http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dd504589577d8e8e70f51f997ad487a4cb6c026f

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.2

[oss-security] 20161104 Re: CVE request -- linux kernel: crypto: GPF in lrw_crypt caused by null-deref

94217

RHSA-2017:1842

RHSA-2017:2077

RHSA-2017:2437

RHSA-2017:2444

https://bugzilla.redhat.com/show_bug.cgi?id=1386286

https://github.com/torvalds/linux/commit/dd504589577d8e8e70f51f997ad487a4cb6c026f

https://groups.google.com/forum/#!msg/syzkaller/frb2XrB5aWk/xCXzkIBcDAAJ

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):A buffer overflow was     discovered in tpacket_rcv() function in the Linux     kernel since v4.6-rc1 through v4.13. A number of     socket-related syscalls can be made to set up a     configuration when each packet received by a network     interface can cause writing up to 10 bytes to a kernel     memory outside of a kernel buffer. This can cause     unspecified kernel data corruption effects, including     damage of in-memory and on-disk XFS     data.(CVE-2017-14497)The qmi_wwan_bind function in     driverset/usb/qmi_wwan.c in the Linux kernel through     4.13.11 allows local users to cause a denial of service     (divide-by-zero error and system crash) or possibly     have unspecified other impact via a crafted USB     device.(CVE-2017-16650)A race condition flaw was found     in the way the Linux kernel's SCTP implementation     handled sctp_accept() during the processing of     heartbeat timeout events. A remote attacker could use     this flaw to prevent further connections to be accepted     by the SCTP server running on the system, resulting in     a denial of service.(CVE-2015-8767)A race condition     flaw was found in the way the Linux kernel's KVM     subsystem handled PIT (Programmable Interval Timer)     emulation. A guest user who has access to the PIT I/O     ports could use this flaw to crash the     host.(CVE-2014-3611)The Linux kernel is vulnerable to a     memory leak in the     driverset/wireless/mac80211_hwsim.c:hwsim_new_radio_nl(     ) function. An attacker could exploit this to cause a     potential denial of service.(CVE-2018-8087)An integer     underflow flaw was found in the way the Linux kernel's     Stream Control Transmission Protocol (SCTP)     implementation processed certain COOKIE_ECHO packets.
    By sending a specially crafted SCTP packet, a remote     attacker could use this flaw to prevent legitimate     connections to a particular SCTP server socket to be     made.(CVE-2014-4667)The cx231xx_usb_probe function in     drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux     kernel through 4.13.11 allows local users to cause a     denial of service (NULL pointer dereference and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16536)The     snd_usb_create_streams function in sound/usb/card.c in     the Linux kernel, before 4.13.6, allows local users to     cause a denial of service (out-of-bounds read and     system crash) or possibly have unspecified other impact     via a crafted USB device.(CVE-2017-16529)A flaw was     found in the Linux kernel's random number generator     API. A null pointer dereference in the rngapi_reset     function may result in denial of service, crashing the     system.(CVE-2017-15116)The __netlink_deliver_tap_skb     function in netetlink/af_netlink.c in the Linux kernel,     through 4.14.4, does not restrict observations of     Netlink messages to a single net namespace, when     CONFIG_NLMON is enabled. This allows local users to     obtain sensitive information by leveraging the     CAP_NET_ADMIN capability to sniff an nlmon interface     for all Netlink activity on the     system.(CVE-2017-17449)arch/arm64/kernel/perf_event.c     in the Linux kernel before 4.1 on arm64 platforms     allows local users to gain privileges or cause a denial     of service (invalid pointer dereference) via vectors     involving events that are mishandled during a span of     multiple HW PMUs.(CVE-2015-8955)The aac_compat_ioctl     function in drivers/scsi/aacraid/linit.c in the Linux     kernel before 3.11.8 does not require the CAP_SYS_RAWIO     capability, which allows local users to bypass intended     access restrictions via a crafted ioctl     call.(CVE-2013-6383)Linux kernel before version     4.16-rc7 is vulnerable to a null pointer dereference in     dccp_write_xmit() function in net/dccp/output.c in that     allows a local user to cause a denial of service by a     number of certain crafted system     calls.(CVE-2018-1130)The Linux kernel is vulerable to a     use-after-free flaw when Transformation User     configuration interface(CONFIG_XFRM_USER) compile-time     configuration were enabled. This vulnerability occurs     while closing a xfrm netlink socket in     xfrm_dump_policy_done. A user/process could abuse this     flaw to potentially escalate their privileges on a     system.(CVE-2017-16939)A vulnerability was found in the     Linux kernel in function rds_inc_info_copy of file     net/rds/recv.c. The last field 'flags' of object     'minfo' is not initialized. This can leak data     previously at the flags location to     userspace.(CVE-2016-5244)A flaw was found in the     kernel's ACPI interpreter when it does not flush the     operand cache and causes a kernel stack dump. This     allows local users to obtain sensitive information from     kernel memory and bypass the KASLR protection     mechanism.(CVE-2017-13693)It was found that     kernel/events/core.c in the Linux kernel mishandles     counter grouping, which allows local users to gain     privileges via a crafted application, related to the     perf_pmu_register and perf_event_open     functions.(CVE-2015-9004)The xfs_bmap_extents_to_btree     function in fs/xfs/libxfs/xfs_bmap.c in the Linux     kernel through 4.16.3 allows local users to cause a     denial of service (xfs_bmapi_write NULL pointer     dereference) via a crafted xfs     image.(CVE-2018-10323)The lrw_crypt() function in     'crypto/lrw.c' in the Linux kernel before 4.5 allows     local users to cause a system crash and a denial of     service by the NULL pointer dereference via accept(2)     system call for AF_ALG socket without calling setkey()     first to set a cipher key.(CVE-2015-8970)The IPv6     fragmentation implementation in the Linux kernel does     not consider that the nexthdr field may be associated     with an invalid option, which allows local users to     cause a denial of service (out-of-bounds read and BUG)     or possibly have unspecified other impact via crafted     socket and send system calls. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9074)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An information-leak vulnerability was found in the     kernel when it truncated a file to a smaller size which     consisted of an inline extent that was compressed. The     data between the new file size and the old file size     was not discarded and the number of bytes used by the     inode were not correctly decremented, which gave the     wrong report for callers of the stat(2) syscall. This     wasted metadata space and allowed for the truncated     data to be leaked, and data corruption or loss to     occur. A caller of the clone ioctl could exploit this     flaw by using only standard file-system operations     without root access to read the truncated     data.(CVE-2015-8374)

  - A flaw was found in the Linux kernel's key management     system where it was possible for an attacker to     escalate privileges or crash the machine. If a user key     gets negatively instantiated, an error code is cached     in the payload area. A negatively instantiated key may     be then be positively instantiated by updating it with     valid data. However, the -i1/4zupdate key type method     must be aware that the error code may be     there.(CVE-2015-8539)

  - A NULL pointer dereference flaw was found in the way     the Linux kernel's network subsystem handled socket     creation with an invalid protocol identifier. A local     user could use this flaw to crash the     system.(CVE-2015-8543)

  - An out-of-bounds flaw was found in the kernel, where     the length of the sockaddr parameter was not checked in     the pptp_bind() and pptp_connect() functions. As a     result, more kernel memory was copied out than     required, leaking information from the kernel stack     (including kernel addresses). A local system user could     exploit this flaw to bypass kernel ASLR or leak other     information.(CVE-2015-8569)

  - An out-of-bounds flaw was found in the kernel, where     the sco_sock_bind() function (bluetooth/sco) did not     check the length of its sockaddr parameter. As a     result, more kernel memory was copied out than     required, leaking information from the kernel stack     (including kernel addresses). A local user could     exploit this flaw to bypass kernel ASLR or leak other     information.(CVE-2015-8575)

  - The ovl_setattr function in fs/overlayfs/inode.c in the     Linux kernel through 4.3.3 attempts to merge distinct     setattr operations, which allows local users to bypass     intended access restrictions and modify the attributes     of arbitrary overlay files via a crafted     application.(CVE-2015-8660)

  - A NULL pointer dereference flaw was found in the Linux     kernel: the NFSv4.2 migration code improperly     initialized the kernel structure. A local,     authenticated user could use this flaw to cause a panic     of the NFS client (denial of service).(CVE-2015-8746)

  - A race condition flaw was found in the way the Linux     kernel's SCTP implementation handled sctp_accept()     during the processing of heartbeat timeout events. A     remote attacker could use this flaw to prevent further     connections to be accepted by the SCTP server running     on the system, resulting in a denial of     service.(CVE-2015-8767)

  - An infinite-loop flaw was found in the kernel. When a     local user calls the sys_writev syscall with a     specially crafted sequence of iov structs, the     fuse_fill_write_pages kernel function might never     terminate, instead continuing in a tight loop. This     process cannot be terminated and requires a     reboot.(CVE-2015-8785)

  - A NULL-pointer dereference vulnerability was found in     the Linux kernel's TCP stack, in     net/netfilter/nf_nat_redirect.c in the     nf_nat_redirect_ipv4() function. A remote,     unauthenticated user could exploit this flaw to create     a system crash (denial of service).(CVE-2015-8787)

  - A use-after-free flaw was found in the CXGB3 kernel     driver when the network was considered to be congested.
    The kernel incorrectly misinterpreted the congestion as     an error condition and incorrectly freed or cleaned up     the socket buffer (skb). When the device then sent the     skb's queued data, these structures were referenced. A     local attacker could use this flaw to panic the system     (denial of service) or, with a local account, escalate     their privileges.(CVE-2015-8812)

  - The hub_activate function in drivers/usb/core/hub.c in     the Linux kernel before 4.3.5 does not properly     maintain a hub-interface data structure, which allows     physically proximate attackers to cause a denial of     service (invalid memory access and system crash) or     possibly have unspecified other impact by unplugging a     USB hub device.(CVE-2015-8816)

  - The ioresources_init function in kernel/resource.c in     the Linux kernel through 4.7, as used in Android before     2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak     permissions for /proc/iomem, which allows local users     to obtain sensitive information by reading this file,     aka Android internal bug 28814213 and Qualcomm internal     bug CR786116. NOTE: the permissions may be intentional     in most non-Android contexts.(CVE-2015-8944)

  - 'A flaw was found in the Linux kernel's implementation     of overlayfs. An attacker can leak file resources in     the system by opening a large file with write     permissions on a overlay filesystem that is     insufficient to deal with the size of the write.

  - When unmounting the underlying device, the system is     unable to free an inode and this will consume     resources. Repeating this for all available inodes and     memory will create a denial of service     situation.(CVE-2015-8953)'

  - The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel before     4.2 allows local users to obtain sensitive information     or cause a denial of service (NULL pointer dereference)     via vectors involving a bind system call on a Bluetooth     RFCOMM socket.(CVE-2015-8956)

  - A flaw was found in the ext4 subsystem. This     vulnerability is a use after free vulnerability was     found in __ext4_journal_stop(). Attackers could abuse     this to allow any code which attempts to deal with the     journal failure to be mishandled or not fail at all.
    This could lead to data corruption or     crashes.(CVE-2015-8961)

  - A flaw was found in the Linux kernel SCSI subsystem,     which allowed a local user to gain privileges or cause     a denial of service (memory corruption and system     crash) by issuing an SG_IO ioctl call while a device     was being detached.(CVE-2015-8962)

  - Race condition in kernel/events/core.c in the Linux     kernel before 4.4 allows local users to gain privileges     or cause a denial of service via use-after-free     vulnerability by leveraging incorrect handling of an     swevent data structure during a CPU unplug     operation.(CVE-2015-8963)

  - The tty_set_termios_ldisc() function in     'drivers/tty/tty_ldisc.c' in the Linux kernel before     4.5 allows local users to obtain sensitive information     from kernel memory by reading a tty data     structure.(CVE-2015-8964)

  - The lrw_crypt() function in 'crypto/lrw.c' in the Linux     kernel before 4.5 allows local users to cause a system     crash and a denial of service by the NULL pointer     dereference via accept(2) system call for AF_ALG socket     without calling setkey() first to set a cipher     key.(CVE-2015-8970)

  - It was found that kernel/events/core.c in the Linux     kernel mishandles counter grouping, which allows local     users to gain privileges via a crafted application,     related to the perf_pmu_register and perf_event_open     functions.(CVE-2015-9004)

  - A use-after-free flaw was discovered in the Linux     kernel's tty subsystem, which allows for the disclosure     of uncontrolled memory location and possible kernel     panic. The information leak is caused by a race     condition when attempting to set and read the tty line     discipline. A local attacker could use the TIOCSETD     (via tty_set_ldisc ) to switch to a new line discipline     a concurrent call to a TIOCGETD ioctl performing a read     on a given tty could then access previously allocated     memory. Up to 4 bytes could be leaked when querying the     line discipline or the kernel could panic with a     NULL-pointer dereference.(CVE-2016-0723)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system.
(CVE-2016-10200, Important)

* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges.
(CVE-2017-2647, Important)

* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
(CVE-2017-8797, Important)

This update also fixes multiple Moderate and Low impact security issues :

* CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685

Documentation for these issues is available from the Release Notes document linked from the References section.

Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat).

Additional Changes :

For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

Security Fix(es) :

  - An use-after-free flaw was found in the Linux kernel     which enables a race condition in the L2TPv3 IP     Encapsulation feature. A local user could use this flaw     to escalate their privileges or crash the system.
    (CVE-2016-10200, Important)

  - A flaw was found that can be triggered in     keyring_search_iterator in keyring.c if type->match is     NULL. A local user could use this flaw to crash the     system or, potentially, escalate their privileges.
    (CVE-2017-2647, Important)

  - It was found that the NFSv4 server in the Linux kernel     did not properly validate layout type when processing     NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A     remote attacker could use this flaw to soft- lockup the     system and thus cause denial of service. (CVE-2017-8797,     Important)

This update also fixes multiple Moderate and Low impact security issues :

  - CVE-2015-8839, CVE-2015-8970, CVE-2016-9576,     CVE-2016-7042, CVE-2016-7097, CVE-2016-8645,     CVE-2016-9576, CVE-2016-9588, CVE-2016-9806,     CVE-2016-10088, CVE-2016-10147, CVE-2017-2596,     CVE-2017-2671, CVE-2017-5970, CVE-2017-6001,     CVE-2017-6951, CVE-2017-7187, CVE-2017-7616,     CVE-2017-7889, CVE-2017-8890, CVE-2017-9074,     CVE-2017-8890, CVE-2017-9075, CVE-2017-8890,     CVE-2017-9076, CVE-2017-8890, CVE-2017-9077,     CVE-2017-9242, CVE-2014-7970, CVE-2014-7975,     CVE-2016-6213, CVE-2016-9604, CVE-2016-9685

The remote Oracle Linux host is missing a security update for the kernel package(s).

An update for kernel-rt is now available for Red Hat Enterprise MRG 2.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* A use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system.
(CVE-2016-10200, Important)

* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges.
(CVE-2017-2647, Important)

* The lrw_crypt() function in 'crypto/lrw.c' in the Linux kernel before 4.5 allows local users to cause a system crash and a denial of service by the NULL pointer dereference via accept(2) system call for AF_ALG socket without calling setkey() first to set a cipher key.
(CVE-2015-8970, Moderate)

Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647 and Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970.

Bug Fix(es) :

* Writing model-specific register (MSR) registers during intel_idle initialization could previously cause exceptions. Consequently, a kernel panic occurred during this initialization. The function call to write to the MSR with exception handling was modified to use wrmsrl_safe() instead of wrmsrl(). In this scenario, the kernel no longer panics. (BZ#1447438)

* The ixgbe driver was using incorrect bitwise operations on received PTP flags. Consequently, systems that were using the ixgbe driver could not synchronize time using PTP. The provided patch corrected the bitwise operations on received PTP flags allowing these system to correctly synchronize time using PTP. (BZ#1469795) (BZ#1451821)

The kernel-rt packages have been upgraded to version 3.10.0-514.rt56.230, which provides a number of security and bug fixes over the previous version. (BZ#1463427)

An update for kernel is now available for Red Hat Enterprise Linux 7.3 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* A use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system.
(CVE-2016-10200, Important)

* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges.
(CVE-2017-2647, Important)

* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
(CVE-2017-8797, Important)

* The lrw_crypt() function in 'crypto/lrw.c' in the Linux kernel before 4.5 allows local users to cause a system crash and a denial of service by the NULL pointer dereference via accept(2) system call for AF_ALG socket without calling setkey() first to set a cipher key.
(CVE-2015-8970, Moderate)

Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647 and Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970.

Bug Fix(es) :

* When running the LPAR with IBM Power 8 SMT8 mode, system performance degradation occurred due to the load getting spread across threads from the same core. The provided patches fix scheduler performance issues and assure the load is spread across cores, thus improving the system performance significantly. (BZ#1434853)

* Upon reboot, the bond slave with some network adapter ports became unresponsive in the backup state and never proceeded to the active state. As a consequence, the bond slave never transmitted any LACP PDU and the bond interface was never produced properly. With this update, the i40e network driver has been fixed for long link-down notification time and the bond slave now transmits LACP PDUs as expected.
(BZ#1446783)

* When attempting to configure two or more Ethernet adapter cards using Virtual Function I/O (VFIO) in the KVM guest, subsequent KVM guests previously failed to boot returning an error message. The provided patch adds the ability of VFIO to support more than one card in the KVM guest environment. (BZ#1447718)

* It is possible to define the CPUs in which unbound kworkers can run by setting a 'mask' in a specific file in the sysfs file system, helping on CPU isolation. However, this setup did not work properly, and unbounded kworkers were being activated on CPUs in which they were set to _NOT_ run. The provided patchset prevents unbound kworkers from being run on CPUs that are masked, thus fixing this bug. (BZ#1458203)

* Due to a regression, the kernel previously failed to create the /sys/block/ /devices/enclosure_device symlinks. The provided patch corrects the call to the scsi_is_sas_rphy() function, which is now made on the SAS end device, instead of the SCSI device. (BZ#1460204)

* Previously, the system panic occurred when running mkfs.ext4 on newly created software RAID1 partitions on SATA SDD drives. The provided patch ensures the ext4 file system is created on the /dev/md0 partition and is mounted there successfully. (BZ#1463359)

From Red Hat Security Advisory 2017:1842 :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system.
(CVE-2016-10200, Important)

* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges.
(CVE-2017-2647, Important)

* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
(CVE-2017-8797, Important)

This update also fixes multiple Moderate and Low impact security issues :

* CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685

Documentation for these issues is available from the Release Notes document linked from the References section.

Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat).

Additional Changes :

For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system.
(CVE-2016-10200, Important)

* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges.
(CVE-2017-2647, Important)

* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
(CVE-2017-8797, Important)

This update also fixes multiple Moderate and Low impact security issues :

* CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685

Documentation for these issues is available from the Release Notes document linked from the References section.

Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat).

Additional Changes :

For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. Notable new features :

  - Toleration of newer crypto hardware for z Systems

  - USB 2.0 Link power management for Haswell-ULT The     following security bugs were fixed :

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579)

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel was too late in     obtaining a certain lock and consequently could not     ensure that disconnect function calls are safe, which     allowed local users to cause a denial of service (panic)     by leveraging access to the protocol value of     IPPROTO_ICMP in a socket system call (bnc#1031003)

  - CVE-2017-7184: The xfrm_replay_verify_len function in     net/xfrm/xfrm_user.c in the Linux kernel did not     validate certain size data after an XFRM_MSG_NEWAE     update, which allowed local users to obtain root     privileges or cause a denial of service (heap-based     out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability (bsc#1030573).

  - CVE-2017-5970: The ipv4_pktinfo_prepare function in     net/ipv4/ip_sockglue.c in the Linux kernel allowed     attackers to cause a denial of service (system crash)     via (1) an application that made crafted system calls or     possibly (2) IPv4 traffic with invalid IP options     (bsc#1024938).

  - CVE-2017-7616: Incorrect error handling in the     set_mempolicy and mbind compat syscalls in     mm/mempolicy.c in the Linux kernel allowed local users     to obtain sensitive information from uninitialized stack     data by triggering failure of a certain bitmap operation     (bsc#1033336).

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440)

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052)

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213)

  - CVE-2017-6348: The hashbin_delete function in     net/irda/irqueue.c in the Linux kernel improperly     managed lock dropping, which allowed local users to     cause a denial of service (deadlock) via crafted     operations on IrDA devices (bnc#1027178)

  - CVE-2017-5669: The do_shmat function in ipc/shm.c in the     Linux kernel did not restrict the address calculated by     a certain rounding operation, which allowed local users     to map page zero, and consequently bypass a protection     mechanism that exists for the mmap system call, by     making crafted shmget and shmat system calls in a     privileged context (bnc#1026914)

  - CVE-2015-3288: mm/memory.c in the Linux kernel     mishandled anonymous pages, which allowed local users to     gain privileges or cause a denial of service (page     tainting) via a crafted application that triggers     writing to page zero (bsc#979021).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415)

  - CVE-2016-5243: The tipc_nl_compat_link_dump function in     net/tipc/netlink_compat.c in the Linux kernel did not     properly copy a certain string, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#983212)

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application (bnc#1027066)

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722)

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024)

  - CVE-2017-5986: Race condition in the     sctp_wait_for_sndbuf function in net/sctp/socket.c in     the Linux kernel allowed local users to cause a denial     of service (assertion failure and panic) via a     multithreaded application that peels off an association     in a certain buffer-full state (bsc#1025235)

  - CVE-2015-8970: crypto/algif_skcipher.c in the Linux     kernel did not verify that a setkey operation has been     performed on an AF_ALG socket an accept system call is     processed, which allowed local users to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted application that does not supply a key,     related to the lrw_crypt function in crypto/lrw.c     (bsc#1008374).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2015-8970: crypto/algif_skcipher.c in the Linux     kernel did not verify that a setkey operation has been     performed on an AF_ALG socket before an accept system     call is processed, which allowed local users to cause a     denial of service (NULL pointer dereference and system     crash) via a crafted application that did not supply a     key, related to the lrw_crypt function in crypto/lrw.c     (bnc#1008374).

  - CVE-2017-5551: Clear S_ISGID on tmpfs when setting posix     ACLs (bsc#1021258).

  - CVE-2016-7097: The filesystem implementation in the     Linux kernel preserves the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions (bnc#995968).

  - CVE-2016-10088: The sg implementation in the Linux     kernel did not properly restrict write operations in     situations where the KERNEL_DS option is set, which     allowed local users to read or write to arbitrary kernel     memory locations or cause a denial of service     (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c.
    NOTE: this vulnerability exists because of an incomplete     fix for CVE-2016-9576 (bnc#1017710).

  - CVE-2004-0230: TCP, when using a large Window Size, made     it easier for remote attackers to guess sequence numbers     and cause a denial of service (connection loss) to     persistent TCP connections by repeatedly injecting a TCP     RST packet, especially in protocols that use long-lived     connections, such as BGP (bnc#969340).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bnc#1008831).

  - CVE-2016-8399: An elevation of privilege vulnerability     in the kernel networking subsystem could have enabled a     local malicious application to execute arbitrary code     within the context of the kernel bnc#1014746).

  - CVE-2016-9793: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1)     SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option     (bnc#1013531).

  - CVE-2012-6704: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1) SO_SNDBUF or     (2) SO_RCVBUF option (bnc#1013542).

  - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux     kernel did not properly initialize Code Segment (CS) in     certain error cases, which allowed local users to obtain     sensitive information from kernel stack memory via a     crafted application (bnc#1013038).

  - CVE-2016-3841: The IPv6 stack in the Linux kernel     mishandled options data, which allowed local users to     gain privileges or cause a denial of service     (use-after-free and system crash) via a crafted sendmsg     system call (bnc#992566).

  - CVE-2016-9685: Multiple memory leaks in error paths in     fs/xfs/xfs_attr_list.c in the Linux kernel allowed local     users to cause a denial of service (memory consumption)     via crafted XFS filesystem operations (bnc#1012832).

  - CVE-2015-1350: The VFS subsystem in the Linux kernel     provided an incomplete set of requirements for setattr     operations that underspecifies removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bnc#914939).

  - CVE-2015-8962: Double free vulnerability in the     sg_common_write function in drivers/scsi/sg.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (memory corruption and system     crash) by detaching a device during an SG_IO ioctl call     (bnc#1010501).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacked     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

  - CVE-2016-7910: Use-after-free vulnerability in the     disk_seqf_stop function in block/genhd.c in the Linux     kernel allowed local users to gain privileges by     leveraging the execution of a certain stop operation     even if the corresponding start operation had failed     (bnc#1010716).

  - CVE-2016-7911: Race condition in the get_task_ioprio     function in block/ioprio.c in the Linux kernel allowed     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted ioprio_get system     call (bnc#1010711).

  - CVE-2015-8964: The tty_set_termios_ldisc function in     drivers/tty/tty_ldisc.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a tty data structure (bnc#1010507).

  - CVE-2016-7916: Race condition in the environ_read     function in fs/proc/base.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a /proc/*/environ file during a     process-setup time interval in which     environment-variable copying is incomplete     (bnc#1010467).

  - CVE-2016-8646: The hash_accept function in     crypto/algif_hash.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) by attempting     to trigger use of in-kernel hash algorithms for a socket     that has received zero bytes of data (bnc#1010150).

  - CVE-2016-8633: drivers/firewire/net.c in the Linux     kernel in certain unusual hardware configurations     allowed remote attackers to execute arbitrary code via     crafted fragmented packets (bnc#1008833).

  - CVE-2016-7042: The proc_keys_show function in     security/keys/proc.c in the Linux, when the GNU Compiler     Collection (gcc) stack protector is enabled, used an     incorrect buffer size for certain timeout data, which     allowed local users to cause a denial of service (stack     memory corruption and panic) by reading the /proc/keys     file (bnc#1004517).

  - CVE-2015-8956: The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel allowed     local users to obtain sensitive information or cause a     denial of service (NULL pointer dereference) via vectors     involving a bind system call on a Bluetooth RFCOMM     socket (bnc#1003925).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bnc#1003077).

  - CVE-2016-0823: The pagemap_open function in     fs/proc/task_mmu.c in the Linux kernel allowed local     users to obtain sensitive physical-address information     by reading a pagemap file (bnc#994759).

  - CVE-2016-7425: The arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did     not restrict a certain length field, which allowed local     users to gain privileges or cause a denial of service     (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

  - CVE-2016-6828: The tcp_check_send_head function in     include/net/tcp.h in the Linux kernel did not properly     maintain certain SACK state after a failed data copy,     which allowed local users to cause a denial of service     (tcp_xmit_retransmit_queue use-after-free and system     crash) via a crafted SACK option (bnc#994296).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124990	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1537)	Nessus	Huawei Local Security Checks	high
124813	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1489)	Nessus	Huawei Local Security Checks	critical
102734	CentOS 7 : kernel (CESA-2017:1842) (Stack Clash)	Nessus	CentOS Local Security Checks	high
102645	Scientific Linux Security Update : kernel on SL7.x x86_64 (20170801)	Nessus	Scientific Linux Local Security Checks	high
102511	Oracle Linux 7 : kernel (ELSA-2017-1842-1) (Stack Clash)	Nessus	Oracle Linux Local Security Checks	critical
102350	RHEL 6 : MRG (RHSA-2017:2444)	Nessus	Red Hat Local Security Checks	high
102349	RHEL 7 : kernel (RHSA-2017:2437)	Nessus	Red Hat Local Security Checks	high
102281	Oracle Linux 7 : kernel (ELSA-2017-1842) (Stack Clash)	Nessus	Oracle Linux Local Security Checks	high
102151	RHEL 7 : kernel-rt (RHSA-2017:2077)	Nessus	Red Hat Local Security Checks	high
102143	RHEL 7 : kernel (RHSA-2017:1842) (Stack Clash)	Nessus	Red Hat Local Security Checks	high
100214	SUSE SLES11 Security Update : kernel (SUSE-SU-2017:1301-1)	Nessus	SuSE Local Security Checks	high
97297	SUSE SLES11 Security Update : kernel (SUSE-SU-2017:0494-1)	Nessus	SuSE Local Security Checks	critical

CVE-2015-8970

MEDIUM

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

critical

high

high

critical

high

high

high

high

high

high

critical