http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce40cd3fc7fa40a6119e5fe6c0f2bc0eb4541009

FEDORA-2015-10677

FEDORA-2015-10678

SUSE-SU-2015:1324

openSUSE-SU-2015:1382

DSA-3329

[oss-security] 20150620 Re: CVE request -- Linux kernel - kvm: x86: NULL pointer dereference in kvm_apic_has_events function

75142

1032798

USN-2680-1

USN-2681-1

USN-2682-1

USN-2683-1

USN-2684-1

https://bugzilla.redhat.com/show_bug.cgi?id=1230770

https://github.com/torvalds/linux/commit/ce40cd3fc7fa40a6119e5fe6c0f2bc0eb4541009

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The ims_pcu_get_cdc_union_desc function in     drivers/input/misc/ims-pcu.c in the Linux kernel,     through 4.13.11, allows local users to cause a denial     of service (ims_pcu_parse_cdc_data out-of-bounds read     and system crash) or possibly have unspecified other     impact via a crafted USB device.(CVE-2017-16645i1/4%0

  - It was found that due to excessive files_lock locking,     a soft lockup could be triggered in the Linux kernel     when performing asynchronous I/O operations. A local,     unprivileged user could use this flaw to crash the     system.(CVE-2014-8172i1/4%0

  - A flaw was discovered in the kernel's collect_mounts     function. If the kernel's audit subsystem called     collect_mounts to audit an unmounted path, it could     panic the system. With this flaw, an unprivileged user     could call umount(MNT_DETACH) to launch a     denial-of-service attack.(CVE-2015-4177i1/4%0

  - A flaw was found in the way the Linux kernel's floppy     driver handled user space provided data in certain     error code paths while processing FDRAWCMD IOCTL     commands. A local user with write access to /dev/fdX     could use this flaw to free (using the kfree()     function) arbitrary kernel memory. (CVE-2014-1737,     Important) was found that the Linux kernel's floppy     driver leaked internal kernel memory addresses to user     space during the processing of the FDRAWCMD IOCTL     command. A local user with write access to /dev/fdX     could use this flaw to obtain information about the     kernel heap arrangement. (CVE-2014-1738, Low)Note: A     local user with write access to /dev/fdX could use     these two flaws (CVE-2014-1737 in combination with     CVE-2014-1738) to escalate their privileges on the     system.(CVE-2014-1738i1/4%0

  - A reference counter leak in Linux kernel in     ipxitf_ioctl function was found which results in a use     after free vulnerability that's triggerable from     unprivileged userspace when IPX interface is     configured.(CVE-2017-7487i1/4%0

  - The x25_recvmsg function in net/x25/af_x25.c in the     Linux kernel before 3.12.4 updates a certain length     value without ensuring that an associated data     structure has been initialized, which allows local     users to obtain sensitive information from kernel     memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg     system call.(CVE-2013-7271i1/4%0

  - An inode data validation error was found in Linux     kernels built with UDF file system (CONFIG_UDF_FS)     support. An attacker able to mount a     corrupted/malicious UDF file system image could cause     the kernel to crash.(CVE-2015-4167i1/4%0

  - Double free vulnerability in the ioctx_alloc function     in fs/aio.c in the Linux kernel before 3.12.4 allows     local users to cause a denial of service (system crash)     or possibly have unspecified other impact via vectors     involving an error condition in the aio_setup_ring     function.(CVE-2013-7348i1/4%0

  - A flaw was found in the Linux kernel's implementation     of setsockopt for the SO_{SND|RCV}BUFFORCE setsockopt()     system call. Users with non-namespace CAP_NET_ADMIN are     able to trigger this call and create a situation in     which the sockets sendbuff data size could be negative.
    This could adversely affect memory allocations and     create situations where the system could crash or cause     memory corruption.(CVE-2016-9793i1/4%0

  - Use-after-free vulnerability in the     ffs_user_copy_worker function in     drivers/usb/gadget/function/f_fs.c in the Linux kernel     before 4.5.3 allows local users to gain privileges by     accessing an I/O data structure after a certain     callback call. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely.(CVE-2016-7912i1/4%0

  - A flaw was found in the way the get_dumpable() function     return value was interpreted in the ptrace subsystem of     the Linux kernel. When 'fs.suid_dumpable' was set to 2,     a local, unprivileged local user could use this flaw to     bypass intended ptrace restrictions and obtain     potentially sensitive information.(CVE-2013-2929i1/4%0

  - A DoS flaw was found for a Linux kernel built for the     x86 architecture which had the KVM virtualization     support(CONFIG_KVM) enabled. The kernel would be     vulnerable to a NULL pointer dereference flaw in Linux     kernel's kvm_apic_has_events() function while doing an     ioctl. An unprivileged user able to access the     '/dev/kvm' device could use this flaw to crash the     system kernel.(CVE-2015-4692i1/4%0

  - The intr function in sound/oss/msnd_pinnacle.c in the     Linux kernel through 4.11.7 allows local users to cause     a denial of service (over-boundary access) or possibly     have unspecified other impact by changing the value of     a message queue head pointer between two kernel reads     of that value, aka a 'double fetch'     vulnerability.(CVE-2017-9986i1/4%0

  - sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c in the     MSM QDSP6 audio driver for the Linux kernel 3.x, as     used in Qualcomm Innovation Center (QuIC) Android     contributions for MSM devices and other products,     allows attackers to cause a denial of service (buffer     over-read) or possibly have unspecified other impact     via a crafted application that makes an ioctl call     specifying many commands.(CVE-2016-2064i1/4%0

  - The digi_port_init function in     drivers/usb/serial/digi_acceleport.c in the Linux     kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (NULL pointer     dereference and system crash) via a crafted endpoints     value in a USB device descriptor.(CVE-2016-3140i1/4%0

  - In the Linux kernel through 4.14.13, the     rds_cmsg_atomic function in net/rds/rdma.c mishandles     cases where page pinning fails or an invalid address is     supplied, leading to an rds_atomic_free_op NULL pointer     dereference.(CVE-2018-5333i1/4%0

  - Multiple buffer underflows in the XFS implementation in     the Linux kernel through 3.12.1 allow local users to     cause a denial of service (memory corruption) or     possibly have unspecified other impact by leveraging     the CAP_SYS_ADMIN capability for a (1)     XFS_IOC_ATTRLIST_BY_HANDLE or (2)     XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted     length value, related to the xfs_attrlist_by_handle     function in fs/xfs/xfs_ioctl.c and the     xfs_compat_attrlist_by_handle function in     fs/xfs/xfs_ioctl32.c.(CVE-2013-6382i1/4%0

  - In the Linux kernel through 5.0.2, the function     inotify_update_existing_watch() in     fs/notify/inotify/inotify_user.c neglects to call     fsnotify_put_mark() with IN_MASK_CREATE after     fsnotify_find_mark(), which will cause a memory leak     (aka refcount leak). Finally, this will cause a denial     of service.(CVE-2019-9857i1/4%0

  - It was found that stacking a file system over procfs in     the Linux kernel could lead to a kernel stack overflow     due to deep nesting, as demonstrated by mounting     ecryptfs over procfs and creating a recursion by     mapping /proc/environ. An unprivileged, local user     could potentially use this flaw to escalate their     privileges on the system.(CVE-2016-1583i1/4%0

  - A heap-based buffer overflow vulnerability was found in     the Linux kernel's hiddev driver. This flaw could allow     a local attacker to corrupt kernel memory, possible     privilege escalation or crashing the     system.(CVE-2016-5829i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was found that the Linux kernel's implementation of     vectored pipe read and write functionality did not take     into account the I/O vectors that were already     processed when retrying after a failed atomic access     operation, potentially resulting in memory corruption     due to an I/O vector array overrun. A local,     unprivileged user could use this flaw to crash the     system or, potentially, escalate their privileges on     the system.(CVE-2015-1805)

  - net/llc/sysctl_net_llc.c in the Linux kernel before     3.19 uses an incorrect data type in a sysctl table,     which allows local users to obtain potentially     sensitive information from kernel memory or possibly     have unspecified other impact by accessing a sysctl     entry.(CVE-2015-2041)

  - net/rds/sysctl.c in the Linux kernel before 3.19 uses     an incorrect data type in a sysctl table, which allows     local users to obtain potentially sensitive information     from kernel memory or possibly have unspecified other     impact by accessing a sysctl entry.(CVE-2015-2042)

  - Xen 3.3.x through 4.5.x and the Linux kernel through     3.19.1 do not properly restrict access to PCI command     registers, which might allow local guest OS users to     cause a denial of service (non-maskable interrupt and     host crash) by disabling the (1) memory or (2) I/O     decoding for a PCI Express device and then accessing     the device, which triggers an Unsupported Request (UR)     response.(CVE-2015-2150)

  - A stack-based buffer overflow flaw was found in the     Linux kernel's early load microcode functionality. On a     system with UEFI Secure Boot enabled, a local,     privileged user could use this flaw to increase their     privileges to the kernel (ring0) level, bypassing     intended restrictions in place.(CVE-2015-2666)

  - The xsave/xrstor implementation in     arch/x86/include/asm/xsave.h in the Linux kernel before     3.19.2 creates certain .altinstr_replacement pointers     and consequently does not provide any protection     against instruction faulting, which allows local users     to cause a denial of service (panic) by triggering a     fault, as demonstrated by an unaligned memory operand     or a non-canonical address memory     operand.(CVE-2015-2672)

  - A flaw was found in the way the Linux kernel's 32-bit     emulation implementation handled forking or closing of     a task with an 'int80' entry. A local user could     potentially use this flaw to escalate their privileges     on the system.(CVE-2015-2830)

  - It was found that the Linux kernel's TCP/IP protocol     suite implementation for IPv6 allowed the Hop Limit     value to be set to a smaller value than the default     one. An attacker on a local network could use this flaw     to prevent systems on that network from sending or     receiving network packets.(CVE-2015-2922)

  - A flaw was found in the way the Linux kernel's file     system implementation handled rename operations in     which the source was inside and the destination was     outside of a bind mount. A privileged user inside a     container could use this flaw to escape the bind mount     and, potentially, escalate their privileges on the     system.(CVE-2015-2925)

  - A race condition flaw was found in the way the Linux     kernel's SCTP implementation handled Address     Configuration lists when performing Address     Configuration Change (ASCONF). A local attacker could     use this flaw to crash the system via a race condition     triggered by setting certain ASCONF options on a     socket.(CVE-2015-3212)

  - mm/memory.c in the Linux kernel before 4.1.4 mishandles     anonymous pages, which allows local users to gain     privileges or cause a denial of service (page tainting)     via a crafted application that triggers writing to page     zero.(CVE-2015-3288)

  - A flaw was found in the way the Linux kernel's nested     NMI handler and espfix64 functionalities interacted     during NMI processing. A local, unprivileged user could     use this flaw to crash the system or, potentially,     escalate their privileges on the system.(CVE-2015-3290)

  - It was found that if a Non-Maskable Interrupt (NMI)     occurred immediately after a SYSCALL call or before a     SYSRET call with the user RSP pointing to the NMI IST     stack, the kernel could skip that NMI.(CVE-2015-3291)

  - A buffer overflow flaw was found in the way the Linux     kernel's Intel AES-NI instructions optimized version of     the RFC4106 GCM mode decryption functionality handled     fragmented packets. A remote attacker could use this     flaw to crash, or potentially escalate their privileges     on, a system over a connection with an active AES-GCM     mode IPSec security association.(CVE-2015-3331)

  - A race condition flaw was found between the chown and     execve system calls. When changing the owner of a     setuid user binary to root, the race condition could     momentarily make the binary setuid root. A local,     unprivileged user could potentially use this flaw to     escalate their privileges on the system.(CVE-2015-3339)

  - It was found that the Linux kernel's ping socket     implementation did not properly handle socket unhashing     during spurious disconnects, which could lead to a     use-after-free flaw. On x86-64 architecture systems, a     local user able to create ping sockets could use this     flaw to crash the system. On non-x86-64 architecture     systems, a local user able to create ping sockets could     use this flaw to escalate their privileges on the     system.(CVE-2015-3636)

  - An inode data validation error was found in Linux     kernels built with UDF file system (CONFIG_UDF_FS)     support. An attacker able to mount a     corrupted/malicious UDF file system image could cause     the kernel to crash.(CVE-2015-4167)

  - A flaw was discovered in the way the Linux kernel's TTY     subsystem handled the tty shutdown phase. A local,     unprivileged user could use this flaw to cause denial     of service on the system by holding a reference to the     ldisc lock during tty shutdown, causing a     deadlock.(CVE-2015-4170)

  - A flaw was discovered in the kernel's collect_mounts     function. If the kernel's audit subsystem called     collect_mounts to audit an unmounted path, it could     panic the system. With this flaw, an unprivileged user     could call umount(MNT_DETACH) to launch a     denial-of-service attack.(CVE-2015-4177)

  - A DoS flaw was found for a Linux kernel built for the     x86 architecture which had the KVM virtualization     support(CONFIG_KVM) enabled. The kernel would be     vulnerable to a NULL pointer dereference flaw in Linux     kernel's kvm_apic_has_events() function while doing an     ioctl. An unprivileged user able to access the     '/dev/kvm' device could use this flaw to crash the     system kernel.(CVE-2015-4692)

  - A flaw was found in the kernel's implementation of the     Berkeley Packet Filter (BPF). A local attacker could     craft BPF code to crash the system by creating a     situation in which the JIT compiler would fail to     correctly optimize the JIT image on the last pass. This     would lead to the CPU executing instructions that were     not part of the JIT code.(CVE-2015-4700)

  - A buffer overflow flaw was found in the way the Linux     kernel's virtio-net subsystem handled certain fraglists     when the GRO (Generic Receive Offload) functionality     was enabled in a bridged network configuration. An     attacker on the local network could potentially use     this flaw to crash the system, or, although unlikely,     elevate their privileges on the system.(CVE-2015-5156)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE 13.1 kernel was updated to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2016-0728: A reference leak in keyring handling with     join_session_keyring() could lead to local attackers     gain root privileges. (bsc#962075).

  - CVE-2015-7550: A local user could have triggered a race     between read and revoke in keyctl (bnc#958951).

  - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect     functions in drivers/net/ppp/pptp.c in the Linux kernel     did not verify an address length, which allowed local     users to obtain sensitive information from kernel memory     and bypass the KASLR protection mechanism via a crafted     application (bnc#959190).

  - CVE-2015-8543: The networking implementation in the     Linux kernel did not validate protocol identifiers for     certain protocol families, which allowed local users to     cause a denial of service (NULL function pointer     dereference and system crash) or possibly gain     privileges by leveraging CLONE_NEWUSER support to     execute a crafted SOCK_RAW application (bnc#958886).

  - CVE-2014-8989: The Linux kernel did not properly     restrict dropping of supplemental group memberships in     certain namespace scenarios, which allowed local users     to bypass intended file permissions by leveraging a     POSIX ACL containing an entry for the group category     that is more restrictive than the entry for the other     category, aka a 'negative groups' issue, related to     kernel/groups.c, kernel/uid16.c, and     kernel/user_namespace.c (bnc#906545).

  - CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux     kernel on the x86_64 platform mishandles IRET faults in     processing NMIs that occurred during userspace     execution, which might allow local users to gain     privileges by triggering an NMI (bnc#937969).

  - CVE-2015-7799: The slhc_init function in     drivers/net/slip/slhc.c in the Linux kernel through     4.2.3 did not ensure that certain slot numbers are     valid, which allowed local users to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted PPPIOCSMAXCID ioctl call (bnc#949936).

  - CVE-2015-8104: The KVM subsystem in the Linux kernel     through 4.2.6, and Xen 4.3.x through 4.6.x, allowed     guest OS users to cause a denial of service (host OS     panic or hang) by triggering many #DB (aka Debug)     exceptions, related to svm.c (bnc#954404).

  - CVE-2015-5307: The KVM subsystem in the Linux kernel     through 4.2.6, and Xen 4.3.x through 4.6.x, allowed     guest OS users to cause a denial of service (host OS     panic or hang) by triggering many #AC (aka Alignment     Check) exceptions, related to svm.c and vmx.c     (bnc#953527).

  - CVE-2014-9529: Race condition in the key_gc_unused_keys     function in security/keys/gc.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption or panic) or possibly have unspecified other     impact via keyctl commands that trigger access to a key     structure member during garbage collection of a key     (bnc#912202).

  - CVE-2015-7990: Race condition in the rds_sendmsg     function in net/rds/sendmsg.c in the Linux kernel     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound. NOTE: this vulnerability exists because     of an incomplete fix for CVE-2015-6937 (bnc#952384     953052).

  - CVE-2015-6937: The __rds_conn_create function in     net/rds/connection.c in the Linux kernel allowed local     users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound (bnc#945825).

  - CVE-2015-7885: The dgnc_mgmt_ioctl function in     drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel     through 4.3.3 did not initialize a certain structure     member, which allowed local users to obtain sensitive     information from kernel memory via a crafted application     (bnc#951627).

  - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in     the Linux kernel did not validate attempted changes to     the MTU value, which allowed context-dependent attackers     to cause a denial of service (packet loss) via a value     that is (1) smaller than the minimum compliant value or     (2) larger than the MTU of an interface, as demonstrated     by a Router Advertisement (RA) message that is not     validated by a daemon, a different vulnerability than     CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is     limited to the NetworkManager product (bnc#955354).

  - CVE-2015-8767: A case can occur when sctp_accept() is     called by the user during a heartbeat timeout event     after the 4-way handshake. Since sctp_assoc_migrate()     changes both assoc->base.sk and assoc->ep, the     bh_sock_lock in sctp_generate_heartbeat_event() will be     taken with the listening socket but released with the     new association socket. The result is a deadlock on any     future attempts to take the listening socket lock.
    (bsc#961509)

  - CVE-2015-8575: Validate socket address length in     sco_sock_bind() to prevent information leak     (bsc#959399).

  - CVE-2015-8551, CVE-2015-8552: xen/pciback: For     XEN_PCI_OP_disable_msi[|x] only disable if device has     MSI(X) enabled (bsc#957990).

  - CVE-2015-8550: Compiler optimizations in the XEN PV     backend drivers could have lead to double fetch     vulnerabilities, causing denial of service or arbitrary     code execution (depending on the configuration)     (bsc#957988).

The following non-security bugs were fixed :

  - ALSA: hda - Disable 64bit address for Creative HDA     controllers (bnc#814440).

  - ALSA: hda - Fix noise problems on Thinkpad T440s     (boo#958504).

  - Input: aiptek - fix crash on detecting device without     endpoints (bnc#956708).

  - KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y     (boo#956934).

  - KVM: x86: update masterclock values on TSC writes     (bsc#961739).

  - NFS: Fix a NULL pointer dereference of migration     recovery ops for v4.2 client (bsc#960839).

  - apparmor: allow SYS_CAP_RESOURCE to be sufficient to     prlimit another task (bsc#921949).

  - blktap: also call blkif_disconnect() when frontend     switched to closed (bsc#952976).

  - blktap: refine mm tracking (bsc#952976).

  - cdrom: Random writing support for BD-RE media     (bnc#959568).

  - genksyms: Handle string literals with spaces in     reference files (bsc#958510).

  - ipv4: Do not increase PMTU with Datagram Too Big message     (bsc#955224).

  - ipv6: distinguish frag queues by device for multicast     and link-local packets (bsc#955422).

  - ipv6: fix tunnel error handling (bsc#952579).

  - route: Use ipv4_mtu instead of raw rt_pmtu (bsc#955224).

  - uas: Add response iu handling (bnc#954138).

  - usbvision fix overflow of interfaces array (bnc#950998).

  - x86/evtchn: make use of PHYSDEVOP_map_pirq.

  - xen/pciback: Do not allow MSI-X ops if     PCI_COMMAND_MEMORY is not set (bsc#957990 XSA-157).

The openSUSE 13.2 kernel was updated to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2015-3290: A flaw was found in the way the Linux     kernels nested NMI handler and espfix64 functionalities     interacted during NMI processing. A local, unprivileged     user could use this flaw to crash the system or,     potentially, escalate their privileges on the system.

  - CVE-2015-3212: A race condition flaw was found in the     way the Linux kernels SCTP implementation handled     Address Configuration lists when performing Address     Configuration Change (ASCONF). A local attacker could     use this flaw to crash the system via a race condition     triggered by setting certain ASCONF options on a socket.

  - CVE-2015-5364: A remote denial of service (hang) via UDP     flood with incorrect package checksums was fixed.
    (bsc#936831).

  - CVE-2015-5366: A remote denial of service (unexpected     error returns) via UDP flood with incorrect package     checksums was fixed. (bsc#936831).

  - CVE-2015-4700: A local user could have created a bad     instruction in the JIT processed BPF code, leading to a     kernel crash (bnc#935705).

  - CVE-2015-1420: Race condition in the handle_to_path     function in fs/fhandle.c in the Linux kernel allowed     local users to bypass intended size restrictions and     trigger read operations on additional memory locations     by changing the handle_bytes value of a file handle     during the execution of this function (bnc#915517).

  - CVE-2015-4692: The kvm_apic_has_events function in     arch/x86/kvm/lapic.h in the Linux kernel allowed local     users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact by leveraging /dev/kvm access     for an ioctl call (bnc#935542).

  - CVE-2015-4167 CVE-2014-9728 CVE-2014-9730 CVE-2014-9729     CVE-2014-9731: Various problems in the UDF filesystem     were fixed that could lead to crashes when mounting     prepared udf filesystems.

  - CVE-2015-4002: drivers/staging/ozwpan/ozusbsvc1.c in the     OZWPAN driver in the Linux kernel did not ensure that     certain length values are sufficiently large, which     allowed remote attackers to cause a denial of service     (system crash or large loop) or possibly execute     arbitrary code via a crafted packet, related to the (1)     oz_usb_rx and (2) oz_usb_handle_ep_data functions     (bnc#933934).

  - CVE-2015-4003: The oz_usb_handle_ep_data function in     drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel allowed remote attackers to cause a     denial of service (divide-by-zero error and system     crash) via a crafted packet (bnc#933934).

  - CVE-2015-4001: Integer signedness error in the     oz_hcd_get_desc_cnf function in     drivers/staging/ozwpan/ozhcd.c in the OZWPAN driver in     the Linux kernel allowed remote attackers to cause a     denial of service (system crash) or possibly execute     arbitrary code via a crafted packet (bnc#933934).

  - CVE-2015-4036: A potential memory corruption in     vhost/scsi was fixed.

  - CVE-2015-2922: The ndisc_router_discovery function in     net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol     implementation in the IPv6 stack in the Linux kernel     allowed remote attackers to reconfigure a hop-limit     setting via a small hop_limit value in a Router     Advertisement (RA) message (bnc#922583).

  - CVE-2015-3636: It was found that the Linux kernels ping     socket implementation did not properly handle socket     unhashing during spurious disconnects, which could lead     to a use-after-free flaw. On x86-64 architecture     systems, a local user able to create ping sockets could     use this flaw to crash the system. On non-x86-64     architecture systems, a local user able to create ping     sockets could use this flaw to escalate their privileges     on the system.

  - CVE-2015-2041: net/llc/sysctl_net_llc.c in the Linux     kernel used an incorrect data type in a sysctl table,     which allowed local users to obtain potentially     sensitive information from kernel memory or possibly     have unspecified other impact by accessing a sysctl     entry (bnc#919007).

  - CVE-2015-3339: Race condition in the prepare_binprm     function in fs/exec.c in the Linux kernel allowed local     users to gain privileges by executing a setuid program     at a time instant when a chown to root is in progress,     and the ownership is changed but the setuid bit is not     yet stripped.

  - CVE-2015-1465: The IPv4 implementation in the Linux     kernel did not properly consider the length of the     Read-Copy Update (RCU) grace period for redirecting     lookups in the absence of caching, which allowed remote     attackers to cause a denial of service (memory     consumption or system crash) via a flood of packets     (bnc#916225).

The following non-security bugs were fixed :

  - ALSA: ak411x: Fix stall in work callback (boo#934755).

  - ALSA: emu10k1: Emu10k2 32 bit DMA mode (boo#934755).

  - ALSA: emu10k1: Fix card shortname string buffer overflow     (boo#934755).

  - ALSA: emu10k1: do not deadlock in proc-functions     (boo#934755).

  - ALSA: emux: Fix mutex deadlock at unloading     (boo#934755).

  - ALSA: emux: Fix mutex deadlock in OSS emulation     (boo#934755).

  - ALSA: hda - Add AZX_DCAPS_SNOOP_OFF (and refactor snoop     setup) (boo#934755).

  - ALSA: hda - Add Conexant codecs CX20721, CX20722,     CX20723 and CX20724 (boo#934755).

  - ALSA: hda - Add common pin macros for ALC269 family     (boo#934755).

  - ALSA: hda - Add dock support for ThinkPad X250     (17aa:2226) (boo#934755).

  - ALSA: hda - Add dock support for Thinkpad T450s     (17aa:5036) (boo#934755).

  - ALSA: hda - Add headphone quirk for Lifebook E752     (boo#934755).

  - ALSA: hda - Add headset mic quirk for Dell Inspiron 5548     (boo#934755).

  - ALSA: hda - Add mute-LED mode control to Thinkpad     (boo#934755).

  - ALSA: hda - Add one more node in the EAPD supporting     candidate list (boo#934755).

  - ALSA: hda - Add pin configs for ASUS mobo with IDT     92HD73XX codec (boo#934755).

  - ALSA: hda - Add ultra dock support for Thinkpad X240     (boo#934755).

  - ALSA: hda - Add workaround for CMI8888 snoop behavior     (boo#934755).

  - ALSA: hda - Add workaround for MacBook Air 5,2 built-in     mic (boo#934755).

  - ALSA: hda - Disable runtime PM for Panther Point again     (boo#934755).

  - ALSA: hda - Do not access stereo amps for mono channel     widgets (boo#934755).

  - ALSA: hda - Fix Dock Headphone on Thinkpad X250 seen as     a Line Out (boo#934755).

  - ALSA: hda - Fix headphone pin config for Lifebook T731     (boo#934755).

  - ALSA: hda - Fix noise on AMD radeon 290x controller     (boo#934755).

  - ALSA: hda - Fix probing and stuttering on CMI8888     HD-audio controller (boo#934755).

  - ALSA: hda - One more Dell macine needs     DELL1_MIC_NO_PRESENCE quirk (boo#934755).

  - ALSA: hda - One more HP machine needs to change mute led     quirk (boo#934755).

  - ALSA: hda - Set GPIO 4 low for a few HP machines     (boo#934755).

  - ALSA: hda - Set single_adc_amp flag for CS420x codecs     (boo#934755).

  - ALSA: hda - Treat stereo-to-mono mix properly     (boo#934755).

  - ALSA: hda - change three SSID quirks to one pin quirk     (boo#934755).

  - ALSA: hda - fix 'num_steps = 0' error on ALC256     (boo#934755).

  - ALSA: hda - fix a typo by changing mute_led_nid to     cap_mute_led_nid (boo#934755).

  - ALSA: hda - fix headset mic detection problem for one     more machine (boo#934755).

  - ALSA: hda - fix mute led problem for three HP laptops     (boo#934755).

  - ALSA: hda - set proper caps for newer AMD hda audio in     KB/KV (boo#934755).

  - ALSA: hda/realtek - ALC292 dock fix for Thinkpad L450     (boo#934755).

  - ALSA: hda/realtek - Add a fixup for another Acer Aspire     9420 (boo#934755).

  - ALSA: hda/realtek - Enable the ALC292 dock fixup on the     Thinkpad T450 (boo#934755).

  - ALSA: hda/realtek - Fix Headphone Mic does not recording     for ALC256 (boo#934755).

  - ALSA: hda/realtek - Make more stable to get pin sense     for ALC283 (boo#934755).

  - ALSA: hda/realtek - Support Dell headset mode for ALC256     (boo#934755).

  - ALSA: hda/realtek - Support HP mute led for output and     input (boo#934755).

  - ALSA: hda/realtek - move HP_LINE1_MIC1_LED quirk for     alc282 (boo#934755).

  - ALSA: hda/realtek - move HP_MUTE_LED_MIC1 quirk for     alc282 (boo#934755).

  - ALSA: hdspm - Constrain periods to 2 on older cards     (boo#934755).

  - ALSA: pcm: Do not leave PREPARED state after draining     (boo#934755).

  - ALSA: snd-usb: add quirks for Roland UA-22 (boo#934755).

  - ALSA: usb - Creative USB X-Fi Pro SB1095 volume knob     support (boo#934755).

  - ALSA: usb-audio: Add mic volume fix quirk for Logitech     Quickcam Fusion (boo#934755).

  - ALSA: usb-audio: Add quirk for MS LifeCam HD-3000     (boo#934755).

  - ALSA: usb-audio: Add quirk for MS LifeCam Studio     (boo#934755).

  - ALSA: usb-audio: Do not attempt to get Lifecam HD-5000     sample rate (boo#934755).

  - ALSA: usb-audio: Do not attempt to get Microsoft Lifecam     Cinema sample rate (boo#934755).

  - ALSA: usb-audio: add MAYA44 USB+ mixer control names     (boo#934755).

  - ALSA: usb-audio: do not try to get Benchmark DAC1 sample     rate (boo#934755).

  - ALSA: usb-audio: do not try to get Outlaw RR2150 sample     rate (boo#934755).

  - ALSA: usb-audio: fix missing input volume controls in     MAYA44 USB(+) (boo#934755).

  - Automatically Provide/Obsolete all subpackages of old     flavors (bnc#925567)

  - Fix kABI for ak411x structs (boo#934755).

  - Fix kABI for snd_emu10k1 struct (boo#934755).

  - HID: add ALWAYS_POLL quirk for a Logitech 0xc007     (bnc#929624).

  - HID: add HP OEM mouse to quirk ALWAYS_POLL (bnc#929624).

  - HID: add quirk for PIXART OEM mouse used by HP     (bnc#929624).

  - HID: usbhid: add always-poll quirk (bnc#929624).

  - HID: usbhid: add another mouse that needs     QUIRK_ALWAYS_POLL (bnc#929624).

  - HID: usbhid: enable always-poll quirk for Elan     Touchscreen (bnc#929624).

  - HID: usbhid: enable always-poll quirk for Elan     Touchscreen 009b (bnc#929624).

  - HID: usbhid: enable always-poll quirk for Elan     Touchscreen 0103 (bnc#929624).

  - HID: usbhid: enable always-poll quirk for Elan     Touchscreen 016f (bnc#929624).

  - HID: usbhid: fix PIXART optical mouse (bnc#929624).

  - HID: usbhid: more mice with ALWAYS_POLL (bnc#929624).

  - HID: usbhid: yet another mouse with ALWAYS_POLL     (bnc#929624).

  - HID: yet another buggy ELAN touchscreen (bnc#929624).

  - Input: synaptics - handle spurious release of trackstick     buttons (bnc#928693).

  - Input: synaptics - re-route tracksticks buttons on the     Lenovo 2015 series (bnc#928693).

  - Input: synaptics - remove TOPBUTTONPAD property for     Lenovos 2015 (bnc#928693).

  - Input: synaptics - retrieve the extended capabilities in     query $10 (bnc#928693).

  - NFSv4: When returning a delegation, do not reclaim an     incompatible open mode (bnc#934202).

  - Refresh patches.xen/xen-blkfront-indirect (bsc#922235).

  - Update config files: extend CONFIG_DPM_WATCHDOG_TIMEOUT     to 60 (bnc#934397)

  - arm64: mm: Remove hack in mmap randomized layout Fix     commit id and mainlined information

  - bnx2x: Fix kdump when iommu=on (bug#921769).

  - client MUST ignore EncryptionKeyLength if     CAP_EXTENDED_SECURITY is set (bnc#932348).

  - config/armv7hl: Disable AMD_XGBE_PHY The AMD XGBE     ethernet chip is only used on ARM64 systems.

  - config: disable XGBE on non-ARM hardware It is     documented as being present only on AMD SoCs.

  - cpufreq: fix a NULL pointer dereference in
    __cpufreq_governor() (bsc#924664).

  - drm/i915/bdw: PCI IDs ending in 0xb are ULT     (boo#935913).

  - drm/i915/chv: Remove Wait for a previous gfx force-off     (boo#935913).

  - drm/i915/dp: only use training pattern 3 on platforms     that support it (boo#935913).

  - drm/i915/dp: there is no audio on port A (boo#935913).

  - drm/i915/hsw: Fix workaround for server AUX channel     clock divisor (boo#935913).

  - drm/i915/vlv: remove wait for previous GFX clk disable     request (boo#935913).

  - drm/i915/vlv: save/restore the power context base reg     (boo#935913).

  - drm/i915: Add missing MacBook Pro models with dual     channel LVDS (boo#935913).

  - drm/i915: BDW Fix Halo PCI IDs marked as ULT     (boo#935913).

  - drm/i915: Ban Haswell from using RCS flips (boo#935913).

  - drm/i915: Check obj->vma_list under the struct_mutex     (boo#935913).

  - drm/i915: Correct the IOSF Dev_FN field for IOSF     transfers (boo#935913).

  - drm/i915: Dell Chromebook 11 has PWM backlight     (boo#935913).

  - drm/i915: Disable caches for Global GTT (boo#935913).

  - drm/i915: Do a dummy DPCD read before the actual read     (bnc#907714).

  - drm/i915: Do not complain about stolen conflicts on gen3     (boo#935913).

  - drm/i915: Do not leak pages when freeing userptr objects     (boo#935913).

  - drm/i915: Dont enable CS_PARSER_ERROR interrupts at all     (boo#935913).

  - drm/i915: Evict CS TLBs between batches (boo#935913).

  - drm/i915: Fix DDC probe for passive adapters     (boo#935913).

  - drm/i915: Fix and clean BDW PCH identification     (boo#935913).

  - drm/i915: Force the CS stall for invalidate flushes     (boo#935913).

  - drm/i915: Handle failure to kick out a conflicting fb     driver (boo#935913).

  - drm/i915: Ignore SURFLIVE and flip counter when the GPU     gets reset (boo#935913).

  - drm/i915: Ignore VBT backlight check on Macbook 2, 1     (boo#935913).

  - drm/i915: Invalidate media caches on gen7 (boo#935913).

  - drm/i915: Kick fbdev before vgacon (boo#935913).

  - drm/i915: Only fence tiled region of object     (boo#935913).

  - drm/i915: Only warn the first time we attempt to mmio     whilst suspended (boo#935913).

  - drm/i915: Unlock panel even when LVDS is disabled     (boo#935913).

  - drm/i915: Use IS_HSW_ULT() in a HSW specific code path     (boo#935913).

  - drm/i915: cope with large i2c transfers (boo#935913).

  - drm/i915: do not warn if backlight unexpectedly enabled     (boo#935913).

  - drm/i915: drop WaSetupGtModeTdRowDispatch:snb     (boo#935913).

  - drm/i915: save/restore GMBUS freq across suspend/resume     on gen4 (boo#935913).

  - drm/i915: vlv: fix IRQ masking when uninstalling     interrupts (boo#935913).

  - drm/i915: vlv: fix save/restore of GFX_MAX_REQ_COUNT reg     (boo#935913).

  - drm/radeon: retry dcpd fetch (bnc#931580).

  - ftrace/x86/xen: use kernel identity mapping only when     really needed (bsc#873195, bsc#886272, bsc#903727,     bsc#927725)

  - guards: Add support for an external filelist in --check     mode This will allow us to run --check without a     kernel-source.git work tree.

  - guards: Include the file name also in the 'Not found'     error

  - guards: Simplify help text

  - hyperv: Add processing of MTU reduced by the host     (bnc#919596).

  - ideapad_laptop: Lenovo G50-30 fix rfkill reports     wireless blocked (boo#939394).

  - ipv6: do not delete previously existing ECMP routes if     add fails (bsc#930399).

  - ipv6: fix ECMP route replacement (bsc#930399).

  - ipv6: replacing a rt6_info needs to purge possible     propagated rt6_infos too (bsc#930399).

  - kABI: protect linux/slab.h include in of/address.

  - kabi/severities: ignore already-broken but acceptable     kABI changes - SYSTEM_TRUSTED_KEYRING=n change removed     system_trusted_keyring - Commits 3688875f852 and     ea5ed8c70e9 changed iov_iter_get_pages prototype - KVM     changes are intermodule dependencies

  - kabi: Fix CRC for dma_get_required_mask.

  - kabi: add kABI reference files

  - libata: Blacklist queued TRIM on Samsung SSD 850 Pro     (bsc#926156).

  - libata: Blacklist queued TRIM on all Samsung 800-series     (bnc#930599).

  - net: ppp: Do not call bpf_prog_create() in ppp_lock     (bnc#930488).

  - rpm/kernel-obs-qa.spec.in: Do not fail if the kernel     versions do not match

  - rt2x00: do not align payload on modern H/W (bnc#932844).

  - rtlwifi: rtl8192cu: Fix kernel deadlock (bnc#927786).

  - thermal: step_wise: Revert optimization (boo#925961).

  - tty: Fix pty master poll() after slave closes v2     (bsc#937138). arm64: mm: Remove hack in mmap randomize     layout (bsc#937033)

  - udf: Remove repeated loads blocksize (bsc#933907).

  - usb: core: Fix USB 3.0 devices lost in NOTATTACHED state     after a hub port reset (bnc#937226).

  - x86, apic: Handle a bad TSC more gracefully     (boo#935530).

  - x86/PCI: Use host bridge _CRS info on Foxconn     K8M890-8237A (bnc#907092).

  - x86/PCI: Use host bridge _CRS info on systems with >32     bit addressing (bnc#907092).

  - x86/microcode/amd: Do not overwrite final patch levels     (bsc#913996).

  - x86/microcode/amd: Extract current patch level read to a     function (bsc#913996).

  - x86/mm: Improve AMD Bulldozer ASLR workaround     (bsc#937032).

  - xenbus: add proper handling of XS_ERROR from Xenbus for     transactions.

  - xhci: Calculate old endpoints correctly on device reset     (bnc#938976).

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leak.

  - CVE-2015-1333     Colin Ian King discovered a flaw in the add_key function     of the Linux kernel's keyring subsystem. A local user     can exploit this flaw to cause a denial of service due     to memory exhaustion.

  - CVE-2015-3212     Ji Jianwen of Red Hat Engineering discovered a flaw in     the handling of the SCTPs automatic handling of dynamic     multi-homed connections. A local attacker could use this     flaw to cause a crash or potentially for privilege     escalation.

  - CVE-2015-4692     A NULL pointer dereference flaw was found in the     kvm_apic_has_events function in the KVM subsystem. A     unprivileged local user could exploit this flaw to crash     the system kernel resulting in denial of service.

  - CVE-2015-4700     Daniel Borkmann discovered a flaw in the Linux kernel     implementation of the Berkeley Packet Filter which can     be used by a local user to crash the system.

  - CVE-2015-5364     It was discovered that the Linux kernel does not     properly handle invalid UDP checksums. A remote attacker     could exploit this flaw to cause a denial of service     using a flood of UDP packets with invalid checksums.

  - CVE-2015-5366     It was discovered that the Linux kernel does not     properly handle invalid UDP checksums. A remote attacker     can cause a denial of service against applications that     use epoll by injecting a single packet with an invalid     checksum.

  - CVE-2015-5697     A flaw was discovered in the md driver in the Linux     kernel leading to an information leak.

  - CVE-2015-5706     An user triggerable use-after-free vulnerability in path     lookup in the Linux kernel could potentially lead to     privilege escalation.

  - CVE-2015-5707     An integer overflow in the SCSI generic driver in the     Linux kernel was discovered. A local user with write     permission on a SCSI generic device could potentially     exploit this flaw for privilege escalation.

The SUSE Linux Enterprise 12 kernel was updated to 3.12.44 to receive various security and bugfixes.

These features were added :

  - mpt2sas: Added Reply Descriptor Post Queue (RDPQ) Array     support (bsc#854824).

  - mpt3sas: Bump mpt3sas driver version to 04.100.00.00     (bsc#854817).

Following security bugs were fixed :

  - CVE-2015-1805: iov overrun for failed atomic copy could     have lead to DoS or privilege escalation (bsc#933429).

  - CVE-2015-3212: A race condition in the way the Linux     kernel handled lists of associations in SCTP sockets     could have lead to list corruption and kernel panics     (bsc#936502).

  - CVE-2015-4036: DoS via memory corruption in vhost/scsi     driver (bsc#931988).

  - CVE-2015-4167: Linux kernel built with the UDF file     system(CONFIG_UDF_FS) support was vulnerable to a crash.
    It occurred while fetching inode information from a     corrupted/malicious udf file system image (bsc#933907).

  - CVE-2015-4692: DoS via NULL pointer dereference in     kvm_apic_has_events function (bsc#935542).

  - CVE-2015-5364: Remote DoS via flood of UDP packets with     invalid checksums (bsc#936831).

  - CVE-2015-5366: Remote DoS of EPOLLET epoll applications     via flood of UDP packets with invalid checksums     (bsc#936831).

Security issues already fixed in the previous update but not referenced by CVE :

  - CVE-2014-9728: Kernel built with the UDF file     system(CONFIG_UDF_FS) support were vulnerable to a crash     (bsc#933904).

  - CVE-2014-9729: Kernel built with the UDF file     system(CONFIG_UDF_FS) support were vulnerable to a crash     (bsc#933904).

  - CVE-2014-9730: Kernel built with the UDF file     system(CONFIG_UDF_FS) support were vulnerable to a crash     (bsc#933904).

  - CVE-2014-9731: Kernel built with the UDF file     system(CONFIG_UDF_FS) support were vulnerable to     information leakage (bsc#933896).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A flaw was discovered in the kvm (kernel virtual machine) subsystem's kvm_apic_has_events function. A unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2015-4692)

A flaw was discovered in how the Linux kernel handles invalid UDP checksums. A remote attacker could exploit this flaw to cause a denial of service using a flood of UDP packets with invalid checksums.
(CVE-2015-5364)

A flaw was discovered in how the Linux kernel handles invalid UDP checksums. A remote attacker can cause a denial of service against applications that use epoll by injecting a single packet with an invalid checksum. (CVE-2015-5366).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A flaw was discovered in the kvm (kernel virtual machine) subsystem's kvm_apic_has_events function. A unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2015-4692)

Daniel Borkmann reported a kernel crash in the Linux kernel's BPF filter JIT optimization. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2015-4700)

A flaw was discovered in how the Linux kernel handles invalid UDP checksums. A remote attacker could exploit this flaw to cause a denial of service using a flood of UDP packets with invalid checksums.
(CVE-2015-5364)

A flaw was discovered in how the Linux kernel handles invalid UDP checksums. A remote attacker can cause a denial of service against applications that use epoll by injecting a single packet with an invalid checksum. (CVE-2015-5366).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A flaw was discovered in the user space memory copying for the pipe iovecs in the Linux kernel. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges. (CVE-2015-1805)

A flaw was discovered in the kvm (kernel virtual machine) subsystem's kvm_apic_has_events function. A unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2015-4692)

Daniel Borkmann reported a kernel crash in the Linux kernel's BPF filter JIT optimization. A local attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2015-4700)

A flaw was discovered in how the Linux kernel handles invalid UDP checksums. A remote attacker could exploit this flaw to cause a denial of service using a flood of UDP packets with invalid checksums.
(CVE-2015-5364)

A flaw was discovered in how the Linux kernel handles invalid UDP checksums. A remote attacker can cause a denial of service against applications that use epoll by injecting a single packet with an invalid checksum. (CVE-2015-5366).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 4.0.6 stable update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124988	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1535)	Nessus	Huawei Local Security Checks	high
124811	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1487)	Nessus	Huawei Local Security Checks	high
88545	openSUSE Security Update : the Linux Kernel (openSUSE-2016-124)	Nessus	SuSE Local Security Checks	critical
85432	openSUSE Security Update : the Linux Kernel (openSUSE-2015-543)	Nessus	SuSE Local Security Checks	high
85281	Debian DSA-3329-1 : linux - security update	Nessus	Debian Local Security Checks	high
85180	SUSE SLED12 / SLES12 Security Update : SUSE Linux Enterprise 12 kernel (SUSE-SU-2015:1324-1)	Nessus	SuSE Local Security Checks	high
84986	Ubuntu 14.10 : linux vulnerabilities (USN-2685-1)	Nessus	Ubuntu Local Security Checks	high
84985	Ubuntu 15.04 : linux vulnerabilities (USN-2684-1)	Nessus	Ubuntu Local Security Checks	high
84984	Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-2683-1)	Nessus	Ubuntu Local Security Checks	high
84983	Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-2682-1)	Nessus	Ubuntu Local Security Checks	high
84982	Ubuntu 14.04 LTS : linux vulnerabilities (USN-2681-1)	Nessus	Ubuntu Local Security Checks	high
84981	Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2680-1)	Nessus	Ubuntu Local Security Checks	high
84480	Fedora 21 : kernel-4.0.6-200.fc21 (2015-10678)	Nessus	Fedora Local Security Checks	medium
84437	Fedora 22 : kernel-4.0.6-300.fc22 (2015-10677)	Nessus	Fedora Local Security Checks	medium

CVE-2015-4692

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins