http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=744692dc059845b2a3022119871846e74d4f6e11

http://mirror.linux.org.au/linux/kernel/v2.6/ChangeLog-2.6.34

RHSA-2016:0855

[oss-security] 20151123 CVE request -- linux kernel: Null pointer dereference when mounting ext4 filesystem

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

https://bugzilla.redhat.com/show_bug.cgi?id=1267261

https://github.com/torvalds/linux/commit/744692dc059845b2a3022119871846e74d4f6e11

Security Fix(es) :

  - It was found that reporting emulation failures to user     space could lead to either a local (CVE-2014-7842) or a     L2->L1 (CVE-2010-5313) denial of service. In the case of     a local denial of service, an attacker must have access     to the MMIO area or be able to access an I/O port.
    Please note that on certain systems, HPET is mapped to     userspace as part of vdso (vvar) and thus an     unprivileged user may generate MMIO transactions (and     enter the emulator) this way. (CVE-2010-5313,     CVE-2014-7842, Moderate)

  - It was found that the Linux kernel did not properly     account file descriptors passed over the unix socket     against the process limit. A local user could use this     flaw to exhaust all available memory on the system.
    (CVE-2013-4312, Moderate)

  - A buffer overflow flaw was found in the way the Linux     kernel's virtio- net subsystem handled certain fraglists     when the GRO (Generic Receive Offload) functionality was     enabled in a bridged network configuration. An attacker     on the local network could potentially use this flaw to     crash the system, or, although unlikely, elevate their     privileges on the system. (CVE-2015-5156, Moderate)

  - It was found that the Linux kernel's IPv6 network stack     did not properly validate the value of the MTU variable     when it was set. A remote attacker could potentially use     this flaw to disrupt a target system's networking     (packet loss) by setting an invalid MTU value, for     example, via a NetworkManager daemon that is processing     router advertisement packets running on the target     system. (CVE-2015-8215, Moderate)

  - A NULL pointer dereference flaw was found in the way the     Linux kernel's network subsystem handled socket creation     with an invalid protocol identifier. A local user could     use this flaw to crash the system. (CVE-2015-8543,     Moderate)

  - It was found that the espfix functionality does not work     for 32-bit KVM paravirtualized guests. A local,     unprivileged guest user could potentially use this flaw     to leak kernel stack addresses. (CVE-2014-8134, Low)

  - A flaw was found in the way the Linux kernel's ext4 file     system driver handled non-journal file systems with an     orphan list. An attacker with physical access to the     system could use this flaw to crash the system or,     although unlikely, escalate their privileges on the     system. (CVE-2015-7509, Low)

  - A NULL pointer dereference flaw was found in the way the     Linux kernel's ext4 file system driver handled certain     corrupted file system images. An attacker with physical     access to the system could use this flaw to crash the     system. (CVE-2015-8324, Low)

Notes :

  - Problems have been reported with this kernel and     VirtualBox. More info is available in the notes for the     VirtualBox ticket here: <a     href='https://www.virtualbox.org/ticket/14866'     target='_blank'>https://www.virtualbox.org/ticket/14866<     /a>

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2016-3567 advisory.

  - The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of     service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to     net/unix/af_unix.c and net/unix/garbage.c. (CVE-2013-4312)

  - net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel before 4.0 does not validate attempted changes     to the MTU value, which allows context-dependent attackers to cause a denial of service (packet loss) via     a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface,     as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different     vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager     product. (CVE-2015-8215)

  - The ext4 implementation in the Linux kernel before 2.6.34 does not properly track the initialization of     certain data structures, which allows physically proximate attackers to cause a denial of service (NULL     pointer dereference and panic) via a crafted USB device, related to the ext4_fill_super function.
    (CVE-2015-8324)

  - The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products,     does not validate protocol identifiers for certain protocol families, which allows local users to cause a     denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by     leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application. (CVE-2015-8543)

  - fs/ext4/namei.c in the Linux kernel before 3.7 allows physically proximate attackers to cause a denial of     service (system crash) via a crafted no-journal filesystem, a related issue to CVE-2013-2015.
    (CVE-2015-7509)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2016-0855 advisory.

  - The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper     paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the     ASLR protection mechanism via a crafted application that reads a 16-bit value. (CVE-2014-8134)

  - The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel before 4.2 attempts to support     a FRAGLIST feature without proper memory allocation, which allows guest OS users to cause a denial of     service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets.
    (CVE-2015-5156)

  - Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a     denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure     report, a similar issue to CVE-2014-7842. (CVE-2010-5313)

  - Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 allows guest OS users to cause a     denial of service (guest OS crash) via a crafted application that performs an MMIO transaction or a PIO     transaction to trigger a guest userspace emulation error report, a similar issue to CVE-2010-5313.
    (CVE-2014-7842)

  - The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of     service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to     net/unix/af_unix.c and net/unix/garbage.c. (CVE-2013-4312)

  - net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel before 4.0 does not validate attempted changes     to the MTU value, which allows context-dependent attackers to cause a denial of service (packet loss) via     a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface,     as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different     vulnerability than CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is limited to the NetworkManager     product. (CVE-2015-8215)

  - The ext4 implementation in the Linux kernel before 2.6.34 does not properly track the initialization of     certain data structures, which allows physically proximate attackers to cause a denial of service (NULL     pointer dereference and panic) via a crafted USB device, related to the ext4_fill_super function.
    (CVE-2015-8324)

  - The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products,     does not validate protocol identifiers for certain protocol families, which allows local users to cause a     denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by     leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application. (CVE-2015-8543)

  - fs/ext4/namei.c in the Linux kernel before 3.7 allows physically proximate attackers to cause a denial of     service (system crash) via a crafted no-journal filesystem, a related issue to CVE-2013-2015.
    (CVE-2015-7509)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for kernel is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* It was found that reporting emulation failures to user space could lead to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of service. In the case of a local denial of service, an attacker must have access to the MMIO area or be able to access an I/O port. Please note that on certain systems, HPET is mapped to userspace as part of vdso (vvar) and thus an unprivileged user may generate MMIO transactions (and enter the emulator) this way. (CVE-2010-5313, CVE-2014-7842, Moderate)

* It was found that the Linux kernel did not properly account file descriptors passed over the unix socket against the process limit. A local user could use this flaw to exhaust all available memory on the system. (CVE-2013-4312, Moderate)

* A buffer overflow flaw was found in the way the Linux kernel's virtio-net subsystem handled certain fraglists when the GRO (Generic Receive Offload) functionality was enabled in a bridged network configuration. An attacker on the local network could potentially use this flaw to crash the system, or, although unlikely, elevate their privileges on the system. (CVE-2015-5156, Moderate)

* It was found that the Linux kernel's IPv6 network stack did not properly validate the value of the MTU variable when it was set. A remote attacker could potentially use this flaw to disrupt a target system's networking (packet loss) by setting an invalid MTU value, for example, via a NetworkManager daemon that is processing router advertisement packets running on the target system. (CVE-2015-8215, Moderate)

* A NULL pointer dereference flaw was found in the way the Linux kernel's network subsystem handled socket creation with an invalid protocol identifier. A local user could use this flaw to crash the system. (CVE-2015-8543, Moderate)

* It was found that the espfix functionality does not work for 32-bit KVM paravirtualized guests. A local, unprivileged guest user could potentially use this flaw to leak kernel stack addresses.
(CVE-2014-8134, Low)

* A flaw was found in the way the Linux kernel's ext4 file system driver handled non-journal file systems with an orphan list. An attacker with physical access to the system could use this flaw to crash the system or, although unlikely, escalate their privileges on the system. (CVE-2015-7509, Low)

* A NULL pointer dereference flaw was found in the way the Linux kernel's ext4 file system driver handled certain corrupted file system images. An attacker with physical access to the system could use this flaw to crash the system. (CVE-2015-8324, Low)

Red Hat would like to thank Nadav Amit for reporting CVE-2010-5313 and CVE-2014-7842, Andy Lutomirski for reporting CVE-2014-8134, and Dmitriy Monakhov (OpenVZ) for reporting CVE-2015-8324. The CVE-2015-5156 issue was discovered by Jason Wang (Red Hat).

Additional Changes :

* Refer to Red Hat Enterprise Linux 6.8 Release Notes for information on new kernel features and known issues, and Red Hat Enterprise Linux Technical Notes for information on device driver updates, important changes to external kernel parameters, notable bug fixes, and technology previews. Both of these documents are linked to in the References section.

This update fixes the CVEs described below.

CVE-2013-7446

Dmitry Vyukov discovered that a particular sequence of valid operations on local (AF_UNIX) sockets can result in a use-after-free.
This may be used to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2015-7799

&#x90ED;&#x6C38;&#x521A; discovered that a user granted access to /dev/ppp can cause a denial of service (crash) by passing invalid parameters to the PPPIOCSMAXCID ioctl. This also applies to ISDN PPP device nodes.

CVE-2015-7833

Sergej Schumilo, Hendrik Schwartke and Ralf Spenneberg discovered a flaw in the processing of certain USB device descriptors in the usbvision driver. An attacker with physical access to the system can use this flaw to crash the system.

CVE-2015-7990

It was discovered that the fix for CVE-2015-6937 was incomplete. A race condition when sending a message on unbound socket can still cause a NULL pointer dereference. A remote attacker might be able to cause a denial of service (crash) by sending a crafted packet.

CVE-2015-8324

'Valintinr' reported that an attempt to mount a corrupted ext4 filesystem may result in a kernel panic. A user permitted to mount filesystems could use this flaw to crash the system.

For the oldoldstable distribution (squeeze), these problems have been fixed in version 2.6.32-48squeeze17. We recommend that you upgrade your linux-2.6 packages.

For the oldstable (wheezy) and stable (jessie) distributions, CVE-2015-7833, CVE-2015-7990 and CVE-2015-8324 have been fixed and the other issues will be fixed soon.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
91643	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20160510)	Nessus	Scientific Linux Local Security Checks	high
91293	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3567)	Nessus	Oracle Linux Local Security Checks	high
91210	Oracle Linux 6 : kernel (ELSA-2016-0855)	Nessus	Oracle Linux Local Security Checks	high
91170	CentOS 6 : kernel (CESA-2016:0855)	Nessus	CentOS Local Security Checks	high
91077	RHEL 6 : kernel (RHSA-2016:0855)	Nessus	Red Hat Local Security Checks	high
87265	Debian DLA-360-1 : linux-2.6 security update	Nessus	Debian Local Security Checks	medium

CVE-2015-8324

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

medium