http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=06c8173eb92bbfc03a0fe8bb64315857d0badd06

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.19.2

[oss-security] 20150321 Re: CVE Request: Linux kernel unprivileged denial-of-service due to mis-protected xsave/xrstor instructions.

https://bugzilla.redhat.com/show_bug.cgi?id=1204729

https://github.com/torvalds/linux/commit/06c8173eb92bbfc03a0fe8bb64315857d0badd06

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - An integer overflow flaw was found in the way the Linux     kernel's netfilter connection tracking implementation     loaded extensions. An attacker on a local network could     potentially send a sequence of specially crafted     packets that would initiate the loading of a large     number of extensions, causing the targeted system in     that network to crash.(CVE-2014-9715i1/4%0

  - A flaw was found in the Linux kernel which could cause     a kernel panic when restoring machine specific     registers on the PowerPC platform. Incorrect     transactional memory state registers could     inadvertently change the call path on return from     userspace and cause the kernel to enter an unknown     state and crash.(CVE-2015-8844i1/4%0

  - A timing flaw was found in the Chrome EC driver in the     Linux kernel. An attacker could abuse timing to skip     validation checks to copy additional data from     userspace possibly increasing privilege or crashing the     system.(CVE-2016-6156i1/4%0

  - A race condition flaw was found in the way the Linux     kernel's IPC subsystem initialized certain fields in an     IPC object structure that were later used for     permission checking before inserting the object into a     globally visible list. A local, unprivileged user could     potentially use this flaw to elevate their privileges     on the system.(CVE-2015-7613i1/4%0

  - A path length checking flaw was found in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support. An     attacker able to mount a corrupted/malicious UDF file     system image could use this flaw to leak kernel memory     to user-space.(CVE-2014-9731i1/4%0

  - A race condition leading to a NULL pointer dereference     was found in the Linux kernel's Link Layer Control     implementation. A local attacker with access to ping     sockets could use this flaw to crash the     system.(CVE-2017-2671i1/4%0

  - The f2fs implementation in the Linux kernel, before     4.14, mishandles reference counts associated with     f2fs_wait_discard_bios calls. This allows local users     to cause a denial of service (BUG), as demonstrated by     fstrim.(CVE-2017-18200i1/4%0

  - The LIST_POISON feature in include/linux/poison.h in     the Linux kernel before 4.3, as used in Android 6.0.1     before 2016-03-01, does not properly consider the     relationship to the mmap_min_addr value, which makes it     easier for attackers to bypass a poison-pointer     protection mechanism by triggering the use of an     uninitialized list entry, aka Android internal bug     26186802, a different vulnerability than     CVE-2015-3636.(CVE-2016-0821i1/4%0

  - The xsave/xrstor implementation in     arch/x86/include/asm/xsave.h in the Linux kernel before     3.19.2 creates certain .altinstr_replacement pointers     and consequently does not provide any protection     against instruction faulting, which allows local users     to cause a denial of service (panic) by triggering a     fault, as demonstrated by an unaligned memory operand     or a non-canonical address memory     operand.(CVE-2015-2672i1/4%0

  - The n_tty_write function in drivers/tty/n_tty.c in the     Linux kernel through 3.14.3 does not properly manage     tty driver access in the 'LECHO i1/4+ !OPOST' case, which     allows local users to cause a denial of service (memory     corruption and system crash) or gain privileges by     triggering a race condition involving read and write     operations with long strings.(CVE-2014-0196i1/4%0

  - In the Linux kernel through 4.14.13,     drivers/block/loop.c mishandles lo_release     serialization, which allows attackers to cause a denial     of service (__lock_acquire use-after-free) or possibly     have unspecified other impact.(CVE-2018-5344i1/4%0

  - The lbs_debugfs_write function in     drivers/net/wireless/libertas/debugfs.c in the Linux     kernel through 3.12.1 allows local users to cause a     denial of service (OOPS) by leveraging root privileges     for a zero-length write operation.(CVE-2013-6378i1/4%0

  - A NULL-pointer dereference vulnerability was discovered     in the Linux kernel. The kernel's Reliable Datagram     Sockets (RDS) protocol implementation did not verify     that an underlying transport existed before creating a     connection to a remote server. A local system user     could exploit this flaw to crash the system by creating     sockets at specific times to trigger a NULL pointer     dereference.(CVE-2015-6937i1/4%0

  - A stack buffer overflow flaw was found in the way the     Bluetooth subsystem of the Linux kernel processed     pending L2CAP configuration responses from a client. On     systems with the stack protection feature enabled in     the kernel (CONFIG_CC_STACKPROTECTOR=y, which is     enabled on all architectures other than s390x and     ppc64le), an unauthenticated attacker able to initiate     a connection to a system via Bluetooth could use this     flaw to crash the system. Due to the nature of the     stack protection feature, code execution cannot be     fully ruled out, although we believe it is unlikely. On     systems without the stack protection feature (ppc64le     the Bluetooth modules are not built on s390x), an     unauthenticated attacker able to initiate a connection     to a system via Bluetooth could use this flaw to     remotely execute arbitrary code on the system with ring     0 (kernel) privileges.(CVE-2017-1000251i1/4%0

  - Integer signedness error in the MSM QDSP6 audio driver     for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allows attackers to gain     privileges or cause a denial of service (memory     corruption) via a crafted application that makes an     ioctl call.(CVE-2016-2066i1/4%0

  - The bcm_char_ioctl function in     drivers/staging/bcm/Bcmchar.c in the Linux kernel     before 3.12 does not initialize a certain data     structure, which allows local users to obtain sensitive     information from kernel memory via an     IOCTL_BCM_GET_DEVICE_DRIVER_INFO ioctl     call.(CVE-2013-4515i1/4%0

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled malformed Address Configuration Change Chunks     (ASCONF). A remote attacker could use either of these     flaws to crash the system.(CVE-2014-3673i1/4%0

  - It was found that paravirt_patch_call/jump() functions     in the arch/x86/kernel/paravirt.c in the Linux kernel     mishandles certain indirect calls, which makes it     easier for attackers to conduct Spectre-v2 attacks     against paravirtualized guests.(CVE-2018-15594i1/4%0

  - It was found that the Linux kernel's KVM implementation     did not ensure that the host CR4 control register value     remained unchanged across VM entries on the same     virtual CPU. A local, unprivileged user could use this     flaw to cause a denial of service on the     system.(CVE-2014-3690i1/4%0

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bound write in     jbd2_journal_dirty_metadata(), a denial of service, and     a system crash by mounting and operating on a crafted     ext4 filesystem image.(CVE-2018-10883i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was found that the Linux kernel's implementation of     vectored pipe read and write functionality did not take     into account the I/O vectors that were already     processed when retrying after a failed atomic access     operation, potentially resulting in memory corruption     due to an I/O vector array overrun. A local,     unprivileged user could use this flaw to crash the     system or, potentially, escalate their privileges on     the system.(CVE-2015-1805)

  - net/llc/sysctl_net_llc.c in the Linux kernel before     3.19 uses an incorrect data type in a sysctl table,     which allows local users to obtain potentially     sensitive information from kernel memory or possibly     have unspecified other impact by accessing a sysctl     entry.(CVE-2015-2041)

  - net/rds/sysctl.c in the Linux kernel before 3.19 uses     an incorrect data type in a sysctl table, which allows     local users to obtain potentially sensitive information     from kernel memory or possibly have unspecified other     impact by accessing a sysctl entry.(CVE-2015-2042)

  - Xen 3.3.x through 4.5.x and the Linux kernel through     3.19.1 do not properly restrict access to PCI command     registers, which might allow local guest OS users to     cause a denial of service (non-maskable interrupt and     host crash) by disabling the (1) memory or (2) I/O     decoding for a PCI Express device and then accessing     the device, which triggers an Unsupported Request (UR)     response.(CVE-2015-2150)

  - A stack-based buffer overflow flaw was found in the     Linux kernel's early load microcode functionality. On a     system with UEFI Secure Boot enabled, a local,     privileged user could use this flaw to increase their     privileges to the kernel (ring0) level, bypassing     intended restrictions in place.(CVE-2015-2666)

  - The xsave/xrstor implementation in     arch/x86/include/asm/xsave.h in the Linux kernel before     3.19.2 creates certain .altinstr_replacement pointers     and consequently does not provide any protection     against instruction faulting, which allows local users     to cause a denial of service (panic) by triggering a     fault, as demonstrated by an unaligned memory operand     or a non-canonical address memory     operand.(CVE-2015-2672)

  - A flaw was found in the way the Linux kernel's 32-bit     emulation implementation handled forking or closing of     a task with an 'int80' entry. A local user could     potentially use this flaw to escalate their privileges     on the system.(CVE-2015-2830)

  - It was found that the Linux kernel's TCP/IP protocol     suite implementation for IPv6 allowed the Hop Limit     value to be set to a smaller value than the default     one. An attacker on a local network could use this flaw     to prevent systems on that network from sending or     receiving network packets.(CVE-2015-2922)

  - A flaw was found in the way the Linux kernel's file     system implementation handled rename operations in     which the source was inside and the destination was     outside of a bind mount. A privileged user inside a     container could use this flaw to escape the bind mount     and, potentially, escalate their privileges on the     system.(CVE-2015-2925)

  - A race condition flaw was found in the way the Linux     kernel's SCTP implementation handled Address     Configuration lists when performing Address     Configuration Change (ASCONF). A local attacker could     use this flaw to crash the system via a race condition     triggered by setting certain ASCONF options on a     socket.(CVE-2015-3212)

  - mm/memory.c in the Linux kernel before 4.1.4 mishandles     anonymous pages, which allows local users to gain     privileges or cause a denial of service (page tainting)     via a crafted application that triggers writing to page     zero.(CVE-2015-3288)

  - A flaw was found in the way the Linux kernel's nested     NMI handler and espfix64 functionalities interacted     during NMI processing. A local, unprivileged user could     use this flaw to crash the system or, potentially,     escalate their privileges on the system.(CVE-2015-3290)

  - It was found that if a Non-Maskable Interrupt (NMI)     occurred immediately after a SYSCALL call or before a     SYSRET call with the user RSP pointing to the NMI IST     stack, the kernel could skip that NMI.(CVE-2015-3291)

  - A buffer overflow flaw was found in the way the Linux     kernel's Intel AES-NI instructions optimized version of     the RFC4106 GCM mode decryption functionality handled     fragmented packets. A remote attacker could use this     flaw to crash, or potentially escalate their privileges     on, a system over a connection with an active AES-GCM     mode IPSec security association.(CVE-2015-3331)

  - A race condition flaw was found between the chown and     execve system calls. When changing the owner of a     setuid user binary to root, the race condition could     momentarily make the binary setuid root. A local,     unprivileged user could potentially use this flaw to     escalate their privileges on the system.(CVE-2015-3339)

  - It was found that the Linux kernel's ping socket     implementation did not properly handle socket unhashing     during spurious disconnects, which could lead to a     use-after-free flaw. On x86-64 architecture systems, a     local user able to create ping sockets could use this     flaw to crash the system. On non-x86-64 architecture     systems, a local user able to create ping sockets could     use this flaw to escalate their privileges on the     system.(CVE-2015-3636)

  - An inode data validation error was found in Linux     kernels built with UDF file system (CONFIG_UDF_FS)     support. An attacker able to mount a     corrupted/malicious UDF file system image could cause     the kernel to crash.(CVE-2015-4167)

  - A flaw was discovered in the way the Linux kernel's TTY     subsystem handled the tty shutdown phase. A local,     unprivileged user could use this flaw to cause denial     of service on the system by holding a reference to the     ldisc lock during tty shutdown, causing a     deadlock.(CVE-2015-4170)

  - A flaw was discovered in the kernel's collect_mounts     function. If the kernel's audit subsystem called     collect_mounts to audit an unmounted path, it could     panic the system. With this flaw, an unprivileged user     could call umount(MNT_DETACH) to launch a     denial-of-service attack.(CVE-2015-4177)

  - A DoS flaw was found for a Linux kernel built for the     x86 architecture which had the KVM virtualization     support(CONFIG_KVM) enabled. The kernel would be     vulnerable to a NULL pointer dereference flaw in Linux     kernel's kvm_apic_has_events() function while doing an     ioctl. An unprivileged user able to access the     '/dev/kvm' device could use this flaw to crash the     system kernel.(CVE-2015-4692)

  - A flaw was found in the kernel's implementation of the     Berkeley Packet Filter (BPF). A local attacker could     craft BPF code to crash the system by creating a     situation in which the JIT compiler would fail to     correctly optimize the JIT image on the last pass. This     would lead to the CPU executing instructions that were     not part of the JIT code.(CVE-2015-4700)

  - A buffer overflow flaw was found in the way the Linux     kernel's virtio-net subsystem handled certain fraglists     when the GRO (Generic Receive Offload) functionality     was enabled in a bridged network configuration. An     attacker on the local network could potentially use     this flaw to crash the system, or, although unlikely,     elevate their privileges on the system.(CVE-2015-5156)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 3.19.3 rebase contains improved hardware support, a number of new features, and many important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124986	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1533)	Nessus	Huawei Local Security Checks	high
124811	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1487)	Nessus	Huawei Local Security Checks	high
82630	Fedora 20 : kernel-3.19.3-100.fc20 (2015-5024)	Nessus	Fedora Local Security Checks	medium

CVE-2015-2672

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins