http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=eda98796aff0d9bf41094b06811f5def3b4c333c

openSUSE-SU-2016:1008

[oss-security] 20151021 Re: CVE Request: Linux Kernel ioctl infoleaks on vivid-osd and dgnc

77317

1034893

USN-2842-1

USN-2842-2

USN-2843-1

USN-2843-2

USN-2843-3

https://bugzilla.redhat.com/show_bug.cgi?id=1274726

https://github.com/torvalds/linux/commit/eda98796aff0d9bf41094b06811f5def3b4c333c

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A memory corruption flaw was found in the way the USB     ConnectTech WhiteHEAT serial driver processed     completion commands sent via USB Request Blocks     buffers. An attacker with physical access to the system     could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-3185)

  - Use-after-free vulnerability in the msm_set_crop     function in drivers/media/video/msm/msm_camera.c in the     MSM-Camera driver for the Linux kernel 3.x, as used in     Qualcomm Innovation Center (QuIC) Android contributions     for MSM devices and other products, allows attackers to     gain privileges or cause a denial of service (memory     corruption) via an application that makes a crafted     ioctl call.(CVE-2015-0568)

  - The vivid_fb_ioctl function in     drivers/media/platform/vivid/vivid-osd.c in the Linux     kernel through 4.3.3 does not initialize a certain     structure member, which allows local users to obtain     sensitive information from kernel memory via a crafted     application.(CVE-2015-7884)

  - The usb_get_bos_descriptor function in     drivers/usb/core/config.c in the Linux kernel can allow     a local users to cause a denial of service     (out-of-bounds read and system crash) or possibly have     unspecified other impact via a crafted USB     device.(CVE-2017-16535)

  - The ACPI parsing functionality in the Linux kernel does     not flush the node and node_ext caches which causes a     kernel stack dump. This allows local users to obtain     sensitive information from kernel memory and use this     information to bypass the KASLR protection mechanism by     creating and applying crafted ACPI     table.(CVE-2017-13694)

  - The is_ashmem_file function in     drivers/staging/android/ashmem.c in a certain Qualcomm     Innovation Center (QuIC) Android patch for the Linux     kernel 3.x mishandles pointer validation within the     KGSL Linux Graphics Module, which allows attackers to     bypass intended access restrictions by using the     /ashmem string as the dentry name.(CVE-2016-5340)

  - It was found that the Linux kernel did not properly     account file descriptors passed over the unix socket     against the process limit. A local user could use this     flaw to exhaust all available memory on the     system.(CVE-2013-4312)

  - Kernel memory corruption due to a buffer overflow was     found in brcmf_cfg80211_mgmt_tx() function in Linux     kernels from v3.9-rc1 to v4.13-rc1. The vulnerability     can be triggered by sending a crafted NL80211_CMD_FRAME     packet via netlink. This flaw is unlikely to be     triggered remotely as certain userspace code is needed     for this. An unprivileged local user could use this     flaw to induce kernel memory corruption on the system,     leading to a crash. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although it is unlikely.(CVE-2017-7541)

  - A flaw in the netback module allowed frontends to     control mapping of requests to request queues. An     attacker can change this mapping by requesting invalid     mapping requests allowing the (usually privileged)     backend to access out-of-bounds memory access for     reading and writing.(CVE-2018-15471)

  - A buffer overflow vulnerability due to a lack of input     filtering of incoming fragmented datagrams was found in     the IP-over-1394 driver firewire-net in a fragment     handling code in the Linux kernel. The vulnerability     exists since firewire supported IPv4, i.e. since     version 2.6.31 (year 2009) till version v4.9-rc4. A     maliciously formed fragment with a respectively large     datagram offset would cause a memcpy() past the     datagram buffer, which would cause a system panic or     possible arbitrary code execution.The flaw requires     firewire-net module to be loaded and is remotely     exploitable from connected firewire devices, but not     over a local network.(CVE-2016-8633)

  - It was found that the Linux kernel can hit a BUG_ON()     statement in the __xfs_get_blocks() in the     fs/xfs/xfs_aops.c because of a race condition between     direct and memory-mapped I/O associated with a hole in     a file that is handled with BUG_ON() instead of an I/O     failure. This allows a local unprivileged attacker to     cause a system crash and a denial of     service.(CVE-2016-10741)

  - A vulnerability was found in the Linux kernel. The     pointer to the netlink socket attribute is not checked,     which could cause a null pointer dereference when     parsing the nested attributes in function     tipc_nl_publ_dump(). This allows local users to cause a     DoS.(CVE-2016-4951)

  - It was reported that with Linux kernel, earlier than     version v4.10-rc8, an application may trigger a BUG_ON     in sctp_wait_for_sndbuf if the socket tx buffer is     full, a thread is waiting on it to queue more data, and     meanwhile another thread peels off the association     being used by the first thread.(CVE-2017-5986)

  - The kvm_vm_ioctl_check_extension function in     arch/powerpc/kvm/powerpc.c in the Linux kernel before     4.13.11 allows local users to cause a denial of service     (NULL pointer dereference and system crash) via a     KVM_CHECK_EXTENSION KVM_CAP_PPC_HTM ioctl call to     /dev/kvm.(CVE-2017-15306)

  - A flaw was found in the way the Linux kernel's 32-bit     emulation implementation handled forking or closing of     a task with an 'int80' entry. A local user could     potentially use this flaw to escalate their privileges     on the system.(CVE-2015-2830)

  - A flaw was found in the way the Linux kernel's SCTP     implementation validated INIT chunks when performing     Address Configuration Change (ASCONF). A remote     attacker could use this flaw to crash the system by     sending a specially crafted SCTP packet to trigger a     NULL pointer dereference on the system.(CVE-2014-7841)

  - A race condition issue leading to a use-after-free flaw     was found in the way the raw packet sockets are     implemented in the Linux kernel networking subsystem     handling synchronization. A local user able to open a     raw packet socket (requires the CAP_NET_RAW capability)     can use this issue to crash the     system.(CVE-2017-1000111)

  - A flaw was found in the way the Linux kernel performed     forking inside of a transaction. A local, unprivileged     user on a PowerPC system that supports transactional     memory could use this flaw to crash the     system.(CVE-2014-2673)

  - The hashbin_delete function in net/irda/irqueue.c in     the Linux kernel improperly manages lock dropping,     which allows local users to cause a denial of service     (deadlock) via crafted operations on IrDA     devices.(CVE-2017-6348)

  - An out-of-bounds flaw was found in the kernel, where     the length of the sockaddr parameter was not checked in     the pptp_bind() and pptp_connect() functions. As a     result, more kernel memory was copied out than     required, leaking information from the kernel stack     (including kernel addresses). A local system user could     exploit this flaw to bypass kernel ASLR or leak other     information.(CVE-2015-8569)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE Leap 42.1 kernel was updated to 4.1.20 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2015-1339: A memory leak in cuse could be used to     exhaust kernel memory. (bsc#969356).

  - CVE-2015-7799: The slhc_init function in     drivers/net/slip/slhc.c in the Linux kernel did not     ensure that certain slot numbers are valid, which     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     PPPIOCSMAXCID ioctl call (bnc#949936 951638).

  - CVE-2015-7872: The key_gc_unused_keys function in     security/keys/gc.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) via crafted     keyctl commands (bnc#951440).

  - CVE-2015-7884: The vivid_fb_ioctl function in     drivers/media/platform/vivid/vivid-osd.c in the Linux     kernel did not initialize a certain structure member,     which allowed local users to obtain sensitive     information from kernel memory via a crafted application     (bnc#951626).

  - CVE-2015-8104: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (host OS panic or hang) by triggering many #DB (aka     Debug) exceptions, related to svm.c (bnc#954404).

  - CVE-2015-8709: kernel/ptrace.c in the Linux kernel     mishandled uid and gid mappings, which allowed local     users to gain privileges by establishing a user     namespace, waiting for a root process to enter that     namespace with an unsafe uid or gid, and then using the     ptrace system call. NOTE: the vendor states 'there is no     kernel bug here (bnc#959709).

  - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux     kernel did not properly manage the relationship between     a lock and a socket, which allowed local users to cause     a denial of service (deadlock) via a crafted sctp_accept     call. (bsc#961509)

  - CVE-2015-8785: The fuse_fill_write_pages function in     fs/fuse/file.c in the Linux kernel allowed local users     to cause a denial of service (infinite loop) via a     writev system call that triggers a zero length for the     first segment of an iov (bnc#963765).

  - CVE-2015-8787: The nf_nat_redirect_ipv4 function in     net/netfilter/nf_nat_redirect.c in the Linux kernel     allowed remote attackers to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact by sending certain IPv4     packets to an incompletely configured interface, a     related issue to CVE-2003-1604 (bnc#963931).

  - CVE-2015-8812: A flaw was found in the CXGB3 kernel     driver when the network was considered congested. The     kernel would incorrectly misinterpret the congestion as     an error condition and incorrectly free/clean up the     skb. When the device would then send the skb's queued,     these structures would be referenced and may panic the     system or allow an attacker to escalate privileges in a     use-after-free scenario. (bsc#966437).

  - CVE-2016-0723: Race condition in the tty_ioctl function     in drivers/tty/tty_io.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory or cause a denial of service (use-after-free and     system crash) by making a TIOCGETD ioctl call during     processing of a TIOCSETD ioctl call (bnc#961500).

  - CVE-2016-2069: When Linux invalidated a paging structure     that is not in use locally, it could, in principle, race     against another CPU that is switching to a process that     uses the paging structure in question. (bsc#963767)

  - CVE-2016-2184: A malicious USB device could cause a     kernel crash in the alsa usb-audio driver. (bsc#971125)

  - CVE-2016-2383: Incorrect branch fixups for eBPF allow     arbitrary read of kernel memory. (bsc#966684)

  - CVE-2016-2384: A malicious USB device could cause a     kernel crash in the alsa usb-audio driver. (bsc#966693)

The following non-security bugs were fixed :

  - alsa: hda - Apply clock gate workaround to Skylake, too     (bsc#966137).

  - alsa: hda - disable dynamic clock gating on Broxton     before reset (bsc#966137).

  - alsa: hda - Fix playback noise with 24/32 bit sample     size on BXT (bsc#966137).

  - alsa: seq: Fix double port list deletion (bsc#968018).

  - alsa: seq: Fix leak of pool buffer at concurrent writes     (bsc#968018).

  - alsa: timer: Fix race between stop and interrupt     (bsc#968018).

  - alsa: timer: Fix wrong instance passed to slave     callbacks (bsc#968018).

  - arm64: Add workaround for Cavium erratum 27456.

  - arm64: Backport arm64 patches from SLE12-SP1-ARM

  - btrfs: teach backref walking about backrefs with     underflowed (bsc#966259).

  - cgroup kabi fix for 4.1.19.

  - config: Disable CONFIG_DDR. CONFIG_DDR is selected     automatically by drivers which need it.

  - config: Disable MFD_TPS65218 The TPS65218 is a power     management IC for 32-bit ARM systems.

  - config: Modularize NF_REJECT_IPV4/V6 There is no reason     why these helper modules should be built-in when the     rest of netfilter is built as modules.

  - config: Update x86 config files: Enable Intel RAPL This     driver is useful when power caping is needed. It was     enabled in the SLE kernel 2 years ago.

  - Delete patches.fixes/bridge-module-get-put.patch. As     discussed in     http://lists.opensuse.org/opensuse-kernel/2015-11/msg000     46.html

  - drm/i915: Fix double unref in intelfb_alloc failure path     (boo#962866, boo#966179).

  - drm/i915: Fix failure paths around initial fbdev     allocation (boo#962866, boo#966179).

  - drm/i915: Pin the ifbdev for the info->system_base GGTT     mmapping (boo#962866, boo#966179).

  - e1000e: Avoid divide by zero error (bsc#965125).

  - e1000e: fix division by zero on jumbo MTUs (bsc#965125).

  - e1000e: fix systim issues (bsc#965125).

  - e1000e: Fix tight loop implementation of systime read     algorithm (bsc#965125).

  - ibmvnic: Fix ibmvnic_capability struct.

  - intel: Disable Skylake support in intel_idle driver     again (boo#969582) This turned out to bring a regression     on some machines, unfortunately. It should be addressed     in the upstream at first.

  - intel_idle: allow idle states to be freeze-mode specific     (boo#969582).

  - intel_idle: Skylake Client Support (boo#969582).

  - intel_idle: Skylake Client Support - updated     (boo#969582).

  - libceph: fix scatterlist last_piece calculation     (bsc#963746).

  - lio: Add LIO clustered RBD backend (fate#318836)

  - net kabi fixes for 4.1.19.

  - numa patches updated to v15

  - ocfs2: fix dlmglue deadlock issue(bnc#962257)

  - pci: thunder: Add driver for ThunderX-pass{1,2} on-chip     devices

  - pci: thunder: Add PCIe host driver for ThunderX     processors

  - sd: Optimal I/O size is in bytes, not sectors     (boo#961263).

  - sd: Reject optimal transfer length smaller than page     size (boo#961263).

  - series.conf: move cxgb3 patch to network drivers section

Guoyong Gang discovered that the ppp implementation in the Linux kernel did not ensure that certain slot numbers are valid. A local attacker with the privilege to call ioctl() on /dev/ppp could cause a denial of service (system crash). (CVE-2015-7799)

Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2015-7872)

It was discovered that the virtual video osd test driver in the Linux kernel did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel.
(CVE-2015-7884)

It was discovered that the driver for Digi Neo and ClassicBoard devices did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel.
(CVE-2015-7885).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.
(CVE-2015-8104)

Guoyong Gang discovered that the ppp implementation in the Linux kernel did not ensure that certain slot numbers are valid. A local attacker with the privilege to call ioctl() on /dev/ppp could cause a denial of service (system crash). (CVE-2015-7799)

Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2015-7872)

It was discovered that the virtual video osd test driver in the Linux kernel did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel.
(CVE-2015-7884)

It was discovered that the driver for Digi Neo and ClassicBoard devices did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel.
(CVE-2015-7885).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS.
(CVE-2015-8104)

Guoyong Gang discovered that the ppp implementation in the Linux kernel did not ensure that certain slot numbers are valid. A local attacker with the privilege to call ioctl() on /dev/ppp could cause a denial of service (system crash). (CVE-2015-7799)

It was discovered that the virtual video osd test driver in the Linux kernel did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel.
(CVE-2015-7884)

It was discovered that the driver for Digi Neo and ClassicBoard devices did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel.
(CVE-2015-7885).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124970	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1517)	Nessus	Huawei Local Security Checks	high
90482	openSUSE Security Update : the Linux Kernel (openSUSE-2016-445)	Nessus	SuSE Local Security Checks	critical
87498	Ubuntu 15.10 : linux-raspi2 vulnerabilities (USN-2843-3)	Nessus	Ubuntu Local Security Checks	medium
87497	Ubuntu 14.04 LTS : linux-lts-wily vulnerabilities (USN-2843-2)	Nessus	Ubuntu Local Security Checks	medium
87470	Ubuntu 15.10 : linux vulnerabilities (USN-2843-1)	Nessus	Ubuntu Local Security Checks	medium
87469	Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-2842-2)	Nessus	Ubuntu Local Security Checks	medium
87468	Ubuntu 15.04 : linux vulnerabilities (USN-2842-1)	Nessus	Ubuntu Local Security Checks	medium

CVE-2015-7884

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins