http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=11f3710417d026ea2f4fcf362d866342c5274185

RHSA-2016:1847

RHSA-2016:1875

[oss-security] 20160711 Re: cvs request: local DoS using rename syscall on overlayfs on top of xfs to crash the kernel - Linux kernel

http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

91709

1036273

USN-3070-1

USN-3070-2

USN-3070-3

USN-3070-4

https://bugzilla.redhat.com/show_bug.cgi?id=1355650

https://github.com/torvalds/linux/commit/11f3710417d026ea2f4fcf362d866342c5274185

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):** DISPUTED ** Multiple     integer overflows in the lzo1x_decompress_safe function     in lib/lzo/lzo1x_decompress_safe.c in the LZO     decompressor in the Linux kernel before 3.15.2 allow     context-dependent attackers to cause a denial of     service (memory corruption) via a crafted Literal Run.
    NOTE: the author of the LZO algorithms says 'the Linux     kernel is *not* affected media hype.'(CVE-2014-4608)A     certain backport in the TCP Fast Open implementation     for the Linux kernel before 3.18 does not properly     maintain a count value, which allow local users to     cause a denial of service (system crash) via the Fast     Open feature, as demonstrated by visiting the     chrome://flags/#enable-tcp-fast-open URL when using     certain 3.10.x through 3.16.x kernel builds, including     longterm-maintenance releases and ckt (aka Canonical     Kernel Team) builds.(CVE-2015-3332)An elevation of     privilege vulnerability in the kernel scsi driver.
    Product: Android. Versions: Android kernel. Android ID     A-65023233.(CVE-2017-13168)An issue was discovered in     drivers/i2c/i2c-core-smbus.c in the Linux kernel before     4.14.15. There is an out of bounds write in the     function i2c_smbus_xfer_emulated.(CVE-2017-18551)An     issue was discovered in net/ipv6/ip6mr.c in the Linux     kernel before 4.11. By setting a specific socket     option, an attacker can control a pointer in kernel     land and cause an inet_csk_listen_stop general     protection fault, or potentially execute arbitrary code     under certain circumstances. The issue can be triggered     as root (e.g., inside a default LXC container or with     the CAP_NET_ADMIN capability) or after namespace     unsharing. This occurs because sk_type and protocol are     not checked in the appropriate part of the ip6_mroute_*     functions. NOTE: this affects Linux distributions that     use 4.9.x longterm kernels before     4.9.187.(CVE-2017-18509)An issue was discovered in the     Linux kernel before 4.14.11. A double free may be     caused by the function allocate_trace_buffer in the     file kernel/trace/trace.c.(CVE-2017-18595)An issue was     discovered in the Linux kernel through 4.17.10. There     is a NULL pointer dereference and panic in     hfsplus_lookup() in fs/hfsplus/dir.c when opening a     file (that is purportedly a hard link) in an hfs+     filesystem that has malformed catalog data, and is     mounted read-only without a metadata     directory.(CVE-2018-14617)An issue was discovered in     write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in     the Linux kernel through 5.3.2. The cxgb4 driver is     directly calling dma_map_single (a DMA function) from a     stack variable. This could allow an attacker to trigger     a Denial of Service, exploitable if this driver is used     on an architecture for which this stack/DMA interaction     has security relevance.(CVE-2019-17075)Double free     vulnerability in the snd_usbmidi_create function in     sound/usb/midi.c in the Linux kernel before 4.5 allows     physically proximate attackers to cause a denial of     service (panic) or possibly have unspecified other     impact via vectors involving an invalid USB     descriptor.(CVE-2016-2384)fsamespace.c in the Linux     kernel through 3.16.1 does not properly restrict     clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and     changing MNT_ATIME_MASK during a remount of a bind     mount, which allows local users to gain privileges,     interfere with backups and auditing on systems that had     atime enabled, or cause a denial of service (excessive     filesystem updating) on systems that had atime disabled     via a 'mount -o remount' command within a user     namespace.(CVE-2014-5207)fs/overlayfs/dir.c in the     OverlayFS filesystem implementation in the Linux kernel     before 4.6 does not properly verify the upper dentry     before proceeding with unlink and rename system-call     processing, which allows local users to cause a denial     of service (system crash) via a rename system call that     specifies a self-hardlink.(CVE-2016-6197)In the Linux     kernel before 4.1.4, a buffer overflow occurs when     checking userspace params in     drivers/media/dvb-frontends/cx24116.c. The maximum size     for a DiSEqC command is 6, according to the userspace     API. However, the code allows larger values such as     23.(CVE-2015-9289)In the Linux kernel through 5.3.2,     cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c     does not reject a long SSID IE, leading to a Buffer     Overflow.(CVE-2019-17133)Insufficient access control in     the Intel(R) PROSet/Wireless WiFi Software driver     before version 21.10 may allow an unauthenticated user     to potentially enable denial of service via adjacent     access.(CVE-2019-0136)Linux distributions that have not     patched their long-term kernels with     https://git.kernel.org/linus/a87938b2e246b81b4fb713edb3     71a9fa3c5c3c86 (committed on April 14, 2015). This     kernel vulnerability was fixed in April 2015 by commit     a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to     Linux 3.10.77 in May 2015), but it was not recognized     as a security threat. With     CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a     normal top-down address allocation strategy,     load_elf_binary() will attempt to map a PIE binary into     an address range immediately below mm->mmap_base.
    Unfortunately, load_elf_ binary() does not take account     of the need to allocate sufficient space for the entire     binary which means that, while the first PT_LOAD     segment is mapped below mm->mmap_base, the subsequent     PT_LOAD segment(s) end up being mapped above     mm->mmap_base into the are that is supposed to be the     'gap' between the stack and the     binary.(CVE-2017-1000253)Race condition in the     sclp_ctl_ioctl_sccb function in     drivers/s390/char/sclp_ctl.c in the Linux kernel before     4.6 allows local users to obtain sensitive information     from kernel memory by changing a certain length value,     aka a 'double fetch'     vulnerability.(CVE-2016-6130)rtl_p2p_noa_ie in     driverset/wireless/realtek/rtlwifi/ps.c in the Linux     kernel through 5.3.6 lacks a certain upper-bound check,     leading to a buffer     overflow.(CVE-2019-17666)sound/core/timer.c in the     Linux kernel through 4.6 does not initialize certain r1     data structures, which allows local users to obtain     sensitive information from kernel stack memory via     crafted use of the ALSA timer interface, related to the     (1) snd_timer_user_ccallback and (2)     snd_timer_user_tinterrupt     functions.(CVE-2016-4578)Systems with microprocessors     utilizing speculative execution and branch prediction     may allow unauthorized disclosure of information to an     attacker with local user access via a side-channel     analysis.(CVE-2017-5753)The acm_probe function in     drivers/usb/class/cdc-acm.c in the Linux kernel before     4.5.1 allows physically proximate attackers to cause a     denial of service (NULL pointer dereference and system     crash) via a USB device without both a control and a     data endpoint descriptor.(CVE-2016-3138)The     arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel     through 4.8.2 does not restrict a certain length field,     which allows local users to gain privileges or cause a     denial of service (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control     code.(CVE-2016-7425)The ati_remote2_probe function in     drivers/input/misc/ati_remote2.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2185)The     create_fixed_stream_quirk function in     sound/usb/quirks.c in the snd-usb-audio driver in the     Linux kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (NULL pointer     dereference or double free, and system crash) via a     crafted endpoints value in a USB device     descriptor.(CVE-2016-2184)The digi_port_init function     in drivers/usb/serial/digi_acceleport.c in the Linux     kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (NULL pointer     dereference and system crash) via a crafted endpoints     value in a USB device descriptor.(CVE-2016-3140)The     do_remount function in fsamespace.c in the Linux kernel     through 3.16.1 does not maintain the MNT_LOCK_READONLY     bit across a remount of a bind mount, which allows     local users to bypass an intended read-only restriction     and defeat certain sandbox protection mechanisms via a     'mount -o remount' command within a user     namespace.(CVE-2014-5206)The gtco_probe function in     drivers/input/tablet/gtco.c in the Linux kernel through     4.5.2 allows physically proximate attackers to cause a     denial of service (NULL pointer dereference and system     crash) via a crafted endpoints value in a USB device     descriptor.(CVE-2016-2187)The hub_activate function in     drivers/usb/core/hub.c in the Linux kernel before 4.3.5     does not properly maintain a hub-interface data     structure, which allows physically proximate attackers     to cause a denial of service (invalid memory access and     system crash) or possibly have unspecified other impact     by unplugging a USB hub device.(CVE-2015-8816)The     ims_pcu_parse_cdc_data function in     drivers/input/misc/ims-pcu.c in the Linux kernel before     4.5.1 allows physically proximate attackers to cause a     denial of service (system crash) via a USB device     without both a master and a slave     interface.(CVE-2016-3689)The Linux Kernel running on     AMD64 systems will sometimes map the contents of PIE     executable, the heap or ld.so to where the stack is     mapped allowing attackers to more easily manipulate the     stack. Linux Kernel version 4.11.5 is     affected.(CVE-2017-1000379)The powermate_probe function     in drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186)The signal     implementation in the Linux kernel before 4.3.5 on     powerpc platforms does not check for an MSR with both     the S and T bits set, which allows local users to cause     a denial of service (TM Bad Thing exception and panic)     via a crafted application.(CVE-2015-8844)The     snd_timer_user_params function in sound/core/timer.c in     the Linux kernel through 4.6 does not initialize a     certain data structure, which allows local users to     obtain sensitive information from kernel stack memory     via crafted use of the ALSA timer     interface.(CVE-2016-4569)The tm_reclaim_thread function     in arch/powerpc/kernel/process.c in the Linux kernel     before 4.4.1 on powerpc platforms does not ensure that     TM suspend mode exists before proceeding with a     tm_reclaim call, which allows local users to cause a     denial of service (TM Bad Thing exception and panic)     via a crafted application.(CVE-2015-8845)The VFS     subsystem in the Linux kernel 3.x provides an     incomplete set of requirements for setattr operations     that underspecifies removing extended privilege     attributes, which allows local users to cause a denial     of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program.(CVE-2015-1350)The wacom_probe function     in drivers/input/tablet/wacom_sys.c in the Linux kernel     before 3.17 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-3139)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in Linux kernel. There is an     information leak in file 'sound/core/timer.c' of the     latest mainline Linux kernel, the stack object 'tread'     has a total size of 32 bytes. It contains a 8-bytes     padding, which is not initialized but sent to user via     copy_to_user(), resulting a kernel leak.(CVE-2016-4569)

  - A vulnerability was found in Linux kernel. There is an     information leak in file sound/core/timer.c of the     latest mainline Linux kernel. The stack object 'r1' has     a total size of 32 bytes. Its field 'event' and 'val'     both contain 4 bytes padding. These 8 bytes padding     bytes are sent to user without being     initialized.(CVE-2016-4578)

  - The x25_negotiate_facilities function in     net/x25/x25_facilities.c in the Linux kernel before     4.5.5 does not properly initialize a certain data     structure, which allows attackers to obtain sensitive     information from kernel stack memory via an X.25 Call     Request.(CVE-2016-4580)

  - fs/pnode.c in the Linux kernel before 4.5.4 does not     properly traverse a mount propagation tree in a certain     case involving a slave mount, which allows local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted series of mount system     calls.(CVE-2016-4581)

  - Use after free vulnerability was found in percpu using     previously allocated memory in bpf. First
    __alloc_percpu_gfp() is called, then the memory is     freed with free_percpu() which triggers async     pcpu_balance_work and then pcpu_extend_area_map could     use a chunk after it has been freed.(CVE-2016-4794)

  - Use-after-free vulnerability in     drivers/net/ppp/ppp_generic.c in the Linux kernel     before 4.5.2 allows local users to cause a denial of     service (memory corruption and system crash, or     spinlock) or possibly have unspecified other impact by     removing a network namespace, related to the     ppp_register_net_channel and ppp_unregister_channel     functions.(CVE-2016-4805)

  - A vulnerability was found in the Linux kernel. Payloads     of NM entries are not supposed to contain NUL. When     such entry is processed, only the part prior to the     first NUL goes into the concatenation (i.e. the     directory entry name being encoded by a bunch of NM     entries). The process stops when the amount collected     so far + the claimed amount in the current NM entry     exceed 254. However, the value returned as the total     length is the sum of *claimed* sizes, not the actual     amount collected. And that's what will be passed to     readdir() callback as the name length - 8Kb
    __copy_to_user() from a buffer allocated by
    __get_free_page().(CVE-2016-4913)

  - A flaw was discovered in processing setsockopt for 32     bit processes on 64 bit systems. This flaw will allow     attackers to alter arbitrary kernel memory when     unloading a kernel module. This action is usually     restricted to root-privileged users but can also be     leveraged if the kernel is compiled with CONFIG_USER_NS     and CONFIG_NET_NS and the user is granted elevated     privileges.(CVE-2016-4997)

  - An out-of-bounds heap memory access leading to a Denial     of Service, heap disclosure, or further impact was     found in setsockopt(). The function call is normally     restricted to root, however some processes with     cap_sys_admin may also be able to trigger this flaw in     privileged container environments.(CVE-2016-4998)

  - A race condition was found in the way the Linux     kernel's memory subsystem handled the copy-on-write     (COW) breakage of private read-only memory mappings. An     unprivileged, local user could use this flaw to gain     write access to otherwise read-only memory mappings and     thus increase their privileges on the     system.(CVE-2016-5195)

  - It was found that the RFC 5961 challenge ACK rate     limiting as implemented in the Linux kernel's     networking subsystem allowed an off-path attacker to     leak certain information about a given connection by     creating congestion on the global challenge ACK rate     limit counter and then measuring the changes by probing     packets. An off-path attacker could use this flaw to     either terminate TCP connection and/or inject payload     into non-secured TCP connection between two endpoints     on the network.(CVE-2016-5696)

  - A heap-based buffer overflow vulnerability was found in     the Linux kernel's hiddev driver. This flaw could allow     a local attacker to corrupt kernel memory, possible     privilege escalation or crashing the     system.(CVE-2016-5829)

  - When creating audit records for parameters to executed     children processes, an attacker can convince the Linux     kernel audit subsystem can create corrupt records which     may allow an attacker to misrepresent or evade logging     of executing commands.(CVE-2016-6136)

  - It was found that the unlink and rename functionality     in overlayfs did not verify the upper dentry for     staleness. A local, unprivileged user could use the     rename syscall on overlayfs on top of xfs to panic or     crash the system.(CVE-2016-6197)

  - A flaw was found that the vfs_rename() function did not     detect hard links on overlayfs. A local, unprivileged     user could use the rename syscall on overlayfs on top     of xfs to crash the system.(CVE-2016-6198)

  - System using the infiniband support module ib_srpt were     vulnerable to a denial of service by system crash by a     local attacker who is able to abort writes to a device     using this initiator.(CVE-2016-6327)

  - A race condition flaw was found in the ioctl_send_fib()     function in the Linux kernel's aacraid implementation.
    A local attacker could use this flaw to cause a denial     of service (out-of-bounds access or system crash) by     changing a certain size value.(CVE-2016-6480)

  - kernel/events/core.c in the performance subsystem in     the Linux kernel before 4.0 mismanages locks during     certain migrations, which allows local users to gain     privileges via a crafted application, aka Android     internal bug 30955111.(CVE-2016-6786)

  - kernel/events/core.c in the performance subsystem in     the Linux kernel before 4.0 mismanages locks during     certain migrations, which allows local users to gain     privileges via a crafted application, aka Android     internal bug 31095224.(CVE-2016-6787)

  - A use-after-free vulnerability was found in     tcp_xmit_retransmit_queue and other tcp_* functions.
    This condition could allow an attacker to send an     incorrect selective acknowledgment to existing     connections, possibly resetting a     connection.(CVE-2016-6828)

  - Linux kernel built with the 802.1Q/802.1ad     VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local     Area Network(CONFIG_VXLAN) with Transparent Ethernet     Bridging(TEB) GRO support, is vulnerable to a stack     overflow issue. It could occur while receiving large     packets via GRO path, as an unlimited recursion could     unfold in both VLAN and TEB modules, leading to a stack     corruption in the kernel.(CVE-2016-7039)

  - It was found that when the gcc stack protector was     enabled, reading the /proc/keys file could cause a     panic in the Linux kernel due to stack corruption. This     happened because an incorrect buffer size was used to     hold a 64-bit timeout value rendered as     weeks.(CVE-2016-7042)

  - It was found that when file permissions were modified     via chmod and the user modifying them was not in the     owning group or capable of CAP_FSETID, the setgid bit     would be cleared. Setting a POSIX ACL via setxattr sets     the file permissions as well as the new ACL, but     doesn't clear the setgid bit in a similar way. This     could allow a local user to gain group privileges via     certain setgid applications.(CVE-2016-7097)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - It was found that the parse_rock_ridge_inode_internal()     function of the Linux kernel's ISOFS implementation did     not correctly check relocated directories when     processing Rock Ridge child link (CL) tags. An attacker     with physical access to the system could use a     specially crafted ISO image to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-5472)

  - An issue was discovered in the Linux kernel's F2FS     filesystem code. An out-of-bounds access vulnerability     is possible the in __remove_dirty_segment() in     fs/f2fs/segment.c function when mounting a crafted f2fs     image.(CVE-2018-14614)

  - Race condition in kernel/events/core.c in the Linux     kernel before 4.4 allows local users to gain privileges     or cause a denial of service via use-after-free     vulnerability by leveraging incorrect handling of an     swevent data structure during a CPU unplug     operation.(CVE-2015-8963)

  - The skbs processed by ip_cmsg_recv() are not guaranteed     to be linear (e.g. when sending UDP packets over     loopback with MSGMORE). Using csum_partial() on     potentially the whole skb len is dangerous instead be     on the safe side and use skb_checksum(). This may lead     to an infoleak as the kernel memory may be checksummed     and sent as part of the packet.(CVE-2017-6347)

  - The apic_get_tmcct function in arch/x86/kvm/lapic.c in     the KVM subsystem in the Linux kernel through 3.12.5     allows guest OS users to cause a denial of service     (divide-by-zero error and host OS crash) via crafted     modifications of the TMICT value.(CVE-2013-6367)

  - A use-after-free issue was found in the way the Linux     kernel's KVM hypervisor processed posted interrupts     when nested(=1) virtualization is enabled. In     nested_get_vmcs12_pages(), in case of an error while     processing posted interrupt address, it unmaps the     'pi_desc_page' without resetting 'pi_desc' descriptor     address, which is later used in pi_test_and_clear_on().
    A guest user/process could use this flaw to crash the     host kernel resulting in DoS or potentially gain     privileged access to a system.(CVE-2018-16882)

  - It was discovered that the atl2_probe() function in the     Atheros L2 Ethernet driver in the Linux kernel     incorrectly enabled scatter/gather I/O. A remote     attacker could use this flaw to obtain potentially     sensitive information from the kernel     memory.(CVE-2016-2117)

  - A flaw was found in the way the nft_flush_table()     function of the Linux kernel's netfilter tables     implementation flushed rules that were referencing     deleted chains. A local user who has the CAP_NET_ADMIN     capability could use this flaw to crash the     system.(CVE-2015-1573)

  - The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186)

  - It was found that KVM's Write to Model Specific     Register (WRMSR) instruction emulation would write     non-canonical values passed in by the guest to certain     MSRs in the host's context. A privileged guest user     could use this flaw to crash the host.(CVE-2014-3610)

  - The BPF_S_ANC_NLATTR_NEST extension implementation in     the sk_run_filter function in net/core/filter.c in the     Linux kernel through 3.14.3 uses the reverse order in a     certain subtraction, which allows local users to cause     a denial of service (over-read and system crash) via     crafted BPF instructions. NOTE: the affected code was     moved to the __skb_get_nlattr_nest function before the     vulnerability was announced.(CVE-2014-3145)

  - The yam_ioctl function in drivers/net/hamradio/yam.c in     the Linux kernel before 3.12.8 does not initialize a     certain structure member, which allows local users to     obtain sensitive information from kernel memory by     leveraging the CAP_NET_ADMIN capability for an     SIOCYAMGCFG ioctl call.(CVE-2014-1446)

  - A race condition flaw was found in the N_HLDC Linux     kernel driver when accessing n_hdlc.tbuf list that can     lead to double free. A local, unprivileged user able to     set the HDLC line discipline on the tty device could     use this flaw to increase their privileges on the     system.(CVE-2017-2636)

  - A flaw was found in the way Linux kernel's Transparent     Huge Pages (THP) implementation handled non-huge page     migration. A local, unprivileged user could use this     flaw to crash the kernel by migrating transparent     hugepages.(CVE-2014-3940)

  - A security flaw was found in the     chap_server_compute_md5() function in the ISCSI target     code in the Linux kernel in a way an authentication     request from an ISCSI initiator is processed. An     unauthenticated remote attacker can cause a stack     buffer overflow and smash up to 17 bytes of the stack.
    The attack requires the iSCSI target to be enabled on     the victim host. Depending on how the target's code was     built (i.e. depending on a compiler, compile flags and     hardware architecture) an attack may lead to a system     crash and thus to a denial of service or possibly to a     non-authorized access to data exported by an iSCSI     target. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is highly unlikely.(CVE-2018-14633)

  - A vulnerability was found in the Linux kernel where     filesystems mounted with data=ordered mode may allow an     attacker to read stale data from recently allocated     blocks in new files after a system 'reset' by abusing     ext4 mechanics of delayed allocation.(CVE-2017-7495)

  - drivers/media/platform/msm/broadcast/tsc.c in the TSC     driver for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allows attackers to cause a     denial of service (invalid pointer dereference) or     possibly have unspecified other impact via a crafted     application that makes a TSC_GET_CARD_STATUS ioctl     call.(CVE-2015-0573)

  - It was found that the unlink and rename functionality     in overlayfs did not verify the upper dentry for     staleness. A local, unprivileged user could use the     rename syscall on overlayfs on top of xfs to panic or     crash the system.(CVE-2016-6197)

  - In net/socket.c in the Linux kernel through 4.17.1,     there is a race condition between fchownat and close in     cases where they target the same socket file     descriptor, related to the sock_close and     sockfs_setattr functions. fchownat does not increment     the file descriptor reference count, which allows close     to set the socket to NULL during fchownat's execution,     leading to a NULL pointer dereference and system     crash.(CVE-2018-12232)

  - The ath9k_htc_set_bssid_mask function in     drivers/net/wireless/ath/ath9k/htc_drv_main.c in the     Linux kernel through 3.12 uses a BSSID masking approach     to determine the set of MAC addresses on which a Wi-Fi     device is listening, which allows remote attackers to     discover the original MAC address after spoofing by     sending a series of packets to MAC addresses with     certain bit manipulations.(CVE-2013-4579)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0100 for details.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* A security flaw was found in the Linux kernel in the mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It is possible for a user-supplied 'ipt_entry' structure to have a large 'next_offset' field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important)

* A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important)

* An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate)

Bug Fix(es) :

* In some cases, running the ipmitool command caused a kernel panic due to a race condition in the ipmi message handler. This update fixes the race condition, and the kernel panic no longer occurs in the described scenario. (BZ#1353947)

* Previously, running I/O-intensive operations in some cases caused the system to terminate unexpectedly after a NULL pointer dereference in the kernel. With this update, a set of patches has been applied to the 3w-9xxx and 3w-sas drivers that fix this bug. As a result, the system no longer crashes in the described scenario. (BZ#1362040)

* Previously, the Stream Control Transmission Protocol (SCTP) sockets did not inherit the SELinux labels properly. As a consequence, the sockets were labeled with the unlabeled_t SELinux type which caused SCTP connections to fail. The underlying source code has been modified, and SCTP connections now works as expected. (BZ#1354302)

* Previously, the bnx2x driver waited for transmission completions when recovering from a parity event, which substantially increased the recovery time. With this update, bnx2x does not wait for transmission completion in the described circumstances. As a result, the recovery of bnx2x after a parity event now takes less time. (BZ#1351972)

Enhancement(s) :

* With this update, the audit subsystem enables filtering of processes by name besides filtering by PID. Users can now audit by executable name (with the '-F exe=' option), which allows expression of many new audit rules. This functionality can be used to create events when specific applications perform a syscall. (BZ#1345774)

* With this update, the Nonvolatile Memory Express (NVMe) and the multi-queue block layer (blk_mq) have been upgraded to the Linux 4.5 upstream version. Previously, a race condition between timeout and freeing request in blk_mq occurred, which could affect the blk_mq_tag_to_rq() function and consequently a kernel oops could occur. The provided patch fixes this race condition by updating the tags with the active request. The patch simplifies blk_mq_tag_to_rq() and ensures that the two requests are not active at the same time.
(BZ#1350352)

* The Hyper-V storage driver (storvsc) has been upgraded from upstream. This update provides moderate performance improvement of I/O operations when using storvscr for certain workloads. (BZ#1360161)

Additional Changes :

Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article:
https://access.redhat.com/articles/2592321

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

The kernel-rt packages have been upgraded to the kernel-3.10.0-327.36.1 source tree, which provides a number of bug fixes over the previous version. (BZ# 1366538)

Security Fix(es) :

* A security flaw was found in the Linux kernel in the mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It is possible for a user-supplied 'ipt_entry' structure to have a large 'next_offset' field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important)

* A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important)

* An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate)

From Red Hat Security Advisory 2016:1847 :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* A security flaw was found in the Linux kernel in the mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It is possible for a user-supplied 'ipt_entry' structure to have a large 'next_offset' field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important)

* A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important)

* An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate)

Bug Fix(es) :

* In some cases, running the ipmitool command caused a kernel panic due to a race condition in the ipmi message handler. This update fixes the race condition, and the kernel panic no longer occurs in the described scenario. (BZ#1353947)

* Previously, running I/O-intensive operations in some cases caused the system to terminate unexpectedly after a NULL pointer dereference in the kernel. With this update, a set of patches has been applied to the 3w-9xxx and 3w-sas drivers that fix this bug. As a result, the system no longer crashes in the described scenario. (BZ#1362040)

* Previously, the Stream Control Transmission Protocol (SCTP) sockets did not inherit the SELinux labels properly. As a consequence, the sockets were labeled with the unlabeled_t SELinux type which caused SCTP connections to fail. The underlying source code has been modified, and SCTP connections now works as expected. (BZ#1354302)

* Previously, the bnx2x driver waited for transmission completions when recovering from a parity event, which substantially increased the recovery time. With this update, bnx2x does not wait for transmission completion in the described circumstances. As a result, the recovery of bnx2x after a parity event now takes less time. (BZ#1351972)

Enhancement(s) :

* With this update, the audit subsystem enables filtering of processes by name besides filtering by PID. Users can now audit by executable name (with the '-F exe=' option), which allows expression of many new audit rules. This functionality can be used to create events when specific applications perform a syscall. (BZ#1345774)

* With this update, the Nonvolatile Memory Express (NVMe) and the multi-queue block layer (blk_mq) have been upgraded to the Linux 4.5 upstream version. Previously, a race condition between timeout and freeing request in blk_mq occurred, which could affect the blk_mq_tag_to_rq() function and consequently a kernel oops could occur. The provided patch fixes this race condition by updating the tags with the active request. The patch simplifies blk_mq_tag_to_rq() and ensures that the two requests are not active at the same time.
(BZ#1350352)

* The Hyper-V storage driver (storvsc) has been upgraded from upstream. This update provides moderate performance improvement of I/O operations when using storvscr for certain workloads. (BZ#1360161)

Additional Changes :

Space precludes documenting all of the bug fixes and enhancements included in this advisory. To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article:
https://access.redhat.com/articles/2592321

USN-3070-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

A missing permission check when settings ACLs was discovered in nfsd.
A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237)

Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244)

James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. An attacker with physical access could use this to cause a denial of service (memory consumption). (CVE-2016-5400)

Yue Cao et al discovered a flaw in the TCP implementation's handling of challenge acks in the Linux kernel. A remote attacker could use this to cause a denial of service (reset connection) or inject content into an TCP stream. (CVE-2016-5696)

Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-5728)

Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled transactional memory state on exec(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-5828)

It was discovered that a heap based buffer overflow existed in the USB HID driver in the Linux kernel. A local attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)

It was discovered that the OverlayFS implementation in the Linux kernel did not properly verify dentry state before proceeding with unlink and rename operations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-6197).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A missing permission check when settings ACLs was discovered in nfsd.
A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237)

Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244)

James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. An attacker with physical access could use this to cause a denial of service (memory consumption). (CVE-2016-5400)

Yue Cao et al discovered a flaw in the TCP implementation's handling of challenge acks in the Linux kernel. A remote attacker could use this to cause a denial of service (reset connection) or inject content into an TCP stream. (CVE-2016-5696)

Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-5728)

Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled transactional memory state on exec(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-5828)

It was discovered that a heap based buffer overflow existed in the USB HID driver in the Linux kernel. A local attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)

It was discovered that the OverlayFS implementation in the Linux kernel did not properly verify dentry state before proceeding with unlink and rename operations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-6197).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).

The remote OracleVM system is missing necessary patches to address critical security updates :

  - vfs: rename: check backing inode being equal (Miklos     Szeredi) [Orabug: 24010060] (CVE-2016-6198)     (CVE-2016-6197)

  - vfs: add vfs_select_inode helper (Miklos Szeredi)     [Orabug: 24010060] (CVE-2016-6198) (CVE-2016-6197)

  - ovl: verify upper dentry before unlink and rename     (Miklos Szeredi) [Orabug: 24010060] (CVE-2016-6198)     (CVE-2016-6197)

  - ovl: fix getcwd failure after unsuccessful rmdir (Rui     Wang) [Orabug: 24010060] (CVE-2016-6198) (CVE-2016-6197)

  - xen: use same main loop for counting and remapping pages     (Juergen Gross) [Orabug: 24012238]

  - Revert 'ocfs2: bump up o2cb network protocol version'     (Junxiao Bi) 

  - atl2: Disable unimplemented scatter/gather feature (Ben     Hutchings) [Orabug: 23704078] (CVE-2016-2117)

  - Revert 'perf tools: Bump default sample freq to 4 kHz'     (ashok.vairavan) [Orabug: 23634802]

  - block: Initialize max_dev_sectors to 0 (Keith Busch)     [Orabug: 23333444]

  - sd: Fix rw_max for devices that report an optimal xfer     size (Martin K. Petersen) [Orabug: 23333444]

  - sd: Fix excessive capacity printing on devices with     blocks bigger than 512 bytes (Martin K. Petersen)     [Orabug: 23333444]

  - sd: Optimal I/O size is in bytes, not sectors (Martin K.
    Petersen) 

  - sd: Reject optimal transfer length smaller than page     size (Martin K. Petersen) [Orabug: 23333444]

  - Fix kabi issue for upstream commit ca369d51 (Joe Jin)     [Orabug: 23333444]

  - block/sd: Fix device-imposed transfer length limits (Joe     Jin)

Description of changes:

[4.1.12-37.6.1.el7uek]
- vfs: rename: check backing inode being equal (Miklos Szeredi) [Orabug: 24010060]  {CVE-2016-6198} {CVE-2016-6197}
- vfs: add vfs_select_inode() helper (Miklos Szeredi)  [Orabug: 24010060]  {CVE-2016-6198} {CVE-2016-6197}
- ovl: verify upper dentry before unlink and rename (Miklos Szeredi) [Orabug: 24010060]  {CVE-2016-6198} {CVE-2016-6197}
- ovl: fix getcwd() failure after unsuccessful rmdir (Rui Wang) [Orabug: 24010060]  {CVE-2016-6198} {CVE-2016-6197}
- xen: use same main loop for counting and remapping pages (Juergen Gross)  [Orabug: 24012238]
- Revert 'ocfs2: bump up o2cb network protocol version' (Junxiao Bi) [Orabug: 23710417]
- atl2: Disable unimplemented scatter/gather feature (Ben Hutchings) [Orabug: 23704078]  {CVE-2016-2117}
- Revert 'perf tools: Bump default sample freq to 4 kHz' (ashok.vairavan)  [Orabug: 23634802]
- block: Initialize max_dev_sectors to 0 (Keith Busch)  [Orabug: 23333444]
- sd: Fix rw_max for devices that report an optimal xfer size (Martin K. Petersen)  [Orabug: 23333444]
- sd: Fix excessive capacity printing on devices with blocks bigger than 512 bytes (Martin K. Petersen)  [Orabug: 23333444]
- sd: Optimal I/O size is in bytes, not sectors (Martin K. Petersen) [Orabug: 23333444]
- sd: Reject optimal transfer length smaller than page size (Martin K. Petersen)  [Orabug: 23333444]
- Fix kabi issue for upstream commit ca369d51 (Joe Jin)  [Orabug: 23333444]
- block/sd: Fix device-imposed transfer length limits (Joe Jin) [Orabug: 23333444]

ID	Name	Product	Family	Severity
132134	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2599)	Nessus	Huawei Local Security Checks	high
125100	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1494)	Nessus	Huawei Local Security Checks	high
124810	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1486)	Nessus	Huawei Local Security Checks	critical
93679	OracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0100)	Nessus	OracleVM Local Security Checks	critical
93594	CentOS 7 : kernel (CESA-2016:1847)	Nessus	CentOS Local Security Checks	high
93556	RHEL 7 : kernel-rt (RHSA-2016:1875)	Nessus	Red Hat Local Security Checks	high
93555	RHEL 7 : kernel (RHSA-2016:1847)	Nessus	Red Hat Local Security Checks	high
93501	Oracle Linux 7 : kernel (ELSA-2016-1847)	Nessus	Oracle Linux Local Security Checks	high
93243	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3070-4)	Nessus	Ubuntu Local Security Checks	high
93242	Ubuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3070-3)	Nessus	Ubuntu Local Security Checks	high
93241	Ubuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3070-2)	Nessus	Ubuntu Local Security Checks	high
93217	Ubuntu 16.04 LTS : linux vulnerabilities (USN-3070-1)	Nessus	Ubuntu Local Security Checks	high
93148	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3596)	Nessus	Oracle Linux Local Security Checks	critical
92658	OracleVM 3.4 : kernel-uek (OVMSA-2016-0091)	Nessus	OracleVM Local Security Checks	medium
92656	Oracle Linux 6 / 7 : kernel-uek (ELSA-2016-3587)	Nessus	Oracle Linux Local Security Checks	medium

CVE-2016-6197

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins