http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a70b52ec1aaeaf60f4739edb1b422827cb6f3893

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.1

[oss-security] 20160302 Re: CVE Request: Linux: aio write triggers integer overflow in some network protocols

RHSA-2018:1854

https://bugzilla.redhat.com/show_bug.cgi?id=1314288

https://github.com/torvalds/linux/commit/a70b52ec1aaeaf60f4739edb1b422827cb6f3893

The remote NewStart CGSL host, running version MAIN 4.05, has kernel packages installed that are affected by multiple vulnerabilities:

  - It was found that AIO interface didn't use the proper     rw_verify_area() helper function with extended     functionality, for example, mandatory locking on the     file. Also rw_verify_area() makes extended checks, for     example, that the size of the access doesn't cause     overflow of the provided offset limits. This integer     overflow in fs/aio.c in the Linux kernel before 3.4.1     allows local users to cause a denial of service or     possibly have unspecified other impact via a large AIO     iovec. (CVE-2012-6701)

  - Integer overflow in the aio_setup_single_vector function     in fs/aio.c in the Linux kernel 4.0 allows local users     to cause a denial of service or possibly have     unspecified other impact via a large AIO iovec. NOTE:
    this vulnerability exists because of a CVE-2012-6701     regression. (CVE-2015-8830)

  - It was discovered that a remote attacker could leverage     the generation of IPv6 atomic fragments to trigger the     use of fragmentation in an arbitrary IPv6 flow (in     scenarios in which actual fragmentation of packets is     not needed) and could subsequently perform any type of a     fragmentation-based attack against legacy IPv6 nodes     that do not implement RFC6946. (CVE-2016-10142)

  - A race condition flaw was found in the ioctl_send_fib()     function in the Linux kernel's aacraid implementation. A     local attacker could use this flaw to cause a denial of     service (out-of-bounds access or system crash) by     changing a certain size value. (CVE-2016-6480)

  - It was found that when the gcc stack protector was     enabled, reading the /proc/keys file could cause a panic     in the Linux kernel due to stack corruption. This     happened because an incorrect buffer size was used to     hold a 64-bit timeout value rendered as weeks.
    (CVE-2016-7042)

  - It was found that when file permissions were modified     via chmod and the user modifying them was not in the     owning group or capable of CAP_FSETID, the setgid bit     would be cleared. Setting a POSIX ACL via setxattr sets     the file permissions as well as the new ACL, but doesn't     clear the setgid bit in a similar way. This could allow     a local user to gain group privileges via certain setgid     applications. (CVE-2016-7097)

  - A flaw was found in the Linux networking subsystem where     a local attacker with CAP_NET_ADMIN capabilities could     cause an out-of-bounds memory access by creating a     smaller-than-expected ICMP header and sending to its     destination via sendto(). (CVE-2016-8399)

  - A flaw was found in the Linux kernel key management     subsystem in which a local attacker could crash the     kernel or corrupt the stack and additional memory     (denial of service) by supplying a specially crafted RSA     key. This flaw panics the machine during the     verification of the RSA key. (CVE-2016-8650)

  - Use-after-free vulnerability in the snd_pcm_info()     function in the ALSA subsystem in the Linux kernel     allows attackers to induce a kernel memory corruption     and possibly crash or lock up a system. Due to the     nature of the flaw, a privilege escalation cannot be     fully ruled out, although we believe it is unlikely.
    (CVE-2017-0861)

  - A race condition issue was found in the way the raw     packet socket implementation in the Linux kernel     networking subsystem handled synchronization. A local     user able to open a raw packet socket (requires the     CAP_NET_RAW capability) could use this to waste     resources in the kernel's ring buffer or possibly cause     an out-of-bounds read on the heap leading to a system     crash. (CVE-2017-1000111)

  - A use-after-free flaw was found in the Netlink     functionality of the Linux kernel networking subsystem.
    Due to the insufficient cleanup in the mq_notify     function, a local attacker could potentially use this     flaw to escalate their privileges on the system.
    (CVE-2017-11176)

  - It was found that in the Linux kernel through v4.14-rc5,     bio_map_user_iov() and bio_unmap_user() in 'block/bio.c'     do unbalanced pages refcounting if IO vector has small     consecutive buffers belonging to the same page.
    bio_add_pc_page() merges them into one, but the page     reference is never dropped, causing a memory leak and     possible system lockup due to out-of-memory condition.
    (CVE-2017-12190)

  - A divide-by-zero vulnerability was found in the
    __tcp_select_window function in the Linux kernel. This     can result in a kernel panic causing a local denial of     service. (CVE-2017-14106)

  - A non-privileged user is able to mount a fuse filesystem     on RHEL 6 or 7 and crash a system if an application     punches a hole in a file that does not end aligned to a     page boundary. (CVE-2017-15121)

  - A use-after-free vulnerability was found when issuing an     ioctl to a sound device. This could allow a user to     exploit a race condition and create memory corruption or     possibly privilege escalation. (CVE-2017-15265)

  - The Linux kernel, before version 4.14.3, is vulnerable     to a denial of service in     drivers/md/dm.c:dm_get_from_kobject() which can be     caused by local users leveraging a race condition with
    __dm_destroy() during creation and removal of DM     devices. Only privileged local users (with CAP_SYS_ADMIN     capability) can directly perform the ioctl operations     for dm device creation and removal and this would     typically be outside the direct control of the     unprivileged attacker. (CVE-2017-18203)

  - A race condition leading to a NULL pointer dereference     was found in the Linux kernel's Link Layer Control     implementation. A local attacker with access to ping     sockets could use this flaw to crash the system.
    (CVE-2017-2671)

  - It was found that the original fix for CVE-2016-6786 was     incomplete. There exist a race between two concurrent     sys_perf_event_open() calls when both try and move the     same pre-existing software group into a hardware     context. (CVE-2017-6001)

  - A flaw was found in the Linux kernel's handling of     packets with the URG flag. Applications using the     splice() and tcp_splice_read() functionality could allow     a remote attacker to force the kernel to enter a     condition in which it could loop indefinitely.
    (CVE-2017-6214)

  - Kernel memory corruption due to a buffer overflow was     found in brcmf_cfg80211_mgmt_tx() function in Linux     kernels from v3.9-rc1 to v4.13-rc1. The vulnerability     can be triggered by sending a crafted NL80211_CMD_FRAME     packet via netlink. This flaw is unlikely to be     triggered remotely as certain userspace code is needed     for this. An unprivileged local user could use this flaw     to induce kernel memory corruption on the system,     leading to a crash. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out, although     it is unlikely. (CVE-2017-7541)

  - An integer overflow vulnerability in     ip6_find_1stfragopt() function was found. A local     attacker that has privileges (of CAP_NET_RAW) to open     raw socket can cause an infinite loop inside the     ip6_find_1stfragopt() function. (CVE-2017-7542)

  - Incorrect error handling in the set_mempolicy() and     mbind() compat syscalls in 'mm/mempolicy.c' in the Linux     kernel allows local users to obtain sensitive     information from uninitialized stack data by triggering     failure of a certain bitmap operation. (CVE-2017-7616)

  - The mm subsystem in the Linux kernel through 4.10.10     does not properly enforce the CONFIG_STRICT_DEVMEM     protection mechanism, which allows local users to read     or write to kernel memory locations in the first     megabyte (and bypass slab-allocation access     restrictions) via an application that opens the /dev/mem     file, related to arch/x86/mm/init.c and     drivers/char/mem.c. (CVE-2017-7889)

  - The IPv6 fragmentation implementation in the Linux     kernel does not consider that the nexthdr field may be     associated with an invalid option, which allows local     users to cause a denial of service (out-of-bounds read     and BUG) or possibly have unspecified other impact via     crafted socket and send system calls. Due to the nature     of the flaw, privilege escalation cannot be fully ruled     out, although we believe it is unlikely. (CVE-2017-9074)

  - In the Linux kernel versions 4.12, 3.10, 2.6, and     possibly earlier, a race condition vulnerability exists     in the sound system allowing for a potential deadlock     and memory corruption due to use-after-free condition     and thus denial of service. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely. (CVE-2018-1000004)

  - A null pointer dereference in dccp_write_xmit() function     in net/dccp/output.c in the Linux kernel allows a local     user to cause a denial of service by a number of certain     crafted system calls. (CVE-2018-1130)

  - Modern Intel microprocessors implement hardware-level     micro-optimizations to improve the performance of     writing data back to CPU caches. The write operation is     split into STA (STore Address) and STD (STore Data) sub-     operations. These sub-operations allow the processor to     hand-off address generation logic into these sub-     operations for optimized writes. Both of these sub-     operations write to a shared distributed processor     structure called the 'processor store buffer'. As a     result, an unprivileged attacker could use this flaw to     read private data resident within the CPU's processor     store buffer. (CVE-2018-12126)

  - Microprocessors use a load port subcomponent to     perform load operations from memory or IO. During a load     operation, the load port receives data from the memory     or IO subsystem and then provides the data to the CPU     registers and operations in the CPUs pipelines. Stale     load operations results are stored in the 'load port'     table until overwritten by newer operations. Certain     load-port operations triggered by an attacker can be     used to reveal data about previous stale requests     leaking data back to the attacker via a timing side-     channel. (CVE-2018-12127)

  - A flaw was found in the implementation of the fill     buffer, a mechanism used by modern CPUs when a cache-     miss is made on L1 CPU cache. If an attacker can     generate a load operation that would create a page     fault, the execution will continue speculatively with     incorrect data from the fill buffer while the data is     fetched from higher level caches. This response time can     be measured to infer data in the fill buffer.
    (CVE-2018-12130)

  - A vulnerability was found in the     fs/inode.c:inode_init_owner() function logic of the     LInux kernel that allows local users to create files     with an unintended group ownership and with group     execution and SGID permission bits set, in a scenario     where a directory is SGID and belongs to a certain group     and is writable by a user who is not a member of this     group. This can lead to excessive permissions granted in     case when they should not. (CVE-2018-13405)

  - A Floating Point Unit (FPU) state information leakage     flaw was found in the way the Linux kernel saved and     restored the FPU state during task switch. Linux kernels     that follow the Lazy FPU Restore scheme are vulnerable     to the FPU state information leakage issue. An     unprivileged local attacker could use this flaw to read     FPU state bits by conducting targeted cache side-channel     attacks, similar to the Meltdown vulnerability disclosed     earlier this year. (CVE-2018-3665)

  - An error in the _sctp_make_chunk() function     (net/sctp/sm_make_chunk.c) when handling SCTP, packet     length can be exploited by a malicious local user to     cause a kernel crash and a DoS. (CVE-2018-5803)

  - ALSA sequencer core initializes the event pool on demand     by invoking snd_seq_pool_init() when the first write     happens and the pool is empty. A user can reset the pool     size manually via ioctl concurrently, and this may lead     to UAF or out-of-bound access. (CVE-2018-7566)

  - Uncacheable memory on some microprocessors utilizing     speculative execution may allow an authenticated user to     potentially enable information disclosure via a side     channel with local access. (CVE-2019-11091)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Security Fix(es) :

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of Load &amp; Store instructions (a commonly     used performance optimization). It relies on the     presence of a precisely-defined instruction sequence in     the privileged code as well as the fact that memory read     from address to which a recent memory write has occurred     may see an older value and subsequently cause an update     into the microprocessor's data cache even for     speculatively executed instructions that never actually     commit (retire). As a result, an unprivileged attacker     could use this flaw to read privileged memory by     conducting targeted cache side-channel attacks.
    (CVE-2018-3639, PowerPC)

  - kernel: net/packet: overflow in check for priv area size     (CVE-2017-7308)

  - kernel: AIO interface didn't use rw_verify_area() for     checking mandatory locking on files and size of access     (CVE-2012-6701)

  - kernel: AIO write triggers integer overflow in some     protocols (CVE-2015-8830)

  - kernel: NULL pointer dereference via keyctl     (CVE-2016-8650)

  - kernel: ping socket / AF_LLC connect() sin_family race     (CVE-2017-2671)

  - kernel: Race condition between multiple     sys_perf_event_open() calls (CVE-2017-6001)

  - kernel: Incorrect error handling in the set_mempolicy     and mbind compat syscalls in mm/mempolicy.c     (CVE-2017-7616)

  - kernel: mm subsystem does not properly enforce the     CONFIG_STRICT_DEVMEM protection mechanism     (CVE-2017-7889)

  - kernel: Double free in the inet_csk_clone_lock function     in net/ipv4/inet_connection_sock.c (CVE-2017-8890)

  - kernel: net: sctp_v6_create_accept_sk function     mishandles inheritance (CVE-2017-9075)

  - kernel: net: IPv6 DCCP implementation mishandles     inheritance (CVE-2017-9076)

  - kernel: net: tcp_v6_syn_recv_sock function mishandles     inheritance (CVE-2017-9077)

  - kernel: memory leak when merging buffers in SCSI IO     vectors (CVE-2017-12190)

  - kernel: vfs: BUG in truncate_inode_pages_range() and     fuse client (CVE-2017-15121)

  - kernel: Race condition in     drivers/md/dm.c:dm_get_from_kobject() allows local users     to cause a denial of service (CVE-2017-18203)

  - kernel: a NULL pointer dereference in     net/dccp/output.c:dccp_write_xmit() leads to a system     crash (CVE-2018-1130)

  - kernel: Missing length check of payload in     net/sctp/sm_make_chunk.c:_sctp_make_chunk() function     allows denial of service (CVE-2018-5803)

From Red Hat Security Advisory 2018:1854 :

An update for kernel is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639, PowerPC)

* kernel: net/packet: overflow in check for priv area size (CVE-2017-7308)

* kernel: AIO interface didn't use rw_verify_area() for checking mandatory locking on files and size of access (CVE-2012-6701)

* kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830)

* kernel: NULL pointer dereference via keyctl (CVE-2016-8650)

* kernel: ping socket / AF_LLC connect() sin_family race (CVE-2017-2671)

* kernel: Race condition between multiple sys_perf_event_open() calls (CVE-2017-6001)

* kernel: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c (CVE-2017-7616)

* kernel: mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism (CVE-2017-7889)

* kernel: Double free in the inet_csk_clone_lock function in net/ipv4/ inet_connection_sock.c (CVE-2017-8890)

* kernel: net: sctp_v6_create_accept_sk function mishandles inheritance (CVE-2017-9075)

* kernel: net: IPv6 DCCP implementation mishandles inheritance (CVE-2017-9076)

* kernel: net: tcp_v6_syn_recv_sock function mishandles inheritance (CVE-2017-9077)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203)

* kernel: a NULL pointer dereference in net/dccp/output.c:dccp_write_xmit() leads to a system crash (CVE-2018-1130)

* kernel: Missing length check of payload in net/sctp/ sm_make_chunk.c:_sctp_make_chunk() function allows denial of service (CVE-2018-5803)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639; Vitaly Mayatskih for reporting CVE-2017-12190; and Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat).

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.

According to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities :

  - The do_get_mempolicy() function in 'mm/mempolicy.c' in     the Linux kernel allows local users to hit a     use-after-free bug via crafted system calls and thus     cause a denial of service (DoS) or possibly have     unspecified other impact. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out.

  - It was found that AIO interface didn't use the proper     rw_verify_area() helper function with extended     functionality, for example, mandatory locking on the     file. Also rw_verify_area() makes extended checks, for     example, that the size of the access doesn't cause     overflow of the provided offset limits. This integer     overflow in fs/aio.c in the Linux kernel before 3.4.1     allows local users to cause a denial of service or     possibly have unspecified other impact via a large AIO     iovec.

  - Integer overflow in the aio_setup_single_vector     function in fs/aio.c in the Linux kernel 4.0 allows     local users to cause a denial of service or possibly     have unspecified other impact via a large AIO iovec.
    NOTE: this vulnerability exists because of a     CVE-2012-6701 regression.

  - A flaw was found in the Linux kernel key management     subsystem in which a local attacker could crash the     kernel or corrupt the stack and additional memory     (denial of service) by supplying a specially crafted     RSA key. This flaw panics the machine during the     verification of the RSA key.

  - A race condition leading to a NULL pointer dereference     was found in the Linux kernel's Link Layer Control     implementation. A local attacker with access to ping     sockets could use this flaw to crash the system.

  - It was found that the original fix for CVE-2016-6786     was incomplete. There exist a race between two     concurrent sys_perf_event_open() calls when both try     and move the same pre-existing software group into a     hardware context.

  - Incorrect error handling in the set_mempolicy() and     mbind() compat syscalls in 'mm/mempolicy.c' in the     Linux kernel allows local users to obtain sensitive     information from uninitialized stack data by triggering     failure of a certain bitmap operation.

  - The mm subsystem in the Linux kernel through 4.10.10     does not properly enforce the CONFIG_STRICT_DEVMEM     protection mechanism, which allows local users to read     or write to kernel memory locations in the first     megabyte (and bypass slab-allocation access     restrictions) via an application that opens the     /dev/mem file, related to arch/x86/mm/init.c and     drivers/char/mem.c.

  - It was found that in the Linux kernel through     v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in     'block/bio.c' do unbalanced pages refcounting if IO     vector has small consecutive buffers belonging to the     same page. bio_add_pc_page() merges them into one, but     the page reference is never dropped, causing a memory     leak and possible system lockup due to out-of-memory     condition.

  - The Linux kernel, before version 4.14.3, is vulnerable     to a denial of service in     drivers/md/dm.c:dm_get_from_kobject() which can be     caused by local users leveraging a race condition with
    __dm_destroy() during creation and removal of DM     devices. Only privileged local users (with     CAP_SYS_ADMIN capability) can directly perform the     ioctl operations for dm device creation and removal and     this would typically be outside the direct control of     the unprivileged attacker.

  - An error in the '_sctp_make_chunk()' function     (net/sctp/sm_make_chunk.c) when handling SCTP, packet     length can be exploited by a malicious local user to     cause a kernel crash and a DoS.

  - Memory leak in the sas_smp_get_phy_events function in     drivers/scsi/libsas/sas_expander.c in the Linux kernel     allows local users to cause a denial of service (kernel     memory exhaustion) via multiple read accesses to files     in the /sys/class/sas_phy directory.

Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639, PowerPC)

* kernel: net/packet: overflow in check for priv area size (CVE-2017-7308)

* kernel: AIO interface didn't use rw_verify_area() for checking mandatory locking on files and size of access (CVE-2012-6701)

* kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830)

* kernel: NULL pointer dereference via keyctl (CVE-2016-8650)

* kernel: ping socket / AF_LLC connect() sin_family race (CVE-2017-2671)

* kernel: Race condition between multiple sys_perf_event_open() calls (CVE-2017-6001)

* kernel: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c (CVE-2017-7616)

* kernel: mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism (CVE-2017-7889)

* kernel: Double free in the inet_csk_clone_lock function in net/ipv4/ inet_connection_sock.c (CVE-2017-8890)

* kernel: net: sctp_v6_create_accept_sk function mishandles inheritance (CVE-2017-9075)

* kernel: net: IPv6 DCCP implementation mishandles inheritance (CVE-2017-9076)

* kernel: net: tcp_v6_syn_recv_sock function mishandles inheritance (CVE-2017-9077)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203)

* kernel: a NULL pointer dereference in net/dccp/output.c:dccp_write_xmit() leads to a system crash (CVE-2018-1130)

* kernel: Missing length check of payload in net/sctp/ sm_make_chunk.c:_sctp_make_chunk() function allows denial of service (CVE-2018-5803)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639; Vitaly Mayatskih for reporting CVE-2017-12190; and Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat).

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.

The openSUSE 13.2 kernel was updated to fix various bugs and security issues.

The following security bugs were fixed :

  - CVE-2016-1583: Prevent the usage of mmap when the lower     file system does not allow it. This could have lead to     local privilege escalation when ecryptfs-utils was     installed and /sbin/mount.ecryptfs_private was setuid     (bsc#983143).

  - CVE-2016-4913: The get_rock_ridge_filename function in     fs/isofs/rock.c in the Linux kernel mishandles NM (aka     alternate name) entries containing \0 characters, which     allowed local users to obtain sensitive information from     kernel memory or possibly have unspecified other impact     via a crafted isofs filesystem (bnc#980725).

  - CVE-2016-4580: The x25_negotiate_facilities function in     net/x25/x25_facilities.c in the Linux kernel did not     properly initialize a certain data structure, which     allowed attackers to obtain sensitive information from     kernel stack memory via an X.25 Call Request     (bnc#981267).

  - CVE-2016-0758: Tags with indefinite length could have     corrupted pointers in asn1_find_indefinite_length     (bsc#979867).

  - CVE-2016-2053: The asn1_ber_decoder function in     lib/asn1_decoder.c in the Linux kernel allowed attackers     to cause a denial of service (panic) via an ASN.1 BER     file that lacks a public key, leading to mishandling by     the public_key_verify_signature function in     crypto/asymmetric_keys/public_key.c (bnc#963762).

  - CVE-2016-2187: The gtco_probe function in     drivers/input/tablet/gtco.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted endpoints value in a USB device descriptor     (bnc#971919 971944).

  - CVE-2016-4482: The proc_connectinfo function in     drivers/usb/core/devio.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via a crafted USBDEVFS_CONNECTINFO ioctl call     (bnc#978401 bsc#978445).

  - CVE-2016-4565: The InfiniBand (aka IB) stack in the     Linux kernel incorrectly relies on the write system     call, which allowed local users to cause a denial of     service (kernel memory write operation) or possibly have     unspecified other impact via a uAPI interface     (bnc#979548 bsc#980363).

  - CVE-2016-3672: The arch_pick_mmap_layout function in     arch/x86/mm/mmap.c in the Linux kernel did not properly     randomize the legacy base address, which made it easier     for local users to defeat the intended restrictions on     the ADDR_NO_RANDOMIZE flag, and bypass the ASLR     protection mechanism for a setuid or setgid program, by     disabling stack-consumption resource limits     (bnc#974308).

  - CVE-2016-4581: fs/pnode.c in the Linux kernel did not     properly traverse a mount propagation tree in a certain     case involving a slave mount, which allowed local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted series of mount system calls     (bnc#979913).

  - CVE-2016-4485: The llc_cmsg_rcv function in     net/llc/af_llc.c in the Linux kernel did not initialize     a certain data structure, which allowed attackers to     obtain sensitive information from kernel stack memory by     reading a message (bnc#978821).

  - CVE-2015-3288: A security flaw was found in the Linux     kernel that there was a way to arbitrary change zero     page memory. (bnc#979021).

  - CVE-2016-4578: sound/core/timer.c in the Linux kernel     did not initialize certain r1 data structures, which     allowed local users to obtain sensitive information from     kernel stack memory via crafted use of the ALSA timer     interface, related to the (1) snd_timer_user_ccallback     and (2) snd_timer_user_tinterrupt functions     (bnc#979879).

  - CVE-2016-3134: The netfilter subsystem in the Linux     kernel did not validate certain offset fields, which     allowed local users to gain privileges or cause a denial     of service (heap memory corruption) via an     IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

  - CVE-2016-4486: The rtnl_fill_link_ifmap function in     net/core/rtnetlink.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#978822).

  - CVE-2013-7446: Use-after-free vulnerability in     net/unix/af_unix.c in the Linux kernel allowed local     users to bypass intended AF_UNIX socket permissions or     cause a denial of service (panic) via crafted epoll_ctl     calls (bnc#955654).

  - CVE-2016-4569: The snd_timer_user_params function in     sound/core/timer.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via crafted use of the ALSA timer interface     (bnc#979213).

  - CVE-2016-2847: fs/pipe.c in the Linux kernel did not     limit the amount of unread data in pipes, which allowed     local users to cause a denial of service (memory     consumption) by creating many pipes with non-default     sizes (bnc#970948 974646).

  - CVE-2016-3136: The mct_u232_msr_to_state function in     drivers/usb/serial/mct_u232.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted USB device without two interrupt-in     endpoint descriptors (bnc#970955).

  - CVE-2016-2188: The iowarrior_probe function in     drivers/usb/misc/iowarrior.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted endpoints value in a USB device descriptor     (bnc#970956).

  - CVE-2016-3138: The acm_probe function in     drivers/usb/class/cdc-acm.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a USB device without both a control and a data endpoint     descriptor (bnc#970911).

  - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a USB device without both an     interrupt-in and an interrupt-out endpoint descriptor,     related to the cypress_generic_port_probe and     cypress_open functions (bnc#970970).

  - CVE-2016-3951: Double free vulnerability in     drivers/net/usb/cdc_ncm.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (system crash) or possibly have unspecified     other impact by inserting a USB device with an invalid     USB descriptor (bnc#974418).

  - CVE-2016-3140: The digi_port_init function in     drivers/usb/serial/digi_acceleport.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970892).

  - CVE-2016-2186: The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970958).

  - CVE-2016-2185: The ati_remote2_probe function in     drivers/input/misc/ati_remote2.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#971124).

  - CVE-2016-3689: The ims_pcu_parse_cdc_data function in     drivers/input/misc/ims-pcu.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (system crash) via a USB device without both a     master and a slave interface (bnc#971628).

  - CVE-2016-3156: The IPv4 implementation in the Linux     kernel mishandles destruction of device objects, which     allowed guest OS users to cause a denial of service     (host OS networking outage) by arranging for a large     number of IP addresses (bnc#971360).

  - CVE-2016-2184: The create_fixed_stream_quirk function in     sound/usb/quirks.c in the snd-usb-audio driver in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference or     double free, and system crash) via a crafted endpoints     value in a USB device descriptor (bnc#971125).

  - CVE-2016-3139: The wacom_probe function in     drivers/input/tablet/wacom_sys.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970909).

  - CVE-2015-8830: Integer overflow in the     aio_setup_single_vector function in fs/aio.c in the     Linux kernel 4.0 allowed local users to cause a denial     of service or possibly have unspecified other impact via     a large AIO iovec. NOTE: this vulnerability exists     because of a CVE-2012-6701 regression (bnc#969354     bsc#969355).

  - CVE-2016-2782: The treo_attach function in     drivers/usb/serial/visor.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact by inserting a     USB device that lacks a (1) bulk-in or (2) interrupt-in     endpoint (bnc#968670).

  - CVE-2015-8816: The hub_activate function in     drivers/usb/core/hub.c in the Linux kernel did not     properly maintain a hub-interface data structure, which     allowed physically proximate attackers to cause a denial     of service (invalid memory access and system crash) or     possibly have unspecified other impact by unplugging a     USB hub device (bnc#968010).

  - CVE-2015-7566: The clie_5_attach function in     drivers/usb/serial/visor.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact by inserting a     USB device that lacks a bulk-out endpoint (bnc#961512).

  - CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel     did not prevent recursive callback access, which allowed     local users to cause a denial of service (deadlock) via     a crafted ioctl call (bnc#968013).

  - CVE-2016-2547: sound/core/timer.c in the Linux kernel     employs a locking approach that did not consider slave     timer instances, which allowed local users to cause a     denial of service (race condition, use-after-free, and     system crash) via a crafted ioctl call (bnc#968011).

  - CVE-2016-2548: sound/core/timer.c in the Linux kernel     retains certain linked lists after a close or stop     action, which allowed local users to cause a denial of     service (system crash) via a crafted ioctl call, related     to the (1) snd_timer_close and (2) _snd_timer_stop     functions (bnc#968012).

  - CVE-2016-2546: sound/core/timer.c in the Linux kernel     uses an incorrect type of mutex, which allowed local     users to cause a denial of service (race condition,     use-after-free, and system crash) via a crafted ioctl     call (bnc#967975).

  - CVE-2016-2545: The snd_timer_interrupt function in     sound/core/timer.c in the Linux kernel did not properly     maintain a certain linked list, which allowed local     users to cause a denial of service (race condition and     system crash) via a crafted ioctl call (bnc#967974).

  - CVE-2016-2544: Race condition in the queue_delete     function in sound/core/seq/seq_queue.c in the Linux     kernel allowed local users to cause a denial of service     (use-after-free and system crash) by making an ioctl     call at a certain time (bnc#967973).

  - CVE-2016-2543: The snd_seq_ioctl_remove_events function     in sound/core/seq/seq_clientmgr.c in the Linux kernel     did not verify FIFO assignment before proceeding with     FIFO clearing, which allowed local users to cause a     denial of service (NULL pointer dereference and OOPS)     via a crafted ioctl call (bnc#967972).

  - CVE-2015-8709: ** DISPUTED ** kernel/ptrace.c in the     Linux kernel mishandles uid and gid mappings, which     allowed local users to gain privileges by establishing a     user namespace, waiting for a root process to enter that     namespace with an unsafe uid or gid, and then using the     ptrace system call. NOTE: the vendor states 'there is no     kernel bug here (bnc#959709 960561 ).

  - CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in     the Linux kernel did not properly identify error     conditions, which allowed remote attackers to execute     arbitrary code or cause a denial of service     (use-after-free) via crafted packets (bnc#966437).

  - CVE-2016-2384: Double free vulnerability in the     snd_usbmidi_create function in sound/usb/midi.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (panic) or possibly have     unspecified other impact via vectors involving an     invalid USB descriptor (bnc#966693).

  - CVE-2015-8785: The fuse_fill_write_pages function in     fs/fuse/file.c in the Linux kernel allowed local users     to cause a denial of service (infinite loop) via a     writev system call that triggers a zero length for the     first segment of an iov (bnc#963765).

  - CVE-2014-9904: The snd_compress_check_input function in     sound/core/compress_offload.c in the ALSA subsystem in     the Linux kernel did not properly check for an integer     overflow, which allowed local users to cause a denial of     service (insufficient memory allocation) or possibly     have unspecified other impact via a crafted     SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811).

  - CVE-2016-5829: Multiple heap-based buffer overflows in     the hiddev_ioctl_usage function in     drivers/hid/usbhid/hiddev.c in the Linux kernel allow     local users to cause a denial of service or possibly     have unspecified other impact via a crafted (1)     HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call     (bnc#986572 986573).

  - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt     implementation in the netfilter subsystem in the Linux     kernel allowed local users to gain privileges or cause a     denial of service (memory corruption) by leveraging     in-container root access to provide a crafted offset     value that triggers an unintended decrement (bnc#986362     986365 986377).

  - CVE-2016-4805: Use-after-free vulnerability in     drivers/net/ppp/ppp_generic.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash, or spinlock) or possibly     have unspecified other impact by removing a network     namespace, related to the ppp_register_net_channel and     ppp_unregister_channel functions (bnc#980371).

  - CVE-2016-4470: The key_reject_and_link function in     security/keys/key.c in the Linux kernel did not ensure     that a certain data structure is initialized, which     allowed local users to cause a denial of service (system     crash) via vectors involving a crafted keyctl request2     command (bnc#984755 984764).

  - CVE-2015-6526: The perf_callchain_user_64 function in     arch/powerpc/perf/callchain.c in the Linux kernel on     ppc64 platforms allowed local users to cause a denial of     service (infinite loop) via a deep 64-bit userspace     backtrace (bnc#942702).

  - CVE-2016-5244: The rds_inc_info_copy function in     net/rds/recv.c in the Linux kernel did not initialize a     certain structure member, which allowed remote attackers     to obtain sensitive information from kernel stack memory     by reading an RDS message (bnc#983213).

The following non-security bugs were fixed :

  - ALSA: hrtimer: Handle start/stop more properly     (bsc#973378).

  - ALSA: pcm: Fix potential deadlock in OSS emulation     (bsc#968018).

  - ALSA: rawmidi: Fix race at copying & updating the     position (bsc#968018).

  - ALSA: rawmidi: Make snd_rawmidi_transmit() race-free     (bsc#968018).

  - ALSA: seq: Fix double port list deletion (bsc#968018).

  - ALSA: seq: Fix incorrect sanity check at     snd_seq_oss_synth_cleanup() (bsc#968018).

  - ALSA: seq: Fix leak of pool buffer at concurrent writes     (bsc#968018).

  - ALSA: seq: Fix lockdep warnings due to double mutex     locks (bsc#968018).

  - ALSA: seq: Fix race at closing in virmidi driver     (bsc#968018).

  - ALSA: seq: Fix yet another races among ALSA timer     accesses (bsc#968018).

  - ALSA: timer: Call notifier in the same spinlock     (bsc#973378).

  - ALSA: timer: Code cleanup (bsc#968018).

  - ALSA: timer: Fix leftover link at closing (bsc#968018).

  - ALSA: timer: Fix link corruption due to double start or     stop (bsc#968018).

  - ALSA: timer: Fix race between stop and interrupt     (bsc#968018).

  - ALSA: timer: Fix wrong instance passed to slave     callbacks (bsc#968018).

  - ALSA: timer: Protect the whole snd_timer_close() with     open race (bsc#973378).

  - ALSA: timer: Sync timer deletion at closing the system     timer (bsc#973378).

  - ALSA: timer: Use mod_timer() for rearming the system     timer (bsc#973378).

  - Bluetooth: vhci: Fix race at creating hci device     (bsc#971799,bsc#966849).

  - Bluetooth: vhci: fix open_timeout vs. hdev race     (bsc#971799,bsc#966849).

  - Bluetooth: vhci: purge unhandled skbs     (bsc#971799,bsc#966849).

  - Btrfs: do not use src fd for printk (bsc#980348).

  - Refresh     patches.drivers/ALSA-hrtimer-Handle-start-stop-more-prop     erly. Fix the build error on 32bit architectures.

  - Refresh patches.xen/xen-netback-coalesce: Restore     copying of SKBs with head exceeding page size     (bsc#978469).

  - Refresh patches.xen/xen3-patch-3.14: Suppress atomic     file position updates on /proc/xen/xenbus (bsc#970275).

  - Subject: [PATCH] USB: xhci: Add broken streams quirk for     Frescologic device id 1009 (bnc#982706).

  - USB: usbip: fix potential out-of-bounds write     (bnc#975945).

  - af_unix: Guard against other == sk in unix_dgram_sendmsg     (bsc#973570).

  - backends: guarantee one time reads of shared ring     contents (bsc#957988).

  - btrfs: do not go readonly on existing qgroup items     (bsc#957052).

  - btrfs: remove error message from search ioctl for     nonexistent tree.

  - drm/i915: Fix missing backlight update during panel     disablement (bsc#941113 boo#901754).

  - enic: set netdev->vlan_features (bsc#966245).

  - ext4: fix races between buffered IO and collapse /     insert range (bsc#972174).

  - ext4: fix races between page faults and hole punching     (bsc#972174).

  - ext4: fix races of writeback with punch hole and zero     range (bsc#972174).

  - ext4: move unlocked dio protection from     ext4_alloc_file_blocks() (bsc#972174).

  - ipv4/fib: do not warn when primary address is missing if     in_dev is dead (bsc#971360).

  - ipvs: count pre-established TCP states as active     (bsc#970114).

  - net: core: Correct an over-stringent device loop     detection (bsc#945219).

  - netback: do not use last request to determine minimum Tx     credit (bsc#957988).

  - pciback: Check PF instead of VF for PCI_COMMAND_MEMORY.

  - pciback: Save the number of MSI-X entries to be copied     later.

  - pciback: guarantee one time reads of shared ring     contents (bsc#957988).

  - series.conf: move cxgb3 patch to network drivers section

  - usb: quirk to stop runtime PM for Intel 7260     (bnc#984464).

  - x86: standardize mmap_rnd() usage (bnc#974308).

ID	Name	Product	Family	Severity
127425	NewStart CGSL MAIN 4.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0152)	Nessus	NewStart CGSL Local Security Checks	high
110887	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20180619) (Spectre)	Nessus	Scientific Linux Local Security Checks	high
110701	Oracle Linux 6 : kernel (ELSA-2018-1854) (Spectre)	Nessus	Oracle Linux Local Security Checks	high
110694	Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2018-041)	Nessus	Virtuozzo Local Security Checks	high
110645	CentOS 6 : kernel (CESA-2018:1854) (Spectre)	Nessus	CentOS Local Security Checks	critical
110600	RHEL 6 : kernel (RHSA-2018:1854) (Spectre)	Nessus	Red Hat Local Security Checks	high
93104	openSUSE Security Update : the Linux Kernel (openSUSE-2016-1015)	Nessus	SuSE Local Security Checks	critical

CVE-2012-6701

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins