http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a430c9166312e1aa3d80bce32374233bdbfeba32

62042

[kvm] 20141013 [PATCH 0/2] KVM: x86: Fixing clflush/hint_nop/prefetch

[oss-security] 20141023 CVE Request: Linux 3.17 guest-triggerable KVM OOPS

https://bugzilla.redhat.com/show_bug.cgi?id=1156615

https://github.com/torvalds/linux/commit/a430c9166312e1aa3d80bce32374233bdbfeba32

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):A flaw named FragmentSmack     was found in the way the Linux kernel handled     reassembly of fragmented IPv4 and IPv6 packets. A     remote attacker could use this flaw to trigger time and     calculation expensive fragment reassembly algorithm by     sending specially crafted packets which could lead to a     CPU saturation and hence a denial of service on the     system.(CVE-2018-5391)Multiple out-of-bounds write     flaws were found in the way the Cherry Cymotion     keyboard driver, KYE/Genius device drivers, Logitech     device drivers, Monterey Genius KB29E keyboard driver,     Petalynx Maxter remote control driver, and Sunplus     wireless desktop driver handled HID reports with an     invalid report descriptor size. An attacker with     physical access to the system could use either of these     flaws to write data past an allocated memory     buffer.(CVE-2014-3184)The __get_data_block function in     fs/f2fs/data.c in the Linux kernel before 4.11 allows     local users to cause a denial of service (integer     overflow and loop) via crafted use of the open and     fallocate system calls with an FS_IOC_FIEMAP     ioctl.(CVE-2017-18257)netetfilter/xt_osf.c in the Linux     kernel through 4.14.4 does not require the     CAP_NET_ADMIN capability for add_callback and     remove_callback operations. This allows local users to     bypass intended access restrictions because the     xt_osf_fingers data structure is shared across all     network namespaces.(CVE-2017-17450)A denial of service     flaw was discovered in the Linux kernel, where a race     condition caused a NULL pointer dereference in the RDS     socket-creation code. A local attacker could use this     flaw to create a situation in which a NULL pointer     crashed the kernel.(CVE-2015-7990)An issue was     discovered in the Linux kernel before 4.19.9. The USB     subsystem mishandles size checks during the reading of     an extra descriptor, related to
    __usb_get_extra_descriptor in     drivers/usb/core/usb.c.(CVE-2018-20169)mm/memory.c in     the Linux kernel before 4.1.4 mishandles anonymous     pages, which allows local users to gain privileges or     cause a denial of service (page tainting) via a crafted     application that triggers writing to page     zero.(CVE-2015-3288)The ovl_setattr function in     fs/overlayfs/inode.c in the Linux kernel through 4.3.3     attempts to merge distinct setattr operations, which     allows local users to bypass intended access     restrictions and modify the attributes of arbitrary     overlay files via a crafted     application.(CVE-2015-8660)A flaw was found in the     Linux kernel where a local user with a shell account     can abuse the userfaultfd syscall when using hugetlbfs.
    A missing size check in hugetlb_mcopy_atomic_pte could     create an invalid inode variable, leading to a kernel     panic.(CVE-2017-15128)An integer overflow flaw was     found in the way the lzo1x_decompress_safe() function     of the Linux kernel's LZO implementation processed     Literal Runs. A local attacker could, in extremely rare     cases, use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-4608)It was found that Linux kernel's     ptrace subsystem did not properly sanitize the     address-space-control bits when the program-status word     (PSW) was being set. On IBM S/390 systems, a local,     unprivileged user could use this flaw to set     address-space-control bits to the kernel space, and     thus gain read and write access to kernel     memory.(CVE-2014-3534)A use-after-free flaw was found     in the Linux kernel's file system encryption     implementation. A local user could revoke keyring keys     being used for ext4, f2fs, or ubifs encryption, causing     a denial of service on the system.(CVE-2017-7374)The     usbip_recv_xbuff function in     drivers/usb/usbip/usbip_common.c in the Linux kernel     before 4.5.3 allows remote attackers to cause a denial     of service (out-of-bounds write) or possibly have     unspecified other impact via a crafted length value in     a USB/IP packet.(CVE-2016-3955)A flaw was found in the     patches used to fix the 'dirtycow' vulnerability     (CVE-2016-5195). An attacker, able to run local code,     can exploit a race condition in transparent huge pages     to modify usually read-only huge     pages.(CVE-2017-1000405)The aio_mount function in     fs/aio.c in the Linux kernel does not properly restrict     execute access, which makes it easier for local users     to bypass intended SELinux W^X policy     restrictions.(CVE-2016-10044)The Serial Attached SCSI     (SAS) implementation in the Linux kernel mishandles a     mutex within libsas. This allows local users to cause a     denial of service (deadlock) by triggering certain     error-handling code.(CVE-2017-18232)A use-after-free     vulnerability was found in tcp_xmit_retransmit_queue     and other tcp_* functions. This condition could allow     an attacker to send an incorrect selective     acknowledgment to existing connections, possibly     resetting a connection.(CVE-2016-6828)The instruction     decoder in arch/x86/kvm/emulate.c in the KVM subsystem     in the Linux kernel before 3.18-rc2 does not properly     handle invalid instructions, which allows guest OS     users to cause a denial of service (NULL pointer     dereference and host OS crash) via a crafted     application that triggers (1) an improperly fetched     instruction or (2) an instruction that occupies too     many bytes. NOTE: this vulnerability exists because of     an incomplete fix for CVE-2014-8480.(CVE-2014-8481)The     snd_compress_check_input function in     sound/core/compress_offload.c in the ALSA subsystem in     the Linux kernel before 3.17 does not properly check     for an integer overflow, which allows local users to     cause a denial of service (insufficient memory     allocation) or possibly have unspecified other impact     via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl     call.(CVE-2014-9904)The resv_map_release function in     mm/hugetlb.c in the Linux kernel, through 4.15.7,     allows local users to cause a denial of service (BUG)     via a crafted application that makes mmap system calls     and has a large pgoff argument to the remap_file_pages     system call.(CVE-2018-7740)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the way the Linux kernel's SCTP     implementation validated INIT chunks when performing     Address Configuration Change (ASCONF). A remote     attacker could use this flaw to crash the system by     sending a specially crafted SCTP packet to trigger a     NULL pointer dereference on the system.(CVE-2014-7841)

  - It was found that reporting emulation failures to user     space could lead to either a local (CVE-2014-7842) or a     L2-i1/4zL1 (CVE-2010-5313) denial of service. In the case     of a local denial of service, an attacker must have     access to the MMIO area or be able to access an I/O     port. Please note that on certain systems, HPET is     mapped to userspace as part of vdso (vvar) and thus an     unprivileged user may generate MMIO transactions (and     enter the emulator) this way.(CVE-2014-7842)

  - The pivot_root implementation in fs/namespace.c in the     Linux kernel through 3.17 does not properly interact     with certain locations of a chroot directory, which     allows local users to cause a denial of service     (mount-tree loop) via . (dot) values in both arguments     to the pivot_root system call.(CVE-2014-7970)

  - The do_umount function in fs/namespace.c in the Linux     kernel through 3.17 does not require the CAP_SYS_ADMIN     capability for do_remount_sb calls that change the root     filesystem to read-only, which allows local users to     cause a denial of service (loss of writability) by     making certain unshare system calls, clearing the /     MNT_LOCKED flag, and making an MNT_FORCE umount system     call.(CVE-2014-7975)

  - A race condition flaw was found in the Linux kernel's     ext4 file system implementation that allowed a local,     unprivileged user to crash the system by simultaneously     writing to a file and toggling the O_DIRECT flag using     fcntl(F_SETFL) on that file.(CVE-2014-8086)

  - A flaw was found in the way the Linux kernel's     netfilter subsystem handled generic protocol tracking.
    As demonstrated in the Stream Control Transmission     Protocol (SCTP) case, a remote attacker could use this     flaw to bypass intended iptables rule restrictions when     the associated connection tracking module was not     loaded on the system.(CVE-2014-8160)

  - It was found that due to excessive files_lock locking,     a soft lockup could be triggered in the Linux kernel     when performing asynchronous I/O operations. A local,     unprivileged user could use this flaw to crash the     system.(CVE-2014-8172)

  - A NULL pointer dereference flaw was found in the way     the Linux kernel's madvise MADV_WILLNEED functionality     handled page table locking. A local, unprivileged user     could use this flaw to crash the system.(CVE-2014-8173)

  - It was found that the fix for CVE-2014-3601 was     incomplete: the Linux kernel's kvm_iommu_map_pages()     function still handled IOMMU mapping failures     incorrectly. A privileged user in a guest with an     assigned host device could use this flaw to crash the     host.(CVE-2014-8369)

  - The instruction decoder in arch/x86/kvm/emulate.c in     the KVM subsystem in the Linux kernel before 3.18-rc2     lacks intended decoder-table flags for certain     RIP-relative instructions, which allows guest OS users     to cause a denial of service (NULL pointer dereference     and host OS crash) via a crafted     application.(CVE-2014-8480)

  - The instruction decoder in arch/x86/kvm/emulate.c in     the KVM subsystem in the Linux kernel before 3.18-rc2     does not properly handle invalid instructions, which     allows guest OS users to cause a denial of service     (NULL pointer dereference and host OS crash) via a     crafted application that triggers (1) an improperly     fetched instruction or (2) an instruction that occupies     too many bytes. NOTE: this vulnerability exists because     of an incomplete fix for CVE-2014-8480.(CVE-2014-8481)

  - A flaw was found in the way the Linux kernel's VFS     subsystem handled file system locks. A local,     unprivileged user could use this flaw to trigger a     deadlock in the kernel, causing a denial of service on     the system.(CVE-2014-8559)

  - An information leak flaw was found in the Linux     kernel's IEEE 802.11 wireless networking     implementation. When software encryption was used, a     remote attacker could use this flaw to leak up to 8     bytes of plaintext.(CVE-2014-8709)

  - A stack-based buffer overflow flaw was found in the     TechnoTrend/Hauppauge DEC USB device driver. A local     user with write access to the corresponding device     could use this flaw to crash the kernel or,     potentially, elevate their privileges on the     system.(CVE-2014-8884)

  - The do_double_fault function in arch/x86/kernel/traps.c     in the Linux kernel through 3.17.4 does not properly     handle faults associated with the Stack Segment (SS)     segment register, which allows local users to cause a     denial of service (panic) via a modify_ldt system call,     as demonstrated by sigreturn_32 in the     linux-clock-tests test suite.(CVE-2014-9090)

  - A flaw was found in the way the Linux kernel handled GS     segment register base switching when recovering from a     #SS (stack segment) fault on an erroneous return to     user space. A local, unprivileged user could use this     flaw to escalate their privileges on the     system.(CVE-2014-9322)

  - An information leak flaw was found in the way the Linux     kernel changed certain segment registers and     thread-local storage (TLS) during a context switch. A     local, unprivileged user could use this flaw to leak     the user space TLS base address of an arbitrary     process.(CVE-2014-9419)

  - It was found that the Linux kernel's ISO file system     implementation did not correctly limit the traversal of     Rock Ridge extension Continuation Entries (CE). An     attacker with physical access to the system could use     this flaw to trigger an infinite loop in the kernel,     resulting in a denial of service.(CVE-2014-9420)

  - A race condition flaw was found in the way the Linux     kernel keys management subsystem performed key garbage     collection. A local attacker could attempt accessing a     key while it was being garbage collected, which would     cause the system to crash.(CVE-2014-9529)

  - An information leak flaw was found in the way the Linux     kernel's ISO9660 file system implementation accessed     data on an ISO9660 image with RockRidge Extension     Reference (ER) records. An attacker with physical     access to the system could use this flaw to disclose up     to 255 bytes of kernel memory.(CVE-2014-9584)

  - An information leak flaw was found in the way the Linux     kernel's Virtual Dynamic Shared Object (vDSO)     implementation performed address randomization. A     local, unprivileged user could use this flaw to leak     kernel memory addresses to user-space.(CVE-2014-9585)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Linux v3.17.2. A wide variety of fixes across the tree. Even more KVM CVE fixes CVE fixes for KVM and SCTP.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124828	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1505)	Nessus	Huawei Local Security Checks	critical
124807	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1483)	Nessus	Huawei Local Security Checks	high
78814	Fedora 21 : kernel-3.17.2-300.fc21 (2014-14126)	Nessus	Fedora Local Security Checks	high

CVE-2014-8481

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

high