http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=22f6b4d34fcf039c63a94e7670e0da24f8575a5a

http://source.android.com/security/bulletin/2017-02-01.html

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.7

96122

1037798

https://github.com/torvalds/linux/commit/22f6b4d34fcf039c63a94e7670e0da24f8575a5a

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):A flaw named FragmentSmack     was found in the way the Linux kernel handled     reassembly of fragmented IPv4 and IPv6 packets. A     remote attacker could use this flaw to trigger time and     calculation expensive fragment reassembly algorithm by     sending specially crafted packets which could lead to a     CPU saturation and hence a denial of service on the     system.(CVE-2018-5391)Multiple out-of-bounds write     flaws were found in the way the Cherry Cymotion     keyboard driver, KYE/Genius device drivers, Logitech     device drivers, Monterey Genius KB29E keyboard driver,     Petalynx Maxter remote control driver, and Sunplus     wireless desktop driver handled HID reports with an     invalid report descriptor size. An attacker with     physical access to the system could use either of these     flaws to write data past an allocated memory     buffer.(CVE-2014-3184)The __get_data_block function in     fs/f2fs/data.c in the Linux kernel before 4.11 allows     local users to cause a denial of service (integer     overflow and loop) via crafted use of the open and     fallocate system calls with an FS_IOC_FIEMAP     ioctl.(CVE-2017-18257)netetfilter/xt_osf.c in the Linux     kernel through 4.14.4 does not require the     CAP_NET_ADMIN capability for add_callback and     remove_callback operations. This allows local users to     bypass intended access restrictions because the     xt_osf_fingers data structure is shared across all     network namespaces.(CVE-2017-17450)A denial of service     flaw was discovered in the Linux kernel, where a race     condition caused a NULL pointer dereference in the RDS     socket-creation code. A local attacker could use this     flaw to create a situation in which a NULL pointer     crashed the kernel.(CVE-2015-7990)An issue was     discovered in the Linux kernel before 4.19.9. The USB     subsystem mishandles size checks during the reading of     an extra descriptor, related to
    __usb_get_extra_descriptor in     drivers/usb/core/usb.c.(CVE-2018-20169)mm/memory.c in     the Linux kernel before 4.1.4 mishandles anonymous     pages, which allows local users to gain privileges or     cause a denial of service (page tainting) via a crafted     application that triggers writing to page     zero.(CVE-2015-3288)The ovl_setattr function in     fs/overlayfs/inode.c in the Linux kernel through 4.3.3     attempts to merge distinct setattr operations, which     allows local users to bypass intended access     restrictions and modify the attributes of arbitrary     overlay files via a crafted     application.(CVE-2015-8660)A flaw was found in the     Linux kernel where a local user with a shell account     can abuse the userfaultfd syscall when using hugetlbfs.
    A missing size check in hugetlb_mcopy_atomic_pte could     create an invalid inode variable, leading to a kernel     panic.(CVE-2017-15128)An integer overflow flaw was     found in the way the lzo1x_decompress_safe() function     of the Linux kernel's LZO implementation processed     Literal Runs. A local attacker could, in extremely rare     cases, use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-4608)It was found that Linux kernel's     ptrace subsystem did not properly sanitize the     address-space-control bits when the program-status word     (PSW) was being set. On IBM S/390 systems, a local,     unprivileged user could use this flaw to set     address-space-control bits to the kernel space, and     thus gain read and write access to kernel     memory.(CVE-2014-3534)A use-after-free flaw was found     in the Linux kernel's file system encryption     implementation. A local user could revoke keyring keys     being used for ext4, f2fs, or ubifs encryption, causing     a denial of service on the system.(CVE-2017-7374)The     usbip_recv_xbuff function in     drivers/usb/usbip/usbip_common.c in the Linux kernel     before 4.5.3 allows remote attackers to cause a denial     of service (out-of-bounds write) or possibly have     unspecified other impact via a crafted length value in     a USB/IP packet.(CVE-2016-3955)A flaw was found in the     patches used to fix the 'dirtycow' vulnerability     (CVE-2016-5195). An attacker, able to run local code,     can exploit a race condition in transparent huge pages     to modify usually read-only huge     pages.(CVE-2017-1000405)The aio_mount function in     fs/aio.c in the Linux kernel does not properly restrict     execute access, which makes it easier for local users     to bypass intended SELinux W^X policy     restrictions.(CVE-2016-10044)The Serial Attached SCSI     (SAS) implementation in the Linux kernel mishandles a     mutex within libsas. This allows local users to cause a     denial of service (deadlock) by triggering certain     error-handling code.(CVE-2017-18232)A use-after-free     vulnerability was found in tcp_xmit_retransmit_queue     and other tcp_* functions. This condition could allow     an attacker to send an incorrect selective     acknowledgment to existing connections, possibly     resetting a connection.(CVE-2016-6828)The instruction     decoder in arch/x86/kvm/emulate.c in the KVM subsystem     in the Linux kernel before 3.18-rc2 does not properly     handle invalid instructions, which allows guest OS     users to cause a denial of service (NULL pointer     dereference and host OS crash) via a crafted     application that triggers (1) an improperly fetched     instruction or (2) an instruction that occupies too     many bytes. NOTE: this vulnerability exists because of     an incomplete fix for CVE-2014-8480.(CVE-2014-8481)The     snd_compress_check_input function in     sound/core/compress_offload.c in the ALSA subsystem in     the Linux kernel before 3.17 does not properly check     for an integer overflow, which allows local users to     cause a denial of service (insufficient memory     allocation) or possibly have unspecified other impact     via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl     call.(CVE-2014-9904)The resv_map_release function in     mm/hugetlb.c in the Linux kernel, through 4.15.7,     allows local users to cause a denial of service (BUG)     via a crafted application that makes mmap system calls     and has a large pgoff argument to the remap_file_pages     system call.(CVE-2018-7740)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A use-after-free flaw was found in the way the Linux     kernel's key management subsystem handled keyring     object reference counting in certain error path of the     join_session_keyring() function. A local, unprivileged     user could use this flaw to escalate their privileges     on the system.(CVE-2016-0728)

  - A flaw was found in the way the Linux kernel's ASN.1     DER decoder processed certain certificate files with     tags of indefinite length. A local, unprivileged user     could use a specially crafted X.509 certificate DER     file to crash the system or, potentially, escalate     their privileges on the system.(CVE-2016-0758)

  - The LIST_POISON feature in include/linux/poison.h in     the Linux kernel before 4.3, as used in Android 6.0.1     before 2016-03-01, does not properly consider the     relationship to the mmap_min_addr value, which makes it     easier for attackers to bypass a poison-pointer     protection mechanism by triggering the use of an     uninitialized list entry, aka Android internal bug     26186802, a different vulnerability than     CVE-2015-3636.(CVE-2016-0821)

  - The pagemap_open function in fs/proc/task_mmu.c in the     Linux kernel before 3.19.3, as used in Android 6.0.1     before 2016-03-01, allows local users to obtain     sensitive physical-address information by reading a     pagemap file, aka Android internal bug     25739721.(CVE-2016-0823)

  - The aio_mount function in fs/aio.c in the Linux kernel     does not properly restrict execute access, which makes     it easier for local users to bypass intended SELinux     W^X policy restrictions.(CVE-2016-10044)

  - It was found that the fix for CVE-2016-9576 was     incomplete: the Linux kernel's sg implementation did     not properly restrict write operations in situations     where the KERNEL_DS option is set. A local attacker to     read or write to arbitrary kernel memory locations or     cause a denial of service (use-after-free) by     leveraging write access to a /dev/sg     device.(CVE-2016-10088)

  - A use-after-free flaw was found in the Linux kernel     which enables a race condition in the L2TPv3 IP     Encapsulation feature. A local user could use this flaw     to escalate their privileges or crash the     system.(CVE-2016-10200)

  - Mounting a crafted EXT4 image read-only leads to an     attacker controlled memory corruption and     SLAB-Out-of-Bounds reads.(CVE-2016-10208)

  - The Linux kernel allows remote attackers to execute     arbitrary code via UDP traffic that triggers an unsafe     second checksum calculation during execution of a recv     system call with the MSG_PEEK flag. This may create a     kernel panic or memory corruption leading to privilege     escalation.(CVE-2016-10229)

  - The overlayfs implementation in the Linux kernel     through 4.5.2 does not properly maintain POSIX ACL     xattr data, which allows local users to gain privileges     by leveraging a group-writable setgid     directory.(CVE-2016-1575)

  - The overlayfs implementation in the Linux kernel     through 4.5.2 does not properly restrict the mount     namespace, which allows local users to gain privileges     by mounting an overlayfs filesystem on top of a FUSE     filesystem, and then executing a crafted setuid     program.(CVE-2016-1576)

  - A syntax vulnerability was discovered in the kernel's     ASN1.1 DER decoder, which could lead to memory     corruption or a complete local denial of service     through x509 certificate DER files. A local system user     could use a specially created key file to trigger     BUG_ON() in the public_key_verify_signature() function     (crypto/asymmetric_keys/public_key.c), to cause a     kernel panic and crash the system.(CVE-2016-2053)

  - A flaw was discovered in the way the Linux kernel dealt     with paging structures. When the kernel invalidated a     paging structure that was not in use locally, it could,     in principle, race against another CPU that is     switching to a process that uses the paging structure     in question. A local user could use a thread running     with a stale cached virtual-i1/4zphysical translation to     potentially escalate their privileges if the     translation in question were writable and the physical     page got reused for something critical (for example, a     page table).(CVE-2016-2069)

  - A divide-by-zero vulnerability was found in a way the     kernel processes TCP connections. The error can occur     if a connection starts another cwnd reduction phase by     setting tp-i1/4zprior_cwnd to the current cwnd (0) in     tcp_init_cwnd_reduction(). A remote, unauthenticated     attacker could use this flaw to crash the kernel     (denial of service).(CVE-2016-2070)

  - It was discovered that the atl2_probe() function in the     Atheros L2 Ethernet driver in the Linux kernel     incorrectly enabled scatter/gather I/O. A remote     attacker could use this flaw to obtain potentially     sensitive information from the kernel     memory.(CVE-2016-2117)

  - The create_fixed_stream_quirk function in     sound/usb/quirks.c in the snd-usb-audio driver in the     Linux kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (NULL pointer     dereference or double free, and system crash) via a     crafted endpoints value in a USB device     descriptor.(CVE-2016-2184)

  - The ati_remote2_probe function in     drivers/input/misc/ati_remote2.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2185)

  - The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186)

  - The gtco_probe function in drivers/input/tablet/gtco.c     in the Linux kernel through 4.5.2 allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     endpoints value in a USB device     descriptor.(CVE-2016-2187)

  - The iowarrior_probe function in     drivers/usb/misc/iowarrior.c in the Linux kernel before     4.5.1 allows physically proximate attackers to cause a     denial of service (NULL pointer dereference and system     crash) via a crafted endpoints value in a USB device     descriptor.(CVE-2016-2188)

  - A flaw was found in the USB-MIDI Linux kernel driver: a     double-free error could be triggered for the 'umidi'     object. An attacker with physical access to the system     could use this flaw to escalate their     privileges.(CVE-2016-2384)

  - The snd_seq_ioctl_remove_events function in     sound/core/seq/seq_clientmgr.c in the Linux kernel     before 4.4.1 does not verify FIFO assignment before     proceeding with FIFO clearing, which allows local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted ioctl call.(CVE-2016-2543)

  - Race condition in the queue_delete function in     sound/core/seq/seq_queue.c in the Linux kernel before     4.4.1 allows local users to cause a denial of service     (use-after-free and system crash) by making an ioctl     call at a certain time.(CVE-2016-2544)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0015 for details.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0174 for details.

The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).

The remote OracleVM system is missing necessary patches to address critical security updates :

  - tty: Fix race in pty_write leading to NULL deref (Todd     Vierling) 

  - ocfs2/dlm: ignore cleaning the migration mle that is     inuse (xuejiufei) [Orabug: 26479780]

  - KEYS: fix dereferencing NULL payload with nonzero length     (Eric Biggers) [Orabug: 26592025]

  - oracleasm: Copy the integrity descriptor (Martin K.
    Petersen) 

  - mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook)     [Orabug: 26675925] (CVE-2017-7889)

  - xscore: add dma address check (Zhu Yanjun) [Orabug:
    27058468]

  - more bio_map_user_iov leak fixes (Al Viro) [Orabug:
    27069042] (CVE-2017-12190)

  - fix unbalanced page refcounting in bio_map_user_iov     (Vitaly Mayatskikh) [Orabug: 27069042] (CVE-2017-12190)

  - nvme: Drop nvmeq->q_lock before dma_pool_alloc, so as to     prevent hard lockups (Aruna Ramakrishna) [Orabug:
    25409587]

  - nvme: Handle PM1725 HIL reset (Martin K. Petersen)     [Orabug: 26277600]

  - char: lp: fix possible integer overflow in lp_setup     (Willy Tarreau) [Orabug: 26403940] (CVE-2017-1000363)

  - ALSA: timer: Fix missing queue indices reset at     SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai) [Orabug:
    26403956] (CVE-2017-1000380)

  - ALSA: timer: Fix race between read and ioctl (Takashi     Iwai) [Orabug: 26403956] (CVE-2017-1000380)

  - ALSA: timer: fix NULL pointer dereference in read/ioctl     race (Vegard Nossum) [Orabug: 26403956]     (CVE-2017-1000380)

  - ALSA: timer: Fix negative queue usage by racy accesses     (Takashi Iwai) [Orabug: 26403956] (CVE-2017-1000380)

  - ALSA: timer: Fix race at concurrent reads (Takashi Iwai)     [Orabug: 26403956] (CVE-2017-1000380)

  - ALSA: timer: Fix race among timer ioctls (Takashi Iwai)     [Orabug: 26403956] (CVE-2017-1000380)

  - ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG     Cong) [Orabug: 26404005] (CVE-2017-9077)

  - ocfs2: fix deadlock issue when taking inode lock at vfs     entry points (Eric Ren) [Orabug: 26427126]

  - ocfs2/dlmglue: prepare tracking logic to avoid recursive     cluster lock (Eric Ren) [Orabug: 26427126]

  - ping: implement proper locking (Eric Dumazet) [Orabug:
    26540286] (CVE-2017-2671)

  - aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug:
    26643598] (CVE-2016-10044)

  - vfs: Commit to never having exectuables on proc and     sysfs. (Eric W. Biederman) [Orabug: 26643598]     (CVE-2016-10044)

  - vfs, writeback: replace FS_CGROUP_WRITEBACK with     SB_I_CGROUPWB (Tejun Heo) [Orabug: 26643598]     (CVE-2016-10044)

  - x86/acpi: Prevent out of bound access caused by broken     ACPI tables (Seunghun Han) [Orabug: 26643645]     (CVE-2017-11473)

  - sctp: do not inherit ipv6_[mc|ac|fl]_list from parent     (Eric Dumazet) [Orabug: 26650883] (CVE-2017-9075)

  - [media] saa7164: fix double fetch PCIe access condition     (Steven Toth) [Orabug: 26675142] (CVE-2017-8831)

  - [media] saa7164: fix sparse warnings (Hans Verkuil)     [Orabug: 26675142] (CVE-2017-8831)

  - fs: __generic_file_splice_read retry lookup on     AOP_TRUNCATED_PAGE (Abhi Das) [Orabug: 26797306]

  - timerfd: Protect the might cancel mechanism proper     (Thomas Gleixner) [Orabug: 26899787] (CVE-2017-10661)

  - scsi: scsi_transport_iscsi: fix the issue that     iscsi_if_rx doesn't parse nlmsg properly (Xin Long)     [Orabug: 26988627] (CVE-2017-14489)

  - mqueue: fix a use-after-free in sys_mq_notify (Cong     Wang) [Orabug: 26643556] (CVE-2017-11176)

  - ipv6: avoid overflow of offset in ip6_find_1stfragopt     (Sabrina Dubroca) [Orabug: 27011273] (CVE-2017-7542)

  - packet: fix tp_reserve race in packet_set_ring (Willem     de Bruijn) [Orabug: 27002450] (CVE-2017-1000111)

  - mlx4_core: calculate log_num_mtt based on total system     memory (Wei Lin Guay) [Orabug: 26883934]

  - xen/x86: Add interface for querying amount of host     memory (Boris Ostrovsky) [Orabug: 26883934]

  - Bluetooth: Properly check L2CAP config option output     buffer length (Ben Seri) [Orabug: 26796364]     (CVE-2017-1000251)

  - xen: fix bio vec merging (Roger Pau Monne) [Orabug:
    26645550] (CVE-2017-12134)

  - fs/exec.c: account for argv/envp pointers (Kees Cook)     [Orabug: 26638921] (CVE-2017-1000365) (CVE-2017-1000365)

  - l2tp: fix racy SOCK_ZAPPED flag check in     l2tp_ip[,6]_bind (Guillaume Nault) [Orabug: 26586047]     (CVE-2016-10200)

  - xfs: fix two memory leaks in xfs_attr_list.c error paths     (Mateusz Guzik) [Orabug: 26586022] (CVE-2016-9685)

  - KEYS: Disallow keyrings beginning with '.' to be joined     as session keyrings (David Howells) [Orabug: 26585994]     (CVE-2016-9604)

  - ipv6: fix out of bound writes in __ip6_append_data (Eric     Dumazet) [Orabug: 26578198] (CVE-2017-9242)

  - posix_acl: Clear SGID bit when setting file permissions     (Jan Kara) [Orabug: 25507344] (CVE-2016-7097)     (CVE-2016-7097)

  - nfsd: check for oversized NFSv2/v3 arguments (J. Bruce     Fields) [Orabug: 26366022] (CVE-2017-7645)

Description of changes:

[2.6.39-400.298.1.el6uek]
- ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei)   [Orabug: 23320090]
- tty: Fix race in pty_write() leading to NULL deref (Todd Vierling) [Orabug: 24337879]
- xen-netfront: cast grant table reference first to type int (Dongli Zhang)  [Orabug: 25102637]
- xen-netfront: do not cast grant table reference to signed short (Dongli Zhang)  [Orabug: 25102637]
- RDS: Print failed rdma op details if failure is remote access error (Rama Nichanamatlu)  [Orabug: 25440316]
- ping: implement proper locking (Eric Dumazet)  [Orabug: 26540288] {CVE-2017-2671}
- KEYS: fix dereferencing NULL payload with nonzero length (Eric Biggers)  [Orabug: 26592013]
- oracleasm: Copy the integrity descriptor (Martin K. Petersen) [Orabug: 26650039]
- mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook)  [Orabug: 26675934]  {CVE-2017-7889}
- fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE (Abhi Das)  [Orabug: 26797307]
- xscore: add dma address check (Zhu Yanjun)  [Orabug: 27058559]
- more bio_map_user_iov() leak fixes (Al Viro)  [Orabug: 27069045] {CVE-2017-12190}
- fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh)  [Orabug: 27069045]  {CVE-2017-12190}
- xsigo: [backport] Fix race in freeing aged Forwarding tables (Pradeep Gopanapalli)  [Orabug: 24823234]
- ocfs2: fix deadlock issue when taking inode lock at vfs entry points (Eric Ren)  [Orabug: 25671723]
- ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (Eric Ren)  [Orabug: 25671723]
- net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143563]  {CVE-2017-7308}
- net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143563]  {CVE-2017-7308}
- char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) [Orabug: 26403941]  {CVE-2017-1000363}
- ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai)  [Orabug: 26403958] {CVE-2017-1000380}
- ALSA: timer: Fix race between read and ioctl (Takashi Iwai)  [Orabug: 26403958]  {CVE-2017-1000380}
- ALSA: timer: fix NULL pointer dereference in read()/ioctl() race (Vegard Nossum)  [Orabug: 26403958]  {CVE-2017-1000380}
- ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) [Orabug: 26403958]  {CVE-2017-1000380}
- ALSA: timer: Fix race at concurrent reads (Takashi Iwai)  [Orabug: 26403958]  {CVE-2017-1000380}
- ALSA: timer: Fix race among timer ioctls (Takashi Iwai)  [Orabug: 26403958]  {CVE-2017-1000380}
- ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben Hutchings)  [Orabug: 26403974]  {CVE-2017-9074}
- ipv6: Check ip6_find_1stfragopt() return value properly. (David S. Miller)  [Orabug: 26403974]  {CVE-2017-9074}
- ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) [Orabug: 26403974]  {CVE-2017-9074}
- ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) [Orabug: 26404007]  {CVE-2017-9077}
- aio: mark AIO pseudo-fs noexec (Jann Horn)  [Orabug: 26643601] {CVE-2016-10044}
- vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman)  [Orabug: 26643601]  {CVE-2016-10044}
- vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo)  [Orabug: 26643601]  {CVE-2016-10044}
- x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han)  [Orabug: 26643652]  {CVE-2017-11473}
- sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) [Orabug: 26650889]  {CVE-2017-9075}
- saa7164: fix double fetch PCIe access condition (Steven Toth) [Orabug: 26675148]  {CVE-2017-8831}
- saa7164: fix sparse warnings (Hans Verkuil)  [Orabug: 26675148] {CVE-2017-8831}
- saa7164: get rid of warning: no previous prototype (Mauro Carvalho Chehab)  [Orabug: 26675148]  {CVE-2017-8831}
- [scsi] lpfc 8.3.44: Fix kernel panics from corrupted ndlp (James Smart)  [Orabug: 26765341]
- timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899791]  {CVE-2017-10661}
- scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (Xin Long)  [Orabug: 26988628]  {CVE-2017-14489}
- mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang)  [Orabug: 26643562]  {CVE-2017-11176}
- ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca)  [Orabug: 27011278]  {CVE-2017-7542}
- packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) [Orabug: 27002453]  {CVE-2017-1000111}
- mlx4_core: calculate log_mtt based on total system memory (Wei Lin Guay)  [Orabug: 26867355]
- xen/x86: Add interface for querying amount of host memory (Boris Ostrovsky)  [Orabug: 26867355]
- fs/binfmt_elf.c: fix bug in loading of PIE binaries (Michael Davidson)   [Orabug: 26870958]  {CVE-2017-1000253}
- Bluetooth: Properly check L2CAP config option output buffer length (Ben Seri)  [Orabug: 26796428]  {CVE-2017-1000251}
- xen: fix bio vec merging (Roger Pau Monne)  [Orabug: 26645562] {CVE-2017-12134}
- fs/exec.c: account for argv/envp pointers (Kees Cook)  [Orabug: 26638926]  {CVE-2017-1000365} {CVE-2017-1000365}
- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume Nault)  [Orabug: 26586050]  {CVE-2016-10200}
- xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz Guzik)  [Orabug: 26586024]  {CVE-2016-9685}
- KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (David Howells)  [Orabug: 26586002]  {CVE-2016-9604}
- ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) [Orabug: 26578202]  {CVE-2017-9242}
- selinux: quiet the filesystem labeling behavior message (Paul Moore) [Orabug: 25721485]
- RDS/IB: active bonding port state fix for intfs added late (Mukesh Kacker)  [Orabug: 25875426]
- HID: hid-cypress: validate length of report (Greg Kroah-Hartman) [Orabug: 25891914]  {CVE-2017-7273}
- udf: Remove repeated loads blocksize (Jan Kara)  [Orabug: 25905722] {CVE-2015-4167}
- udf: Check length of extended attributes and allocation descriptors (Jan Kara)  [Orabug: 25905722]  {CVE-2015-4167}
- udf: Verify i_size when loading inode (Jan Kara)  [Orabug: 25905722] {CVE-2015-4167}
- btrfs: drop unused parameter from btrfs_item_nr (Ross Kirk)  [Orabug: 25948102]  {CVE-2014-9710}
- Btrfs: cleanup of function where fixup_low_keys() is called (Tsutomu Itoh)  [Orabug: 25948102]  {CVE-2014-9710}
- Btrfs: remove unused argument of fixup_low_keys() (Tsutomu Itoh) [Orabug: 25948102]  {CVE-2014-9710}
- Btrfs: remove unused argument of btrfs_extend_item() (Tsutomu Itoh) [Orabug: 25948102]  {CVE-2014-9710}
- Btrfs: add support for asserts (Josef Bacik)  [Orabug: 25948102] {CVE-2014-9710}
- Btrfs: make xattr replace operations atomic (Filipe Manana)  [Orabug: 25948102]  {CVE-2014-9710}
- net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom (Al Viro)  [Orabug: 25948149]  {CVE-2015-2686}
- xsigo: Compute node crash on FC failover (Joe Jin)  [Orabug: 25965445]
- PCI: Prevent VPD access for QLogic ISP2722 (Ethan Zhao)  [Orabug: 25975513]
- PCI: Prevent VPD access for buggy devices (Babu Moger)  [Orabug: 25975513]
- ipv4: try to cache dst_entries which would cause a redirect (Hannes Frederic Sowa)  [Orabug: 26032377]  {CVE-2015-1465}
- mm: larger stack guard gap, between vmas (Hugh Dickins)  [Orabug: 26326145]  {CVE-2017-1000364}
- nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields) [Orabug: 26366024]  {CVE-2017-7645}
- dm mpath: allow ioctls to trigger pg init (Mikulas Patocka)  [Orabug: 25645229]
- xen/manage: Always freeze/thaw processes when suspend/resuming (Ross Lagerwall)  [Orabug: 25795530]
- lpfc cannot establish connection with targets that send PRLI under P2P mode (Joe Jin)  [Orabug: 25955028]

Description of changes:

[3.8.13-118.20.1.el7uek]
- tty: Fix race in pty_write() leading to NULL deref (Todd Vierling) [Orabug: 25392692]
- ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei)   [Orabug: 26479780]
- KEYS: fix dereferencing NULL payload with nonzero length (Eric Biggers)  [Orabug: 26592025]
- oracleasm: Copy the integrity descriptor (Martin K. Petersen) [Orabug: 26649818]
- mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook)  [Orabug: 26675925]  {CVE-2017-7889}
- xscore: add dma address check (Zhu Yanjun)  [Orabug: 27058468]
- more bio_map_user_iov() leak fixes (Al Viro)  [Orabug: 27069042] {CVE-2017-12190}
- fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh)  [Orabug: 27069042]  {CVE-2017-12190}
- nvme: Drop nvmeq->q_lock before dma_pool_alloc(), so as to prevent hard lockups (Aruna Ramakrishna)  [Orabug: 25409587]
- nvme: Handle PM1725 HIL reset (Martin K. Petersen)  [Orabug: 26277600]
- char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) [Orabug: 26403940]  {CVE-2017-1000363}
- ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai)  [Orabug: 26403956] {CVE-2017-1000380}
- ALSA: timer: Fix race between read and ioctl (Takashi Iwai)  [Orabug: 26403956]  {CVE-2017-1000380}
- ALSA: timer: fix NULL pointer dereference in read()/ioctl() race (Vegard Nossum)  [Orabug: 26403956]  {CVE-2017-1000380}
- ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) [Orabug: 26403956]  {CVE-2017-1000380}
- ALSA: timer: Fix race at concurrent reads (Takashi Iwai)  [Orabug: 26403956]  {CVE-2017-1000380}
- ALSA: timer: Fix race among timer ioctls (Takashi Iwai)  [Orabug: 26403956]  {CVE-2017-1000380}
- ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) [Orabug: 26404005]  {CVE-2017-9077}
- ocfs2: fix deadlock issue when taking inode lock at vfs entry points (Eric Ren)  [Orabug: 26427126]
- ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (Eric Ren)  [Orabug: 26427126]
- ping: implement proper locking (Eric Dumazet)  [Orabug: 26540286] {CVE-2017-2671}
- aio: mark AIO pseudo-fs noexec (Jann Horn)  [Orabug: 26643598] {CVE-2016-10044}
- vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman)  [Orabug: 26643598]  {CVE-2016-10044}
- vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo)  [Orabug: 26643598]  {CVE-2016-10044}
- x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han)  [Orabug: 26643645]  {CVE-2017-11473}
- sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) [Orabug: 26650883]  {CVE-2017-9075}
- [media] saa7164: fix double fetch PCIe access condition (Steven Toth) [Orabug: 26675142]  {CVE-2017-8831}
- [media] saa7164: fix sparse warnings (Hans Verkuil)  [Orabug: 26675142]  {CVE-2017-8831}
- fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE (Abhi Das)  [Orabug: 26797306]
- timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899787]  {CVE-2017-10661}
- scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (Xin Long)  [Orabug: 26988627]  {CVE-2017-14489}
- mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang)  [Orabug: 26643556]  {CVE-2017-11176}
- ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca)  [Orabug: 27011273]  {CVE-2017-7542}
- packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) [Orabug: 27002450]  {CVE-2017-1000111}
- mlx4_core: calculate log_num_mtt based on total system memory (Wei Lin Guay)  [Orabug: 26883934]
- xen/x86: Add interface for querying amount of host memory (Boris Ostrovsky)  [Orabug: 26883934]
- Bluetooth: Properly check L2CAP config option output buffer length (Ben Seri)  [Orabug: 26796364]  {CVE-2017-1000251}
- xen: fix bio vec merging (Roger Pau Monne)  [Orabug: 26645550] {CVE-2017-12134}
- fs/exec.c: account for argv/envp pointers (Kees Cook)  [Orabug: 26638921]  {CVE-2017-1000365} {CVE-2017-1000365}
- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume Nault)  [Orabug: 26586047]  {CVE-2016-10200}
- xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz Guzik)  [Orabug: 26586022]  {CVE-2016-9685}
- KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (David Howells)  [Orabug: 26585994]  {CVE-2016-9604}
- ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) [Orabug: 26578198]  {CVE-2017-9242}
- posix_acl: Clear SGID bit when setting file permissions (Jan Kara) [Orabug: 25507344]  {CVE-2016-7097} {CVE-2016-7097}
- nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields) [Orabug: 26366022]  {CVE-2017-7645}

The remote OracleVM system is missing necessary patches to address critical security updates :

  - nvme: Drop nvmeq->q_lock before dma_pool_alloc, so as to     prevent hard lockups (Aruna Ramakrishna) [Orabug:
    25409587]

  - nvme: Handle PM1725 HIL reset (Martin K. Petersen)     [Orabug: 26277600] 

  - char: lp: fix possible integer overflow in lp_setup     (Willy Tarreau) [Orabug: 26403940] (CVE-2017-1000363)

  - ALSA: timer: Fix missing queue indices reset at     SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai) [Orabug:
    26403956] (CVE-2017-1000380)

  - ALSA: timer: Fix race between read and ioctl (Takashi     Iwai) [Orabug: 26403956] (CVE-2017-1000380)

  - ALSA: timer: fix NULL pointer dereference in read/ioctl     race (Vegard Nossum) [Orabug: 26403956]     (CVE-2017-1000380)

  - ALSA: timer: Fix negative queue usage by racy accesses     (Takashi Iwai) [Orabug: 26403956] (CVE-2017-1000380)

  - ALSA: timer: Fix race at concurrent reads (Takashi Iwai)     [Orabug: 26403956] (CVE-2017-1000380)

  - ALSA: timer: Fix race among timer ioctls (Takashi Iwai)     [Orabug: 26403956] (CVE-2017-1000380)

  - ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG     Cong) [Orabug: 26404005] (CVE-2017-9077)

  - ocfs2: fix deadlock issue when taking inode lock at vfs     entry points (Eric Ren) [Orabug: 26427126] -     ocfs2/dlmglue: prepare tracking logic to avoid recursive     cluster lock (Eric Ren) [Orabug: 26427126] - ping:
    implement proper locking (Eric Dumazet) [Orabug:
    26540286] (CVE-2017-2671)

  - aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug:
    26643598] (CVE-2016-10044)

  - vfs: Commit to never having exectuables on proc and     sysfs. (Eric W. Biederman) [Orabug: 26643598]     (CVE-2016-10044)

  - vfs, writeback: replace FS_CGROUP_WRITEBACK with     SB_I_CGROUPWB (Tejun Heo) [Orabug: 26643598]     (CVE-2016-10044)

  - x86/acpi: Prevent out of bound access caused by broken     ACPI tables (Seunghun Han) [Orabug: 26643645]     (CVE-2017-11473)

  - sctp: do not inherit ipv6_[mc|ac|fl]_list from parent     (Eric Dumazet) [Orabug: 26650883] (CVE-2017-9075)

  - [media] saa7164: fix double fetch PCIe access condition     (Steven Toth) [Orabug: 26675142] (CVE-2017-8831)

  - [media] saa7164: fix sparse warnings (Hans Verkuil)     [Orabug: 26675142] (CVE-2017-8831)

  - fs: __generic_file_splice_read retry lookup on     AOP_TRUNCATED_PAGE (Abhi Das) [Orabug: 26797306] -     timerfd: Protect the might cancel mechanism proper     (Thomas Gleixner) [Orabug: 26899787] (CVE-2017-10661)

  - scsi: scsi_transport_iscsi: fix the issue that     iscsi_if_rx doesn't parse nlmsg properly (Xin Long)     [Orabug: 26988627] (CVE-2017-14489)

Description of changes:

[2.6.39-400.297.12.el6uek]
- xsigo: [backport] Fix race in freeing aged Forwarding tables (Pradeep Gopanapalli)  [Orabug: 24823234]
- ocfs2: fix deadlock issue when taking inode lock at vfs entry points (Eric Ren)  [Orabug: 25671723]
- ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (Eric Ren)  [Orabug: 25671723]
- net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143563]  {CVE-2017-7308}
- net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143563]  {CVE-2017-7308}
- char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) [Orabug: 26403941]  {CVE-2017-1000363}
- ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai)  [Orabug: 26403958] {CVE-2017-1000380}
- ALSA: timer: Fix race between read and ioctl (Takashi Iwai)  [Orabug: 26403958]  {CVE-2017-1000380}
- ALSA: timer: fix NULL pointer dereference in read()/ioctl() race (Vegard Nossum)  [Orabug: 26403958]  {CVE-2017-1000380}
- ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) [Orabug: 26403958]  {CVE-2017-1000380}
- ALSA: timer: Fix race at concurrent reads (Takashi Iwai)  [Orabug: 26403958]  {CVE-2017-1000380}
- ALSA: timer: Fix race among timer ioctls (Takashi Iwai)  [Orabug: 26403958]  {CVE-2017-1000380}
- ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben Hutchings)  [Orabug: 26403974]  {CVE-2017-9074}
- ipv6: Check ip6_find_1stfragopt() return value properly. (David S. Miller)  [Orabug: 26403974]  {CVE-2017-9074}
- ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) [Orabug: 26403974]  {CVE-2017-9074}
- ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) [Orabug: 26404007]  {CVE-2017-9077}
- aio: mark AIO pseudo-fs noexec (Jann Horn)  [Orabug: 26643601] {CVE-2016-10044}
- vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman)  [Orabug: 26643601]  {CVE-2016-10044}
- vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo)  [Orabug: 26643601]  {CVE-2016-10044}
- x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han)  [Orabug: 26643652]  {CVE-2017-11473}
- sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) [Orabug: 26650889]  {CVE-2017-9075}
- saa7164: fix double fetch PCIe access condition (Steven Toth) [Orabug: 26675148]  {CVE-2017-8831}
- saa7164: fix sparse warnings (Hans Verkuil)  [Orabug: 26675148] {CVE-2017-8831}
- saa7164: get rid of warning: no previous prototype (Mauro Carvalho Chehab)  [Orabug: 26675148]  {CVE-2017-8831}
- [scsi] lpfc 8.3.44: Fix kernel panics from corrupted ndlp (James Smart)  [Orabug: 26765341]
- timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899791]  {CVE-2017-10661}
- scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (Xin Long)  [Orabug: 26988628]  {CVE-2017-14489}

Description of changes:

kernel-uek [3.8.13-118.19.12.el7uek]
- nvme: Drop nvmeq->q_lock before dma_pool_alloc(), so as to prevent hard lockups (Aruna Ramakrishna)  [Orabug: 25409587]

[3.8.13-118.19.11.el7uek]
- nvme: Handle PM1725 HIL reset (Martin K. Petersen)  [Orabug: 26277600]
- char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) [Orabug: 26403940]  {CVE-2017-1000363}
- ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai)  [Orabug: 26403956] {CVE-2017-1000380}
- ALSA: timer: Fix race between read and ioctl (Takashi Iwai)  [Orabug: 26403956]  {CVE-2017-1000380}
- ALSA: timer: fix NULL pointer dereference in read()/ioctl() race (Vegard Nossum)  [Orabug: 26403956]  {CVE-2017-1000380}
- ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) [Orabug: 26403956]  {CVE-2017-1000380}
- ALSA: timer: Fix race at concurrent reads (Takashi Iwai)  [Orabug: 26403956]  {CVE-2017-1000380}
- ALSA: timer: Fix race among timer ioctls (Takashi Iwai)  [Orabug: 26403956]  {CVE-2017-1000380}
- ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) [Orabug: 26404005]  {CVE-2017-9077}
- ocfs2: fix deadlock issue when taking inode lock at vfs entry points (Eric Ren)  [Orabug: 26427126]
- ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (Eric Ren)  [Orabug: 26427126]
- ping: implement proper locking (Eric Dumazet)  [Orabug: 26540286] {CVE-2017-2671}
- aio: mark AIO pseudo-fs noexec (Jann Horn)  [Orabug: 26643598] {CVE-2016-10044}
- vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman)  [Orabug: 26643598]  {CVE-2016-10044}
- vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo)  [Orabug: 26643598]  {CVE-2016-10044}
- x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han)  [Orabug: 26643645]  {CVE-2017-11473}
- sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) [Orabug: 26650883]  {CVE-2017-9075}
- [media] saa7164: fix double fetch PCIe access condition (Steven Toth) [Orabug: 26675142]  {CVE-2017-8831}
- [media] saa7164: fix sparse warnings (Hans Verkuil)  [Orabug: 26675142]  {CVE-2017-8831}
- fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE (Abhi Das)  [Orabug: 26797306]
- timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899787]  {CVE-2017-10661}
- scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (Xin Long)  [Orabug: 26988627]  {CVE-2017-14489}

It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses.
A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-1000251)

It was discovered that the asynchronous I/O (aio) subsystem of the Linux kernel did not properly set permissions on aio memory mappings in some situations. An attacker could use this to more easily exploit other vulnerabilities. (CVE-2016-10044)

Baozeng Ding and Andrey Konovalov discovered a race condition in the L2TPv3 IP Encapsulation implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-10200)

Andreas Gruenbacher and Jan Kara discovered that the filesystem implementation in the Linux kernel did not clear the setgid bit during a setxattr call. A local attacker could use this to possibly elevate group privileges. (CVE-2016-7097)

Sergej Schumilo, Ralf Spenneberg, and Hendrik Schwartke discovered that the key management subsystem in the Linux kernel did not properly allocate memory in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-8650)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)

It was discovered that an information leak existed in
__get_user_asm_ex() in the Linux kernel. A local attacker could use this to expose sensitive information. (CVE-2016-9178)

CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

It was discovered that an integer overflow existed in the trace subsystem of the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2016-9754)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

It was discovered that the keyring implementation in the Linux kernel did not properly restrict searches for dead keys. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6951)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7187)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

It was discovered that a buffer overflow existed in the Broadcom FullMAC WLAN driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7541).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.74 to receive various security and bugfixes. Notable new/improved features :

  - Improved support for Hyper-V

  - Support for the tcp_westwood TCP scheduling algorithm     The following security bugs were fixed :

  - CVE-2017-8106: The handle_invept function in     arch/x86/kvm/vmx.c in the Linux kernel allowed     privileged KVM guest OS users to cause a denial of     service (NULL pointer dereference and host OS crash) via     a single-context INVEPT instruction with a NULL EPT     pointer (bsc#1035877).

  - CVE-2017-6951: The keyring_search_aux function in     security/keys/keyring.c in the Linux kernel allowed     local users to cause a denial of service (NULL pointer     dereference and OOPS) via a request_key system call for     the 'dead' type. (bsc#1029850).

  - CVE-2017-2647: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (NULL pointer dereference and system crash)     via vectors involving a NULL value for a certain match     field, related to the keyring_search_iterator function     in keyring.c. (bsc#1030593)

  - CVE-2016-9604: This fixes handling of keyrings starting     with '.' in KEYCTL_JOIN_SESSION_KEYRING, which could     have allowed local users to manipulate privileged     keyrings (bsc#1035576)

  - CVE-2017-7616: Incorrect error handling in the     set_mempolicy and mbind compat syscalls in     mm/mempolicy.c in the Linux kernel allowed local users     to obtain sensitive information from uninitialized stack     data by triggering failure of a certain bitmap     operation. (bnc#1033336).

  - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd     subsystem in the Linux kernel allowed remote attackers     to cause a denial of service (system crash) via a long     RPC reply, related to net/sunrpc/svc.c,     fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. (bsc#1034670).

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579)

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel was too late in     obtaining a certain lock and consequently could not     ensure that disconnect function calls are safe, which     allowed local users to cause a denial of service (panic)     by leveraging access to the protocol value of     IPPROTO_ICMP in a socket system call (bnc#1031003)

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440)

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052)

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213)

  - CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel     mismanaged the #BP and #OF exceptions, which allowed     guest OS users to cause a denial of service (guest OS     crash) by declining to handle an exception thrown by an     L2 guest (bsc#1015703).

  - CVE-2017-5669: The do_shmat function in ipc/shm.c in the     Linux kernel did not restrict the address calculated by     a certain rounding operation, which allowed local users     to map page zero, and consequently bypass a protection     mechanism that exists for the mmap system call, by     making crafted shmget and shmat system calls in a     privileged context (bnc#1026914).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415)

  - CVE-2016-10208: The ext4_fill_super function in     fs/ext4/super.c in the Linux kernel did not properly     validate meta block groups, which allowed physically     proximate attackers to cause a denial of service     (out-of-bounds read and system crash) via a crafted ext4     image (bnc#1023377).

  - CVE-2017-5897: The ip6gre_err function in     net/ipv6/ip6_gre.c in the Linux kernel allowed remote     attackers to have unspecified impact via vectors     involving GRE flags in an IPv6 packet, which trigger an     out-of-bounds access (bsc#1023762).

  - CVE-2017-5986: A race condition in the     sctp_wait_for_sndbuf function in net/sctp/socket.c in     the Linux kernel allowed local users to cause a denial     of service (assertion failure and panic) via a     multithreaded application that peels off an association     in a certain buffer-full state (bsc#1025235).

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024)

  - CVE-2016-9191: The cgroup offline implementation in the     Linux kernel mishandled certain drain operations, which     allowed local users to cause a denial of service (system     hang) by leveraging access to a container environment     for executing a crafted application (bnc#1008842)

  - CVE-2017-6348: The hashbin_delete function in     net/irda/irqueue.c in the Linux kernel improperly     managed lock dropping, which allowed local users to     cause a denial of service (deadlock) via crafted     operations on IrDA devices (bnc#1027178).

  - CVE-2016-10044: The aio_mount function in fs/aio.c in     the Linux kernel did not properly restrict execute     access, which made it easier for local users to bypass     intended SELinux W^X policy restrictions, and     consequently gain privileges, via an io_setup system     call (bnc#1023992).

  - CVE-2016-3070: The trace_writeback_dirty_page     implementation in include/trace/events/writeback.h in     the Linux kernel improperly interacts with mm/migrate.c,     which allowed local users to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact by triggering a certain     page move (bnc#979215).

  - CVE-2016-5243: The tipc_nl_compat_link_dump function in     net/tipc/netlink_compat.c in the Linux kernel did not     properly copy a certain string, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#983212).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190)

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189)

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1027066)

  - CVE-2017-5986: Race condition in the     sctp_wait_for_sndbuf function in net/sctp/socket.c in     the Linux kernel allowed local users to cause a denial     of service (assertion failure and panic) via a     multithreaded application that peels off an association     in a certain buffer-full state (bsc#1025235).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722)

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697)

  - CVE-2015-1350: The VFS subsystem in the Linux kernel     provided an incomplete set of requirements for setattr     operations that underspecifies removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bsc#914939).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bsc#1003077).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2015-1350: The VFS subsystem in the Linux kernel     provided an incomplete set of requirements for setattr     operations that underspecifies removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bnc#914939).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enabled scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2016-3070: The trace_writeback_dirty_page     implementation in include/trace/events/writeback.h in     the Linux kernel improperly interacted with     mm/migrate.c, which allowed local users to cause a     denial of service (NULL pointer dereference and system     crash) or possibly have unspecified other impact by     triggering a certain page move (bnc#979215).

  - CVE-2016-5243: The tipc_nl_compat_link_dump function in     net/tipc/netlink_compat.c in the Linux kernel did not     properly copy a certain string, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#983212).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bnc#1003077).

  - CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel     mismanages the #BP and #OF exceptions, which allowed     guest OS users to cause a denial of service (guest OS     crash) by declining to handle an exception thrown by an     L2 guest (bnc#1015703).

  - CVE-2016-10044: The aio_mount function in fs/aio.c in     the Linux kernel did not properly restrict execute     access, which made it easier for local users to bypass     intended SELinux W^X policy restrictions, and     consequently gain privileges, via an io_setup system     call (bnc#1023992).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2016-10208: The ext4_fill_super function in     fs/ext4/super.c in the Linux kernel did not properly     validate meta block groups, which allowed physically     proximate attackers to cause a denial of service     (out-of-bounds read and system crash) via a crafted ext4     image (bnc#1023377).

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel is too late in     obtaining a certain lock and consequently cannot ensure     that disconnect function calls are safe, which allowed     local users to cause a denial of service (panic) by     leveraging access to the protocol value of IPPROTO_ICMP     in a socket system call (bnc#1031003).

  - CVE-2017-5669: The do_shmat function in ipc/shm.c in the     Linux kernel did not restrict the address calculated by     a certain rounding operation, which allowed local users     to map page zero, and consequently bypass a protection     mechanism that exists for the mmap system call, by     making crafted shmget and shmat system calls in a     privileged context (bnc#1026914).

  - CVE-2017-5897: The ip6gre_err function in     net/ipv6/ip6_gre.c in the Linux kernel allowed remote     attackers to have unspecified impact via vectors     involving GRE flags in an IPv6 packet, which trigger an     out-of-bounds access (bnc#1023762).

  - CVE-2017-5970: The ipv4_pktinfo_prepare function in     net/ipv4/ip_sockglue.c in the Linux kernel allowed     attackers to cause a denial of service (system crash)     via (1) an application that made crafted system calls or     possibly (2) IPv4 traffic with invalid IP options     (bnc#1024938).

  - CVE-2017-5986: Race condition in the     sctp_wait_for_sndbuf function in net/sctp/socket.c in     the Linux kernel allowed local users to cause a denial     of service (assertion failure and panic) via a     multithreaded application that peels off an association     in a certain buffer-full state (bnc#1025235).

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6348: The hashbin_delete function in     net/irda/irqueue.c in the Linux kernel improperly     managed lock dropping, which allowed local users to     cause a denial of service (deadlock) via crafted     operations on IrDA devices (bnc#1027178).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1027066).

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213).

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052).

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440).

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579).

  - CVE-2017-7616: Incorrect error handling in the     set_mempolicy and mbind compat syscalls in     mm/mempolicy.c in the Linux kernel allowed local users     to obtain sensitive information from uninitialized stack     data by triggering failure of a certain bitmap operation     (bnc#1033336).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124828	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1505)	Nessus	Huawei Local Security Checks	critical
124815	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1491)	Nessus	Huawei Local Security Checks	critical
106469	OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0015) (BlueBorne) (Meltdown) (Spectre) (Stack Clash)	Nessus	OracleVM Local Security Checks	critical
105248	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0174) (BlueBorne) (Dirty COW) (Stack Clash)	Nessus	OracleVM Local Security Checks	high
105247	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3659) (BlueBorne) (Dirty COW) (Stack Clash)	Nessus	Oracle Linux Local Security Checks	high
105147	OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0173) (BlueBorne) (Stack Clash)	Nessus	OracleVM Local Security Checks	high
105145	Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3658) (BlueBorne) (Stack Clash)	Nessus	Oracle Linux Local Security Checks	high
105144	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3657) (BlueBorne) (Stack Clash)	Nessus	Oracle Linux Local Security Checks	high
104454	OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0168)	Nessus	OracleVM Local Security Checks	high
104371	Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3637)	Nessus	Oracle Linux Local Security Checks	high
104370	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3636)	Nessus	Oracle Linux Local Security Checks	high
103326	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3422-1) (BlueBorne)	Nessus	Ubuntu Local Security Checks	high
100320	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1360-1)	Nessus	SuSE Local Security Checks	critical
100150	SUSE SLES12 Security Update : kernel (SUSE-SU-2017:1247-1)	Nessus	SuSE Local Security Checks	critical

CVE-2016-10044

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins