c, (2)     drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c     (bnc#835839).

  - CVE-2013-2897: Multiple array index errors in     drivers/hid/hid-multitouch.c in the Human Interface     Device (HID) subsystem in the Linux kernel through 3.11,     when CONFIG_HID_MULTITOUCH is enabled, allowed     physically proximate attackers to cause a denial of     service (heap memory corruption, or NULL pointer     dereference and OOPS) via a crafted device (bnc#835839).

  - CVE-2013-2899: drivers/hid/hid-picolcd_core.c in the     Human Interface Device (HID) subsystem in the Linux     kernel through 3.11, when CONFIG_HID_PICOLCD is enabled,     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and OOPS) via a     crafted device (bnc#835839).

  - CVE-2013-2929: The Linux kernel before 3.12.2 did not     properly use the get_dumpable function, which allowed     local users to bypass intended ptrace restrictions or     obtain sensitive information from IA64 scratch registers     via a crafted application, related to kernel/ptrace.c     and arch/ia64/include/asm/processor.h (bnc#847652).

  - CVE-2013-7263: The Linux kernel before 3.12.4 updates     certain length values before ensuring that associated     data structures have been initialized, which allowed     local users to obtain sensitive information from kernel     stack memory via a (1) recvfrom, (2) recvmmsg, or (3)     recvmsg system call, related to net/ipv4/ping.c,     net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and     net/ipv6/udp.c (bnc#857643).

  - CVE-2014-0131: Use-after-free vulnerability in the     skb_segment function in net/core/skbuff.c in the Linux     kernel through 3.13.6 allowed attackers to obtain     sensitive information from kernel memory by leveraging     the absence of a certain orphaning operation     (bnc#867723).

  - CVE-2014-0181: The Netlink implementation in the Linux     kernel through 3.14.1 did not provide a mechanism for     authorizing socket operations based on the opener of a     socket, which allowed local users to bypass intended     access restrictions and modify network configurations by     using a Netlink socket for the (1) stdout or (2) stderr     of a setuid program (bnc#875051).

  - CVE-2014-2309: The ip6_route_add function in     net/ipv6/route.c in the Linux kernel through 3.13.6 did     not properly count the addition of routes, which allowed     remote attackers to cause a denial of service (memory     consumption) via a flood of ICMPv6 Router Advertisement     packets (bnc#867531).

  - CVE-2014-3181: Multiple stack-based buffer overflows in     the magicmouse_raw_event function in     drivers/hid/hid-magicmouse.c in the Magic Mouse HID     driver in the Linux kernel through 3.16.3 allowed     physically proximate attackers to cause a denial of     service (system crash) or possibly execute arbitrary     code via a crafted device that provides a large amount     of (1) EHCI or (2) XHCI data associated with an event     (bnc#896382).

  - CVE-2014-3184: The report_fixup functions in the HID     subsystem in the Linux kernel before 3.16.2 might have     allowed physically proximate attackers to cause a denial     of service (out-of-bounds write) via a crafted device     that provides a small report descriptor, related to (1)     drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3)     drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c,     (5) drivers/hid/hid-petalynx.c, and (6)     drivers/hid/hid-sunplus.c (bnc#896390).

  - CVE-2014-3185: Multiple buffer overflows in the     command_port_read_callback function in     drivers/usb/serial/whiteheat.c in the Whiteheat USB     Serial Driver in the Linux kernel before 3.16.2 allowed     physically proximate attackers to execute arbitrary code     or cause a denial of service (memory corruption and     system crash) via a crafted device that provides a large     amount of (1) EHCI or (2) XHCI data associated with a     bulk response (bnc#896391).

  - CVE-2014-3186: Buffer overflow in the picolcd_raw_event     function in devices/hid/hid-picolcd_core.c in the     PicoLCD HID device driver in the Linux kernel through     3.16.3, as used in Android on Nexus 7 devices, allowed     physically proximate attackers to cause a denial of     service (system crash) or possibly execute arbitrary     code via a crafted device that sends a large report     (bnc#896392).

  - CVE-2014-3601: The kvm_iommu_map_pages function in     virt/kvm/iommu.c in the Linux kernel through 3.16.1     miscalculates the number of pages during the handling of     a mapping failure, which allowed guest OS users to (1)     cause a denial of service (host OS memory corruption) or     possibly have unspecified other impact by triggering a     large gfn value or (2) cause a denial of service (host     OS memory consumption) by triggering a small gfn value     that leads to permanently pinned pages (bnc#892782).

  - CVE-2014-3610: The WRMSR processing functionality in the     KVM subsystem in the Linux kernel through 3.17.2 did not     properly handle the writing of a non-canonical address     to a model-specific register, which allowed guest OS     users to cause a denial of service (host OS crash) by     leveraging guest OS privileges, related to the     wrmsr_interception function in arch/x86/kvm/svm.c and     the handle_wrmsr function in arch/x86/kvm/vmx.c     (bnc#899192).

  - CVE-2014-3646: arch/x86/kvm/vmx.c in the KVM subsystem     in the Linux kernel through 3.17.2 did not have an exit     handler for the INVVPID instruction, which allowed guest     OS users to cause a denial of service (guest OS crash)     via a crafted application (bnc#899192).

  - CVE-2014-3647: arch/x86/kvm/emulate.c in the KVM     subsystem in the Linux kernel through 3.17.2 did not     properly perform RIP changes, which allowed guest OS     users to cause a denial of service (guest OS crash) via     a crafted application (bnc#899192).

  - CVE-2014-3673: The SCTP implementation in the Linux     kernel through 3.17.2 allowed remote attackers to cause     a denial of service (system crash) via a malformed     ASCONF chunk, related to net/sctp/sm_make_chunk.c and     net/sctp/sm_statefuns.c (bnc#902346).

  - CVE-2014-3687: The sctp_assoc_lookup_asconf_ack function     in net/sctp/associola.c in the SCTP implementation in     the Linux kernel through 3.17.2 allowed remote attackers     to cause a denial of service (panic) via duplicate     ASCONF chunks that trigger an incorrect uncork within     the side-effect interpreter (bnc#902349).

  - CVE-2014-3688: The SCTP implementation in the Linux     kernel before 3.17.4 allowed remote attackers to cause a     denial of service (memory consumption) by triggering a     large number of chunks in an associations output queue,     as demonstrated by ASCONF probes, related to     net/sctp/inqueue.c and net/sctp/sm_statefuns.c     (bnc#902351).

  - CVE-2014-3690: arch/x86/kvm/vmx.c in the KVM subsystem     in the Linux kernel before 3.17.2 on Intel processors     did not ensure that the value in the CR4 control     register remains the same after a VM entry, which     allowed host OS users to kill arbitrary processes or     cause a denial of service (system disruption) by     leveraging /dev/kvm access, as demonstrated by     PR_SET_TSC prctl calls within a modified copy of QEMU     (bnc#902232).

  - CVE-2014-4608: Multiple integer overflows in the     lzo1x_decompress_safe function in     lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor     in the Linux kernel before 3.15.2 allowed     context-dependent attackers to cause a denial of service     (memory corruption) via a crafted Literal Run     (bnc#883948).

  - CVE-2014-4943: The PPPoL2TP feature in     net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6     allowed local users to gain privileges by leveraging     data-structure differences between an l2tp socket and an     inet socket (bnc#887082).

  - CVE-2014-5471: Stack consumption vulnerability in the     parse_rock_ridge_inode_internal function in     fs/isofs/rock.c in the Linux kernel through 3.16.1     allowed local users to cause a denial of service     (uncontrolled recursion, and system crash or reboot) via     a crafted iso9660 image with a CL entry referring to a     directory entry that has a CL entry (bnc#892490).

  - CVE-2014-5472: The parse_rock_ridge_inode_internal     function in fs/isofs/rock.c in the Linux kernel through     3.16.1 allowed local users to cause a denial of service     (unkillable mount process) via a crafted iso9660 image     with a self-referential CL entry (bnc#892490).

  - CVE-2014-7826: kernel/trace/trace_syscalls.c in the     Linux kernel through 3.17.2 did not properly handle     private syscall numbers during use of the ftrace     subsystem, which allowed local users to gain privileges     or cause a denial of service (invalid pointer     dereference) via a crafted application (bnc#904013).

  - CVE-2014-7841: The sctp_process_param function in     net/sctp/sm_make_chunk.c in the SCTP implementation in     the Linux kernel before 3.17.4, when ASCONF is used,     allowed remote attackers to cause a denial of service     (NULL pointer dereference and system crash) via a     malformed INIT chunk (bnc#905100).

  - CVE-2014-7842: Race condition in arch/x86/kvm/x86.c in     the Linux kernel before 3.17.4 allowed guest OS users to     cause a denial of service (guest OS crash) via a crafted     application that performs an MMIO transaction or a PIO     transaction to trigger a guest userspace emulation error     report, a similar issue to CVE-2010-5313 (bnc#905312).

  - CVE-2014-8134: The paravirt_ops_setup function in     arch/x86/kernel/kvm.c in the Linux kernel through 3.18     uses an improper paravirt_enabled setting for KVM guest     kernels, which made it easier for guest OS users to     bypass the ASLR protection mechanism via a crafted     application that reads a 16-bit value (bnc#909078).

  - CVE-2014-8369: The kvm_iommu_map_pages function in     virt/kvm/iommu.c in the Linux kernel through 3.17.2     miscalculates the number of pages during the handling of     a mapping failure, which allowed guest OS users to cause     a denial of service (host OS page unpinning) or possibly     have unspecified other impact by leveraging guest OS     privileges. NOTE: this vulnerability exists because of     an incorrect fix for CVE-2014-3601 (bnc#902675).

  - CVE-2014-8559: The d_walk function in fs/dcache.c in the     Linux kernel through 3.17.2 did not properly maintain     the semantics of rename_lock, which allowed local users     to cause a denial of service (deadlock and system hang)     via a crafted application (bnc#903640).

  - CVE-2014-8709: The ieee80211_fragment function in     net/mac80211/tx.c in the Linux kernel before 3.13.5 did     not properly maintain a certain tail pointer, which     allowed remote attackers to obtain sensitive cleartext     information by reading packets (bnc#904700).

  - CVE-2014-9584: The parse_rock_ridge_inode_internal     function in fs/isofs/rock.c in the Linux kernel before     3.18.2 did not validate a length value in the Extensions     Reference (ER) System Use Field, which allowed local     users to obtain sensitive information from kernel memory     via a crafted iso9660 image (bnc#912654).

  - CVE-2014-9585: The vdso_addr function in     arch/x86/vdso/vma.c in the Linux kernel through 3.18.2     did not properly choose memory locations for the vDSO     area, which made it easier for local users to bypass the     ASLR protection mechanism by guessing a location at the     end of a PMD (bnc#912705).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 3.14.27 stable update contains a number of important fixes across the tree.\nThe 3.14.26 update contains a number of important fixes across the tree\nThe 3.14.25 stable update contains a number of important fixes across the tree.\nThe 3.14.24 stable update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
91643	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20160510)	Nessus	Scientific Linux Local Security Checks	medium
91210	Oracle Linux 6 : kernel (ELSA-2016-0855)	Nessus	Oracle Linux Local Security Checks	high
91170	CentOS 6 : kernel (CESA-2016:0855)	Nessus	CentOS Local Security Checks	high
91077	RHEL 6 : kernel (RHSA-2016:0855)	Nessus	Red Hat Local Security Checks	high
90019	OracleVM 3.2 : kernel-uek (OVMSA-2016-0037)	Nessus	OracleVM Local Security Checks	critical
88066	F5 Networks BIG-IP : Linux kernel vulnerabilities (K62700573)	Nessus	F5 Networks Local Security Checks	medium
87835	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3502)	Nessus	Oracle Linux Local Security Checks	medium
87559	Scientific Linux Security Update : kernel on SL7.x x86_64 (20151119)	Nessus	Scientific Linux Local Security Checks	medium
87135	CentOS 7 : kernel (CESA-2015:2152)	Nessus	CentOS Local Security Checks	high
87090	Oracle Linux 7 : kernel (ELSA-2015-2152)	Nessus	Oracle Linux Local Security Checks	high
86972	RHEL 7 : kernel (RHSA-2015:2152)	Nessus	Red Hat Local Security Checks	high
83708	SUSE SLES11 Security Update : kernel (SUSE-SU-2015:0652-1)	Nessus	SuSE Local Security Checks	high
83696	SUSE SLES11 Security Update : kernel (SUSE-SU-2015:0481-1)	Nessus	SuSE Local Security Checks	high
82020	SuSE 11.3 Security Update : Linux Kernel (SAT Patch Numbers 10412 / 10415 / 10416)	Nessus	SuSE Local Security Checks	high
80376	Fedora 19 : kernel-3.14.27-100.fc19 (2014-17244)	Nessus	Fedora Local Security Checks	medium

CVE-2010-5313

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins