http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=48a992727d82cb7db076fa15d372178743b1f4cd

[linux-crypto] 20161202 Crash in crypto mcryptd

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.15

[oss-security] 20170117 CVE request -- linux kernel: crash by spawning mcrypt(alg) with incompatible algorithm

95677

RHSA-2017:1842

RHSA-2017:2077

https://bugzilla.redhat.com/show_bug.cgi?id=1404200

https://github.com/torvalds/linux/commit/48a992727d82cb7db076fa15d372178743b1f4cd

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The ipx_recvmsg function in net/ipx/af_ipx.c in the     Linux kernel before 3.12.4 updates a certain length     value without ensuring that an associated data     structure has been initialized, which allows local     users to obtain sensitive information from kernel     memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg     system call.(CVE-2013-7268i1/4%0

  - The move_pages system call in mm/migrate.c in the Linux     kernel doesn't check the effective uid of the target     process. This enables a local attacker to learn the     memory layout of a setuid executable allowing     mitigation of ASLR.(CVE-2017-14140i1/4%0

  - Multiple array index errors in drivers/hid/hid-core.c     in the Human Interface Device (HID) subsystem in the     Linux kernel through 3.11 allow physically proximate     attackers to execute arbitrary code or cause a denial     of service (heap memory corruption) via a crafted     device that provides an invalid Report     ID.(CVE-2013-2888i1/4%0

  - It was found that if a Non-Maskable Interrupt (NMI)     occurred immediately after a SYSCALL call or before a     SYSRET call with the user RSP pointing to the NMI IST     stack, the kernel could skip that NMI.(CVE-2015-3291i1/4%0

  - The sound/core/seq_device.c in the Linux kernel, before     4.13.4, allows local users to cause a denial of service     (snd_rawmidi_dev_seq_free use-after-free and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16528i1/4%0

  - net/ceph/auth_x.c in Ceph, as used in the Linux kernel     before 3.16.3, does not properly consider the     possibility of kmalloc failure, which allows remote     attackers to cause a denial of service (system crash)     or possibly have unspecified other impact via a long     unencrypted auth ticket.(CVE-2014-6417i1/4%0

  - A NULL pointer dereference flaw was found in the Linux     kernel: the NFSv4.2 migration code improperly     initialized the kernel structure. A local,     authenticated user could use this flaw to cause a panic     of the NFS client (denial of service).(CVE-2015-8746i1/4%0

  - A stack-based buffer overflow flaw was found in the     TechnoTrend/Hauppauge DEC USB device driver. A local     user with write access to the corresponding device     could use this flaw to crash the kernel or,     potentially, elevate their privileges on the     system.(CVE-2014-8884i1/4%0

  - A flaw was found in the linux kernel's implementation     of the airspy USB device driver in which a leak was     found when a subdev or SDR are plugged into the host.An     attacker can create an targeted USB device which can     emulate 64 of these devices. Then by emulating an     additional device which continuously connects and     disconnects, each connection attempt will leak memory     which can not be recovered.(CVE-2016-5400i1/4%0

  - The sound/usb/mixer.c in the Linux kernel, before     4.13.8, allows local users to cause a denial of service     (snd_usb_mixer_interrupt use-after-free and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16527i1/4%0

  - The Human Interface Device (HID) subsystem in the Linux     kernel through 3.11, when CONFIG_LOGITECH_FF,     CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled,     allows physically proximate attackers to cause a denial     of service (heap-based out-of-bounds write) via a     crafted device, related to (1) drivers/hid/hid-lgff.c,     (2) drivers/hid/hid-lg3ff.c, and (3)     drivers/hid/hid-lg4ff.c.(CVE-2013-2893i1/4%0

  - It was found that reporting emulation failures to user     space could lead to either a local (CVE-2014-7842) or a     L2-i1/4zL1 (CVE-2010-5313) denial of service. In the case     of a local denial of service, an attacker must have     access to the MMIO area or be able to access an I/O     port. Please note that on certain systems, HPET is     mapped to userspace as part of vdso (vvar) and thus an     unprivileged user may generate MMIO transactions (and     enter the emulator) this way.(CVE-2014-7842i1/4%0

  - A flaw was discovered in the way the Linux kernel's TTY     subsystem handled the tty shutdown phase. A local,     unprivileged user could use this flaw to cause denial     of service on the system by holding a reference to the     ldisc lock during tty shutdown, causing a     deadlock.(CVE-2015-4170i1/4%0

  - The __ip6_append_data function in net/ipv6/ip6_output.c     in the Linux kernel through 4.11.3 is too late in     checking whether an overwrite of an skb data structure     may occur, which allows local users to cause a denial     of service (system crash) via crafted system     calls.(CVE-2017-9242i1/4%0

  - The Linux kernel built with the KVM visualization     support (CONFIG_KVM), with nested visualization(nVMX)     feature enabled (nested=1), was vulnerable to a stack     buffer overflow issue. The vulnerability could occur     while traversing guest page table entries to resolve     guest virtual address(gva). An L1 guest could use this     flaw to crash the host kernel resulting in denial of     service (DoS) or potentially execute arbitrary code on     the host to gain privileges on the     system.(CVE-2017-12188i1/4%0

  - The recalculate_apic_map function in     arch/x86/kvm/lapic.c in the KVM subsystem in the Linux     kernel through 3.12.5 allows guest OS users to cause a     denial of service (host OS crash) via a crafted ICR     write operation in x2apic mode.(CVE-2013-6376i1/4%0

  - The wanxl_ioctl function in drivers/net/wan/wanxl.c in     the Linux kernel before 3.11.7 does not properly     initialize a certain data structure, which allows local     users to obtain sensitive information from kernel     memory via an ioctl call.(CVE-2014-1445i1/4%0

  - The restore_fpu_checking function in     arch/x86/include/asm/fpu-internal.h in the Linux kernel     before 3.12.8 on the AMD K7 and K8 platforms does not     clear pending exceptions before proceeding to an EMMS     instruction, which allows local users to cause a denial     of service (task kill) or possibly gain privileges via     a crafted application.(CVE-2014-1438i1/4%0

  - A race condition was found in the way the Linux     kernel's memory subsystem handled the copy-on-write     (COW) breakage of private read-only memory mappings. An     unprivileged, local user could use this flaw to gain     write access to otherwise read-only memory mappings and     thus increase their privileges on the     system.(CVE-2016-5195i1/4%0

  - Algorithms not compatible with mcryptd could be spawned     by mcryptd with a direct crypto_alloc_tfm invocation     using a 'mcryptd(alg)' name construct. This causes     mcryptd to crash the kernel if an arbitrary 'alg' is     incompatible and not intended to be used with     mcryptd.(CVE-2016-10147i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system.
(CVE-2016-10200, Important)

* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges.
(CVE-2017-2647, Important)

* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
(CVE-2017-8797, Important)

This update also fixes multiple Moderate and Low impact security issues :

* CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685

Documentation for these issues is available from the Release Notes document linked from the References section.

Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat).

Additional Changes :

For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

Security Fix(es) :

  - An use-after-free flaw was found in the Linux kernel     which enables a race condition in the L2TPv3 IP     Encapsulation feature. A local user could use this flaw     to escalate their privileges or crash the system.
    (CVE-2016-10200, Important)

  - A flaw was found that can be triggered in     keyring_search_iterator in keyring.c if type->match is     NULL. A local user could use this flaw to crash the     system or, potentially, escalate their privileges.
    (CVE-2017-2647, Important)

  - It was found that the NFSv4 server in the Linux kernel     did not properly validate layout type when processing     NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A     remote attacker could use this flaw to soft- lockup the     system and thus cause denial of service. (CVE-2017-8797,     Important)

This update also fixes multiple Moderate and Low impact security issues :

  - CVE-2015-8839, CVE-2015-8970, CVE-2016-9576,     CVE-2016-7042, CVE-2016-7097, CVE-2016-8645,     CVE-2016-9576, CVE-2016-9588, CVE-2016-9806,     CVE-2016-10088, CVE-2016-10147, CVE-2017-2596,     CVE-2017-2671, CVE-2017-5970, CVE-2017-6001,     CVE-2017-6951, CVE-2017-7187, CVE-2017-7616,     CVE-2017-7889, CVE-2017-8890, CVE-2017-9074,     CVE-2017-8890, CVE-2017-9075, CVE-2017-8890,     CVE-2017-9076, CVE-2017-8890, CVE-2017-9077,     CVE-2017-9242, CVE-2014-7970, CVE-2014-7975,     CVE-2016-6213, CVE-2016-9604, CVE-2016-9685

The remote Oracle Linux host is missing a security update for the kernel package(s).

From Red Hat Security Advisory 2017:1842 :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system.
(CVE-2016-10200, Important)

* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges.
(CVE-2017-2647, Important)

* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
(CVE-2017-8797, Important)

This update also fixes multiple Moderate and Low impact security issues :

* CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685

Documentation for these issues is available from the Release Notes document linked from the References section.

Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat).

Additional Changes :

For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system.
(CVE-2016-10200, Important)

* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges.
(CVE-2017-2647, Important)

* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
(CVE-2017-8797, Important)

This update also fixes multiple Moderate and Low impact security issues :

* CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685

Documentation for these issues is available from the Release Notes document linked from the References section.

Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat).

Additional Changes :

For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Revert 'x86/mm: Expand the exception table logic to     allow new handling options' (Brian Maly) [Orabug:
    25790387] (CVE-2016-9644)

  - Revert 'fix minor infoleak in get_user_ex' (Brian Maly)     [Orabug: 25790387] (CVE-2016-9644)

  - x86/mm: Expand the exception table logic to allow new     handling options (Tony Luck) [Orabug: 25790387]     (CVE-2016-9644)

  - rebuild bumping release

  - net: ping: check minimum size on ICMP header length     (Kees Cook) [Orabug: 25766898] (CVE-2016-8399)     (CVE-2016-8399)

  - sg_write/bsg_write is not fit to be called under     KERNEL_DS (Al Viro) [Orabug: 25765436] (CVE-2016-10088)

  - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter     chang) [Orabug: 25751984] (CVE-2017-7187)

  - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander     Popov) [Orabug: 25696677] (CVE-2017-2636)

  - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)     [Orabug: 25696677] (CVE-2017-2636)

  - If Slot Status indicates changes in both Data Link Layer     Status and Presence Detect, prioritize the Link status     change. (Jack Vogel) 

  - PCI: pciehp: Leave power indicator on when enabling     already-enabled slot (Ashok Raj) [Orabug: 25353783]

  - firewire: net: guard against rx buffer overflows (Stefan     Richter) [Orabug: 25451520] (CVE-2016-8633)

  - usbnet: cleanup after bind in probe (Oliver Neukum)     [Orabug: 25463898] (CVE-2016-3951)

  - cdc_ncm: do not call usbnet_link_change from     cdc_ncm_bind (Bj&oslash rn Mork) [Orabug: 25463898]     (CVE-2016-3951)

  - cdc_ncm: Add support for moving NDP to end of NCM frame     (Enrico Mioso) [Orabug: 25463898] (CVE-2016-3951)

  - x86/mm/32: Enable full randomization on i386 and X86_32     (Hector Marco-Gisbert) [Orabug: 25463918]     (CVE-2016-3672)

  - kvm: fix page struct leak in handle_vmon (Paolo Bonzini)     [Orabug: 25507133] (CVE-2017-2596)

  - crypto: mcryptd - Check mcryptd algorithm compatibility     (tim) [Orabug: 25507153] (CVE-2016-10147)

  - kvm: nVMX: Allow L1 to intercept software exceptions     (#BP and #OF) (Jim Mattson) [Orabug: 25507188]     (CVE-2016-9588)

  - KVM: x86: drop error recovery in em_jmp_far and     em_ret_far (Radim Kr&#x10D m&aacute &#x159 ) [Orabug:
    25507213] (CVE-2016-9756)

  - tcp: take care of truncations done by sk_filter (Eric     Dumazet) [Orabug: 25507226] (CVE-2016-8645)

  - rose: limit sk_filter trim to payload (Willem de Bruijn)     [Orabug: 25507226] (CVE-2016-8645)

  - tipc: check minimum bearer MTU (Michal Kube&#x10D ek)     [Orabug: 25507239] (CVE-2016-8632) (CVE-2016-8632)

  - fix minor infoleak in get_user_ex (Al Viro) [Orabug:
    25507269] (CVE-2016-9178)

  - scsi: arcmsr: Simplify user_len checking (Borislav     Petkov) [Orabug: 25507319] (CVE-2016-7425)

  - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer     (Dan Carpenter) [Orabug: 25507319] (CVE-2016-7425)

  - tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)     [Orabug: 25507341] (CVE-2016-7097) (CVE-2016-7097)

  - posix_acl: Clear SGID bit when setting file permissions     (Jan Kara) [Orabug: 25507341] (CVE-2016-7097)     (CVE-2016-7097)

  - ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366]     (CVE-2015-8952)

  - ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366]     (CVE-2015-8952)

  - mbcache2: reimplement mbcache (Jan Kara) [Orabug:
    25512366] (CVE-2015-8952)

  - USB: digi_acceleport: do sanity checking for the number     of ports (Oliver Neukum) [Orabug: 25512466]     (CVE-2016-3140)

  - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)     [Orabug: 25682419] (CVE-2017-6345)

  - net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli     Cohen) 

  - ipv4: keep skb->dst around in presence of IP options     (Eric Dumazet) [Orabug: 25698300] (CVE-2017-5970)

  - perf/core: Fix concurrent sys_perf_event_open vs.
    'move_group' race (Peter Zijlstra) [Orabug: 25698751]     (CVE-2017-6001)

  - ip6_gre: fix ip6gre_err invalid reads (Eric Dumazet)     [Orabug: 25699015] (CVE-2017-5897)

  - mpt3sas: Don't spam logs if logging level is 0 (Johannes     Thumshirn) 

  - xen-netfront: cast grant table reference first to type     int (Dongli Zhang)

  - xen-netfront: do not cast grant table reference to     signed short (Dongli Zhang)

Description of changes:

[4.1.12-61.1.33.el7uek]
- Revert 'x86/mm: Expand the exception table logic to allow new handling options' (Brian Maly)  [Orabug: 25790387]  {CVE-2016-9644}
- Revert 'fix minor infoleak in get_user_ex()' (Brian Maly)  [Orabug: 25790387]  {CVE-2016-9644}

[4.1.12-61.1.32.el7uek]
- x86/mm: Expand the exception table logic to allow new handling options (Tony Luck)  [Orabug: 25790387]  {CVE-2016-9644}

[4.1.12-61.1.31.el7uek]
- rebuild bumping release

[4.1.12-61.1.30.el7uek]
- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766898]  {CVE-2016-8399} {CVE-2016-8399}
- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro)  [Orabug: 25765436]  {CVE-2016-10088}
- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25751984]  {CVE-2017-7187}

[4.1.12-61.1.29.el7uek]
- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov)  [Orabug: 25696677]  {CVE-2017-2636}
- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)  [Orabug: 25696677]  {CVE-2017-2636}
- If Slot Status indicates changes in both Data Link Layer Status and Presence Detect, prioritize the Link status change. (Jack Vogel) [Orabug: 25353783]
- PCI: pciehp: Leave power indicator on when enabling already-enabled slot (Ashok Raj)  [Orabug: 25353783]
- firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451520]  {CVE-2016-8633}
- usbnet: cleanup after bind() in probe() (Oliver Neukum)  [Orabug: 25463898]  {CVE-2016-3951}
- cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind (Bj&oslash rn Mork)   [Orabug: 25463898]  {CVE-2016-3951}
- cdc_ncm: Add support for moving NDP to end of NCM frame (Enrico Mioso)   [Orabug: 25463898]  {CVE-2016-3951}
- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert)  [Orabug: 25463918]  {CVE-2016-3672}
- kvm: fix page struct leak in handle_vmon (Paolo Bonzini)  [Orabug: 25507133]  {CVE-2017-2596}
- crypto: mcryptd - Check mcryptd algorithm compatibility (tim) [Orabug: 25507153]  {CVE-2016-10147}
- kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) (Jim Mattson)  [Orabug: 25507188]  {CVE-2016-9588}
- KVM: x86: drop error recovery in em_jmp_far and em_ret_far (Radim Kr&#x10D m&aacute &#x159 )  [Orabug: 25507213]  {CVE-2016-9756}
- tcp: take care of truncations done by sk_filter() (Eric Dumazet) [Orabug: 25507226]  {CVE-2016-8645}
- rose: limit sk_filter trim to payload (Willem de Bruijn)  [Orabug: 25507226]  {CVE-2016-8645}
- tipc: check minimum bearer MTU (Michal Kube&#x10D ek)  [Orabug: 25507239] {CVE-2016-8632} {CVE-2016-8632}
- fix minor infoleak in get_user_ex() (Al Viro)  [Orabug: 25507269] {CVE-2016-9178}
- scsi: arcmsr: Simplify user_len checking (Borislav Petkov)  [Orabug: 25507319]  {CVE-2016-7425}
- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan Carpenter)  [Orabug: 25507319]  {CVE-2016-7425}
- tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)  [Orabug: 25507341]  {CVE-2016-7097} {CVE-2016-7097}
- posix_acl: Clear SGID bit when setting file permissions (Jan Kara) [Orabug: 25507341]  {CVE-2016-7097} {CVE-2016-7097}
- ext2: convert to mbcache2 (Jan Kara)  [Orabug: 25512366]  {CVE-2015-8952}
- ext4: convert to mbcache2 (Jan Kara)  [Orabug: 25512366]  {CVE-2015-8952}
- mbcache2: reimplement mbcache (Jan Kara)  [Orabug: 25512366] {CVE-2015-8952}
- USB: digi_acceleport: do sanity checking for the number of ports (Oliver Neukum)  [Orabug: 25512466]  {CVE-2016-3140}
- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet)  [Orabug: 25682419]  {CVE-2017-6345}
- net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli Cohen) [Orabug: 25697847]
- ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) [Orabug: 25698300]  {CVE-2017-5970}
- perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race (Peter Zijlstra)  [Orabug: 25698751]  {CVE-2017-6001}
- ip6_gre: fix ip6gre_err() invalid reads (Eric Dumazet)  [Orabug: 25699015]  {CVE-2017-5897}
- mpt3sas: Don't spam logs if logging level is 0 (Johannes Thumshirn) [Orabug: 25699035]
- xen-netfront: cast grant table reference first to type int (Dongli Zhang)
- xen-netfront: do not cast grant table reference to signed short (Dongli Zhang)

The openSUSE Leap 42.1 kernel to 4.1.38 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bnc#1003077).

  - CVE-2017-5551: tmpfs: Fixed a bug that could have     allowed users to set setgid bits on files they don't     down (bsc#1021258).

  - CVE-2016-10147: crypto/mcryptd.c in the Linux kernel     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) by using an AF_ALG     socket with an incompatible algorithm, as demonstrated     by mcryptd(md5) (bnc#1020381).

  - CVE-2016-10088: The sg implementation in the Linux     kernel did not properly restrict write operations in     situations where the KERNEL_DS option is set, which     allowed local users to read or write to arbitrary kernel     memory locations or cause a denial of service     (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c.
    NOTE: this vulnerability exists because of an incomplete     fix for CVE-2016-9576 (bnc#1017710).

  - CVE-2016-7917: The nfnetlink_rcv_batch function in     net/netfilter/nfnetlink.c in the Linux kernel did not     check whether a batch message's length field is large     enough, which allowed local users to obtain sensitive     information from kernel memory or cause a denial of     service (infinite loop or out-of-bounds read) by     leveraging the CAP_NET_ADMIN capability (bnc#1010444).

  - CVE-2016-8645: The TCP stack in the Linux kernel     mishandled skb truncation, which allowed local users to     cause a denial of service (system crash) via a crafted     application that made sendto system calls, related to     net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c     (bnc#1009969).

  - CVE-2016-9806: Race condition in the netlink_dump     function in net/netlink/af_netlink.c in the Linux kernel     allowed local users to cause a denial of service (double     free) or possibly have unspecified other impact via a     crafted application that made sendmsg system calls,     leading to a free operation associated with a new dump     that started earlier than anticipated (bnc#1013540     1017589).

  - CVE-2016-9793: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1)     SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option (bnc#1013531     1013542).

The following non-security bugs were fixed :

  - PCI: generic: Fix pci_remap_iospace() failure path     (bsc#1019658).

  - bcache: partition support: add 16 minors per bcacheN     device (bsc#1019784).

  - bnx2x: Correct ringparam estimate when DOWN     (bsc#1020214).

  - clk: xgene: Do not call __pa on ioremaped address     (bsc#1019660).

  - kABI workaround for 4.1.37 mount changes     (stable-4.1.37).

  - kABI: reintroduce sk_filter (bsc#1009969).

  - kabi/severities: Ignore inode_change_ok change It's     renamed in 4.1.37 to setattr_prepare()

  - mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]     (bsc#1011820).

  - net: introduce __sock_queue_rcv_skb() function     (bsc#1009969).

  - netback: correct array index (bsc#983348).

  - netfront: do not truncate grant references.

  - netfront: use correct linear area after linearizing an     skb (bsc#1007886).

  - reiserfs: fix race in prealloc discard (bsc#987576).

  - rose: limit sk_filter trim to payload (bsc#1009969).

  - scsi: bfa: Increase requested firmware version to     3.2.5.1 (bsc#1013273).

  - xenbus: correctly signal errors from     xenstored_local_init() (luckily none so far).

  - xenbus: do not invoke ->is_ready() for most device     states (bsc#987333).

Mikulas Patocka discovered that the asynchronous multibuffer cryptographic daemon (mcryptd) in the Linux kernel did not properly handle being invoked with incompatible algorithms. A local attacker could use this to cause a denial of service (system crash).
(CVE-2016-10147)

It was discovered that a use-after-free existed in the KVM susbsystem of the Linux kernel when creating devices. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-10150)

Qidan He discovered that the ICMP implementation in the Linux kernel did not properly check the size of an ICMP header. A local attacker with CAP_NET_ADMIN could use this to expose sensitive information.
(CVE-2016-8399)

Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use to cause a denial of service (system crash) or possible execute arbitrary code with administrative privileges. (CVE-2016-8632)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel did not properly restrict the VCPU index when I/O APIC is enabled, An attacker in a guest VM could use this to cause a denial of service (system crash) or possibly gain privileges in the host OS.
(CVE-2016-9777).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3189-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

Mikulas Patocka discovered that the asynchronous multibuffer cryptographic daemon (mcryptd) in the Linux kernel did not properly handle being invoked with incompatible algorithms. A local attacker could use this to cause a denial of service (system crash).
(CVE-2016-10147)

Qidan He discovered that the ICMP implementation in the Linux kernel did not properly check the size of an ICMP header. A local attacker with CAP_NET_ADMIN could use this to expose sensitive information.
(CVE-2016-8399).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Mikulas Patocka discovered that the asynchronous multibuffer cryptographic daemon (mcryptd) in the Linux kernel did not properly handle being invoked with incompatible algorithms. A local attacker could use this to cause a denial of service (system crash).
(CVE-2016-10147)

Qidan He discovered that the ICMP implementation in the Linux kernel did not properly check the size of an ICMP header. A local attacker with CAP_NET_ADMIN could use this to expose sensitive information.
(CVE-2016-8399).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650)

The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device. (CVE-2016-9576)

The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option.
(CVE-2016-9793)

A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out of bounds read by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399)

Algorithms not compatible with mcryptd could be spawned by mcryptd with a direct crypto_alloc_tfm invocation using a 'mcryptd(alg)' name construct. This causes mcryptd to crash the kernel if an arbitrary 'alg' is incompatible and not intended to be used with mcryptd.
(CVE-2016-10147)

(Updated on 2017-01-19: CVE-2016-8399 was fixed in this release but was previously not part of this errata.)

(Updated on 2017-02-22: CVE-2016-10147 was fixed in this release but was previously not part of this errata.)

ID	Name	Product	Family	Severity
124982	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1529)	Nessus	Huawei Local Security Checks	high
102734	CentOS 7 : kernel (CESA-2017:1842) (Stack Clash)	Nessus	CentOS Local Security Checks	high
102645	Scientific Linux Security Update : kernel on SL7.x x86_64 (20170801)	Nessus	Scientific Linux Local Security Checks	high
102511	Oracle Linux 7 : kernel (ELSA-2017-1842-1) (Stack Clash)	Nessus	Oracle Linux Local Security Checks	critical
102281	Oracle Linux 7 : kernel (ELSA-2017-1842) (Stack Clash)	Nessus	Oracle Linux Local Security Checks	high
102151	RHEL 7 : kernel-rt (RHSA-2017:2077)	Nessus	Red Hat Local Security Checks	high
102143	RHEL 7 : kernel (RHSA-2017:1842) (Stack Clash)	Nessus	Red Hat Local Security Checks	high
99162	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)	Nessus	OracleVM Local Security Checks	high
99159	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3533)	Nessus	Oracle Linux Local Security Checks	high
97138	openSUSE Security Update : the Linux Kernel (openSUSE-2017-246)	Nessus	SuSE Local Security Checks	critical
97098	Ubuntu 16.10 : linux-raspi2 vulnerabilities (USN-3190-2)	Nessus	Ubuntu Local Security Checks	critical
97018	Ubuntu 16.10 : linux vulnerabilities (USN-3190-1)	Nessus	Ubuntu Local Security Checks	critical
97017	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3189-2)	Nessus	Ubuntu Local Security Checks	high
97016	Ubuntu 16.04 LTS : linux, linux-raspi2, linux-snapdragon vulnerabilities (USN-3189-1)	Nessus	Ubuntu Local Security Checks	high
96284	Amazon Linux AMI : kernel (ALAS-2017-782)	Nessus	Amazon Linux Local Security Checks	high

CVE-2016-10147

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins