http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0f2af21aae11972fa924374ddcf52e88347cf5a8

RHSA-2015:1778

RHSA-2015:1787

[oss-security] 20150223 CVE-2015-0275 -- Linux kernel: fs: ext4: fallocate zero range page size > block size BUG()

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

75139

1034454

[linux-ext4] 20150218 [PATCH] ext4: Allocate entire range in zero range

https://bugzilla.redhat.com/show_bug.cgi?id=1193907

https://github.com/torvalds/linux/commit/0f2af21aae11972fa924374ddcf52e88347cf5a8

https://support.f5.com/csp/article/K05211147

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - In the Linux kernel through 4.19, a use-after-free can     occur due to a race condition between fanout_add from     setsockopt and bind on an AF_PACKET socket. This issue     exists because of the     15fe076edea787807a7cdc168df832544b58eba6 incomplete fix     for a race condition. The code mishandles a certain     multithreaded case involving a packet_do_bind     unregister action followed by a packet_notifier     register action. Later, packet_release operates on only     one of the two applicable linked lists. The attacker     can achieve Program Counter control.(CVE-2018-18559)

  - The acpi_ns_terminate() function in     drivers/acpi/acpica/nsutils.c in the Linux kernel     before 4.12 does not flush the operand cache and causes     a kernel stack dump. A local users could obtain     sensitive information from kernel memory and bypass the     KASLR protection mechanism (in the kernel through 4.9)     via a crafted ACPI table.(CVE-2017-11472)

  - Race condition in net/packet/af_packet.c in the Linux     kernel allows local users to cause a denial of service     (use-after-free) or possibly have unspecified other     impact via a multithreaded application that makes     PACKET_FANOUT setsockopt system calls.(CVE-2017-6346)

  - Multiple race conditions in ipc/shm.c in the Linux     kernel before 3.12.2 allow local users to cause a     denial of service (use-after-free and system crash) or     possibly have unspecified other impact via a crafted     application that uses shmctl IPC_RMID operations in     conjunction with other shm system calls.(CVE-2013-7026)

  - An issue was discovered in the Linux kernel. A NULL     pointer dereference and panic in hfsplus_lookup() in     the fs/hfsplus/dir.c function can occur when opening a     file (that is purportedly a hard link) in an hfs+     filesystem that has malformed catalog data, and is     mounted read-only without a metadata     directory.(CVE-2018-14617)

  - The treo_attach function in drivers/usb/serial/visor.c     in the Linux kernel before 4.5 allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and system crash) or possibly have     unspecified other impact by inserting a USB device that     lacks a (1) bulk-in or (2) interrupt-in     endpoint.(CVE-2016-2782)

  - An information-exposure flaw was found in the Linux     kernel where the pcpu_embed_first_chunk() function in     mm/percpu.c allows local users to obtain kernel-object     address information by reading the kernel log (dmesg).
    However, this address is not static and cannot be used     to commit a further attack.(CVE-2018-5995)

  - Buffer overflow in net/ceph/auth_x.c in Ceph, as used     in the Linux kernel before 3.16.3, allows remote     attackers to cause a denial of service (memory     corruption and panic) or possibly have unspecified     other impact via a long unencrypted auth     ticket.(CVE-2014-6416)

  - It was found that the Linux kernel's ptrace subsystem     allowed a traced process' instruction pointer to be set     to a non-canonical memory address without forcing the     non-sysret code path when returning to user space. A     local, unprivileged user could use this flaw to crash     the system or, potentially, escalate their privileges     on the system.Note: The CVE-2014-4699 issue only     affected systems using an Intel CPU.(CVE-2014-4699)

  - The snd_compr_tstamp function in     sound/core/compress_offload.c in the Linux kernel     through 4.7, as used in Android before 2016-08-05 on     Nexus 5 and 7 (2013) devices, does not properly     initialize a timestamp data structure, which allows     attackers to obtain sensitive information via a crafted     application, aka Android internal bug 28770164 and     Qualcomm internal bug CR568717.(CVE-2014-9892)

  - A flaw was found in the way the Linux kernel's ext4     file system handled the 'page size > block size'     condition when the fallocate zero range functionality     was used. A local attacker could use this flaw to crash     the system.(CVE-2015-0275)

  - An information leak flaw was found in the way the Linux     kernel's ISO9660 file system implementation accessed     data on an ISO9660 image with RockRidge Extension     Reference (ER) records. An attacker with physical     access to the system could use this flaw to disclose up     to 255 bytes of kernel memory.(CVE-2014-9584)

  - The pivot_root implementation in fs/namespace.c in the     Linux kernel through 3.17 does not properly interact     with certain locations of a chroot directory, which     allows local users to cause a denial of service     (mount-tree loop) via . (dot) values in both arguments     to the pivot_root system call.(CVE-2014-7970)

  - arch/x86/kvm/emulate.c in the Linux kernel before     4.8.12 does not properly initialize Code Segment (CS)     in certain error cases, which allows local users to     obtain sensitive information from kernel stack memory     via a crafted application.(CVE-2016-9756)

  - A flaw was found in the Linux kernel where the     swiotlb_print_info() function in lib/swiotlb.c allows     local users to obtain some kernel address information     by reading the kernel log (dmesg). This address is not     useful to commit a further attack.(CVE-2018-5953)

  - A flaw was found in the way the Linux kernel's file     system implementation handled rename operations in     which the source was inside and the destination was     outside of a bind mount. A privileged user inside a     container could use this flaw to escape the bind mount     and, potentially, escalate their privileges on the     system.(CVE-2015-2925)

  - A use-after-free fault in the Linux kernel's usbtv     driver could allow an attacker to cause a denial of     service (system crash), or have unspecified other     impacts, by triggering failure of audio registration of     USB hardware using the usbtv kernel     module.(CVE-2017-17975)

  - The mm subsystem in the Linux kernel through 4.10.10     does not properly enforce the CONFIG_STRICT_DEVMEM     protection mechanism, which allows local users to read     or write to kernel memory locations in the first     megabyte (and bypass slab-allocation access     restrictions) via an application that opens the     /dev/mem file, related to arch/x86/mm/init.c and     drivers/char/mem.c.(CVE-2017-7889)

  - A flaw was discovered in the way the kernel allows     stackable filesystems to overlay. A local attacker who     is able to mount filesystems can abuse this flaw to     escalate privileges.(CVE-2014-9922)

  - sound/core/timer.c in the Linux kernel before 4.4.1     retains certain linked lists after a close or stop     action, which allows local users to cause a denial of     service (system crash) via a crafted ioctl call,     related to the (1) snd_timer_close and (2)
    _snd_timer_stop functions.(CVE-2016-2548)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the way the Linux kernel's Crypto     subsystem handled automatic loading of kernel modules.
    A local user could use this flaw to load any installed     kernel module, and thus increase the attack surface of     the running kernel.(CVE-2014-9644)

  - The Btrfs implementation in the Linux kernel before     3.19 does not ensure that the visible xattr state is     consistent with a requested replacement, which allows     local users to bypass intended ACL settings and gain     privileges via standard filesystem operations (1)     during an xattr-replacement time window, related to a     race condition, or (2) after an xattr-replacement     attempt that fails because the data does not     fit.(CVE-2014-9710)

  - An integer overflow flaw was found in the way the Linux     kernel's netfilter connection tracking implementation     loaded extensions. An attacker on a local network could     potentially send a sequence of specially crafted     packets that would initiate the loading of a large     number of extensions, causing the targeted system in     that network to crash.(CVE-2014-9715)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9728)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9729)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9730)

  - A path length checking flaw was found in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support. An     attacker able to mount a corrupted/malicious UDF file     system image could use this flaw to leak kernel memory     to user-space.(CVE-2014-9731)

  - The snd_compr_tstamp function in     sound/core/compress_offload.c in the Linux kernel     through 4.7, as used in Android before 2016-08-05 on     Nexus 5 and 7 (2013) devices, does not properly     initialize a timestamp data structure, which allows     attackers to obtain sensitive information via a crafted     application, aka Android internal bug 28770164 and     Qualcomm internal bug CR568717.(CVE-2014-9892)

  - drivers/media/media-device.c in the Linux kernel before     3.11, as used in Android before 2016-08-05 on Nexus 5     and 7 (2013) devices, does not properly initialize     certain data structures, which allows local users to     obtain sensitive information via a crafted application,     aka Android internal bug 28750150 and Qualcomm internal     bug CR570757, a different vulnerability than     CVE-2014-1739.(CVE-2014-9895)

  - The ethtool_get_wol function in net/core/ethtool.c in     the Linux kernel through 4.7, as used in Android before     2016-08-05 on Nexus 5 and 7 (2013) devices, does not     initialize a certain data structure, which allows local     users to obtain sensitive information via a crafted     application, aka Android internal bug 28803952 and     Qualcomm internal bug CR570754.(CVE-2014-9900)

  - The snd_compress_check_input function in     sound/core/compress_offload.c in the ALSA subsystem in     the Linux kernel before 3.17 does not properly check     for an integer overflow, which allows local users to     cause a denial of service (insufficient memory     allocation) or possibly have unspecified other impact     via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl     call.(CVE-2014-9904)

  - A race condition in the ip4_datagram_release_cb     function in net/ipv4/datagram.c in the Linux kernel     allows local users to gain privileges or cause a denial     of service (use-after-free) by leveraging incorrect     expectations about locking during multithreaded access     to internal data structures for IPv4 UDP     sockets.(CVE-2014-9914)

  - A flaw was discovered in the way the kernel allows     stackable filesystems to overlay. A local attacker who     is able to mount filesystems can abuse this flaw to     escalate privileges.(CVE-2014-9922)

  - The regulator_ena_gpio_free function in     drivers/regulator/core.c in the Linux kernel allows     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted     application.(CVE-2014-9940)

  - It was found that the Linux kernel KVM subsystem's     sysenter instruction emulation was not sufficient. An     unprivileged guest user could use this flaw to escalate     their privileges by tricking the hypervisor to emulate     a SYSENTER instruction in 16-bit mode, if the guest OS     did not initialize the SYSENTER model-specific     registers (MSRs). Note: Certified guest operating     systems for Red Hat Enterprise Linux with KVM do     initialize the SYSENTER MSRs and are thus not     vulnerable to this issue when running on a KVM     hypervisor.(CVE-2015-0239)

  - A flaw was found in the way the Linux kernel's XFS file     system handled replacing of remote attributes under     certain conditions. A local user with access to XFS     file system mount could potentially use this flaw to     escalate their privileges on the system.(CVE-2015-0274)

  - A flaw was found in the way the Linux kernel's ext4     file system handled the 'page size > block size'     condition when the fallocate zero range functionality     was used. A local attacker could use this flaw to crash     the system.(CVE-2015-0275)

  - It was found that the Linux kernel's keyring     implementation would leak memory when adding a key to a     keyring via the add_key() function. A local attacker     could use this flaw to exhaust all available memory on     the system.(CVE-2015-1333)

  - Race condition in the handle_to_path function in     fs/fhandle.c in the Linux kernel through 3.19.1 allows     local users to bypass intended size restrictions and     trigger read operations on additional memory locations     by changing the handle_bytes value of a file handle     during the execution of this function.(CVE-2015-1420)

  - A use-after-free flaw was found in the way the Linux     kernel's SCTP implementation handled authentication key     reference counting during INIT collisions. A remote     attacker could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2015-1421)

  - The IPv4 implementation in the Linux kernel before     3.18.8 does not properly consider the length of the     Read-Copy Update (RCU) grace period for redirecting     lookups in the absence of caching, which allows remote     attackers to cause a denial of service (memory     consumption or system crash) via a flood of     packets.(CVE-2015-1465)

  - A flaw was found in the way the nft_flush_table()     function of the Linux kernel's netfilter tables     implementation flushed rules that were referencing     deleted chains. A local user who has the CAP_NET_ADMIN     capability could use this flaw to crash the     system.(CVE-2015-1573)

  - An integer overflow flaw was found in the way the Linux     kernel randomized the stack for processes on certain     64-bit architecture systems, such as x86-64, causing     the stack entropy to be reduced by four.(CVE-2015-1593)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the kernel's implementation of the Berkeley Packet Filter (BPF). A local attacker could craft BPF code to crash the system by creating a situation in which the JIT compiler would fail to correctly optimize the JIT image on the last pass. This would lead to the CPU executing instructions that were not part of the JIT code. (CVE-2015-4700, Important)

* Two flaws were found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use these flaws to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality. (CVE-2015-5364, CVE-2015-5366, Important)

* A flaw was found in the way the Linux kernel's ext4 file system handled the 'page size > block size' condition when the fallocate zero range functionality was used. A local attacker could use this flaw to crash the system. (CVE-2015-0275, Moderate)

* It was found that the Linux kernel's keyring implementation would leak memory when adding a key to a keyring via the add_key() function.
A local attacker could use this flaw to exhaust all available memory on the system. (CVE-2015-1333, Moderate)

* A race condition flaw was found in the way the Linux kernel's SCTP implementation handled Address Configuration lists when performing Address Configuration Change (ASCONF). A local attacker could use this flaw to crash the system via a race condition triggered by setting certain ASCONF options on a socket. (CVE-2015-3212, Moderate)

* An information leak flaw was found in the way the Linux kernel's Virtual Dynamic Shared Object (vDSO) implementation performed address randomization. A local, unprivileged user could use this flaw to leak kernel memory addresses to user-space. (CVE-2014-9585, Low)

Red Hat would like to thank Daniel Borkmann for reporting CVE-2015-4700, and Canonical for reporting the CVE-2015-1333 issue.
The CVE-2015-0275 issue was discovered by Xiong Zhou of Red Hat, and the CVE-2015-3212 issue was discovered by Ji Jianwen of Red Hat Engineering.

This update also fixes several bugs. Refer to the following Knowledgebase article for further information :

https://access.redhat.com/articles/1614563

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Updated kernel-rt packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the kernel's implementation of the Berkeley Packet Filter (BPF). A local attacker could craft BPF code to crash the system by creating a situation in which the JIT compiler would fail to correctly optimize the JIT image on the last pass. This would lead to the CPU executing instructions that were not part of the JIT code. (CVE-2015-4700, Important)

* Two flaws were found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use these flaws to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality. (CVE-2015-5364, CVE-2015-5366, Important)

* A flaw was found in the way the Linux kernel's ext4 file system handled the 'page size > block size' condition when the fallocate zero range functionality was used. A local attacker could use this flaw to crash the system. (CVE-2015-0275, Moderate)

* It was found that the Linux kernel's keyring implementation would leak memory when adding a key to a keyring via the add_key() function.
A local attacker could use this flaw to exhaust all available memory on the system. (CVE-2015-1333, Moderate)

* A race condition flaw was found in the way the Linux kernel's SCTP implementation handled Address Configuration lists when performing Address Configuration Change (ASCONF). A local attacker could use this flaw to crash the system via a race condition triggered by setting certain ASCONF options on a socket. (CVE-2015-3212, Moderate)

* An information leak flaw was found in the way the Linux kernel's Virtual Dynamic Shared Object (vDSO) implementation performed address randomization. A local, unprivileged user could use this flaw to leak kernel memory addresses to user-space. (CVE-2014-9585, Low)

Red Hat would like to thank Daniel Borkmann for reporting CVE-2015-4700, and Canonical for reporting the CVE-2015-1333 issue.
The CVE-2015-0275 issue was discovered by Xiong Zhou of Red Hat, and the CVE-2015-3212 issue was discovered by Ji Jianwen of Red Hat Engineering.

The kernel-rt packages have been upgraded to version 3.10.0-229.13.1, which provides a number of bug fixes and enhancements over the previous version, including :

* Fix regression in scsi_send_eh_cmnd()

* boot hangs at 'Console: switching to colour dummy device 80x25'

* Update tcp stack to 3.17 kernel

* Missing some code from patch '(...) Fix VGA switcheroo problem related to hotplug'

* ksoftirqd high CPU usage due to stray tasklet from ioatdma driver

* During Live Partition Mobility (LPM) testing, RHEL 7.1 LPARs will crash in kmem_cache_alloc

(BZ#1253809)

This update also fixes the following bug :

* The hwlat_detector.ko module samples the clock and records any intervals between reads that exceed a specified threshold. However, the module previously tracked the maximum interval seen for the 'inner' interval but did not record when the 'outer' interval was greater. A patch has been applied to fix this bug, and hwlat_detector.ko now correctly records if the outer interval is the maximal interval encountered during the run. (BZ#1252365)

All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.

Updated kernel-rt packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

* Two flaws were found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use these flaws to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality. (CVE-2015-5364, CVE-2015-5366, Important)

* A flaw was found in the way the Linux kernel's ext4 file system handled the 'page size > block size' condition when the fallocate zero range functionality was used. A local attacker could use this flaw to crash the system. (CVE-2015-0275, Moderate)

* It was found that the Linux kernel's keyring implementation would leak memory when adding a key to a keyring via the add_key() function.
A local attacker could use this flaw to exhaust all available memory on the system. (CVE-2015-1333, Moderate)

* A race condition flaw was found in the way the Linux kernel's SCTP implementation handled Address Configuration lists when performing Address Configuration Change (ASCONF). A local attacker could use this flaw to crash the system via a race condition triggered by setting certain ASCONF options on a socket. (CVE-2015-3212, Moderate)

* An information leak flaw was found in the way the Linux kernel's Virtual Dynamic Shared Object (vDSO) implementation performed address randomization. A local, unprivileged user could use this flaw to leak kernel memory addresses to user-space. (CVE-2014-9585, Low)

Red Hat would like to thank Canonical for reporting the CVE-2015-1333 issue. The CVE-2015-0275 issue was discovered by Xiong Zhou of Red Hat, and the CVE-2015-3212 issue was discovered by Ji Jianwen of Red Hat Engineering.

This update provides a build of the kernel-rt package for Red Hat Enterprise MRG 2.5 that is layered on Red Hat Enterprise Linux 6, and fixes the following issues :

* Fix regression in scsi_send_eh_cmnd()

* boot hangs at 'Console: switching to colour dummy device 80x25'

* Update tcp stack to 3.17 kernel

* ksoftirqd high CPU usage due to stray tasklet from ioatdma driver

(BZ#1245345)

This update also fixes the following bugs :

* The configuration option CONFIG_RTC_HCTOSYS was disabled on the realtime kernel causing the RTC clock to be adjusted with the UTC time even if the system is configured to set the RTC to the local time. By enabling the CONFIG_RTC_HCTOSYS configuration option, when the system is configured to use local time, RTC will correctly update with the local time and not try to use another timezone. (BZ#1248047)

* In the realtime kernel, if a rt_mutex was taken while in interrupt context the normal priority inheritance protocol would falsely identify a deadlock and trigger a kernel crash. The patch that added the rt_mutex in this interrupt context was reverted. (BZ#1250649)

All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.

* A flaw was found in the kernel's implementation of the Berkeley Packet Filter (BPF). A local attacker could craft BPF code to crash the system by creating a situation in which the JIT compiler would fail to correctly optimize the JIT image on the last pass. This would lead to the CPU executing instructions that were not part of the JIT code. (CVE-2015-4700, Important)

* Two flaws were found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use these flaws to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality. (CVE-2015-5364, CVE-2015-5366, Important)

* A flaw was found in the way the Linux kernel's ext4 file system handled the 'page size > block size' condition when the fallocate zero range functionality was used. A local attacker could use this flaw to crash the system. (CVE-2015-0275, Moderate)

* It was found that the Linux kernel's keyring implementation would leak memory when adding a key to a keyring via the add_key() function.
A local attacker could use this flaw to exhaust all available memory on the system. (CVE-2015-1333, Moderate)

* A race condition flaw was found in the way the Linux kernel's SCTP implementation handled Address Configuration lists when performing Address Configuration Change (ASCONF). A local attacker could use this flaw to crash the system via a race condition triggered by setting certain ASCONF options on a socket. (CVE-2015-3212, Moderate)

* An information leak flaw was found in the way the Linux kernel's Virtual Dynamic Shared Object (vDSO) implementation performed address randomization. A local, unprivileged user could use this flaw to leak kernel memory addresses to user-space. (CVE-2014-9585, Low)

This update also fixes several bugs.

The system must be rebooted for this update to take effect.

From Red Hat Security Advisory 2015:1778 :

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the kernel's implementation of the Berkeley Packet Filter (BPF). A local attacker could craft BPF code to crash the system by creating a situation in which the JIT compiler would fail to correctly optimize the JIT image on the last pass. This would lead to the CPU executing instructions that were not part of the JIT code. (CVE-2015-4700, Important)

* Two flaws were found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use these flaws to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality. (CVE-2015-5364, CVE-2015-5366, Important)

* A flaw was found in the way the Linux kernel's ext4 file system handled the 'page size > block size' condition when the fallocate zero range functionality was used. A local attacker could use this flaw to crash the system. (CVE-2015-0275, Moderate)

* It was found that the Linux kernel's keyring implementation would leak memory when adding a key to a keyring via the add_key() function.
A local attacker could use this flaw to exhaust all available memory on the system. (CVE-2015-1333, Moderate)

* A race condition flaw was found in the way the Linux kernel's SCTP implementation handled Address Configuration lists when performing Address Configuration Change (ASCONF). A local attacker could use this flaw to crash the system via a race condition triggered by setting certain ASCONF options on a socket. (CVE-2015-3212, Moderate)

* An information leak flaw was found in the way the Linux kernel's Virtual Dynamic Shared Object (vDSO) implementation performed address randomization. A local, unprivileged user could use this flaw to leak kernel memory addresses to user-space. (CVE-2014-9585, Low)

Red Hat would like to thank Daniel Borkmann for reporting CVE-2015-4700, and Canonical for reporting the CVE-2015-1333 issue.
The CVE-2015-0275 issue was discovered by Xiong Zhou of Red Hat, and the CVE-2015-3212 issue was discovered by Ji Jianwen of Red Hat Engineering.

This update also fixes several bugs. Refer to the following Knowledgebase article for further information :

https://access.redhat.com/articles/1614563

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Xiong Zhou discovered a bug in the way the EXT4 filesystem handles fallocate zero range functionality when the page size is greater than the block size. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2015-0275)

Wen Xu discovered a use-after-free flaw in the Linux kernel's ipv4 ping support. A local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges on the system. (CVE-2015-3636)

A memory corruption flaw was discovered in the Linux kernel's scsi subsystem. A local attacker could potentially exploit this flaw to cause a denial of service (system crash). (CVE-2015-4036).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Xiong Zhou discovered a bug in the way the EXT4 filesystem handles fallocate zero range functionality when the page size is greater than the block size. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2015-0275)

Wen Xu discovered a use-after-free flaw in the Linux kernel's ipv4 ping support. A local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges on the system. (CVE-2015-3636).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Linux kernel was updated to fix bugs and security issues :

Following security issues were fixed: CVE-2015-2830: A flaw was found in the way the Linux kernels 32-bit emulation implementation handled forking or closing of a task with an int80 entry. A local user could have potentially used this flaw to escalate their privileges on the system.

CVE-2015-2042: A kernel information leak in rds sysctl files was fixed.

CVE-2014-9683: Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

CVE-2015-0275: A BUG_ON in ext4 was fixed which could be triggered by local users.

CVE-2015-2666: A buffer overflow when loading microcode files into the kernel could be used by the administrator to execute code in the kernel, bypassing secure boot measures.

  - CVE-2015-1421: Use-after-free vulnerability in the     sctp_assoc_update function in net/sctp/associola.c in     the Linux kernel allowed remote attackers to cause a     denial of service (slab corruption and panic) or     possibly have unspecified other impact by triggering an     INIT collision that leads to improper handling of     shared-key data.

  - CVE-2015-2150: XSA-120: Guests were permitted to modify     all bits of the PCI command register of passed through     cards, which could lead to Host system crashes.

  - CVE-2015-0777: The XEN usb backend could leak     information to the guest system due to copying     uninitialized memory.

  - CVE-2015-1593: A integer overflow reduced the     effectiveness of the stack randomization on 64-bit     systems.

  - CVE-2014-9419: The __switch_to function in     arch/x86/kernel/process_64.c in the Linux kernel did not     ensure that Thread Local Storage (TLS) descriptors are     loaded before proceeding with other steps, which made it     easier for local users to bypass the ASLR protection     mechanism via a crafted application that reads a TLS     base address.

  - CVE-2014-9428: The batadv_frag_merge_packets function in     net/batman-adv/fragmentation.c in the B.A.T.M.A.N.
    implementation in the Linux kernel used an incorrect     length field during a calculation of an amount of     memory, which allowed remote attackers to cause a denial     of service (mesh-node system crash) via fragmented     packets.

  - CVE-2014-8160:
    net/netfilter/nf_conntrack_proto_generic.c in the Linux     kernel generated incorrect conntrack entries during     handling of certain iptables rule sets for the SCTP,     DCCP, GRE, and UDP-Lite protocols, which allowed remote     attackers to bypass intended access restrictions via     packets with disallowed port numbers.

  - CVE-2014-9529: Race condition in the key_gc_unused_keys     function in security/keys/gc.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption or panic) or possibly have unspecified other     impact via keyctl commands that trigger access to a key     structure member during garbage collection of a key.

  - CVE-2014-9420: The rock_continue function in     fs/isofs/rock.c in the Linux kernel did not restrict the     number of Rock Ridge continuation entries, which allowed     local users to cause a denial of service (infinite loop,     and system crash or hang) via a crafted iso9660 image.

  - CVE-2014-9584: The parse_rock_ridge_inode_internal     function in fs/isofs/rock.c in the Linux kernel did not     validate a length value in the Extensions Reference (ER)     System Use Field, which allowed local users to obtain     sensitive information from kernel memory via a crafted     iso9660 image.

  - CVE-2014-9585: The vdso_addr function in     arch/x86/vdso/vma.c in the Linux kernel did not properly     choose memory locations for the vDSO area, which made it     easier for local users to bypass the ASLR protection     mechanism by guessing a location at the end of a PMD.

  - CVE-2014-8559: The d_walk function in fs/dcache.c in the     Linux kernel through did not properly maintain the     semantics of rename_lock, which allowed local users to     cause a denial of service (deadlock and system hang) via     a crafted application.

  - CVE-2014-8134: The paravirt_ops_setup function in     arch/x86/kernel/kvm.c in the Linux kernel used an     improper paravirt_enabled setting for KVM guest kernels,     which made it easier for guest OS users to bypass the     ASLR protection mechanism via a crafted application that     reads a 16-bit value.

Following bugs were fixed :

  - powerpc/pci: Fix IO space breakage after     of_pci_range_to_resource() change (bnc#922542).

  - cifs: fix use-after-free bug in find_writable_file     (bnc#909477).

  - usb: Do not allow usb_alloc_streams on unconfigured     devices (bsc#920581).

  - fuse: honour max_read and max_write in direct_io mode     (bnc#918954).

  - switch iov_iter_get_pages() to passing maximal number of     pages (bnc#918954).

  - bcache: fix a livelock in btree lock v2 (bnc#910440)     (bnc#910440). Updated because another version went     upstream

  - drm/i915: Initialise userptr mmu_notifier serial to 1     (bnc#918970).

  - NFS: Don't try to reclaim delegation open state if     recovery failed (boo#909634).

  - NFSv4: Ensure that we call FREE_STATEID when NFSv4.x     stateids are revoked (boo#909634).

  - NFSv4: Fix races between nfs_remove_bad_delegation() and     delegation return (boo#909634).

  - NFSv4: Ensure that we remove NFSv4.0 delegations when     state has expired (boo#909634).

  - Fixing lease renewal (boo#909634).

  - bcache: Fix a bug when detaching (bsc#908582).

  - fix a leak in bch_cached_dev_run() (bnc#910440).

  - bcache: unregister reboot notifier when bcache fails to     register a block device (bnc#910440).

  - bcache: fix a livelock in btree lock (bnc#910440).

  - bcache: [BUG] clear BCACHE_DEV_UNLINK_DONE flag when     attaching a backing device (bnc#910440).

  - bcache: Add a cond_resched() call to gc (bnc#910440).

  - storvsc: ring buffer failures may result in I/O freeze     (bnc#914175).

  - ALSA: seq-dummy: remove deadlock-causing events on close     (boo#916608).

  - ALSA: pcm: Zero-clear reserved fields of PCM status     ioctl in compat mode (boo#916608).

  - ALSA: bebob: Uninitialized id returned by     saffirepro_both_clk_src_get (boo#916608).

  - ALSA: hda - Fix built-in mic on Compaq Presario CQ60     (bnc#920604).

  - ALSA: hda - Fix regression of HD-audio controller     fallback modes (bsc#921313).

  - [media] sound: Update au0828 quirks table (boo#916608).

  - [media] sound: simplify au0828 quirk table (boo#916608).

  - ALSA: usb-audio: Add mic volume fix quirk for Logitech     Webcam C210 (boo#916608).

  - ALSA: usb-audio: extend KEF X300A FU 10 tweak to Arcam     rPAC (boo#916608).

  - ALSA: usb-audio: Add ctrl message delay quirk for     Marantz/Denon devices (boo#916608).

  - ALSA: usb-audio: Fix memory leak in FTU quirk     (boo#916608).

  - ALSA: usb-audio: Fix device_del() sysfs warnings at     disconnect (boo#916608).

  - ALSA: hda - Add new GPU codec ID 0x10de0072 to snd-hda     (boo#916608).

  - ALSA: hda - Fix wrong gpio_dir & gpio_mask hint setups     for IDT/STAC codecs (boo#916608).

  - ALSA: hda/realtek - New codec support for ALC298     (boo#916608).

  - ALSA: hda/realtek - New codec support for ALC256     (boo#916608).

  - ALSA: hda/realtek - Add new Dell desktop for ALC3234     headset mode (boo#916608).

  - ALSA: hda - Add EAPD fixup for ASUS Z99He laptop     (boo#916608).

  - ALSA: hda - Fix built-in mic at resume on Lenovo Ideapad     S210 (boo#916608).

  - ALSA: hda/realtek - Add headset Mic support for new Dell     machine (boo#916608).

  - ALSA: hda_intel: Add DeviceIDs for Sunrise Point-LP     (boo#916608).

  - ALSA: hda_intel: Add Device IDs for Intel Sunrise Point     PCH (boo#916608).

  - ALSA: hda - add codec ID for Braswell display audio     codec (boo#916608).

  - ALSA: hda - add PCI IDs for Intel Braswell (boo#916608).

  - ALSA: hda - Add dock support for Thinkpad T440     (17aa:2212) (boo#916608).

  - ALSA: hda - Set up GPIO for Toshiba Satellite S50D     (bnc#915858).

  - rpm/kernel-binary.spec.in: Fix build if there is no
    *.crt file

  - mm, vmscan: prevent kswapd livelock due to     pfmemalloc-throttled process being killed (VM     Functionality bnc#910150).

  - Input: evdev - fix EVIOCG{type} ioctl (bnc#904899).

  - mnt: Implicitly add MNT_NODEV on remount when it was     implicitly added by mount (bsc#907988).

  - Btrfs: fix scrub race leading to use-after-free     (bnc#915456).

  - Btrfs: fix setup_leaf_for_split() to avoid leaf     corruption (bnc#915454).

  - Btrfs: fix fsync log replay for inodes with a mix of     regular refs and extrefs (bnc#915425).

  - Btrfs: fix fsync when extend references are added to an     inode (bnc#915425).

  - Btrfs: fix directory inconsistency after fsync log     replay (bnc#915425).

  - Btrfs: make xattr replace operations atomic     (bnc#913466).

  - Btrfs: fix directory recovery from fsync log     (bnc#895797).

  - Btrfs: simplify insert_orphan_item (boo#926385).

  - Btrfs: set proper message level for skinny metadata.

  - Btrfs: make sure we wait on logged extents when fsycning     two subvols.

  - Btrfs: fix lost return value due to variable shadowing.

  - Btrfs: fix leak of path in btrfs_find_item.

  - Btrfs: fix fsync data loss after adding hard link to     inode.

  - Btrfs: fix fs corruption on transaction abort if device     supports discard.

  - Btrfs: fix data loss in the fast fsync path.

  - Btrfs: don't delay inode ref updates during log replay.

  - Btrfs: do not move em to modified list when unpinning.

  - Btrfs:__add_inode_ref: out of bounds memory read when     looking for extended ref.

  - Btrfs: fix inode eviction infinite loop after cloning     into it (boo#905088).

  - bcache: add mutex lock for bch_is_open (bnc#908612).

  - bcache: Correct printing of btree_gc_max_duration_ms     (bnc#908610).

  - bcache: fix crash with incomplete cache set     (bnc#908608).

  - bcache: fix memory corruption in init error path     (bnc#908606).

  - bcache: Fix more early shutdown bugs (bnc#908605).

  - bcache: fix use-after-free in btree_gc_coalesce()     (bnc#908604).

  - bcache: Fix an infinite loop in journal replay     (bnc#908603).

  - bcache: fix typo in bch_bkey_equal_header (bnc#908598).

  - bcache: Make sure to pass GFP_WAIT to mempool_alloc()     (bnc#908596).

  - bcache: fix crash on shutdown in passthrough mode     (bnc#908594).

  - bcache: fix lockdep warnings on shutdown (bnc#908593).

  - bcache allocator: send discards with correct size     (bnc#908592).

  - bcache: Fix to remove the rcu_sched stalls (bnc#908589).

  - bcache: Fix a journal replay bug (bnc#908588).

  - Update x86_64 config files: CONFIG_SENSORS_NCT6683=m The     nct6683 driver is already enabled on i386 and history     suggests that it not being enabled on x86_64 is by     mistake.

  - rpm/kernel-binary.spec.in: Own the modules directory in     the devel package (bnc#910322)

  - Revert 'iwlwifi: mvm: treat EAPOLs like mgmt frames wrt     rate' (bnc#900811).

  - mm: free compound page with correct order (bnc#913695).

  - drm/i915: More cautious with pch fifo underruns     (boo#907039).

  - Refresh patches.arch/arm64-0039-generic-pci.patch (fix     PCI bridge support)

  - x86/microcode/intel: Fish out the stashed microcode for     the BSP (bsc#903589).

  - x86, microcode: Reload microcode on resume (bsc#903589).

  - x86, microcode: Don't initialize microcode code on     paravirt (bsc#903589).

  - x86, microcode, intel: Drop unused parameter     (bsc#903589).

  - x86, microcode, AMD: Do not use smp_processor_id() in     preemtible context (bsc#903589).

  - x86, microcode: Update BSPs microcode on resume     (bsc#903589).

  - x86, microcode, AMD: Fix ucode patch stashing on 32-bit     (bsc#903589).

  - x86, microcode: Fix accessing dis_ucode_ldr on 32-bit     (bsc#903589).

  - x86, microcode, AMD: Fix early ucode loading on 32-bit     (bsc#903589).

  - Bluetooth: Add support for Broadcom BCM20702A0 variants     firmware download (bnc#911311).

  - drm/radeon: fix sad_count check for dce3 (bnc#911356).

  - drm/i915: Don't call intel_prepare_page_flip() multiple     times on gen2-4 (bnc#911835).

  - udf: Check component length before reading it.

  - udf: Check path length when reading symlink.

  - udf: Verify symlink size before loading it.

  - udf: Verify i_size when loading inode.

  - arm64: Enable DRM

  - arm64: Enable generic PHB driver (bnc#912061).

  - ACPI / video: Add some Samsung models to     disable_native_backlight list (boo#905681).

  - asus-nb-wmi: Add another wapf=4 quirk (boo#911438).

  - asus-nb-wmi: Add wapf4 quirk for the X550VB     (boo#911438).

  - asus-nb-wmi: Add wapf4 quirk for the U32U (boo#911438).

  - asus-nb-wmi: Add wapf4 quirk for the X550CC     (boo#911438).

  - asus-nb-wmi: Constify asus_quirks DMI table     (boo#911438).

  - asus-nb-wmi: Add wapf4 quirk for the X550CL     (boo#911438).

  - asus-nb-wmi.c: Rename x401u quirk to wapf4 (boo#911438).

  - asus-nb-wmi: Add ASUSTeK COMPUTER INC. X200CA     (boo#911438).

  - WAPF 4 for ASUSTeK COMPUTER INC. X75VBP WLAN ON     (boo#911438).

  - Input: synaptics - gate forcepad support by DMI check     (bnc#911578).

  - ext4: introduce aging to extent status tree     (bnc#893428).

  - ext4: cleanup flag definitions for extent status tree     (bnc#893428).

  - ext4: limit number of scanned extents in status tree     shrinker (bnc#893428).

  - ext4: move handling of list of shrinkable inodes into     extent status code (bnc#893428).

  - ext4: change LRU to round-robin in extent status tree     shrinker (bnc#893428).

  - ext4: cache extent hole in extent status tree for     ext4_da_map_blocks() (bnc#893428).

  - ext4: fix block reservation for bigalloc filesystems     (bnc#893428).

  - ext4: track extent status tree shrinker delay statictics     (bnc#893428).

  - ext4: improve extents status tree trace point     (bnc#893428).

  - rpm/kernel-binary.spec.in: Provide name-version-release     for kgraft packages (bnc#901925)

  - rpm/kernel-binary.spec.in: Fix including the secure boot     cert in /etc/uefi/certs

  - doc/README.SUSE: update Solid Driver team contacts

  - rpm/kernel-binary.spec.in: Do not sign firmware files     (bnc#867199)

  - Port module signing changes from SLE11-SP3 (fate#314508)

  - doc/README.PATCH-POLICY.SUSE: add patch policy / best     practices document after installation.

  - Update config files. (boo#925479) Do not set     CONFIG_SYSTEM_TRUSTED_KEYRING until we need it in future     openSUSE version: e.g. MODULE_SIG, IMA, PKCS7(new),     KEXEC_BZIMAGE_VERIFY_SIG(new)

  - Input: xpad - use proper endpoint type (bnc#926397).

  - md: don't require sync_min to be a multiple of     chunk_size (bnc#910500).

The 3.18.9 stable update contains a number of important fixes across the tree. Update to the latest stable upstream release, Linux v3.18.8.
Numerous fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to latest upstream stable release, Linux v3.18.8. Numerous bugfixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124977	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1524)	Nessus	Huawei Local Security Checks	high
124809	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1485)	Nessus	Huawei Local Security Checks	critical
86702	RHEL 7 : kernel (RHSA-2015:1778)	Nessus	Red Hat Local Security Checks	high
86511	CentOS 7 : kernel (CESA-2015:1778)	Nessus	CentOS Local Security Checks	high
85980	RHEL 7 : kernel-rt (RHSA-2015:1788)	Nessus	Red Hat Local Security Checks	high
85979	RHEL 6 : kernel-rt (RHSA-2015:1787)	Nessus	Red Hat Local Security Checks	high
85960	Scientific Linux Security Update : kernel on SL7.x x86_64	Nessus	Scientific Linux Local Security Checks	high
85958	Oracle Linux 7 : kernel (ELSA-2015-1778)	Nessus	Oracle Linux Local Security Checks	high
84125	Ubuntu 15.04 : linux vulnerabilities (USN-2638-1)	Nessus	Ubuntu Local Security Checks	high
84124	Ubuntu 14.10 : linux vulnerabilities (USN-2637-1)	Nessus	Ubuntu Local Security Checks	medium
84123	Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-2636-1)	Nessus	Ubuntu Local Security Checks	high
84122	Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-2635-1)	Nessus	Ubuntu Local Security Checks	medium
82756	openSUSE Security Update : Linux Kernel (openSUSE-2015-302)	Nessus	SuSE Local Security Checks	critical
81863	Fedora 20 : kernel-3.18.9-100.fc20 (2015-3594)	Nessus	Fedora Local Security Checks	critical
81717	Fedora 21 : kernel-3.18.8-201.fc21 (2015-3011)	Nessus	Fedora Local Security Checks	critical

CVE-2015-0275

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins