[oss-security] 20151127 CVE-2015-5327 kernel: User triggerable out-of-bounds read

https://bugzilla.redhat.com/show_bug.cgi?id=1278978

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cc25b994acfbc901429da682d0f73c190e960206

The remote OracleVM system is missing necessary patches to address critical security updates :

  - scsi: libfc: sanitize E_D_TOV and R_A_TOV setting     (Hannes Reinecke) [Orabug: 25933179]

  - scsi: libfc: use configured rport E_D_TOV (Hannes     Reinecke) [Orabug: 25933179]

  - scsi: libfc: additional debugging messages (Hannes     Reinecke) [Orabug: 25933179]

  - scsi: libfc: don't advance state machine for incoming     FLOGI (Hannes Reinecke) [Orabug: 25933179]

  - scsi: libfc: Do not login if the port is already started     (Hannes Reinecke) [Orabug: 25933179]

  - scsi: libfc: Do not drop down to FLOGI for     fc_rport_login (Hannes Reinecke) [Orabug: 25933179]

  - scsi: libfc: Do not take rdata->rp_mutex when processing     a -FC_EX_CLOSED ELS response. (Chad Dupuis) [Orabug:
    25933179]

  - scsi: libfc: Fixup disc_mutex handling (Hannes Reinecke)     [Orabug: 25933179]

  - xve: arm ud tx cq to generate completion interrupts     (Ajaykumar Hotchandani) [Orabug: 28267050]

  - net: sched: run ingress qdisc without locks (Alexei     Starovoitov) [Orabug: 29395374]

  - bnxt_en: Fix typo in firmware message timeout logic.
    (Michael Chan) [Orabug: 29412112]

  - bnxt_en: Wait longer for the firmware message response     to complete. (Michael Chan) [Orabug: 29412112]

  - mm,vmscan: Make unregister_shrinker no-op if     register_shrinker failed. (Tetsuo Handa) [Orabug:
    29456281]

  - X.509: Handle midnight alternative notation in     GeneralizedTime (David Howells) [Orabug: 29460344]     (CVE-2015-5327)

  - X.509: Support leap seconds (David Howells) [Orabug:
    29460344] (CVE-2015-5327)

  - X.509: Fix the time validation [ver #2] (David Howells)     [Orabug: 29460344] (CVE-2015-5327) (CVE-2015-5327)

  - be2net: enable new Kconfig items in kernel configs     (Brian Maly) [Orabug: 29475071]

  - benet: remove broken and unused macro (Lubomir Rintel)     [Orabug: 29475071]

  - be2net: don't flip hw_features when VXLANs are     added/deleted (Davide Caratti) [Orabug: 29475071]

  - be2net: Fix memory leak in be_cmd_get_profile_config     (Petr Oros) [Orabug: 29475071]

  - be2net: Use Kconfig flag to support for     enabling/disabling adapters (Petr Oros) [Orabug:
    29475071]

  - be2net: Mark expected switch fall-through (Gustavo A. R.
    Silva) [Orabug: 29475071]

  - be2net: fix spelling mistake 'seqence' -> 'sequence'     (Colin Ian King) [Orabug: 29475071]

  - be2net: Update the driver version to 12.0.0.0 (Suresh     Reddy) [Orabug: 29475071]

  - be2net: gather debug info and reset adapter (only for     Lancer) on a tx-timeout (Suresh Reddy) [Orabug:
    29475071]

  - be2net: move rss_flags field in rss_info to ensure     proper alignment (Ivan Vecera) [Orabug: 29475071]

  - be2net: re-order fields in be_error_recovert to avoid     hole (Ivan Vecera) [Orabug: 29475071]

  - be2net: remove unused tx_jiffies field from be_tx_stats     (Ivan Vecera) [Orabug: 29475071]

  - be2net: move txcp field in be_tx_obj to eliminate holes     in the struct (Ivan Vecera) [Orabug: 29475071]

  - be2net: reorder fields in be_eq_obj structure (Ivan     Vecera) [Orabug: 29475071]

  - be2net: remove unused old custom busy-poll fields (Ivan     Vecera) [Orabug: 29475071]

  - be2net: remove unused old AIC info (Ivan Vecera)     [Orabug: 29475071]

  - be2net: Fix error detection logic for BE3 (Suresh Reddy)     [Orabug: 29475071]

  - scsi: sd: Do not override max_sectors_kb sysfs setting     (Martin K. Petersen) [Orabug: 29596510]

  - USB: serial: io_ti: fix div-by-zero in set_termios     (Johan Hovold) [Orabug: 29487834] (CVE-2017-18360)

  - bnxt_en: Drop oversize TX packets to prevent errors.
    (Michael Chan) [Orabug: 29516462]

  - x86/speculation: Read per-cpu value of     x86_spec_ctrl_priv in x86_virt_spec_ctrl (Alejandro     Jimenez) [Orabug: 29526401]

  - x86/speculation: Keep enhanced IBRS on when prctl is     used for SSBD control (Alejandro Jimenez) [Orabug:
    29526401]

  - USB: hso: Fix OOB memory access in     hso_probe/hso_get_config_data (Hui Peng) [Orabug:
    29605982] (CVE-2018-19985) (CVE-2018-19985)

  - swiotlb: save io_tlb_used to local variable before     leaving critical section (Dongli Zhang) [Orabug:
    29637525]

  - swiotlb: dump used and total slots when swiotlb buffer     is full (Dongli Zhang) [Orabug: 29637525]

  - x86/bugs, kvm: don't miss SSBD when IBRS is in use.
    (Quentin Casasnovas) [Orabug: 29642113]

  - cifs: Fix use after free of a mid_q_entry (Shuning     Zhang) [Orabug: 29654888]

  - binfmt_elf: switch to new creds when switching to new mm     (Linus Torvalds) [Orabug: 29677233] (CVE-2019-11190)

  - x86/microcode: Don't return error if microcode update is     not needed (Boris Ostrovsky) [Orabug: 29759756]

Description of changes:

[4.1.12-124.27.1.el6uek]
- scsi: libfc: sanitize E_D_TOV and R_A_TOV setting (Hannes Reinecke)  [Orabug: 25933179]
- scsi: libfc: use configured rport E_D_TOV (Hannes Reinecke)  [Orabug: 25933179]
- scsi: libfc: additional debugging messages (Hannes Reinecke)  [Orabug: 25933179]
- scsi: libfc: don't advance state machine for incoming FLOGI (Hannes Reinecke)  [Orabug: 25933179]
- scsi: libfc: Do not login if the port is already started (Hannes Reinecke)  [Orabug: 25933179]
- scsi: libfc: Do not drop down to FLOGI for fc_rport_login() (Hannes Reinecke)  [Orabug: 25933179]
- scsi: libfc: Do not take rdata->rp_mutex when processing a -FC_EX_CLOSED ELS response. (Chad Dupuis)  [Orabug: 25933179]
- scsi: libfc: Fixup disc_mutex handling (Hannes Reinecke)  [Orabug: 25933179]
- xve: arm ud tx cq to generate completion interrupts (Ajaykumar Hotchandani)  [Orabug: 28267050]
- net: sched: run ingress qdisc without locks (Alexei Starovoitov)  [Orabug: 29395374]
- bnxt_en: Fix typo in firmware message timeout logic. (Michael Chan)  [Orabug: 29412112]
- bnxt_en: Wait longer for the firmware message response to complete. (Michael Chan)  [Orabug: 29412112]
- mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed. (Tetsuo Handa)  [Orabug: 29456281]
- X.509: Handle midnight alternative notation in GeneralizedTime (David Howells)  [Orabug: 29460344]  {CVE-2015-5327}
- X.509: Support leap seconds (David Howells)  [Orabug: 29460344]  {CVE-2015-5327}
- X.509: Fix the time validation [ver #2] (David Howells)  [Orabug: 29460344]  {CVE-2015-5327} {CVE-2015-5327}
- be2net: enable new Kconfig items in kernel configs (Brian Maly)  [Orabug: 29475071]
- benet: remove broken and unused macro (Lubomir Rintel)  [Orabug: 29475071]
- be2net: don't flip hw_features when VXLANs are added/deleted (Davide Caratti)  [Orabug: 29475071]
- be2net: Fix memory leak in be_cmd_get_profile_config() (Petr Oros)  [Orabug: 29475071]
- be2net: Use Kconfig flag to support for enabling/disabling adapters (Petr Oros)  [Orabug: 29475071]
- be2net: Mark expected switch fall-through (Gustavo A. R. Silva)  [Orabug: 29475071]
- be2net: fix spelling mistake 'seqence' -> 'sequence' (Colin Ian King)  [Orabug: 29475071]
- be2net: Update the driver version to 12.0.0.0 (Suresh Reddy)  [Orabug: 29475071]
- be2net: gather debug info and reset adapter (only for Lancer) on a tx-timeout (Suresh Reddy)  [Orabug: 29475071]
- be2net: move rss_flags field in rss_info to ensure proper alignment (Ivan Vecera)  [Orabug: 29475071]
- be2net: re-order fields in be_error_recovert to avoid hole (Ivan Vecera)  [Orabug: 29475071]
- be2net: remove unused tx_jiffies field from be_tx_stats (Ivan Vecera)  [Orabug: 29475071]
- be2net: move txcp field in be_tx_obj to eliminate holes in the struct (Ivan Vecera)  [Orabug: 29475071]
- be2net: reorder fields in be_eq_obj structure (Ivan Vecera)  [Orabug: 29475071]
- be2net: remove unused old custom busy-poll fields (Ivan Vecera)  [Orabug: 29475071]
- be2net: remove unused old AIC info (Ivan Vecera)  [Orabug: 29475071]
- be2net: Fix error detection logic for BE3 (Suresh Reddy)  [Orabug: 29475071]
- scsi: sd: Do not override max_sectors_kb sysfs setting (Martin K. Petersen)  [Orabug: 29596510]
- USB: serial: io_ti: fix div-by-zero in set_termios (Johan Hovold)  [Orabug: 29487834]  {CVE-2017-18360}
- bnxt_en: Drop oversize TX packets to prevent errors. (Michael Chan)  [Orabug: 29516462]
- x86/speculation: Read per-cpu value of x86_spec_ctrl_priv in x86_virt_spec_ctrl() (Alejandro Jimenez)  [Orabug: 29526401]
- x86/speculation: Keep enhanced IBRS on when prctl is used for SSBD control (Alejandro Jimenez)  [Orabug: 29526401]
- USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data (Hui Peng)  [Orabug: 29605982]  {CVE-2018-19985} {CVE-2018-19985}
- swiotlb: save io_tlb_used to local variable before leaving critical section (Dongli Zhang)  [Orabug: 29637525]
- swiotlb: dump used and total slots when swiotlb buffer is full (Dongli Zhang)  [Orabug: 29637525]
- x86/bugs, kvm: don't miss SSBD when IBRS is in use. (Quentin Casasnovas)  [Orabug: 29642113]
- cifs: Fix use after free of a mid_q_entry (Shuning Zhang)  [Orabug: 29654888]
- binfmt_elf: switch to new creds when switching to new mm (Linus Torvalds)  [Orabug: 29677233]  {CVE-2019-11190}
- x86/microcode: Don't return error if microcode update is not needed (Boris Ostrovsky)  [Orabug: 29759756]

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The Linux kernel, before version 4.14.3, is vulnerable     to a denial of service in     drivers/md/dm.c:dm_get_from_kobject() which can be     caused by local users leveraging a race condition with
    __dm_destroy() during creation and removal of DM     devices. Only privileged local users (with     CAP_SYS_ADMIN capability) can directly perform the     ioctl operations for dm device creation and removal and     this would typically be outside the direct control of     the unprivileged attacker.(CVE-2017-18203i1/4%0

  - The batadv_frag_merge_packets function in     net/batman-adv/fragmentation.c in the B.A.T.M.A.N.
    implementation in the Linux kernel through 3.18.1 uses     an incorrect length field during a calculation of an     amount of memory, which allows remote attackers to     cause a denial of service (mesh-node system crash) via     fragmented packets.(CVE-2014-9428i1/4%0

  - The regulator_ena_gpio_free function in     drivers/regulator/core.c in the Linux kernel allows     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted     application.(CVE-2014-9940i1/4%0

  - The Linux kernel before 3.12, when UDP Fragmentation     Offload (UFO) is enabled, does not properly initialize     certain data structures, which allows local users to     cause a denial of service (memory corruption and system     crash) or possibly gain privileges via a crafted     application that uses the UDP_CORK option in a     setsockopt system call and sends both short and long     packets, related to the ip_ufo_append_data function in     net/ipv4/ip_output.c and the ip6_ufo_append_data     function in net/ipv6/ip6_output.c.(CVE-2013-4470i1/4%0

  - A use-after-free flaw was found in the way the Linux     kernel's Datagram Congestion Control Protocol (DCCP)     implementation freed SKB (socket buffer) resources for     a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO     option is set on the socket. A local, unprivileged user     could use this flaw to alter the kernel memory,     allowing them to escalate their privileges on the     system.(CVE-2017-6074i1/4%0

  - A NULL-pointer dereference vulnerability was found in     the Linux kernel's TCP stack, in     net/netfilter/nf_nat_redirect.c in the     nf_nat_redirect_ipv4() function. A remote,     unauthenticated user could exploit this flaw to create     a system crash (denial of service).(CVE-2015-8787i1/4%0

  - A use-after-free flaw was found in the CXGB3 kernel     driver when the network was considered to be congested.
    The kernel incorrectly misinterpreted the congestion as     an error condition and incorrectly freed or cleaned up     the socket buffer (skb). When the device then sent the     skb's queued data, these structures were referenced. A     local attacker could use this flaw to panic the system     (denial of service) or, with a local account, escalate     their privileges.(CVE-2015-8812i1/4%0

  - A flaw was found in the way the Linux kernel's     networking implementation handled UDP packets with     incorrect checksum values. A remote attacker could     potentially use this flaw to trigger an infinite loop     in the kernel, resulting in a denial of service on the     system, or cause a denial of service in applications     using the edge triggered epoll     functionality.(CVE-2015-5364i1/4%0

  - The timer_create syscall implementation in     kernel/time/posix-timers.c in the Linux kernel doesn't     properly validate the sigevent-i1/4zsigev_notify field,     which leads to out-of-bounds access in the show_timer     function.(CVE-2017-18344i1/4%0

  - A flaw was discovered in the way the Linux kernel dealt     with paging structures. When the kernel invalidated a     paging structure that was not in use locally, it could,     in principle, race against another CPU that is     switching to a process that uses the paging structure     in question. A local user could use a thread running     with a stale cached virtual-i1/4zphysical translation to     potentially escalate their privileges if the     translation in question were writable and the physical     page got reused for something critical (for example, a     page table).(CVE-2016-2069i1/4%0

  - Use after free vulnerability was found in percpu using     previously allocated memory in bpf. First
    __alloc_percpu_gfp() is called, then the memory is     freed with free_percpu() which triggers async     pcpu_balance_work and then pcpu_extend_area_map could     use a chunk after it has been freed.(CVE-2016-4794i1/4%0

  - A missing authorization check in the     fscrypt_process_policy function in fs/crypto/policy.c     in the ext4 and f2fs filesystem encryption support in     the Linux kernel allows a user to assign an encryption     policy to a directory owned by a different user,     potentially creating a denial of     service.(CVE-2016-10318i1/4%0

  - The security_context_to_sid_core function in     security/selinux/ss/services.c in the Linux kernel     before 3.13.4 allows local users to cause a denial of     service (system crash) by leveraging the CAP_MAC_ADMIN     capability to set a zero-length security     context.(CVE-2014-1874i1/4%0

  - The vfe31_proc_general function in     drivers/media/video/msm/vfe/msm_vfe31.c in the     MSM-VFE31 driver for the Linux kernel 3.x, as used in     Qualcomm Innovation Center (QuIC) Android contributions     for MSM devices and other products, does not validate a     certain id value, which allows attackers to gain     privileges or cause a denial of service (memory     corruption) via an application that makes a crafted     ioctl call.(CVE-2014-9410i1/4%0

  - A vulnerability was found in the Key Management sub     component of the Linux kernel, where when trying to     issue a KEYTCL_READ on a negative key would lead to a     NULL pointer dereference. A local attacker could use     this flaw to crash the kernel.(CVE-2017-12192i1/4%0

  - Out-of-bounds memory read in the x509_decode_time     function in x509_cert_parser.c in Linux kernels 4.3-rc1     and after.(CVE-2015-5327i1/4%0

  - It was found that the espfix functionality does not     work for 32-bit KVM paravirtualized guests. A local,     unprivileged guest user could potentially use this flaw     to leak kernel stack addresses.(CVE-2014-8134i1/4%0

  - An out-of-bounds write flaw was found in the way the     Apple Magic Mouse/Trackpad multi-touch driver handled     Human Interface Device (HID) reports with an invalid     size. An attacker with physical access to the system     could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-3181i1/4%0

  - A use-after-free flaw was found in the way the Linux     kernel's key management subsystem handled keyring     object reference counting in certain error path of the     join_session_keyring() function. A local, unprivileged     user could use this flaw to escalate their privileges     on the system.(CVE-2016-0728i1/4%0

  - Use-after-free vulnerability in the skb_segment     function in net/core/skbuff.c in the Linux kernel     through 3.13.6 allows attackers to obtain sensitive     information from kernel memory by leveraging the     absence of a certain orphaning     operation.(CVE-2014-0131i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
125615	OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0022)	Nessus	OracleVM Local Security Checks	medium
125235	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4642)	Nessus	Oracle Linux Local Security Checks	medium
124980	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1527)	Nessus	Huawei Local Security Checks	critical

CVE-2015-5327

MEDIUM

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

medium

medium

critical