http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=aa93d1fee85c890a34f2510a310e55ee76a27848

[oss-security] 20160725 CVE-2016-5400 - linux kernel: denial of service in airspy USB driver.

92104

1036432

USN-3070-1

USN-3070-2

USN-3070-3

USN-3070-4

https://bugzilla.redhat.com/show_bug.cgi?id=1358184

https://github.com/torvalds/linux/commit/aa93d1fee85c890a34f2510a310e55ee76a27848

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The ipx_recvmsg function in net/ipx/af_ipx.c in the     Linux kernel before 3.12.4 updates a certain length     value without ensuring that an associated data     structure has been initialized, which allows local     users to obtain sensitive information from kernel     memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg     system call.(CVE-2013-7268)

  - The move_pages system call in mm/migrate.c in the Linux     kernel doesn't check the effective uid of the target     process. This enables a local attacker to learn the     memory layout of a setuid executable allowing     mitigation of ASLR.(CVE-2017-14140)

  - Multiple array index errors in drivers/hid/hid-core.c     in the Human Interface Device (HID) subsystem in the     Linux kernel through 3.11 allow physically proximate     attackers to execute arbitrary code or cause a denial     of service (heap memory corruption) via a crafted     device that provides an invalid Report     ID.(CVE-2013-2888)

  - It was found that if a Non-Maskable Interrupt (NMI)     occurred immediately after a SYSCALL call or before a     SYSRET call with the user RSP pointing to the NMI IST     stack, the kernel could skip that NMI.(CVE-2015-3291)

  - The sound/core/seq_device.c in the Linux kernel, before     4.13.4, allows local users to cause a denial of service     (snd_rawmidi_dev_seq_free use-after-free and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16528)

  - net/ceph/auth_x.c in Ceph, as used in the Linux kernel     before 3.16.3, does not properly consider the     possibility of kmalloc failure, which allows remote     attackers to cause a denial of service (system crash)     or possibly have unspecified other impact via a long     unencrypted auth ticket.(CVE-2014-6417)

  - A NULL pointer dereference flaw was found in the Linux     kernel: the NFSv4.2 migration code improperly     initialized the kernel structure. A local,     authenticated user could use this flaw to cause a panic     of the NFS client (denial of service).(CVE-2015-8746)

  - A stack-based buffer overflow flaw was found in the     TechnoTrend/Hauppauge DEC USB device driver. A local     user with write access to the corresponding device     could use this flaw to crash the kernel or,     potentially, elevate their privileges on the     system.(CVE-2014-8884)

  - A flaw was found in the linux kernel's implementation     of the airspy USB device driver in which a leak was     found when a subdev or SDR are plugged into the host.An     attacker can create an targeted USB device which can     emulate 64 of these devices. Then by emulating an     additional device which continuously connects and     disconnects, each connection attempt will leak memory     which can not be recovered.(CVE-2016-5400)

  - The sound/usb/mixer.c in the Linux kernel, before     4.13.8, allows local users to cause a denial of service     (snd_usb_mixer_interrupt use-after-free and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16527)

  - The Human Interface Device (HID) subsystem in the Linux     kernel through 3.11, when CONFIG_LOGITECH_FF,     CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled,     allows physically proximate attackers to cause a denial     of service (heap-based out-of-bounds write) via a     crafted device, related to (1) drivers/hid/hid-lgff.c,     (2) drivers/hid/hid-lg3ff.c, and (3)     drivers/hid/hid-lg4ff.c.(CVE-2013-2893)

  - It was found that reporting emulation failures to user     space could lead to either a local (CVE-2014-7842) or a     L2->L1 (CVE-2010-5313) denial of service. In the case     of a local denial of service, an attacker must have     access to the MMIO area or be able to access an I/O     port. Please note that on certain systems, HPET is     mapped to userspace as part of vdso (vvar) and thus an     unprivileged user may generate MMIO transactions (and     enter the emulator) this way.(CVE-2014-7842)

  - A flaw was discovered in the way the Linux kernel's TTY     subsystem handled the tty shutdown phase. A local,     unprivileged user could use this flaw to cause denial     of service on the system by holding a reference to the     ldisc lock during tty shutdown, causing a     deadlock.(CVE-2015-4170)

  - The __ip6_append_data function in net/ipv6/ip6_output.c     in the Linux kernel through 4.11.3 is too late in     checking whether an overwrite of an skb data structure     may occur, which allows local users to cause a denial     of service (system crash) via crafted system     calls.(CVE-2017-9242)

  - The Linux kernel built with the KVM visualization     support (CONFIG_KVM), with nested visualization(nVMX)     feature enabled (nested=1), was vulnerable to a stack     buffer overflow issue. The vulnerability could occur     while traversing guest page table entries to resolve     guest virtual address(gva). An L1 guest could use this     flaw to crash the host kernel resulting in denial of     service (DoS) or potentially execute arbitrary code on     the host to gain privileges on the     system.(CVE-2017-12188)

  - The recalculate_apic_map function in     arch/x86/kvm/lapic.c in the KVM subsystem in the Linux     kernel through 3.12.5 allows guest OS users to cause a     denial of service (host OS crash) via a crafted ICR     write operation in x2apic mode.(CVE-2013-6376)

  - The wanxl_ioctl function in drivers/net/wan/wanxl.c in     the Linux kernel before 3.11.7 does not properly     initialize a certain data structure, which allows local     users to obtain sensitive information from kernel     memory via an ioctl call.(CVE-2014-1445)

  - The restore_fpu_checking function in     arch/x86/include/asm/fpu-internal.h in the Linux kernel     before 3.12.8 on the AMD K7 and K8 platforms does not     clear pending exceptions before proceeding to an EMMS     instruction, which allows local users to cause a denial     of service (task kill) or possibly gain privileges via     a crafted application.(CVE-2014-1438)

  - A race condition was found in the way the Linux     kernel's memory subsystem handled the copy-on-write     (COW) breakage of private read-only memory mappings. An     unprivileged, local user could use this flaw to gain     write access to otherwise read-only memory mappings and     thus increase their privileges on the     system.(CVE-2016-5195)

  - Algorithms not compatible with mcryptd could be spawned     by mcryptd with a direct crypto_alloc_tfm invocation     using a 'mcryptd(alg)' name construct. This causes     mcryptd to crash the kernel if an arbitrary 'alg' is     incompatible and not intended to be used with     mcryptd.(CVE-2016-10147)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3070-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

A missing permission check when settings ACLs was discovered in nfsd.
A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237)

Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244)

James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. An attacker with physical access could use this to cause a denial of service (memory consumption). (CVE-2016-5400)

Yue Cao et al discovered a flaw in the TCP implementation's handling of challenge acks in the Linux kernel. A remote attacker could use this to cause a denial of service (reset connection) or inject content into an TCP stream. (CVE-2016-5696)

Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-5728)

Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled transactional memory state on exec(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-5828)

It was discovered that a heap based buffer overflow existed in the USB HID driver in the Linux kernel. A local attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)

It was discovered that the OverlayFS implementation in the Linux kernel did not properly verify dentry state before proceeding with unlink and rename operations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-6197).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A missing permission check when settings ACLs was discovered in nfsd.
A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237)

Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244)

James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. An attacker with physical access could use this to cause a denial of service (memory consumption). (CVE-2016-5400)

Yue Cao et al discovered a flaw in the TCP implementation's handling of challenge acks in the Linux kernel. A remote attacker could use this to cause a denial of service (reset connection) or inject content into an TCP stream. (CVE-2016-5696)

Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-5728)

Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled transactional memory state on exec(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-5828)

It was discovered that a heap based buffer overflow existed in the USB HID driver in the Linux kernel. A local attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)

It was discovered that the OverlayFS implementation in the Linux kernel did not properly verify dentry state before proceeding with unlink and rename operations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-6197).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to latest upstream stable release, Linux v4.6.5.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124982	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1529)	Nessus	Huawei Local Security Checks	high
93243	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3070-4)	Nessus	Ubuntu Local Security Checks	high
93242	Ubuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3070-3)	Nessus	Ubuntu Local Security Checks	high
93241	Ubuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3070-2)	Nessus	Ubuntu Local Security Checks	high
93217	Ubuntu 16.04 LTS : linux vulnerabilities (USN-3070-1)	Nessus	Ubuntu Local Security Checks	high
92804	Fedora 23 : kernel (2016-754e4768d8)	Nessus	Fedora Local Security Checks	medium
92799	Fedora 24 : kernel (2016-30e3636e79)	Nessus	Fedora Local Security Checks	medium

CVE-2016-5400

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins