[oss-security] 20161108 CVE-2016-8632 -- Linux kernel: tipc_msg_build() doesn't validate MTU that can trigger heap overflow

94211

https://bugzilla.redhat.com/show_bug.cgi?id=1390832

[netdev] 20161018 [PATCH net] tipc: Guard against tiny MTU in tipc_msg_build()

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the USB-MIDI Linux kernel driver: a     double-free error could be triggered for the 'umidi'     object. An attacker with physical access to the system     could use this flaw to escalate their     privileges.(CVE-2016-2384)

  - A vulnerability was found in Linux kernel. There is an     information leak in file 'sound/core/timer.c' of the     latest mainline Linux kernel, the stack object 'tread'     has a total size of 32 bytes. It contains a 8-bytes     padding, which is not initialized but sent to user via     copy_to_user(), resulting a kernel leak.(CVE-2016-4569)

  - The dgram_recvmsg function in net/ieee802154/dgram.c in     the Linux kernel before 3.12.4 updates a certain length     value without ensuring that an associated data     structure has been initialized, which allows local     users to obtain sensitive information from kernel stack     memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg     system call.(CVE-2013-7281)

  - The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel through 4.14.11     allows attackers to cause a denial of service (slab     out-of-bounds write) or possibly have unspecified other     impact via vectors involving TLS.(CVE-2018-5703)

  - An issue was discovered in the fd_locked_ioctl function     in drivers/block/floppy.c in the Linux kernel. The     floppy driver will copy a kernel pointer to user memory     in response to the FDGETPRM ioctl. An attacker can send     the FDGETPRM ioctl and use the obtained kernel pointer     to discover the location of kernel code and data and     bypass kernel security protections such as     KASLR.(CVE-2018-7755)

  - The usbnet_generic_cdc_bind function in     drivers/net/usb/cdc_ether.c in the Linux kernel through     4.13.11 allows local users to cause a denial of service     (divide-by-zero error and system crash) or possibly     have unspecified other impact via a crafted USB     device.(CVE-2017-16649)

  - Heap-based buffer overflow in the wcnss_wlan_write     function in drivers/net/wireless/wcnss/wcnss_wlan.c in     the wcnss_wlan device driver for the Linux kernel 3.x,     as used in Qualcomm Innovation Center (QuIC) Android     contributions for MSM devices and other products,     allows attackers to cause a denial of service or     possibly have unspecified other impact by writing to     /dev/wcnss_wlan with an unexpected amount of     data.(CVE-2016-5342)

  - drivers/media/usb/dvb-usb/dib0700_devices.c in the     Linux kernel through 4.13.11 allows local users to     cause a denial of service (BUG and system crash) or     possibly have unspecified other impact via a crafted     USB device.(CVE-2017-16646)

  - A flaw was found in the TIPC networking subsystem which     could allow for memory corruption and possible     privilege escalation. The flaw involves a system with     an unusually low MTU (60) on networking devices     configured as bearers for the TIPC protocol. An     attacker could create a packet which will overwrite     memory outside of allocated space and allow for     privilege escalation.(CVE-2016-8632)

  - An issue was discovered in the XFS filesystem in     fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel. A     denial of service due to the NULL pointer dereference     can occur for a corrupted xfs image upon encountering     an inode that is in extent format, but has more extents     than fit in the inode fork.(CVE-2018-13095)

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization (nVMX) feature     enabled (nested=1), is vulnerable to a crash due to     disabled external interrupts. As L2 guest could access     (r/w) hardware CR8 register of the host(L0). In a     nested visualization setup, L2 guest user could use     this flaw to potentially crash the host(L0) resulting     in DoS.(CVE-2017-12154)

  - The do_double_fault function in arch/x86/kernel/traps.c     in the Linux kernel through 3.17.4 does not properly     handle faults associated with the Stack Segment (SS)     segment register, which allows local users to cause a     denial of service (panic) via a modify_ldt system call,     as demonstrated by sigreturn_32 in the     linux-clock-tests test suite.(CVE-2014-9090)

  - A race condition flaw was found in the way the Linux     kernel's mac80211 subsystem implementation handled     synchronization between TX and STA wake-up code paths.
    A remote attacker could use this flaw to crash the     system.(CVE-2014-2706)

  - The snd_seq_ioctl_remove_events function in     sound/core/seq/seq_clientmgr.c in the Linux kernel     before 4.4.1 does not verify FIFO assignment before     proceeding with FIFO clearing, which allows local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted ioctl call.(CVE-2016-2543)

  - The gtco_probe function in drivers/input/tablet/gtco.c     in the Linux kernel through 4.5.2 allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     endpoints value in a USB device     descriptor.(CVE-2016-2187)

  - An integer overflow flaw was found in the Linux     kernel's create_elf_tables() function. An unprivileged     local user with access to SUID (or otherwise     privileged) binary could use this flaw to escalate     their privileges on the system.(CVE-2018-14634)

  - A use-after-free flaw was found in the Netlink     functionality of the Linux kernel networking subsystem.
    Due to the insufficient cleanup in the mq_notify     function, a local attacker could potentially use this     flaw to escalate their privileges on the     system.(CVE-2017-11176)

  - Array index error in the aio_read_events_ring function     in fs/aio.c in the Linux kernel through 3.15.1 allows     local users to obtain sensitive information from kernel     memory via a large head value.(CVE-2014-0206)

  - arch/arm/kernel/sys_oabi-compat.c in the Linux kernel     before 4.4 allows local users to gain privileges via a     crafted (1) F_OFD_GETLK, (2) F_OFD_SETLK, or (3)     F_OFD_SETLKW command in an fcntl64 system     call.(CVE-2015-8966)

  - An issue was discovered in the Linux kernel through     4.17.2. The filter parsing in     kernel/trace/trace_events_filter.c could be called with     no filter, which is an N=0 case when it expected at     least one line to have been read, thus making the N-1     index invalid. This allows attackers to cause a denial     of service (slab out-of-bounds write) or possibly have     unspecified other impact via crafted perf_event_open     and mmap system calls.(CVE-2018-12714)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-8632)

Dmitry Vyukov discovered that a race condition existed in the timerfd subsystem of the Linux kernel when handling might_cancel queuing. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-10661)

It was discovered that the Flash-Friendly File System (f2fs) implementation in the Linux kernel did not properly validate superblock metadata. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-10662, CVE-2017-10663)

Anthony Perard discovered that the Xen virtual block driver did not properly initialize some data structures before passing them to user space. A local attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.
(CVE-2017-10911)

It was discovered that a use-after-free vulnerability existed in the POSIX message queue implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11176)

Dave Chinner discovered that the XFS filesystem did not enforce that the realtime inode flag was settable only on filesystems on a realtime device. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14340).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3312-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that the netfilter netlink implementation in the Linux kernel did not properly validate batch messages. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information or cause a denial of service. (CVE-2016-7917)

Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-8632)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that a use-after-free vulnerability existed in the device driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-7913)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the netfilter netlink implementation in the Linux kernel did not properly validate batch messages. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information or cause a denial of service. (CVE-2016-7917)

Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-8632)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that a use-after-free vulnerability existed in the device driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-7913)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Revert 'x86/mm: Expand the exception table logic to     allow new handling options' (Brian Maly) [Orabug:
    25790387] (CVE-2016-9644)

  - Revert 'fix minor infoleak in get_user_ex' (Brian Maly)     [Orabug: 25790387] (CVE-2016-9644)

  - x86/mm: Expand the exception table logic to allow new     handling options (Tony Luck) [Orabug: 25790387]     (CVE-2016-9644)

  - rebuild bumping release

  - net: ping: check minimum size on ICMP header length     (Kees Cook) [Orabug: 25766898] (CVE-2016-8399)     (CVE-2016-8399)

  - sg_write/bsg_write is not fit to be called under     KERNEL_DS (Al Viro) [Orabug: 25765436] (CVE-2016-10088)

  - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter     chang) [Orabug: 25751984] (CVE-2017-7187)

  - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander     Popov) [Orabug: 25696677] (CVE-2017-2636)

  - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)     [Orabug: 25696677] (CVE-2017-2636)

  - If Slot Status indicates changes in both Data Link Layer     Status and Presence Detect, prioritize the Link status     change. (Jack Vogel) 

  - PCI: pciehp: Leave power indicator on when enabling     already-enabled slot (Ashok Raj) [Orabug: 25353783]

  - firewire: net: guard against rx buffer overflows (Stefan     Richter) [Orabug: 25451520] (CVE-2016-8633)

  - usbnet: cleanup after bind in probe (Oliver Neukum)     [Orabug: 25463898] (CVE-2016-3951)

  - cdc_ncm: do not call usbnet_link_change from     cdc_ncm_bind (Bj&oslash rn Mork) [Orabug: 25463898]     (CVE-2016-3951)

  - cdc_ncm: Add support for moving NDP to end of NCM frame     (Enrico Mioso) [Orabug: 25463898] (CVE-2016-3951)

  - x86/mm/32: Enable full randomization on i386 and X86_32     (Hector Marco-Gisbert) [Orabug: 25463918]     (CVE-2016-3672)

  - kvm: fix page struct leak in handle_vmon (Paolo Bonzini)     [Orabug: 25507133] (CVE-2017-2596)

  - crypto: mcryptd - Check mcryptd algorithm compatibility     (tim) [Orabug: 25507153] (CVE-2016-10147)

  - kvm: nVMX: Allow L1 to intercept software exceptions     (#BP and #OF) (Jim Mattson) [Orabug: 25507188]     (CVE-2016-9588)

  - KVM: x86: drop error recovery in em_jmp_far and     em_ret_far (Radim Kr&#x10D m&aacute &#x159 ) [Orabug:
    25507213] (CVE-2016-9756)

  - tcp: take care of truncations done by sk_filter (Eric     Dumazet) [Orabug: 25507226] (CVE-2016-8645)

  - rose: limit sk_filter trim to payload (Willem de Bruijn)     [Orabug: 25507226] (CVE-2016-8645)

  - tipc: check minimum bearer MTU (Michal Kube&#x10D ek)     [Orabug: 25507239] (CVE-2016-8632) (CVE-2016-8632)

  - fix minor infoleak in get_user_ex (Al Viro) [Orabug:
    25507269] (CVE-2016-9178)

  - scsi: arcmsr: Simplify user_len checking (Borislav     Petkov) [Orabug: 25507319] (CVE-2016-7425)

  - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer     (Dan Carpenter) [Orabug: 25507319] (CVE-2016-7425)

  - tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)     [Orabug: 25507341] (CVE-2016-7097) (CVE-2016-7097)

  - posix_acl: Clear SGID bit when setting file permissions     (Jan Kara) [Orabug: 25507341] (CVE-2016-7097)     (CVE-2016-7097)

  - ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366]     (CVE-2015-8952)

  - ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366]     (CVE-2015-8952)

  - mbcache2: reimplement mbcache (Jan Kara) [Orabug:
    25512366] (CVE-2015-8952)

  - USB: digi_acceleport: do sanity checking for the number     of ports (Oliver Neukum) [Orabug: 25512466]     (CVE-2016-3140)

  - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)     [Orabug: 25682419] (CVE-2017-6345)

  - net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli     Cohen) 

  - ipv4: keep skb->dst around in presence of IP options     (Eric Dumazet) [Orabug: 25698300] (CVE-2017-5970)

  - perf/core: Fix concurrent sys_perf_event_open vs.
    'move_group' race (Peter Zijlstra) [Orabug: 25698751]     (CVE-2017-6001)

  - ip6_gre: fix ip6gre_err invalid reads (Eric Dumazet)     [Orabug: 25699015] (CVE-2017-5897)

  - mpt3sas: Don't spam logs if logging level is 0 (Johannes     Thumshirn) 

  - xen-netfront: cast grant table reference first to type     int (Dongli Zhang)

  - xen-netfront: do not cast grant table reference to     signed short (Dongli Zhang)

Description of changes:

[4.1.12-61.1.33.el7uek]
- Revert 'x86/mm: Expand the exception table logic to allow new handling options' (Brian Maly)  [Orabug: 25790387]  {CVE-2016-9644}
- Revert 'fix minor infoleak in get_user_ex()' (Brian Maly)  [Orabug: 25790387]  {CVE-2016-9644}

[4.1.12-61.1.32.el7uek]
- x86/mm: Expand the exception table logic to allow new handling options (Tony Luck)  [Orabug: 25790387]  {CVE-2016-9644}

[4.1.12-61.1.31.el7uek]
- rebuild bumping release

[4.1.12-61.1.30.el7uek]
- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766898]  {CVE-2016-8399} {CVE-2016-8399}
- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro)  [Orabug: 25765436]  {CVE-2016-10088}
- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25751984]  {CVE-2017-7187}

[4.1.12-61.1.29.el7uek]
- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov)  [Orabug: 25696677]  {CVE-2017-2636}
- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)  [Orabug: 25696677]  {CVE-2017-2636}
- If Slot Status indicates changes in both Data Link Layer Status and Presence Detect, prioritize the Link status change. (Jack Vogel) [Orabug: 25353783]
- PCI: pciehp: Leave power indicator on when enabling already-enabled slot (Ashok Raj)  [Orabug: 25353783]
- firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451520]  {CVE-2016-8633}
- usbnet: cleanup after bind() in probe() (Oliver Neukum)  [Orabug: 25463898]  {CVE-2016-3951}
- cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind (Bj&oslash rn Mork)   [Orabug: 25463898]  {CVE-2016-3951}
- cdc_ncm: Add support for moving NDP to end of NCM frame (Enrico Mioso)   [Orabug: 25463898]  {CVE-2016-3951}
- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert)  [Orabug: 25463918]  {CVE-2016-3672}
- kvm: fix page struct leak in handle_vmon (Paolo Bonzini)  [Orabug: 25507133]  {CVE-2017-2596}
- crypto: mcryptd - Check mcryptd algorithm compatibility (tim) [Orabug: 25507153]  {CVE-2016-10147}
- kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) (Jim Mattson)  [Orabug: 25507188]  {CVE-2016-9588}
- KVM: x86: drop error recovery in em_jmp_far and em_ret_far (Radim Kr&#x10D m&aacute &#x159 )  [Orabug: 25507213]  {CVE-2016-9756}
- tcp: take care of truncations done by sk_filter() (Eric Dumazet) [Orabug: 25507226]  {CVE-2016-8645}
- rose: limit sk_filter trim to payload (Willem de Bruijn)  [Orabug: 25507226]  {CVE-2016-8645}
- tipc: check minimum bearer MTU (Michal Kube&#x10D ek)  [Orabug: 25507239] {CVE-2016-8632} {CVE-2016-8632}
- fix minor infoleak in get_user_ex() (Al Viro)  [Orabug: 25507269] {CVE-2016-9178}
- scsi: arcmsr: Simplify user_len checking (Borislav Petkov)  [Orabug: 25507319]  {CVE-2016-7425}
- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan Carpenter)  [Orabug: 25507319]  {CVE-2016-7425}
- tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)  [Orabug: 25507341]  {CVE-2016-7097} {CVE-2016-7097}
- posix_acl: Clear SGID bit when setting file permissions (Jan Kara) [Orabug: 25507341]  {CVE-2016-7097} {CVE-2016-7097}
- ext2: convert to mbcache2 (Jan Kara)  [Orabug: 25512366]  {CVE-2015-8952}
- ext4: convert to mbcache2 (Jan Kara)  [Orabug: 25512366]  {CVE-2015-8952}
- mbcache2: reimplement mbcache (Jan Kara)  [Orabug: 25512366] {CVE-2015-8952}
- USB: digi_acceleport: do sanity checking for the number of ports (Oliver Neukum)  [Orabug: 25512466]  {CVE-2016-3140}
- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet)  [Orabug: 25682419]  {CVE-2017-6345}
- net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli Cohen) [Orabug: 25697847]
- ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) [Orabug: 25698300]  {CVE-2017-5970}
- perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race (Peter Zijlstra)  [Orabug: 25698751]  {CVE-2017-6001}
- ip6_gre: fix ip6gre_err() invalid reads (Eric Dumazet)  [Orabug: 25699015]  {CVE-2017-5897}
- mpt3sas: Don't spam logs if logging level is 0 (Johannes Thumshirn) [Orabug: 25699035]
- xen-netfront: cast grant table reference first to type int (Dongli Zhang)
- xen-netfront: do not cast grant table reference to signed short (Dongli Zhang)

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2015-8970: crypto/algif_skcipher.c in the Linux     kernel did not verify that a setkey operation has been     performed on an AF_ALG socket before an accept system     call is processed, which allowed local users to cause a     denial of service (NULL pointer dereference and system     crash) via a crafted application that did not supply a     key, related to the lrw_crypt function in crypto/lrw.c     (bnc#1008374).

  - CVE-2017-5551: Clear S_ISGID on tmpfs when setting posix     ACLs (bsc#1021258).

  - CVE-2016-7097: The filesystem implementation in the     Linux kernel preserves the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions (bnc#995968).

  - CVE-2016-10088: The sg implementation in the Linux     kernel did not properly restrict write operations in     situations where the KERNEL_DS option is set, which     allowed local users to read or write to arbitrary kernel     memory locations or cause a denial of service     (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c.
    NOTE: this vulnerability exists because of an incomplete     fix for CVE-2016-9576 (bnc#1017710).

  - CVE-2004-0230: TCP, when using a large Window Size, made     it easier for remote attackers to guess sequence numbers     and cause a denial of service (connection loss) to     persistent TCP connections by repeatedly injecting a TCP     RST packet, especially in protocols that use long-lived     connections, such as BGP (bnc#969340).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bnc#1008831).

  - CVE-2016-8399: An elevation of privilege vulnerability     in the kernel networking subsystem could have enabled a     local malicious application to execute arbitrary code     within the context of the kernel bnc#1014746).

  - CVE-2016-9793: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1)     SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option     (bnc#1013531).

  - CVE-2012-6704: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1) SO_SNDBUF or     (2) SO_RCVBUF option (bnc#1013542).

  - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux     kernel did not properly initialize Code Segment (CS) in     certain error cases, which allowed local users to obtain     sensitive information from kernel stack memory via a     crafted application (bnc#1013038).

  - CVE-2016-3841: The IPv6 stack in the Linux kernel     mishandled options data, which allowed local users to     gain privileges or cause a denial of service     (use-after-free and system crash) via a crafted sendmsg     system call (bnc#992566).

  - CVE-2016-9685: Multiple memory leaks in error paths in     fs/xfs/xfs_attr_list.c in the Linux kernel allowed local     users to cause a denial of service (memory consumption)     via crafted XFS filesystem operations (bnc#1012832).

  - CVE-2015-1350: The VFS subsystem in the Linux kernel     provided an incomplete set of requirements for setattr     operations that underspecifies removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bnc#914939).

  - CVE-2015-8962: Double free vulnerability in the     sg_common_write function in drivers/scsi/sg.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (memory corruption and system     crash) by detaching a device during an SG_IO ioctl call     (bnc#1010501).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacked     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

  - CVE-2016-7910: Use-after-free vulnerability in the     disk_seqf_stop function in block/genhd.c in the Linux     kernel allowed local users to gain privileges by     leveraging the execution of a certain stop operation     even if the corresponding start operation had failed     (bnc#1010716).

  - CVE-2016-7911: Race condition in the get_task_ioprio     function in block/ioprio.c in the Linux kernel allowed     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted ioprio_get system     call (bnc#1010711).

  - CVE-2015-8964: The tty_set_termios_ldisc function in     drivers/tty/tty_ldisc.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a tty data structure (bnc#1010507).

  - CVE-2016-7916: Race condition in the environ_read     function in fs/proc/base.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a /proc/*/environ file during a     process-setup time interval in which     environment-variable copying is incomplete     (bnc#1010467).

  - CVE-2016-8646: The hash_accept function in     crypto/algif_hash.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) by attempting     to trigger use of in-kernel hash algorithms for a socket     that has received zero bytes of data (bnc#1010150).

  - CVE-2016-8633: drivers/firewire/net.c in the Linux     kernel in certain unusual hardware configurations     allowed remote attackers to execute arbitrary code via     crafted fragmented packets (bnc#1008833).

  - CVE-2016-7042: The proc_keys_show function in     security/keys/proc.c in the Linux, when the GNU Compiler     Collection (gcc) stack protector is enabled, used an     incorrect buffer size for certain timeout data, which     allowed local users to cause a denial of service (stack     memory corruption and panic) by reading the /proc/keys     file (bnc#1004517).

  - CVE-2015-8956: The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel allowed     local users to obtain sensitive information or cause a     denial of service (NULL pointer dereference) via vectors     involving a bind system call on a Bluetooth RFCOMM     socket (bnc#1003925).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bnc#1003077).

  - CVE-2016-0823: The pagemap_open function in     fs/proc/task_mmu.c in the Linux kernel allowed local     users to obtain sensitive physical-address information     by reading a pagemap file (bnc#994759).

  - CVE-2016-7425: The arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did     not restrict a certain length field, which allowed local     users to gain privileges or cause a denial of service     (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

  - CVE-2016-6828: The tcp_check_send_head function in     include/net/tcp.h in the Linux kernel did not properly     maintain certain SACK state after a failed data copy,     which allowed local users to cause a denial of service     (tcp_xmit_retransmit_queue use-after-free and system     crash) via a crafted SACK option (bnc#994296).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Mikulas Patocka discovered that the asynchronous multibuffer cryptographic daemon (mcryptd) in the Linux kernel did not properly handle being invoked with incompatible algorithms. A local attacker could use this to cause a denial of service (system crash).
(CVE-2016-10147)

It was discovered that a use-after-free existed in the KVM susbsystem of the Linux kernel when creating devices. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-10150)

Qidan He discovered that the ICMP implementation in the Linux kernel did not properly check the size of an ICMP header. A local attacker with CAP_NET_ADMIN could use this to expose sensitive information.
(CVE-2016-8399)

Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use to cause a denial of service (system crash) or possible execute arbitrary code with administrative privileges. (CVE-2016-8632)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel did not properly restrict the VCPU index when I/O APIC is enabled, An attacker in a guest VM could use this to cause a denial of service (system crash) or possibly gain privileges in the host OS.
(CVE-2016-9777).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP4 kernel was updated to 3.0.101-94 to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-5551: tmpfs: clear S_ISGID when setting posix     ACLs (bsc#1021258).

  - CVE-2016-10088: The sg implementation in the Linux     kernel did not properly restrict write operations in     situations where the KERNEL_DS option is set, which     allowed local users to read or write to arbitrary kernel     memory locations or cause a denial of service     (use-after-free) by leveraging access to a /dev/sg     device NOTE: this vulnerability existed because of an     incomplete fix for CVE-2016-9576 (bnc#1017710).

  - CVE-2016-5696: TCP, when using a large Window Size, made     it easier for remote attackers to guess sequence numbers     and cause a denial of service (connection loss) to     persistent TCP connections by repeatedly injecting a TCP     RST packet, especially in protocols that use long-lived     connections, such as BGP (bnc#989152).

  - CVE-2015-1350: The VFS subsystem in the Linux kernel 3.x     provided an incomplete set of requirements for setattr     operations that underspecified removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bnc#914939).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bnc#1008831).

  - CVE-2016-8399: An elevation of privilege vulnerability     in the kernel networking subsystem could enable a local     malicious application to execute arbitrary code within     the context of the kernel. This issue is rated as     Moderate because it first requires compromising a     privileged process and current compiler optimizations     restrict access to the vulnerable code. (bnc#1014746).

  - CVE-2016-9793: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1)     SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option     (bnc#1013531).

  - CVE-2012-6704: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1) SO_SNDBUF or     (2) SO_RCVBUF option (bnc#1013542).

  - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux     kernel did not properly initialize Code Segment (CS) in     certain error cases, which allowed local users to obtain     sensitive information from kernel stack memory via a     crafted application (bnc#1013038).

  - CVE-2016-9685: Multiple memory leaks in error paths in     fs/xfs/xfs_attr_list.c in the Linux kernel allowed local     users to cause a denial of service (memory consumption)     via crafted XFS filesystem operations (bnc#1012832).

  - CVE-2015-8962: Double free vulnerability in the     sg_common_write function in drivers/scsi/sg.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (memory corruption and system     crash) by detaching a device during an SG_IO ioctl call     (bnc#1010501).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacked     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

  - CVE-2016-7910: Use-after-free vulnerability in the     disk_seqf_stop function in block/genhd.c in the Linux     kernel allowed local users to gain privileges by     leveraging the execution of a certain stop operation     even if the corresponding start operation had failed     (bnc#1010716).

  - CVE-2016-7911: Race condition in the get_task_ioprio     function in block/ioprio.c in the Linux kernel allowed     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted ioprio_get system     call (bnc#1010711).

  - CVE-2013-6368: The KVM subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (system crash) via a VAPIC synchronization     operation involving a page-end address (bnc#853052).

  - CVE-2015-8964: The tty_set_termios_ldisc function in     drivers/tty/tty_ldisc.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a tty data structure (bnc#1010507).

  - CVE-2016-7916: Race condition in the environ_read     function in fs/proc/base.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a /proc/*/environ file during a     process-setup time interval in which     environment-variable copying is incomplete     (bnc#1010467).

  - CVE-2016-8646: The hash_accept function in     crypto/algif_hash.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) by attempting     to trigger use of in-kernel hash algorithms for a socket     that has received zero bytes of data (bnc#1010150).

  - CVE-2016-8633: drivers/firewire/net.c in the Linux     kernel, in certain unusual hardware configurations,     allowed remote attackers to execute arbitrary code via     crafted fragmented packets (bnc#1008833).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP2 LTSS kernel was updated to receive various security and bugfixes. This is the last planned LTSS kernel update for the SUSE Linux Enterprise Server 11 SP2 LTSS. The following security bugs were fixed :

  - CVE-2016-10088: The sg implementation in the Linux     kernel did not properly restrict write operations in     situations where the KERNEL_DS option is set, which     allowed local users to read or write to arbitrary kernel     memory locations or cause a denial of service     (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c.
    NOTE: this vulnerability exists because of an incomplete     fix for CVE-2016-9576 (bnc#1017710).

  - CVE-2004-0230: TCP, when using a large Window Size, made     it easier for remote attackers to guess sequence numbers     and cause a denial of service (connection loss) to     persistent TCP connections by repeatedly injecting a TCP     RST packet, especially in protocols that use long-lived     connections, such as BGP (bnc#969340).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bnc#1008831).

  - CVE-2016-8399: An out of bounds read in the ping     protocol handler could have lead to information     disclosure (bsc#1014746).

  - CVE-2016-9793: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1)     SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option     (bnc#1013531).

  - CVE-2012-6704: The sock_setsockopt function in     net/core/sock.c in the Linux kernel mishandled negative     values of sk_sndbuf and sk_rcvbuf, which allowed local     users to cause a denial of service (memory corruption     and system crash) or possibly have unspecified other     impact by leveraging the CAP_NET_ADMIN capability for a     crafted setsockopt system call with the (1) SO_SNDBUF or     (2) SO_RCVBUF option (bnc#1013542).

  - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux     kernel did not properly initialize Code Segment (CS) in     certain error cases, which allowed local users to obtain     sensitive information from kernel stack memory via a     crafted application (bnc#1013038).

  - CVE-2016-3841: The IPv6 stack in the Linux kernel     mishandled options data, which allowed local users to     gain privileges or cause a denial of service     (use-after-free and system crash) via a crafted sendmsg     system call (bnc#992566).

  - CVE-2016-9685: Multiple memory leaks in error paths in     fs/xfs/xfs_attr_list.c in the Linux kernel allowed local     users to cause a denial of service (memory consumption)     via crafted XFS filesystem operations (bnc#1012832).

  - CVE-2015-1350: The VFS subsystem in the Linux kernel 3.x     provides an incomplete set of requirements for setattr     operations that underspecified removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bnc#914939).

  - CVE-2015-8962: Double free vulnerability in the     sg_common_write function in drivers/scsi/sg.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (memory corruption and system     crash) by detaching a device during an SG_IO ioctl call     (bnc#1010501).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacked     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

  - CVE-2016-7910: Use-after-free vulnerability in the     disk_seqf_stop function in block/genhd.c in the Linux     kernel allowed local users to gain privileges by     leveraging the execution of a certain stop operation     even if the corresponding start operation had failed     (bnc#1010716).

  - CVE-2016-7911: Race condition in the get_task_ioprio     function in block/ioprio.c in the Linux kernel allowed     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted ioprio_get system     call (bnc#1010711).

  - CVE-2015-8964: The tty_set_termios_ldisc function in     drivers/tty/tty_ldisc.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a tty data structure (bnc#1010507).

  - CVE-2016-7916: Race condition in the environ_read     function in fs/proc/base.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a /proc/*/environ file during a     process-setup time interval in which     environment-variable copying is incomplete     (bnc#1010467).

  - CVE-2016-8646: The hash_accept function in     crypto/algif_hash.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) by attempting     to trigger use of in-kernel hash algorithms for a socket     that has received zero bytes of data (bnc#1010150).

  - CVE-2016-8633: drivers/firewire/net.c in the Linux     kernel before 4.8.7, in certain unusual hardware     configurations, allowed remote attackers to execute     arbitrary code via crafted fragmented packets     (bnc#1008833).

  - CVE-2016-7042: The proc_keys_show function in     security/keys/proc.c in the Linux kernel used an     incorrect buffer size for certain timeout data, which     allowed local users to cause a denial of service (stack     memory corruption and panic) by reading the /proc/keys     file (bnc#1004517).

  - CVE-2016-7097: The filesystem implementation in the     Linux kernel preserves the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions (bnc#995968).

  - CVE-2017-5551: The filesystem implementation in the     Linux kernel preserves the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions. This CVE tracks the     fix for the tmpfs filesystem. (bsc#1021258).

  - CVE-2015-8956: The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel allowed     local users to obtain sensitive information or cause a     denial of service (NULL pointer dereference) via vectors     involving a bind system call on a Bluetooth RFCOMM     socket (bnc#1003925).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bnc#1003077).

  - CVE-2016-0823: The pagemap_open function in     fs/proc/task_mmu.c in the Linux kernel allowed local     users to obtain sensitive physical-address information     by reading a pagemap file, aka Android internal bug     25739721 (bnc#994759).

  - CVE-2016-7425: The arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did     not restrict a certain length field, which allowed local     users to gain privileges or cause a denial of service     (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

  - CVE-2016-6828: The tcp_check_send_head function in     include/net/tcp.h in the Linux kernel did not properly     maintain certain SACK state after a failed data copy,     which allowed local users to cause a denial of service     (tcp_xmit_retransmit_queue use-after-free and system     crash) via a crafted SACK option (bnc#994296).

  - CVE-2016-6480: Race condition in the ioctl_send_fib     function in drivers/scsi/aacraid/commctrl.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds access or system crash) by changing a     certain size value, aka a 'double fetch' vulnerability     (bnc#991608).

  - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt     implementation in the netfilter subsystem in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds read) or possibly obtain sensitive     information from kernel heap memory by leveraging     in-container root access to provide a crafted offset     value that leads to crossing a ruleset blob boundary     (bsc#986365).

  - CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel     did not reset the PIT counter values during state     restoration, which allowed guest OS users to cause a     denial of service (divide-by-zero error and host OS     crash) via a zero value, related to the     kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions     (bnc#960689).

  - CVE-2013-4312: The Linux kernel allowed local users to     bypass file-descriptor limits and cause a denial of     service (memory consumption) by sending each descriptor     over a UNIX socket before closing it, related to     net/unix/af_unix.c and net/unix/garbage.c (bnc#839104).

  - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and     IP6T_SO_SET_REPLACE setsockopt implementations in the     netfilter subsystem in the Linux kernel allow local     users to gain privileges or cause a denial of service     (memory corruption) by leveraging in-container root     access to provide a crafted offset value that triggers     an unintended decrement (bnc#986362).

  - CVE-2016-5829: Multiple heap-based buffer overflows in     the hiddev_ioctl_usage function in     drivers/hid/usbhid/hiddev.c in the Linux kernel allow     local users to cause a denial of service or possibly     have unspecified other impact via a crafted (1)     HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call     (bnc#986572).

  - CVE-2016-4470: The key_reject_and_link function in     security/keys/key.c in the Linux kernel did not ensure     that a certain data structure is initialized, which     allowed local users to cause a denial of service (system     crash) via vectors involving a crafted keyctl request2     command (bnc#984755).

  - CVE-2016-5244: The rds_inc_info_copy function in     net/rds/recv.c in the Linux kernel did not initialize a     certain structure member, which allowed remote attackers     to obtain sensitive information from kernel stack memory     by reading an RDS message (bnc#983213).

  - CVE-2016-1583: The ecryptfs_privileged_open function in     fs/ecryptfs/kthread.c in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (stack memory consumption) via vectors involving crafted     mmap calls for /proc pathnames, leading to recursive     pagefault handling (bnc#983143).

  - CVE-2016-4913: The get_rock_ridge_filename function in     fs/isofs/rock.c in the Linux kernel mishandled NM (aka     alternate name) entries containing \0 characters, which     allowed local users to obtain sensitive information from     kernel memory or possibly have unspecified other impact     via a crafted isofs filesystem (bnc#980725).

  - CVE-2016-4580: The x25_negotiate_facilities function in     net/x25/x25_facilities.c in the Linux kernel did not     properly initialize a certain data structure, which     allowed attackers to obtain sensitive information from     kernel stack memory via an X.25 Call Request     (bnc#981267).

  - CVE-2016-4805: Use-after-free vulnerability in     drivers/net/ppp/ppp_generic.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash, or spinlock) or possibly     have unspecified other impact by removing a network     namespace, related to the ppp_register_net_channel and     ppp_unregister_channel functions (bnc#980371).

  - CVE-2015-7833: The usbvision driver in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (panic) via a nonzero bInterfaceNumber value     in a USB device descriptor (bnc#950998).

  - CVE-2016-2187: The gtco_probe function in     drivers/input/tablet/gtco.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted endpoints value in a USB device descriptor     (bnc#971944).

  - CVE-2016-4482: The proc_connectinfo function in     drivers/usb/core/devio.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via a crafted USBDEVFS_CONNECTINFO ioctl call     (bnc#978401).

  - CVE-2016-4565: The InfiniBand (aka IB) stack in the     Linux kernel incorrectly relies on the write system     call, which allowed local users to cause a denial of     service (kernel memory write operation) or possibly have     unspecified other impact via a uAPI interface     (bnc#979548).

  - CVE-2016-4485: The llc_cmsg_rcv function in     net/llc/af_llc.c in the Linux kernel did not initialize     a certain data structure, which allowed attackers to     obtain sensitive information from kernel stack memory by     reading a message (bnc#978821).

  - CVE-2016-4578: sound/core/timer.c in the Linux kernel     did not initialize certain r1 data structures, which     allowed local users to obtain sensitive information from     kernel stack memory via crafted use of the ALSA timer     interface, related to the (1) snd_timer_user_ccallback     and (2) snd_timer_user_tinterrupt functions     (bnc#979879).

  - CVE-2016-4569: The snd_timer_user_params function in     sound/core/timer.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via crafted use of the ALSA timer interface     (bnc#979213).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for the Linux Kernel 3.12.51-52_39 fixes several issues.
The following security bugs were fixed :

  - CVE-2016-9806: Race condition in the netlink_dump     function in net/netlink/af_netlink.c in the Linux kernel     allowed local users to cause a denial of service (double     free) or possibly have unspecified other impact via a     crafted application that made sendmsg system calls,     leading to a free operation associated with a new dump     that started earlier than anticipated (bsc#1017589).

  - CVE-2016-9794: Race condition in the     snd_pcm_period_elapsed function in sound/core/pcm_lib.c     in the ALSA subsystem in the Linux kernel allowed local     users to cause a denial of service (use-after-free) or     possibly have unspecified other impact via a crafted     SNDRV_PCM_TRIGGER_START command (bsc#1013543).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bsc#1012852).

  - CVE-2016-9576: The blk_rq_map_user_iov function in     block/blk-map.c in the Linux kernel did not properly     restrict the type of iterator, which allowed local users     to read or write to arbitrary kernel memory locations or     cause a denial of service (use-after-free) by leveraging     access to a /dev/sg device (bsc#1014271).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for the Linux Kernel 3.12.55-52_45 fixes several issues.
The following security bugs were fixed :

  - CVE-2016-9806: Race condition in the netlink_dump     function in net/netlink/af_netlink.c in the Linux kernel     allowed local users to cause a denial of service (double     free) or possibly have unspecified other impact via a     crafted application that made sendmsg system calls,     leading to a free operation associated with a new dump     that started earlier than anticipated (bsc#1017589).

  - CVE-2016-9794: Race condition in the     snd_pcm_period_elapsed function in sound/core/pcm_lib.c     in the ALSA subsystem in the Linux kernel allowed local     users to cause a denial of service (use-after-free) or     possibly have unspecified other impact via a crafted     SNDRV_PCM_TRIGGER_START command (bsc#1013543).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bsc#1012852).

  - CVE-2016-9576: The blk_rq_map_user_iov function in     block/blk-map.c in the Linux kernel did not properly     restrict the type of iterator, which allowed local users     to read or write to arbitrary kernel memory locations or     cause a denial of service (use-after-free) by leveraging     access to a /dev/sg device (bsc#1014271).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for the Linux Kernel 3.12.60-52_49 fixes several issues.
The following security bugs were fixed :

  - CVE-2016-9806: Race condition in the netlink_dump     function in net/netlink/af_netlink.c in the Linux kernel     allowed local users to cause a denial of service (double     free) or possibly have unspecified other impact via a     crafted application that made sendmsg system calls,     leading to a free operation associated with a new dump     that started earlier than anticipated (bsc#1017589).

  - CVE-2016-9794: Race condition in the     snd_pcm_period_elapsed function in sound/core/pcm_lib.c     in the ALSA subsystem in the Linux kernel allowed local     users to cause a denial of service (use-after-free) or     possibly have unspecified other impact via a crafted     SNDRV_PCM_TRIGGER_START command (bsc#1013543).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bsc#1012852).

  - CVE-2016-9576: The blk_rq_map_user_iov function in     block/blk-map.c in the Linux kernel did not properly     restrict the type of iterator, which allowed local users     to read or write to arbitrary kernel memory locations or     cause a denial of service (use-after-free) by leveraging     access to a /dev/sg device (bsc#1014271).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for the Linux Kernel 3.12.51-52_34 fixes several issues.
The following security bugs were fixed :

  - CVE-2016-9806: Race condition in the netlink_dump     function in net/netlink/af_netlink.c in the Linux kernel     allowed local users to cause a denial of service (double     free) or possibly have unspecified other impact via a     crafted application that made sendmsg system calls,     leading to a free operation associated with a new dump     that started earlier than anticipated (bsc#1017589).

  - CVE-2016-9794: Race condition in the     snd_pcm_period_elapsed function in sound/core/pcm_lib.c     in the ALSA subsystem in the Linux kernel allowed local     users to cause a denial of service (use-after-free) or     possibly have unspecified other impact via a crafted     SNDRV_PCM_TRIGGER_START command (bsc#1013543).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bsc#1012852).

  - CVE-2016-9576: The blk_rq_map_user_iov function in     block/blk-map.c in the Linux kernel did not properly     restrict the type of iterator, which allowed local users     to read or write to arbitrary kernel memory locations or     cause a denial of service (use-after-free) by leveraging     access to a /dev/sg device (bsc#1014271).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for the Linux Kernel 3.12.60-52_54 fixes several issues.
The following security bugs were fixed :

  - CVE-2016-9806: Race condition in the netlink_dump     function in net/netlink/af_netlink.c in the Linux kernel     allowed local users to cause a denial of service (double     free) or possibly have unspecified other impact via a     crafted application that made sendmsg system calls,     leading to a free operation associated with a new dump     that started earlier than anticipated (bsc#1017589).

  - CVE-2016-9794: Race condition in the     snd_pcm_period_elapsed function in sound/core/pcm_lib.c     in the ALSA subsystem in the Linux kernel allowed local     users to cause a denial of service (use-after-free) or     possibly have unspecified other impact via a crafted     SNDRV_PCM_TRIGGER_START command (bsc#1013543).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bsc#1012852).

  - CVE-2016-9576: The blk_rq_map_user_iov function in     block/blk-map.c in the Linux kernel did not properly     restrict the type of iterator, which allowed local users     to read or write to arbitrary kernel memory locations or     cause a denial of service (use-after-free) by leveraging     access to a /dev/sg device (bsc#1014271).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for the Linux Kernel 3.12.60-52_57 fixes several issues.
The following security bugs were fixed :

  - CVE-2016-9806: Race condition in the netlink_dump     function in net/netlink/af_netlink.c in the Linux kernel     allowed local users to cause a denial of service (double     free) or possibly have unspecified other impact via a     crafted application that made sendmsg system calls,     leading to a free operation associated with a new dump     that started earlier than anticipated (bsc#1017589).

  - CVE-2016-9794: Race condition in the     snd_pcm_period_elapsed function in sound/core/pcm_lib.c     in the ALSA subsystem in the Linux kernel allowed local     users to cause a denial of service (use-after-free) or     possibly have unspecified other impact via a crafted     SNDRV_PCM_TRIGGER_START command (bsc#1013543).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bsc#1012852).

  - CVE-2016-9576: The blk_rq_map_user_iov function in     block/blk-map.c in the Linux kernel did not properly     restrict the type of iterator, which allowed local users     to read or write to arbitrary kernel memory locations or     cause a denial of service (use-after-free) by leveraging     access to a /dev/sg device (bsc#1014271).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for the Linux Kernel 3.12.55-52_42 fixes several issues.
The following security bugs were fixed :

  - CVE-2016-9806: Race condition in the netlink_dump     function in net/netlink/af_netlink.c in the Linux kernel     allowed local users to cause a denial of service (double     free) or possibly have unspecified other impact via a     crafted application that made sendmsg system calls,     leading to a free operation associated with a new dump     that started earlier than anticipated (bsc#1017589).

  - CVE-2016-9794: Race condition in the     snd_pcm_period_elapsed function in sound/core/pcm_lib.c     in the ALSA subsystem in the Linux kernel allowed local     users to cause a denial of service (use-after-free) or     possibly have unspecified other impact via a crafted     SNDRV_PCM_TRIGGER_START command (bsc#1013543).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bsc#1012852).

  - CVE-2016-9576: The blk_rq_map_user_iov function in     block/blk-map.c in the Linux kernel did not properly     restrict the type of iterator, which allowed local users     to read or write to arbitrary kernel memory locations or     cause a denial of service (use-after-free) by leveraging     access to a /dev/sg device (bsc#1014271).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE 13.1 kernel was updated to receive various critical security fixes.

The following security bugs were fixed :

  - CVE-2016-8655: A race condition in the af_packet     packet_set_ring function could be used by local     attackers to crash the kernel or gain privileges     (bsc#1012754).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bnc#1008831).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacks     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

The SUSE Linux Enterprise 12 kernel was updated to receive critical security fixes. The following security bugs were fixed :

  - CVE-2016-8655: A race condition in the af_packet     packet_set_ring function could be used by local     attackers to crash the kernel or gain privileges     (bsc#1012754).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bnc#1008831).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacks     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to receive critical security fixes. The following security bugs were fixed :

  - CVE-2016-8655: A race condition in the af_packet     packet_set_ring function could be used by local     attackers to crash the kernel or gain privileges     (bsc#1012754).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bnc#1008831).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacks     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various critical security fixes. The following security bugs were fixed :

  - CVE-2016-8655: A race condition in the af_packet     packet_set_ring function could be used by local     attackers to crash the kernel or gain privileges     (bsc#1012754).

  - CVE-2016-8632: The tipc_msg_build function in     net/tipc/msg.c in the Linux kernel did not validate the     relationship between the minimum fragment length and the     maximum packet size, which allowed local users to gain     privileges or cause a denial of service (heap-based     buffer overflow) by leveraging the CAP_NET_ADMIN     capability (bnc#1008831).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacks     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
125101	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1513)	Nessus	Huawei Local Security Checks	critical
104322	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3470-1)	Nessus	Ubuntu Local Security Checks	high
100665	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3312-2)	Nessus	Ubuntu Local Security Checks	critical
100664	Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities (USN-3312-1)	Nessus	Ubuntu Local Security Checks	critical
99162	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)	Nessus	OracleVM Local Security Checks	high
99159	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3533)	Nessus	Oracle Linux Local Security Checks	high
97297	SUSE SLES11 Security Update : kernel (SUSE-SU-2017:0494-1)	Nessus	SuSE Local Security Checks	critical
97098	Ubuntu 16.10 : linux-raspi2 vulnerabilities (USN-3190-2)	Nessus	Ubuntu Local Security Checks	critical
97097	SUSE SLES11 Security Update : kernel (SUSE-SU-2017:0437-1)	Nessus	SuSE Local Security Checks	critical
97018	Ubuntu 16.10 : linux vulnerabilities (USN-3190-1)	Nessus	Ubuntu Local Security Checks	critical
96903	SUSE SLES11 Security Update : kernel (SUSE-SU-2017:0333-1)	Nessus	SuSE Local Security Checks	critical
96762	SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0268-1)	Nessus	SuSE Local Security Checks	high
96702	SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0249-1)	Nessus	SuSE Local Security Checks	high
96701	SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0248-1)	Nessus	SuSE Local Security Checks	high
96700	SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0247-1)	Nessus	SuSE Local Security Checks	high
96699	SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0246-1)	Nessus	SuSE Local Security Checks	high
96698	SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0245-1)	Nessus	SuSE Local Security Checks	high
96697	SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0244-1)	Nessus	SuSE Local Security Checks	high
95708	openSUSE Security Update : the Linux Kernel (openSUSE-2016-1436)	Nessus	SuSE Local Security Checks	critical
95701	openSUSE Security Update : the Linux Kernel (openSUSE-2016-1426)	Nessus	SuSE Local Security Checks	critical
95660	SUSE SLES12 Security Update : kernel (SUSE-SU-2016:3063-1)	Nessus	SuSE Local Security Checks	critical
95628	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:3049-1)	Nessus	SuSE Local Security Checks	critical
95606	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:3039-1)	Nessus	SuSE Local Security Checks	critical

CVE-2016-8632

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins