http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f63a8daa5812afef4f06c962351687e1ff9ccb2b

http://source.android.com/security/bulletin/2016-12-01.html

DSA-3791

94679

https://bugzilla.redhat.com/show_bug.cgi?id=1403842

https://github.com/torvalds/linux/commit/f63a8daa5812afef4f06c962351687e1ff9ccb2b

Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786. (CVE-2017-6001)

Impact

An authenticated attacker may be able to gain an escalation of privileges through a crafted application.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in Linux kernel. There is an     information leak in file 'sound/core/timer.c' of the     latest mainline Linux kernel, the stack object     aEURoetreadaEUR has a total size of 32 bytes. It contains a     8-bytes padding, which is not initialized but sent to     user via copy_to_user(), resulting a kernel     leak.(CVE-2016-4569)

  - A vulnerability was found in Linux kernel. There is an     information leak in file sound/core/timer.c of the     latest mainline Linux kernel. The stack object aEURoer1aEUR     has a total size of 32 bytes. Its field aEURoeeventaEUR and     aEURoevalaEUR both contain 4 bytes padding. These 8 bytes     padding bytes are sent to user without being     initialized.(CVE-2016-4578)

  - The x25_negotiate_facilities function in     net/x25/x25_facilities.c in the Linux kernel before     4.5.5 does not properly initialize a certain data     structure, which allows attackers to obtain sensitive     information from kernel stack memory via an X.25 Call     Request.(CVE-2016-4580)

  - fs/pnode.c in the Linux kernel before 4.5.4 does not     properly traverse a mount propagation tree in a certain     case involving a slave mount, which allows local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted series of mount system     calls.(CVE-2016-4581)

  - Use after free vulnerability was found in percpu using     previously allocated memory in bpf. First
    __alloc_percpu_gfp() is called, then the memory is     freed with free_percpu() which triggers async     pcpu_balance_work and then pcpu_extend_area_map could     use a chunk after it has been freed.(CVE-2016-4794)

  - Use-after-free vulnerability in     drivers/net/ppp/ppp_generic.c in the Linux kernel     before 4.5.2 allows local users to cause a denial of     service (memory corruption and system crash, or     spinlock) or possibly have unspecified other impact by     removing a network namespace, related to the     ppp_register_net_channel and ppp_unregister_channel     functions.(CVE-2016-4805)

  - A vulnerability was found in the Linux kernel. Payloads     of NM entries are not supposed to contain NUL. When     such entry is processed, only the part prior to the     first NUL goes into the concatenation (i.e. the     directory entry name being encoded by a bunch of NM     entries). The process stops when the amount collected     so far + the claimed amount in the current NM entry     exceed 254. However, the value returned as the total     length is the sum of *claimed* sizes, not the actual     amount collected. And that's what will be passed to     readdir() callback as the name length - 8Kb
    __copy_to_user() from a buffer allocated by
    __get_free_page().(CVE-2016-4913)

  - A flaw was discovered in processing setsockopt for 32     bit processes on 64 bit systems. This flaw will allow     attackers to alter arbitrary kernel memory when     unloading a kernel module. This action is usually     restricted to root-privileged users but can also be     leveraged if the kernel is compiled with CONFIG_USER_NS     and CONFIG_NET_NS and the user is granted elevated     privileges.(CVE-2016-4997)

  - An out-of-bounds heap memory access leading to a Denial     of Service, heap disclosure, or further impact was     found in setsockopt(). The function call is normally     restricted to root, however some processes with     cap_sys_admin may also be able to trigger this flaw in     privileged container environments.(CVE-2016-4998)

  - A race condition was found in the way the Linux     kernel's memory subsystem handled the copy-on-write     (COW) breakage of private read-only memory mappings. An     unprivileged, local user could use this flaw to gain     write access to otherwise read-only memory mappings and     thus increase their privileges on the     system.(CVE-2016-5195)

  - It was found that the RFC 5961 challenge ACK rate     limiting as implemented in the Linux kernel's     networking subsystem allowed an off-path attacker to     leak certain information about a given connection by     creating congestion on the global challenge ACK rate     limit counter and then measuring the changes by probing     packets. An off-path attacker could use this flaw to     either terminate TCP connection and/or inject payload     into non-secured TCP connection between two endpoints     on the network.(CVE-2016-5696)

  - A heap-based buffer overflow vulnerability was found in     the Linux kernel's hiddev driver. This flaw could allow     a local attacker to corrupt kernel memory, possible     privilege escalation or crashing the     system.(CVE-2016-5829)

  - When creating audit records for parameters to executed     children processes, an attacker can convince the Linux     kernel audit subsystem can create corrupt records which     may allow an attacker to misrepresent or evade logging     of executing commands.(CVE-2016-6136)

  - It was found that the unlink and rename functionality     in overlayfs did not verify the upper dentry for     staleness. A local, unprivileged user could use the     rename syscall on overlayfs on top of xfs to panic or     crash the system.(CVE-2016-6197)

  - A flaw was found that the vfs_rename() function did not     detect hard links on overlayfs. A local, unprivileged     user could use the rename syscall on overlayfs on top     of xfs to crash the system.(CVE-2016-6198)

  - System using the infiniband support module ib_srpt were     vulnerable to a denial of service by system crash by a     local attacker who is able to abort writes to a device     using this initiator.(CVE-2016-6327)

  - A race condition flaw was found in the ioctl_send_fib()     function in the Linux kernel's aacraid implementation.
    A local attacker could use this flaw to cause a denial     of service (out-of-bounds access or system crash) by     changing a certain size value.(CVE-2016-6480)

  - kernel/events/core.c in the performance subsystem in     the Linux kernel before 4.0 mismanages locks during     certain migrations, which allows local users to gain     privileges via a crafted application, aka Android     internal bug 30955111.(CVE-2016-6786)

  - kernel/events/core.c in the performance subsystem in     the Linux kernel before 4.0 mismanages locks during     certain migrations, which allows local users to gain     privileges via a crafted application, aka Android     internal bug 31095224.(CVE-2016-6787)

  - A use-after-free vulnerability was found in     tcp_xmit_retransmit_queue and other tcp_* functions.
    This condition could allow an attacker to send an     incorrect selective acknowledgment to existing     connections, possibly resetting a     connection.(CVE-2016-6828)

  - Linux kernel built with the 802.1Q/802.1ad     VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local     Area Network(CONFIG_VXLAN) with Transparent Ethernet     Bridging(TEB) GRO support, is vulnerable to a stack     overflow issue. It could occur while receiving large     packets via GRO path, as an unlimited recursion could     unfold in both VLAN and TEB modules, leading to a stack     corruption in the kernel.(CVE-2016-7039)

  - It was found that when the gcc stack protector was     enabled, reading the /proc/keys file could cause a     panic in the Linux kernel due to stack corruption. This     happened because an incorrect buffer size was used to     hold a 64-bit timeout value rendered as     weeks.(CVE-2016-7042)

  - It was found that when file permissions were modified     via chmod and the user modifying them was not in the     owning group or capable of CAP_FSETID, the setgid bit     would be cleared. Setting a POSIX ACL via setxattr sets     the file permissions as well as the new ACL, but     doesn't clear the setgid bit in a similar way. This     could allow a local user to gain group privileges via     certain setgid applications.(CVE-2016-7097)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The atalk_recvmsg function in net/appletalk/ddp.c in     the Linux kernel before 3.12.4 updates a certain length     value without ensuring that an associated data     structure has been initialized, which allows local     users to obtain sensitive information from kernel     memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg     system call.(CVE-2013-7267i1/4%0

  - fs/f2fs/segment.c in the Linux kernel allows local     users to cause a denial of service (NULL pointer     dereference and panic) by using a noflush_merge option     that triggers a NULL value for a flush_cmd_control data     structure.(CVE-2017-18241i1/4%0

  - fs/pnode.c in the Linux kernel before 4.5.4 does not     properly traverse a mount propagation tree in a certain     case involving a slave mount, which allows local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted series of mount system     calls.(CVE-2016-4581i1/4%0

  - drivers/vhost/net.c in the Linux kernel before 3.13.10,     when mergeable buffers are disabled, does not properly     validate packet lengths, which allows guest OS users to     cause a denial of service (memory corruption and host     OS crash) or possibly gain privileges on the host OS     via crafted packets, related to the handle_rx and     get_rx_bufs functions.(CVE-2014-0077i1/4%0

  - It was found that the fix for CVE-2016-9576 was     incomplete: the Linux kernel's sg implementation did     not properly restrict write operations in situations     where the KERNEL_DS option is set. A local attacker to     read or write to arbitrary kernel memory locations or     cause a denial of service (use-after-free) by     leveraging write access to a /dev/sg     device.(CVE-2016-10088i1/4%0

  - ** DISPUTED ** An issue was discovered in the Linux     kernel through 4.17.2. Since the page allocator does     not yield CPU resources to the owner of the oom_lock     mutex, a local unprivileged user can trivially lock up     the system forever by wasting CPU resources from the     page allocator (e.g., via concurrent page fault events)     when the global OOM killer is invoked. NOTE: the     software maintainer has not accepted certain proposed     patches, in part because of a viewpoint that 'the     underlying problem is non-trivial to     handle.'(CVE-2016-10723i1/4%0

  - A flaw was found in the way the Linux kernel's ASN.1     DER decoder processed certain certificate files with     tags of indefinite length. A local, unprivileged user     could use a specially crafted X.509 certificate DER     file to crash the system or, potentially, escalate     their privileges on the system.(CVE-2016-0758i1/4%0

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled the association's output queue. A remote     attacker could send specially crafted packets that     would cause the system to use an excessive amount of     memory, leading to a denial of     service.(CVE-2014-3688i1/4%0

  - A use-after-free flaw was found in the way the     ping_init_sock() function of the Linux kernel handled     the group_info reference counter. A local, unprivileged     user could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-2851i1/4%0

  - The compat_get_timex function in kernel/compat.c in the     Linux kernel before 4.16.9 allows local users to obtain     sensitive information from kernel memory via     adjtimex.(CVE-2018-11508i1/4%0

  - The cdc_parse_cdc_header() function in     'drivers/usb/core/message.c' in the Linux kernel,     before 4.13.6, allows local users to cause a denial of     service (out-of-bounds read and system crash) or     possibly have unspecified other impact via a crafted     USB device. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely.(CVE-2017-16534i1/4%0

  - A flaw was found in the crypto subsystem of the Linux     kernel before version kernel-4.15-rc4. The 'null     skcipher' was being dropped when each af_alg_ctx was     freed instead of when the aead_tfm was freed. This can     cause the null skcipher to be freed while it is still     in use leading to a local user being able to crash the     system or possibly escalate     privileges.(CVE-2018-14619i1/4%0

  - The crypto_skcipher_init_tfm function in     crypto/skcipher.c in the Linux kernel through 4.11.2     relies on a setkey function that lacks a key-size     check, which allows local users to cause a denial of     service (NULL pointer dereference) via a crafted     application.(CVE-2017-9211i1/4%0

  - kernel/events/core.c in the performance subsystem in     the Linux kernel before 4.0 mismanages locks during     certain migrations, which allows local users to gain     privileges via a crafted application, aka Android     internal bug 30955111.(CVE-2016-6786i1/4%0

  - The KEYS subsystem in the Linux kernel omitted an     access-control check when writing a key to the current     task's default keyring, allowing a local user to bypass     security checks to the keyring. This compromises the     validity of the keyring for those who rely on     it.(CVE-2017-17807i1/4%0

  - A use-after-free flaw was found in the way the Linux     kernel's SCTP implementation handled authentication key     reference counting during INIT collisions. A remote     attacker could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2015-1421i1/4%0

  - The waitid implementation in kernel/exit.c in the Linux     kernel through 4.13.4 accesses rusage data structures     in unintended cases. This can allow local users to     obtain sensitive information and bypass the KASLR     protection mechanism via a crafted system     call.(CVE-2017-14954i1/4%0

  - It was found that the Linux kernel's keyring     implementation would leak memory when adding a key to a     keyring via the add_key() function. A local attacker     could use this flaw to exhaust all available memory on     the system.(CVE-2015-1333i1/4%0

  - The msm_ipc_router_close function in     net/ipc_router/ipc_router_socket.c in the ipc_router     component for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allow attackers to cause a     denial of service (NULL pointer dereference) or     possibly have unspecified other impact by triggering     failure of an accept system call for an AF_MSM_IPC     socket.(CVE-2016-5870i1/4%0

  - A reachable assertion failure flaw was found in the     Linux kernel built with KVM virtualisation(CONFIG_KVM)     support with Virtual Function I/O feature (CONFIG_VFIO)     enabled. This failure could occur if a malicious guest     device sent a virtual interrupt (guest IRQ) with a     larger (i1/4z1024) index value.(CVE-2017-1000252i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts.

  - CVE-2016-6786 / CVE-2016-6787     It was discovered that the performance events subsystem     does not properly manage locks during certain     migrations, allowing a local attacker to escalate     privileges. This can be mitigated by disabling     unprivileged use of performance events:sysctl     kernel.perf_event_paranoid=3

  - CVE-2016-8405     Peter Pi of Trend Micro discovered that the frame buffer     video subsystem does not properly check bounds while     copying color maps to userspace, causing a heap buffer     out-of-bounds read, leading to information disclosure.

  - CVE-2016-9191     CAI Qian discovered that reference counting is not     properly handled within proc_sys_readdir in the sysctl     implementation, allowing a local denial of service     (system hang) or possibly privilege escalation.

  - CVE-2017-2583     Xiaohan Zhang reported that KVM for amd64 does not     correctly emulate loading of a null stack selector. This     can be used by a user in a guest VM for denial of     service (on an Intel CPU) or to escalate privileges     within the VM (on an AMD CPU).

  - CVE-2017-2584     Dmitry Vyukov reported that KVM for x86 does not     correctly emulate memory access by the SGDT and SIDT     instructions, which can result in a use-after-free and     information leak.

  - CVE-2017-2596     Dmitry Vyukov reported that KVM leaks page references     when emulating a VMON for a nested hypervisor. This can     be used by a privileged user in a guest VM for denial of     service or possibly to gain privileges in the host.

  - CVE-2017-2618     It was discovered that an off-by-one in the handling of     SELinux attributes in /proc/pid/attr could result in     local denial of service.

  - CVE-2017-5549     It was discovered that the KLSI KL5KUSB105 serial USB     device driver could log the contents of uninitialised     kernel memory, resulting in an information leak.

  - CVE-2017-5551     Jan Kara found that changing the POSIX ACL of a file on     tmpfs never cleared its set-group-ID flag, which should     be done if the user changing it is not a member of the     group-owner. In some cases, this would allow the     user-owner of an executable to gain the privileges of     the group-owner.

  - CVE-2017-5897     Andrey Konovalov discovered an out-of-bounds read flaw     in the ip6gre_err function in the IPv6 networking code.

  - CVE-2017-5970     Andrey Konovalov discovered a denial-of-service flaw in     the IPv4 networking code. This can be triggered by a     local or remote attacker if a local UDP or raw socket     has the IP_RETOPTS option enabled.

  - CVE-2017-6001     Di Shen discovered a race condition between concurrent     calls to the performance events subsystem, allowing a     local attacker to escalate privileges. This flaw exists     because of an incomplete fix of CVE-2016-6786. This can     be mitigated by disabling unprivileged use of     performance events: sysctl kernel.perf_event_paranoid=3

  - CVE-2017-6074     Andrey Konovalov discovered a use-after-free     vulnerability in the DCCP networking code, which could     result in denial of service or local privilege     escalation. On systems that do not already have the dccp     module loaded, this can be mitigated by disabling     it:echo >> /etc/modprobe.d/disable-dccp.conf install     dccp false

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts.

CVE-2014-9888

Russell King found that on ARM systems, memory allocated for DMA buffers was mapped with executable permission. This made it easier to exploit other vulnerabilities in the kernel.

CVE-2014-9895

Dan Carpenter found that the MEDIA_IOC_ENUM_LINKS ioctl on media devices resulted in an information leak.

CVE-2016-6786 / CVE-2016-6787

It was discovered that the performance events subsystem does not properly manage locks during certain migrations, allowing a local attacker to escalate privileges. This can be mitigated by disabling unprivileged use of performance events: sysctl kernel.perf_event_paranoid=3

CVE-2016-8405

Peter Pi of Trend Micro discovered that the frame buffer video subsystem does not properly check bounds while copying color maps to userspace, causing a heap buffer out-of-bounds read, leading to information disclosure.

CVE-2017-5549

It was discovered that the KLSI KL5KUSB105 serial USB device driver could log the contents of uninitialised kernel memory, resulting in an information leak.

CVE-2017-6001

Di Shen discovered a race condition between concurrent calls to the performance events subsystem, allowing a local attacker to escalate privileges. This flaw exists because of an incomplete fix of CVE-2016-6786. This can be mitigated by disabling unprivileged use of performance events: sysctl kernel.perf_event_paranoid=3

CVE-2017-6074

Andrey Konovalov discovered a use-after-free vulnerability in the DCCP networking code, which could result in denial of service or local privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.84-2.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.39-1+deb8u1 or earlier.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
127078	F5 Networks BIG-IP : Linux kernel vulnerability (K24578092)	Nessus	F5 Networks Local Security Checks	high
125100	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1494)	Nessus	Huawei Local Security Checks	high
124987	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1534)	Nessus	Huawei Local Security Checks	critical
97357	Debian DSA-3791-1 : linux - security update	Nessus	Debian Local Security Checks	high
97332	Debian DLA-833-1 : linux security update	Nessus	Debian Local Security Checks	high

CVE-2016-6786

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins