http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=11f3710417d026ea2f4fcf362d866342c5274185

RHSA-2016:1847

RHSA-2016:1875

[oss-security] 20160711 Re: cvs request: local DoS using rename syscall on overlayfs on top of xfs to crash the kernel - Linux kernel

http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

91709

1036273

USN-3070-1

USN-3070-2

USN-3070-3

USN-3070-4

https://bugzilla.redhat.com/show_bug.cgi?id=1355650

https://github.com/torvalds/linux/commit/11f3710417d026ea2f4fcf362d866342c5274185

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in Linux kernel. There is an     information leak in file 'sound/core/timer.c' of the     latest mainline Linux kernel, the stack object 'tread'     has a total size of 32 bytes. It contains a 8-bytes     padding, which is not initialized but sent to user via     copy_to_user(), resulting a kernel leak.(CVE-2016-4569)

  - A vulnerability was found in Linux kernel. There is an     information leak in file sound/core/timer.c of the     latest mainline Linux kernel. The stack object 'r1' has     a total size of 32 bytes. Its field 'event' and 'val'     both contain 4 bytes padding. These 8 bytes padding     bytes are sent to user without being     initialized.(CVE-2016-4578)

  - The x25_negotiate_facilities function in     net/x25/x25_facilities.c in the Linux kernel before     4.5.5 does not properly initialize a certain data     structure, which allows attackers to obtain sensitive     information from kernel stack memory via an X.25 Call     Request.(CVE-2016-4580)

  - fs/pnode.c in the Linux kernel before 4.5.4 does not     properly traverse a mount propagation tree in a certain     case involving a slave mount, which allows local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted series of mount system     calls.(CVE-2016-4581)

  - Use after free vulnerability was found in percpu using     previously allocated memory in bpf. First
    __alloc_percpu_gfp() is called, then the memory is     freed with free_percpu() which triggers async     pcpu_balance_work and then pcpu_extend_area_map could     use a chunk after it has been freed.(CVE-2016-4794)

  - Use-after-free vulnerability in     drivers/net/ppp/ppp_generic.c in the Linux kernel     before 4.5.2 allows local users to cause a denial of     service (memory corruption and system crash, or     spinlock) or possibly have unspecified other impact by     removing a network namespace, related to the     ppp_register_net_channel and ppp_unregister_channel     functions.(CVE-2016-4805)

  - A vulnerability was found in the Linux kernel. Payloads     of NM entries are not supposed to contain NUL. When     such entry is processed, only the part prior to the     first NUL goes into the concatenation (i.e. the     directory entry name being encoded by a bunch of NM     entries). The process stops when the amount collected     so far + the claimed amount in the current NM entry     exceed 254. However, the value returned as the total     length is the sum of *claimed* sizes, not the actual     amount collected. And that's what will be passed to     readdir() callback as the name length - 8Kb
    __copy_to_user() from a buffer allocated by
    __get_free_page().(CVE-2016-4913)

  - A flaw was discovered in processing setsockopt for 32     bit processes on 64 bit systems. This flaw will allow     attackers to alter arbitrary kernel memory when     unloading a kernel module. This action is usually     restricted to root-privileged users but can also be     leveraged if the kernel is compiled with CONFIG_USER_NS     and CONFIG_NET_NS and the user is granted elevated     privileges.(CVE-2016-4997)

  - An out-of-bounds heap memory access leading to a Denial     of Service, heap disclosure, or further impact was     found in setsockopt(). The function call is normally     restricted to root, however some processes with     cap_sys_admin may also be able to trigger this flaw in     privileged container environments.(CVE-2016-4998)

  - A race condition was found in the way the Linux     kernel's memory subsystem handled the copy-on-write     (COW) breakage of private read-only memory mappings. An     unprivileged, local user could use this flaw to gain     write access to otherwise read-only memory mappings and     thus increase their privileges on the     system.(CVE-2016-5195)

  - It was found that the RFC 5961 challenge ACK rate     limiting as implemented in the Linux kernel's     networking subsystem allowed an off-path attacker to     leak certain information about a given connection by     creating congestion on the global challenge ACK rate     limit counter and then measuring the changes by probing     packets. An off-path attacker could use this flaw to     either terminate TCP connection and/or inject payload     into non-secured TCP connection between two endpoints     on the network.(CVE-2016-5696)

  - A heap-based buffer overflow vulnerability was found in     the Linux kernel's hiddev driver. This flaw could allow     a local attacker to corrupt kernel memory, possible     privilege escalation or crashing the     system.(CVE-2016-5829)

  - When creating audit records for parameters to executed     children processes, an attacker can convince the Linux     kernel audit subsystem can create corrupt records which     may allow an attacker to misrepresent or evade logging     of executing commands.(CVE-2016-6136)

  - It was found that the unlink and rename functionality     in overlayfs did not verify the upper dentry for     staleness. A local, unprivileged user could use the     rename syscall on overlayfs on top of xfs to panic or     crash the system.(CVE-2016-6197)

  - A flaw was found that the vfs_rename() function did not     detect hard links on overlayfs. A local, unprivileged     user could use the rename syscall on overlayfs on top     of xfs to crash the system.(CVE-2016-6198)

  - System using the infiniband support module ib_srpt were     vulnerable to a denial of service by system crash by a     local attacker who is able to abort writes to a device     using this initiator.(CVE-2016-6327)

  - A race condition flaw was found in the ioctl_send_fib()     function in the Linux kernel's aacraid implementation.
    A local attacker could use this flaw to cause a denial     of service (out-of-bounds access or system crash) by     changing a certain size value.(CVE-2016-6480)

  - kernel/events/core.c in the performance subsystem in     the Linux kernel before 4.0 mismanages locks during     certain migrations, which allows local users to gain     privileges via a crafted application, aka Android     internal bug 30955111.(CVE-2016-6786)

  - kernel/events/core.c in the performance subsystem in     the Linux kernel before 4.0 mismanages locks during     certain migrations, which allows local users to gain     privileges via a crafted application, aka Android     internal bug 31095224.(CVE-2016-6787)

  - A use-after-free vulnerability was found in     tcp_xmit_retransmit_queue and other tcp_* functions.
    This condition could allow an attacker to send an     incorrect selective acknowledgment to existing     connections, possibly resetting a     connection.(CVE-2016-6828)

  - Linux kernel built with the 802.1Q/802.1ad     VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local     Area Network(CONFIG_VXLAN) with Transparent Ethernet     Bridging(TEB) GRO support, is vulnerable to a stack     overflow issue. It could occur while receiving large     packets via GRO path, as an unlimited recursion could     unfold in both VLAN and TEB modules, leading to a stack     corruption in the kernel.(CVE-2016-7039)

  - It was found that when the gcc stack protector was     enabled, reading the /proc/keys file could cause a     panic in the Linux kernel due to stack corruption. This     happened because an incorrect buffer size was used to     hold a 64-bit timeout value rendered as     weeks.(CVE-2016-7042)

  - It was found that when file permissions were modified     via chmod and the user modifying them was not in the     owning group or capable of CAP_FSETID, the setgid bit     would be cleared. Setting a POSIX ACL via setxattr sets     the file permissions as well as the new ACL, but     doesn't clear the setgid bit in a similar way. This     could allow a local user to gain group privileges via     certain setgid applications.(CVE-2016-7097)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - It was found that the parse_rock_ridge_inode_internal()     function of the Linux kernel's ISOFS implementation did     not correctly check relocated directories when     processing Rock Ridge child link (CL) tags. An attacker     with physical access to the system could use a     specially crafted ISO image to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-5472)

  - An issue was discovered in the Linux kernel's F2FS     filesystem code. An out-of-bounds access vulnerability     is possible the in __remove_dirty_segment() in     fs/f2fs/segment.c function when mounting a crafted f2fs     image.(CVE-2018-14614)

  - Race condition in kernel/events/core.c in the Linux     kernel before 4.4 allows local users to gain privileges     or cause a denial of service via use-after-free     vulnerability by leveraging incorrect handling of an     swevent data structure during a CPU unplug     operation.(CVE-2015-8963)

  - The skbs processed by ip_cmsg_recv() are not guaranteed     to be linear (e.g. when sending UDP packets over     loopback with MSGMORE). Using csum_partial() on     potentially the whole skb len is dangerous; instead be     on the safe side and use skb_checksum(). This may lead     to an infoleak as the kernel memory may be checksummed     and sent as part of the packet.(CVE-2017-6347)

  - The apic_get_tmcct function in arch/x86/kvm/lapic.c in     the KVM subsystem in the Linux kernel through 3.12.5     allows guest OS users to cause a denial of service     (divide-by-zero error and host OS crash) via crafted     modifications of the TMICT value.(CVE-2013-6367)

  - A use-after-free issue was found in the way the Linux     kernel's KVM hypervisor processed posted interrupts     when nested(=1) virtualization is enabled. In     nested_get_vmcs12_pages(), in case of an error while     processing posted interrupt address, it unmaps the     'pi_desc_page' without resetting 'pi_desc' descriptor     address, which is later used in pi_test_and_clear_on().
    A guest user/process could use this flaw to crash the     host kernel resulting in DoS or potentially gain     privileged access to a system.(CVE-2018-16882)

  - It was discovered that the atl2_probe() function in the     Atheros L2 Ethernet driver in the Linux kernel     incorrectly enabled scatter/gather I/O. A remote     attacker could use this flaw to obtain potentially     sensitive information from the kernel     memory.(CVE-2016-2117)

  - A flaw was found in the way the nft_flush_table()     function of the Linux kernel's netfilter tables     implementation flushed rules that were referencing     deleted chains. A local user who has the CAP_NET_ADMIN     capability could use this flaw to crash the     system.(CVE-2015-1573)

  - The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186)

  - It was found that KVM's Write to Model Specific     Register (WRMSR) instruction emulation would write     non-canonical values passed in by the guest to certain     MSRs in the host's context. A privileged guest user     could use this flaw to crash the host.(CVE-2014-3610)

  - The BPF_S_ANC_NLATTR_NEST extension implementation in     the sk_run_filter function in net/core/filter.c in the     Linux kernel through 3.14.3 uses the reverse order in a     certain subtraction, which allows local users to cause     a denial of service (over-read and system crash) via     crafted BPF instructions. NOTE: the affected code was     moved to the __skb_get_nlattr_nest function before the     vulnerability was announced.(CVE-2014-3145)

  - The yam_ioctl function in drivers/net/hamradio/yam.c in     the Linux kernel before 3.12.8 does not initialize a     certain structure member, which allows local users to     obtain sensitive information from kernel memory by     leveraging the CAP_NET_ADMIN capability for an     SIOCYAMGCFG ioctl call.(CVE-2014-1446)

  - A race condition flaw was found in the N_HLDC Linux     kernel driver when accessing n_hdlc.tbuf list that can     lead to double free. A local, unprivileged user able to     set the HDLC line discipline on the tty device could     use this flaw to increase their privileges on the     system.(CVE-2017-2636)

  - A flaw was found in the way Linux kernel's Transparent     Huge Pages (THP) implementation handled non-huge page     migration. A local, unprivileged user could use this     flaw to crash the kernel by migrating transparent     hugepages.(CVE-2014-3940)

  - A security flaw was found in the     chap_server_compute_md5() function in the ISCSI target     code in the Linux kernel in a way an authentication     request from an ISCSI initiator is processed. An     unauthenticated remote attacker can cause a stack     buffer overflow and smash up to 17 bytes of the stack.
    The attack requires the iSCSI target to be enabled on     the victim host. Depending on how the target's code was     built (i.e. depending on a compiler, compile flags and     hardware architecture) an attack may lead to a system     crash and thus to a denial of service or possibly to a     non-authorized access to data exported by an iSCSI     target. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is highly unlikely.(CVE-2018-14633)

  - A vulnerability was found in the Linux kernel where     filesystems mounted with data=ordered mode may allow an     attacker to read stale data from recently allocated     blocks in new files after a system 'reset' by abusing     ext4 mechanics of delayed allocation.(CVE-2017-7495)

  - drivers/media/platform/msm/broadcast/tsc.c in the TSC     driver for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allows attackers to cause a     denial of service (invalid pointer dereference) or     possibly have unspecified other impact via a crafted     application that makes a TSC_GET_CARD_STATUS ioctl     call.(CVE-2015-0573)

  - It was found that the unlink and rename functionality     in overlayfs did not verify the upper dentry for     staleness. A local, unprivileged user could use the     rename syscall on overlayfs on top of xfs to panic or     crash the system.(CVE-2016-6197)

  - In net/socket.c in the Linux kernel through 4.17.1,     there is a race condition between fchownat and close in     cases where they target the same socket file     descriptor, related to the sock_close and     sockfs_setattr functions. fchownat does not increment     the file descriptor reference count, which allows close     to set the socket to NULL during fchownat's execution,     leading to a NULL pointer dereference and system     crash.(CVE-2018-12232)

  - The ath9k_htc_set_bssid_mask function in     drivers/net/wireless/ath/ath9k/htc_drv_main.c in the     Linux kernel through 3.12 uses a BSSID masking approach     to determine the set of MAC addresses on which a Wi-Fi     device is listening, which allows remote attackers to     discover the original MAC address after spoofing by     sending a series of packets to MAC addresses with     certain bit manipulations.(CVE-2013-4579)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0100 for details.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* A security flaw was found in the Linux kernel in the mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It is possible for a user-supplied 'ipt_entry' structure to have a large 'next_offset' field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important)

* A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important)

* An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate)

Bug Fix(es) :

* In some cases, running the ipmitool command caused a kernel panic due to a race condition in the ipmi message handler. This update fixes the race condition, and the kernel panic no longer occurs in the described scenario. (BZ#1353947)

* Previously, running I/O-intensive operations in some cases caused the system to terminate unexpectedly after a NULL pointer dereference in the kernel. With this update, a set of patches has been applied to the 3w-9xxx and 3w-sas drivers that fix this bug. As a result, the system no longer crashes in the described scenario. (BZ#1362040)

* Previously, the Stream Control Transmission Protocol (SCTP) sockets did not inherit the SELinux labels properly. As a consequence, the sockets were labeled with the unlabeled_t SELinux type which caused SCTP connections to fail. The underlying source code has been modified, and SCTP connections now works as expected. (BZ#1354302)

* Previously, the bnx2x driver waited for transmission completions when recovering from a parity event, which substantially increased the recovery time. With this update, bnx2x does not wait for transmission completion in the described circumstances. As a result, the recovery of bnx2x after a parity event now takes less time. (BZ#1351972)

Enhancement(s) :

* With this update, the audit subsystem enables filtering of processes by name besides filtering by PID. Users can now audit by executable name (with the '-F exe=' option), which allows expression of many new audit rules. This functionality can be used to create events when specific applications perform a syscall. (BZ#1345774)

* With this update, the Nonvolatile Memory Express (NVMe) and the multi-queue block layer (blk_mq) have been upgraded to the Linux 4.5 upstream version. Previously, a race condition between timeout and freeing request in blk_mq occurred, which could affect the blk_mq_tag_to_rq() function and consequently a kernel oops could occur. The provided patch fixes this race condition by updating the tags with the active request. The patch simplifies blk_mq_tag_to_rq() and ensures that the two requests are not active at the same time.
(BZ#1350352)

* The Hyper-V storage driver (storvsc) has been upgraded from upstream. This update provides moderate performance improvement of I/O operations when using storvscr for certain workloads. (BZ#1360161)

Additional Changes :

Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article:
https://access.redhat.com/articles/2592321

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

The kernel-rt packages have been upgraded to the kernel-3.10.0-327.36.1 source tree, which provides a number of bug fixes over the previous version. (BZ# 1366538)

Security Fix(es) :

* A security flaw was found in the Linux kernel in the mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It is possible for a user-supplied 'ipt_entry' structure to have a large 'next_offset' field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important)

* A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important)

* An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate)

From Red Hat Security Advisory 2016:1847 :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* A security flaw was found in the Linux kernel in the mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It is possible for a user-supplied 'ipt_entry' structure to have a large 'next_offset' field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important)

* A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important)

* An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate)

Bug Fix(es) :

* In some cases, running the ipmitool command caused a kernel panic due to a race condition in the ipmi message handler. This update fixes the race condition, and the kernel panic no longer occurs in the described scenario. (BZ#1353947)

* Previously, running I/O-intensive operations in some cases caused the system to terminate unexpectedly after a NULL pointer dereference in the kernel. With this update, a set of patches has been applied to the 3w-9xxx and 3w-sas drivers that fix this bug. As a result, the system no longer crashes in the described scenario. (BZ#1362040)

* Previously, the Stream Control Transmission Protocol (SCTP) sockets did not inherit the SELinux labels properly. As a consequence, the sockets were labeled with the unlabeled_t SELinux type which caused SCTP connections to fail. The underlying source code has been modified, and SCTP connections now works as expected. (BZ#1354302)

* Previously, the bnx2x driver waited for transmission completions when recovering from a parity event, which substantially increased the recovery time. With this update, bnx2x does not wait for transmission completion in the described circumstances. As a result, the recovery of bnx2x after a parity event now takes less time. (BZ#1351972)

Enhancement(s) :

* With this update, the audit subsystem enables filtering of processes by name besides filtering by PID. Users can now audit by executable name (with the '-F exe=' option), which allows expression of many new audit rules. This functionality can be used to create events when specific applications perform a syscall. (BZ#1345774)

* With this update, the Nonvolatile Memory Express (NVMe) and the multi-queue block layer (blk_mq) have been upgraded to the Linux 4.5 upstream version. Previously, a race condition between timeout and freeing request in blk_mq occurred, which could affect the blk_mq_tag_to_rq() function and consequently a kernel oops could occur. The provided patch fixes this race condition by updating the tags with the active request. The patch simplifies blk_mq_tag_to_rq() and ensures that the two requests are not active at the same time.
(BZ#1350352)

* The Hyper-V storage driver (storvsc) has been upgraded from upstream. This update provides moderate performance improvement of I/O operations when using storvscr for certain workloads. (BZ#1360161)

Additional Changes :

Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article:
https://access.redhat.com/articles/2592321

USN-3070-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

A missing permission check when settings ACLs was discovered in nfsd.
A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237)

Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244)

James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. An attacker with physical access could use this to cause a denial of service (memory consumption). (CVE-2016-5400)

Yue Cao et al discovered a flaw in the TCP implementation's handling of challenge acks in the Linux kernel. A remote attacker could use this to cause a denial of service (reset connection) or inject content into an TCP stream. (CVE-2016-5696)

Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-5728)

Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled transactional memory state on exec(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-5828)

It was discovered that a heap based buffer overflow existed in the USB HID driver in the Linux kernel. A local attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)

It was discovered that the OverlayFS implementation in the Linux kernel did not properly verify dentry state before proceeding with unlink and rename operations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-6197).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A missing permission check when settings ACLs was discovered in nfsd.
A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237)

Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244)

James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. An attacker with physical access could use this to cause a denial of service (memory consumption). (CVE-2016-5400)

Yue Cao et al discovered a flaw in the TCP implementation's handling of challenge acks in the Linux kernel. A remote attacker could use this to cause a denial of service (reset connection) or inject content into an TCP stream. (CVE-2016-5696)

Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-5728)

Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled transactional memory state on exec(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-5828)

It was discovered that a heap based buffer overflow existed in the USB HID driver in the Linux kernel. A local attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)

It was discovered that the OverlayFS implementation in the Linux kernel did not properly verify dentry state before proceeding with unlink and rename operations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-6197).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).

The remote OracleVM system is missing necessary patches to address critical security updates :

  - vfs: rename: check backing inode being equal (Miklos     Szeredi) [Orabug: 24010060] (CVE-2016-6198)     (CVE-2016-6197)

  - vfs: add vfs_select_inode helper (Miklos Szeredi)     [Orabug: 24010060] (CVE-2016-6198) (CVE-2016-6197)

  - ovl: verify upper dentry before unlink and rename     (Miklos Szeredi) [Orabug: 24010060] (CVE-2016-6198)     (CVE-2016-6197)

  - ovl: fix getcwd failure after unsuccessful rmdir (Rui     Wang) [Orabug: 24010060] (CVE-2016-6198) (CVE-2016-6197)

  - xen: use same main loop for counting and remapping pages     (Juergen Gross) [Orabug: 24012238]

  - Revert 'ocfs2: bump up o2cb network protocol version'     (Junxiao Bi) 

  - atl2: Disable unimplemented scatter/gather feature (Ben     Hutchings) [Orabug: 23704078] (CVE-2016-2117)

  - Revert 'perf tools: Bump default sample freq to 4 kHz'     (ashok.vairavan) [Orabug: 23634802]

  - block: Initialize max_dev_sectors to 0 (Keith Busch)     [Orabug: 23333444]

  - sd: Fix rw_max for devices that report an optimal xfer     size (Martin K. Petersen) [Orabug: 23333444]

  - sd: Fix excessive capacity printing on devices with     blocks bigger than 512 bytes (Martin K. Petersen)     [Orabug: 23333444]

  - sd: Optimal I/O size is in bytes, not sectors (Martin K.
    Petersen) 

  - sd: Reject optimal transfer length smaller than page     size (Martin K. Petersen) [Orabug: 23333444]

  - Fix kabi issue for upstream commit ca369d51 (Joe Jin)     [Orabug: 23333444]

  - block/sd: Fix device-imposed transfer length limits (Joe     Jin)

Description of changes:

[4.1.12-37.6.1.el7uek]
- vfs: rename: check backing inode being equal (Miklos Szeredi) [Orabug: 24010060]  {CVE-2016-6198} {CVE-2016-6197}
- vfs: add vfs_select_inode() helper (Miklos Szeredi)  [Orabug: 24010060]  {CVE-2016-6198} {CVE-2016-6197}
- ovl: verify upper dentry before unlink and rename (Miklos Szeredi) [Orabug: 24010060]  {CVE-2016-6198} {CVE-2016-6197}
- ovl: fix getcwd() failure after unsuccessful rmdir (Rui Wang) [Orabug: 24010060]  {CVE-2016-6198} {CVE-2016-6197}
- xen: use same main loop for counting and remapping pages (Juergen Gross)  [Orabug: 24012238]
- Revert 'ocfs2: bump up o2cb network protocol version' (Junxiao Bi) [Orabug: 23710417]
- atl2: Disable unimplemented scatter/gather feature (Ben Hutchings) [Orabug: 23704078]  {CVE-2016-2117}
- Revert 'perf tools: Bump default sample freq to 4 kHz' (ashok.vairavan)  [Orabug: 23634802]
- block: Initialize max_dev_sectors to 0 (Keith Busch)  [Orabug: 23333444]
- sd: Fix rw_max for devices that report an optimal xfer size (Martin K. Petersen)  [Orabug: 23333444]
- sd: Fix excessive capacity printing on devices with blocks bigger than 512 bytes (Martin K. Petersen)  [Orabug: 23333444]
- sd: Optimal I/O size is in bytes, not sectors (Martin K. Petersen) [Orabug: 23333444]
- sd: Reject optimal transfer length smaller than page size (Martin K. Petersen)  [Orabug: 23333444]
- Fix kabi issue for upstream commit ca369d51 (Joe Jin)  [Orabug: 23333444]
- block/sd: Fix device-imposed transfer length limits (Joe Jin) [Orabug: 23333444]

ID	Name	Product	Family	Severity
125100	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1494)	Nessus	Huawei Local Security Checks	high
124810	EulerOS : kernel (EulerOS-SA-2019-1486)	Nessus	Huawei Local Security Checks	critical
93679	OracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0100)	Nessus	OracleVM Local Security Checks	critical
93594	CentOS 7 : kernel (CESA-2016:1847)	Nessus	CentOS Local Security Checks	high
93556	RHEL 7 : kernel-rt (RHSA-2016:1875)	Nessus	Red Hat Local Security Checks	high
93555	RHEL 7 : kernel (RHSA-2016:1847)	Nessus	Red Hat Local Security Checks	high
93501	Oracle Linux 7 : kernel (ELSA-2016-1847)	Nessus	Oracle Linux Local Security Checks	high
93243	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3070-4)	Nessus	Ubuntu Local Security Checks	high
93242	Ubuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3070-3)	Nessus	Ubuntu Local Security Checks	high
93241	Ubuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3070-2)	Nessus	Ubuntu Local Security Checks	high
93217	Ubuntu 16.04 LTS : linux vulnerabilities (USN-3070-1)	Nessus	Ubuntu Local Security Checks	high
93148	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3596)	Nessus	Oracle Linux Local Security Checks	critical
92658	OracleVM 3.4 : kernel-uek (OVMSA-2016-0091)	Nessus	OracleVM Local Security Checks	medium
92656	Oracle Linux 6 / 7 : kernel-uek (ELSA-2016-3587)	Nessus	Oracle Linux Local Security Checks	medium

CVE-2016-6197

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins