http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fac8e0f579695a3ecbc4d3cac369139d7f819971

RHSA-2016:2047

RHSA-2016:2107

RHSA-2016:2110

RHSA-2017:0004

[oss-security] 20161013 CVE Request: another recursion in GRE

93562

RHSA-2017:0372

https://bto.bluecoat.com/security-advisory/sa134

https://bugzilla.redhat.com/show_bug.cgi?id=1384991

https://bugzilla.suse.com/show_bug.cgi?id=1001486

https://github.com/torvalds/linux/commit/fac8e0f579695a3ecbc4d3cac369139d7f819971

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - Mounting a crafted EXT4 image read-only leads to an     attacker controlled memory corruption and     SLAB-Out-of-Bounds reads.(CVE-2016-10208i1/4%0

  - An issue was discovered in the hwpoison implementation     in mm/memory-failure.c in the Linux kernel before     5.0.4. When soft_offline_in_use_page() runs on a thp     tail page after pmd is split, an attacker can cause a     denial of service (BUG).(CVE-2019-10124i1/4%0

  - A stack-based buffer overflow flaw was found in the     Linux kernel's early load microcode functionality. On a     system with UEFI Secure Boot enabled, a local,     privileged user could use this flaw to increase their     privileges to the kernel (ring0) level, bypassing     intended restrictions in place.(CVE-2015-2666i1/4%0

  - A flaw was found in the way the Linux kernel's     networking subsystem handled offloaded packets with     multiple layers of encapsulation in the GRO (Generic     Receive Offload) code path. A remote attacker could use     this flaw to trigger unbounded recursion in the kernel     that could lead to stack corruption, resulting in a     system crash.(CVE-2016-8666i1/4%0

  - The ethtool_get_wol function in net/core/ethtool.c in     the Linux kernel through 4.7, as used in Android before     2016-08-05 on Nexus 5 and 7 (2013) devices, does not     initialize a certain data structure, which allows local     users to obtain sensitive information via a crafted     application, aka Android internal bug 28803952 and     Qualcomm internal bug CR570754.(CVE-2014-9900i1/4%0

  - A vulnerability was found in crypto/ahash.c in the     Linux kernel which allows attackers to cause a denial     of service (API operation calling its own callback, and     infinite recursion) by triggering EBUSY on a full     queue.(CVE-2017-7618i1/4%0

  - drivers/misc/qseecom.c in the QSEECOM driver for the     Linux kernel 3.x, as used in Qualcomm Innovation Center     (QuIC) Android contributions for MSM devices and other     products, does not validate certain offset, length, and     base values within an ioctl call, which allows     attackers to gain privileges or cause a denial of     service (memory corruption) via a crafted     application.(CVE-2014-4322i1/4%0

  - An integer overflow vulnerability was found in the     Linux kernel in xt_alloc_table_info, which on 32-bit     systems can lead to small structure allocation and a     copy_from_user based heap corruption.(CVE-2016-3135i1/4%0

  - Stack-based buffer overflow in the     supply_lm_input_write function in     drivers/thermal/supply_lm_core.c in the MSM Thermal     driver for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allows attackers to cause a     denial of service or possibly have unspecified other     impact via a crafted application that sends a large     amount of data through the debugfs     interface.(CVE-2016-2063i1/4%0

  - The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in     the Linux kernel before 3.12.4 updates a certain length     value before ensuring that an associated data structure     has been initialized, which allows local users to     obtain sensitive information from kernel stack memory     via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system     call.(CVE-2013-7264i1/4%0

  - A bypass was found for the Spectre v1 hardening in the     eBPF engine of the Linux kernel. The code in the     kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic in     various cases, including cases of different branches     with different state or limits to sanitize, leading to     side-channel attacks.(CVE-2019-7308i1/4%0

  - The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel mishandles     inheritance, which allows local users to cause a denial     of service or possibly have unspecified other impact     via crafted system calls, a related issue to     CVE-2017-8890. An unprivileged local user could use     this flaw to induce kernel memory corruption on the     system, leading to a crash. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9077i1/4%0

  - The cgroup offline implementation in the Linux kernel     through 4.8.11 mishandles certain drain operations,     which allows local users to cause a denial of service     (system hang) by leveraging access to a container     environment for executing a crafted application, as     demonstrated by trinity.(CVE-2016-9191i1/4%0

  - The KVM implementation in the Linux kernel through     4.20.5 has a Use-after-Free.(CVE-2019-7221i1/4%0

  - A NULL pointer dereference flaw was found in the way     the Linux kernel's network subsystem handled socket     creation with an invalid protocol identifier. A local     user could use this flaw to crash the     system.(CVE-2015-8543i1/4%0

  - The drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux     kernel, through 4.13.11, allows local users to cause a     denial of service (general protection fault and system     crash) or possibly have unspecified other impact via a     crafted USB device, related to a missing warm-start     check and incorrect attach timing     (dm04_lme2510_frontend_attach versus     dm04_lme2510_tuner).(CVE-2017-16538i1/4%0

  - A use-after-free flaw was found in the way the Linux     kernel's Advanced Linux Sound Architecture (ALSA)     implementation handled user controls. A local,     privileged user could use this flaw to crash the     system.(CVE-2014-4653i1/4%0

  - A vulnerability leading to a local privilege escalation     was found in apparmor in the Linux kernel. When     proc_pid_attr_write() was changed to use memdup_user     apparmor's (interface violating) assumption that the     setprocattr buffer was always a single page was     violated.(CVE-2016-6187i1/4%0

  - A vulnerability was found in the Linux kernel in     'tmpfs' file system. When file permissions are modified     via 'chmod' and the user is not in the owning group or     capable of CAP_FSETID, the setgid bit is cleared in     inode_change_ok(). Setting a POSIX ACL via 'setxattr'     sets the file permissions as well as the new ACL, but     doesn't clear the setgid bit in a similar way this     allows to bypass the check in 'chmod'.(CVE-2017-5551i1/4%0

  - A flaw was found in the Linux Kernel in the     ucma_leave_multicast() function in     drivers/infiniband/core/ucma.c which allows access to a     certain data structure after freeing it in     ucma_process_join(). This allows an attacker to cause a     use-after-free bug and to induce kernel memory     corruption, leading to a system crash or other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2018-14734i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A use-after-free vulnerability was found in the     kernel's socket recvmmsg subsystem. This may allow     remote attackers to corrupt memory and may allow     execution of arbitrary code. This corruption takes     place during the error handling routines within
    __sys_recvmmsg() function.(CVE-2016-7117)

  - A heap-buffer overflow vulnerability was found in the     arcmsr_iop_message_xfer() function in     'drivers/scsi/arcmsr/arcmsr_hba.c' file in the Linux     kernel through 4.8.2. The function does not restrict a     certain length field, which allows local users to gain     privileges or cause a denial of service via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code. This can     potentially cause kernel heap corruption and arbitrary     kernel code execution.(CVE-2016-7425)

  - A flaw was found in the Linux kernel's implementation     of seq_file where a local attacker could manipulate     memory in the put() function pointer. This could lead     to memory corruption and possible privileged     escalation.(CVE-2016-7910)

  - A use-after-free vulnerability in sys_ioprio_get() was     found due to get_task_ioprio() accessing the     task-i1/4zio_context without holding the task lock and     could potentially race with exit_io_context(), leading     to a use-after-free.(CVE-2016-7911)

  - The xc2028_set_config function in     drivers/media/tuners/tuner-xc2028.c in the Linux kernel     before 4.6 allows local users to gain privileges or     cause a denial of service (use-after-free) via vectors     involving omission of the firmware name from a certain     data structure. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2016-7913)

  - The assoc_array_insert_into_terminal_node() function in     'lib/assoc_array.c' in the Linux kernel before 4.5.3     does not check whether a slot is a leaf, which allows     local users to obtain sensitive information from kernel     memory or cause a denial of service (invalid pointer     dereference and out-of-bounds read) via an application     that uses associative-array data     structures.(CVE-2016-7914)

  - The hid_input_field() function in     'drivers/hid/hid-core.c' in the Linux kernel before 4.6     allows physically proximate attackers to obtain     sensitive information from kernel memory or cause a     denial of service (out-of-bounds read) by connecting a     device.(CVE-2016-7915)

  - Race condition in the environ_read() function in     'fs/proc/base.c' in the Linux kernel before 4.5.4     allows local users to obtain sensitive information from     kernel memory by reading a '/proc/*/environ' file     during a process-setup time interval in which     environment-variable copying is     incomplete.(CVE-2016-7916)

  - A flaw was found in the Linux networking subsystem     where a local attacker with CAP_NET_ADMIN capabilities     could cause an out-of-bounds memory access by creating     a smaller-than-expected ICMP header and sending to its     destination via sendto().(CVE-2016-8399)

  - Linux kernel built with the Kernel-based Virtual     Machine (CONFIG_KVM) support is vulnerable to a null     pointer dereference flaw. It could occur on x86     platform, when emulating an undefined instruction. An     attacker could use this flaw to crash the host kernel     resulting in DoS.(CVE-2016-8630)

  - A buffer overflow vulnerability due to a lack of input     filtering of incoming fragmented datagrams was found in     the IP-over-1394 driver firewire-net in a fragment     handling code in the Linux kernel. The vulnerability     exists since firewire supported IPv4, i.e. since     version 2.6.31 (year 2009) till version v4.9-rc4. A     maliciously formed fragment with a respectively large     datagram offset would cause a memcpy() past the     datagram buffer, which would cause a system panic or     possible arbitrary code execution.The flaw requires     firewire-net module to be loaded and is remotely     exploitable from connected firewire devices, but not     over a local network.(CVE-2016-8633)

  - It was discovered that the Linux kernel since 3.6-rc1     with 'net.ipv4.tcp_fastopen' set to 1 can hit BUG()     statement in tcp_collapse() function after making a     number of certain syscalls leading to a possible system     crash.(CVE-2016-8645)

  - A vulnerability was found in the Linux kernel. An     unprivileged local user could trigger oops in     shash_async_export() by attempting to force the     in-kernel hashing algorithms into decrypting an empty     data set.(CVE-2016-8646)

  - A flaw was found in the Linux kernel key management     subsystem in which a local attacker could crash the     kernel or corrupt the stack and additional memory     (denial of service) by supplying a specially crafted     RSA key. This flaw panics the machine during the     verification of the RSA key.(CVE-2016-8650)

  - A race condition issue leading to a use-after-free flaw     was found in the way the raw packet sockets     implementation in the Linux kernel networking subsystem     handled synchronization while creating the TPACKET_V3     ring buffer. A local user able to open a raw packet     socket (requires the CAP_NET_RAW capability) could use     this flaw to elevate their privileges on the     system.(CVE-2016-8655)

  - A flaw was found in the way the Linux kernel's     networking subsystem handled offloaded packets with     multiple layers of encapsulation in the GRO (Generic     Receive Offload) code path. A remote attacker could use     this flaw to trigger unbounded recursion in the kernel     that could lead to stack corruption, resulting in a     system crash.(CVE-2016-8666)

  - A flaw was discovered in the Linux kernel's     implementation of VFIO. An attacker issuing an ioctl     can create a situation where memory is corrupted and     modify memory outside of the expected area. This may     overwrite kernel memory and subvert kernel     execution.(CVE-2016-9083)

  - The use of a kzalloc with an integer multiplication     allowed an integer overflow condition to be reached in     vfio_pci_intrs.c. This combined with CVE-2016-9083 may     allow an attacker to craft an attack and use     unallocated memory, potentially crashing the     machine.(CVE-2016-9084)

  - A flaw was found in the Linux kernel's implementation     of the SCTP protocol. A remote attacker could trigger     an out-of-bounds read with an offset of up to 64kB     potentially causing the system to crash.(CVE-2016-9555)

  - It was found that the blk_rq_map_user_iov() function in     the Linux kernel's block device implementation did not     properly restrict the type of iterator, which could     allow a local attacker to read or write to arbitrary     kernel memory locations or cause a denial of service     (use-after-free) by leveraging write access to a     /dev/sg device.(CVE-2016-9576)

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization(nVMX) feature     enabled(nested=1), is vulnerable to an uncaught     exception issue. It could occur if an L2 guest was to     throw an exception which is not handled by an L1     guest.(CVE-2016-9588)

  - It was discovered that root can gain direct access to     an internal keyring, such as '.dns_resolver' in RHEL-7     or '.builtin_trusted_keys' upstream, by joining it as     its session keyring. This allows root to bypass module     signature verification by adding a new public key of     its own devising to the keyring.(CVE-2016-9604)

  - A flaw was found in the Linux kernel's implementation     of XFS file attributes. Two memory leaks were detected     in xfs_attr_shortform_list and xfs_attr3_leaf_list_int     when running a docker container backed by xfs/overlay2.
    A dedicated attacker could possible exhaust all memory     and create a denial of service     situation.(CVE-2016-9685)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - arch/x86/kvm/vmx.c in the Linux kernel through 4.9     mismanages the #BP and #OF exceptions, which allows     guest OS users to cause a denial of service (guest OS     crash) by declining to handle an exception thrown by an     L2 guest.(CVE-2016-9588)

  - The IP stack in the Linux kernel before 4.6 allows     remote attackers to cause a denial of service (stack     consumption and panic) or possibly have unspecified     other impact by triggering use of the GRO path for     packets with tunnel stacking, as demonstrated by     interleaved IPv4 headers and GRE headers, a related     issue to CVE-2016-7039.(CVE-2016-8666)

  - The blk_rq_map_user_iov function in block/blk-map.c in     the Linux kernel before 4.8.14 does not properly     restrict the type of iterator, which allows local users     to read or write to arbitrary kernel memory locations     or cause a denial of service (use-after-free) by     leveraging access to a /dev/sg device.(CVE-2016-9576)

  - Race condition in the netlink_dump function in     net/netlink/af_netlink.c in the Linux kernel before     4.6.3 allows local users to cause a denial of service     (double free) or possibly have unspecified other impact     via a crafted application that makes sendmsg system     calls, leading to a free operation associated with a     new dump that started earlier than     anticipated.(CVE-2016-9806)

  - The sg implementation in the Linux kernel through 4.9     does not properly restrict write operations in     situations where the KERNEL_DS option is set, which     allows local users to read or write to arbitrary kernel     memory locations or cause a denial of service     (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c.
    NOTE: this vulnerability exists because of an     incomplete fix for CVE-2016-9576.(CVE-2016-10088)

  - A flaw was found in the Linux kernel's implementation     of the SCTP protocol. A remote attacker could trigger     an out-of-bounds read with an offset of up to 64kB     potentially causing the system to crash.
    (CVE-2016-9555)

  - The arch_pick_mmap_layout function in     arch/x86/mm/mmap.c in the Linux kernel through 4.5.2     does not properly randomize the legacy base address,     which makes it easier for local users to defeat the     intended restrictions on the ADDR_NO_RANDOMIZE flag,     and bypass the ASLR protection mechanism for a setuid     or setgid program, by disabling stack-consumption     resource limits.(CVE-2016-3672)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.38 to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2015-1350: The VFS subsystem in the Linux kernel 3.x     provides an incomplete set of requirements for setattr     operations that underspecifies removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bnc#914939).

  - CVE-2015-8964: The tty_set_termios_ldisc function in     drivers/tty/tty_ldisc.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a tty data structure (bnc#1010507).

  - CVE-2016-7039: The IP stack in the Linux kernel allowed     remote attackers to cause a denial of service (stack     consumption and panic) or possibly have unspecified     other impact by triggering use of the GRO path for large     crafted packets, as demonstrated by packets that contain     only VLAN headers, a related issue to CVE-2016-8666     (bnc#1001486).

  - CVE-2016-7042: The proc_keys_show function in     security/keys/proc.c in the Linux kernel through 4.8.2,     when the GNU Compiler Collection (gcc) stack protector     is enabled, uses an incorrect buffer size for certain     timeout data, which allowed local users to cause a     denial of service (stack memory corruption and panic) by     reading the /proc/keys file (bnc#1004517).

  - CVE-2016-7425: The arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did     not restrict a certain length field, which allowed local     users to gain privileges or cause a denial of service     (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

  - CVE-2016-7913: The xc2028_set_config function in     drivers/media/tuners/tuner-xc2028.c in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (use-after-free) via vectors involving     omission of the firmware name from a certain data     structure (bnc#1010478).

  - CVE-2016-7917: The nfnetlink_rcv_batch function in     net/netfilter/nfnetlink.c in the Linux kernel did not     check whether a batch message's length field is large     enough, which allowed local users to obtain sensitive     information from kernel memory or cause a denial of     service (infinite loop or out-of-bounds read) by     leveraging the CAP_NET_ADMIN capability (bnc#1010444).

  - CVE-2016-8645: The TCP stack in the Linux kernel     mishandled skb truncation, which allowed local users to     cause a denial of service (system crash) via a crafted     application that made sendto system calls, related to     net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c     (bnc#1009969).

  - CVE-2016-8666: The IP stack in the Linux kernel allowed     remote attackers to cause a denial of service (stack     consumption and panic) or possibly have unspecified     other impact by triggering use of the GRO path for     packets with tunnel stacking, as demonstrated by     interleaved IPv4 headers and GRE headers, a related     issue to CVE-2016-7039 (bnc#1003964).

  - CVE-2016-9083: drivers/vfio/pci/vfio_pci.c in the Linux     kernel allowed local users to bypass integer overflow     checks, and cause a denial of service (memory     corruption) or have unspecified other impact, by     leveraging access to a vfio PCI device file for a     VFIO_DEVICE_SET_IRQS ioctl call, aka a 'state machine     confusion bug (bnc#1007197).

  - CVE-2016-9084: drivers/vfio/pci/vfio_pci_intrs.c in the     Linux kernel misuses the kzalloc function, which allowed     local users to cause a denial of service (integer     overflow) or have unspecified other impact by leveraging     access to a vfio PCI device file (bnc#1007197).

  - CVE-2016-9793: A bug in SO_{SND|RCV}BUFFORCE     setsockopt() implementation was fixed, which allowed     CAP_NET_ADMIN users to cause memory corruption.
    (bsc#1013531).

  - CVE-2016-9919: The icmp6_send function in     net/ipv6/icmp.c in the Linux kernel omits a certain     check of the dst data structure, which allowed remote     attackers to cause a denial of service (panic) via a     fragmented IPv6 packet (bnc#1014701).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - KEYS: Fix short sprintf buffer in /proc/keys show     function (David Howells) [Orabug: 25306361]     (CVE-2016-7042)

  - nvme: Limit command retries (Keith Busch) [Orabug:
    25374751]

  - fs/proc/task_mmu.c: fix mm_access mode parameter in     pagemap_read (Kenny Keslar) [Orabug: 25374977]

  - tcp: fix use after free in tcp_xmit_retransmit_queue     (Eric Dumazet) [Orabug: 25374364] (CVE-2016-6828)

  - tunnels: Don't apply GRO to multiple layers of     encapsulation. (Jesse Gross) [Orabug: 25036352]     (CVE-2016-8666)

  - i40e: Don't notify client(s) for DCB changes on all VSIs     (Neerav Parikh) [Orabug: 25046290]

  - packet: fix race condition in packet_set_ring (Philip     Pettersson) [Orabug: 25231617] (CVE-2016-8655)

  - netlink: Fix dump skb leak/double free (Herbert Xu)     [Orabug: 25231692] (CVE-2016-9806)

  - ALSA: pcm : Call kill_fasync in stream lock (Takashi     Iwai) [Orabug: 25231720] (CVE-2016-9794)

  - net: avoid signed overflows for SO_[SND|RCV]BUFFORCE     (Eric Dumazet) [Orabug: 25231751] (CVE-2016-9793)

  - rebuild bumping release

Description of changes:

kernel-uek [4.1.12-61.1.25.el7uek]
- KEYS: Fix short sprintf buffer in /proc/keys show function (David Howells)  [Orabug: 25306361]  {CVE-2016-7042}
- nvme: Limit command retries (Keith Busch)  [Orabug: 25374751]
- fs/proc/task_mmu.c: fix mm_access() mode parameter in pagemap_read() (Kenny Keslar)  [Orabug: 25374977]
- tcp: fix use after free in tcp_xmit_retransmit_queue() (Eric Dumazet)   [Orabug: 25374364]  {CVE-2016-6828}
- tunnels: Don't apply GRO to multiple layers of encapsulation. (Jesse Gross)  [Orabug: 25036352]  {CVE-2016-8666}
- i40e: Don't notify client(s) for DCB changes on all VSIs (Neerav Parikh)  [Orabug: 25046290]
- packet: fix race condition in packet_set_ring (Philip Pettersson) [Orabug: 25231617]  {CVE-2016-8655}
- netlink: Fix dump skb leak/double free (Herbert Xu)  [Orabug: 25231692]  {CVE-2016-9806}
- ALSA: pcm : Call kill_fasync() in stream lock (Takashi Iwai)  [Orabug: 25231720]  {CVE-2016-9794}
- net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (Eric Dumazet) [Orabug: 25231751]  {CVE-2016-9793}

An update for kernel is now available for Red Hat Enterprise Linux 7.1 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* A flaw was found in the way the Linux kernel's networking subsystem handled offloaded packets with multiple layers of encapsulation in the GRO (Generic Receive Offload) code path. A remote attacker could use this flaw to trigger unbounded recursion in the kernel that could lead to stack corruption, resulting in a system crash. (CVE-2016-8666, Important)

Bug Fix(es) :

* When a virtual machine (VM) with PCI-Passthrough interfaces was recreated, the operating system rebooted. This update fixes the race condition between the eventfd daemon and the virqfd daemon. As a result, the operating system no longer reboots in the described situation. (BZ#1391609)

The SUSE Linux Enterprise 12 kernel was updated to 3.12.67 to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2016-7042: The proc_keys_show function in     security/keys/proc.c in the Linux kernel used an     incorrect buffer size for certain timeout data, which     allowed local users to cause a denial of service (stack     memory corruption and panic) by reading the /proc/keys     file (bsc#1004517).

  - CVE-2016-7097: The filesystem implementation in the     Linux kernel preserved the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions (bsc#995968).

  - CVE-2015-8956: The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel allowed     local users to obtain sensitive information or cause a     denial of service (NULL pointer dereference) via vectors     involving a bind system call on a Bluetooth RFCOMM     socket (bnc#1003925).

  - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel     did not properly determine the rate of challenge ACK     segments, which made it easier for man-in-the-middle     attackers to hijack TCP sessions via a blind in-window     attack (bnc#989152).

  - CVE-2016-6130: Race condition in the sclp_ctl_ioctl_sccb     function in drivers/s390/char/sclp_ctl.c in the Linux     kernel allowed local users to obtain sensitive     information from kernel memory by changing a certain     length value, aka a 'double fetch' vulnerability     (bnc#987542).

  - CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in     the Linux kernel allowed local users to cause a denial     of service (NULL pointer dereference and system crash)     by using an ABORT_TASK command to abort a device write     operation (bnc#994748).

  - CVE-2016-6480: Race condition in the ioctl_send_fib     function in drivers/scsi/aacraid/commctrl.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds access or system crash) by changing a     certain size value, aka a 'double fetch' vulnerability     (bnc#991608).

  - CVE-2016-6828: The tcp_check_send_head function in     include/net/tcp.h in the Linux kernel did not properly     maintain certain SACK state after a failed data copy,     which allowed local users to cause a denial of service     (tcp_xmit_retransmit_queue use-after-free and system     crash) via a crafted SACK option (bnc#994296).

  - CVE-2016-7425: The arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did     not restrict a certain length field, which allowed local     users to gain privileges or cause a denial of service     (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

  - CVE-2016-8658: Stack-based buffer overflow in the     brcmf_cfg80211_start_ap function in     drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021     1.c in the Linux kernel allowed local users to cause a     denial of service (system crash) or possibly have     unspecified other impact via a long SSID Information     Element in a command to a Netlink socket (bnc#1004462).

  - CVE-2016-8666: The IP stack in the Linux kernel allowed     remote attackers to cause a denial of service (stack     consumption and panic) or possibly have unspecified     other impact by triggering use of the GRO path for     packets with tunnel stacking, as demonstrated by     interleaved IPv4 headers and GRE headers, a related     issue to CVE-2016-7039 (bsc#1001486).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The IP stack in the Linux kernel before 4.6 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for packets with tunnel stacking, as demonstrated by interleaved IPv4 headers and GRE headers, a related issue to CVE-2016-7039 .
(CVE-2016-8666)

Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path, as an unlimited recursion could unfold in both VLAN and TEB modules, leading to a stack corruption in the kernel. (CVE-2016-7039)

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)

* Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path; As an unlimited recursion could unfold in both VLAN and TEB modules, leading to a stack corruption in the kernel. (CVE-2016-7039, Important)

Red Hat would like to thank Phil Oester for reporting CVE-2016-5195.

An update for kernel-rt is now available for Red Hat Enterprise MRG 2.5.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)

* Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path; As an unlimited recursion could unfold in both VLAN and TEB modules, leading to a stack corruption in the kernel. (CVE-2016-7039, Important)

Red Hat would like to thank Phil Oester for reporting CVE-2016-5195.

The openSUSE 13.1 kernel was updated to fix bugs and security issues.

The following security bugs were fixed :

  - CVE-2016-8666: The IP stack in the Linux kernel allowed     remote attackers to cause a denial of service (stack     consumption and panic) or possibly have unspecified     other impact by triggering use of the GRO path for     packets with tunnel stacking, as demonstrated by     interleaved IPv4 headers and GRE headers, a related     issue to CVE-2016-7039 (bnc#1001486).

  - CVE-2016-5195: A local privilege escalation using     MAP_PRIVATE was fixed, which is reportedly exploited in     the wild (bsc#1004418).

The following non-security bugs were fixed :

  - sched/core: Fix a race between try_to_wake_up() and a     woken up task (bsc#1002165, bsc#1001419).

  - sched/core: Fix an SMP ordering race in try_to_wake_up()     vs. schedule() (bnc#1001419).

  - tunnels: Do not apply GRO to multiple layers of     encapsulation (bsc#1001486).

The openSUSE Leap 42.1 kernel was updated to 4.1.34, fixing bugs and security issues.

The following security bugs were fixed :

  - CVE-2016-5195: A local privilege escalation using     MAP_PRIVATE was fixed, which is reportedly exploited in     the wild (bsc#1004418).

  - CVE-2016-8658: Stack-based buffer overflow in the     brcmf_cfg80211_start_ap function in     drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021     1.c in the Linux kernel allowed local users to cause a     denial of service (system crash) or possibly have     unspecified other impact via a long SSID Information     Element in a command to a Netlink socket (bnc#1004462).

  - CVE-2016-7039: The IP stack in the Linux kernel allowed     remote attackers to cause a denial of service (stack     consumption and panic) or possibly have unspecified     other impact by triggering use of the GRO path for large     crafted packets, as demonstrated by packets that contain     only VLAN headers, a related issue to CVE-2016-8666     (bnc#1001486).

  - CVE-2016-7425: The arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did     not restrict a certain length field, which allowed local     users to gain privileges or cause a denial of service     (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

The following non-security bugs were fixed :

  - 9p: use file_dentry() (bsc#1005101).

  - af_unix: Do not set err in unix_stream_read_generic     unless there was an error (bsc#1005101).

  - alsa: hda - Fix superfluous HDMI jack repoll     (bsc#1005101).

  - alsa: hda - Turn off loopback mixing as default     (bsc#1001462).

  - apparmor: add missing id bounds check on dfa     verification (bsc#1000304).

  - apparmor: check that xindex is in trans_table bounds     (bsc#1000304).

  - apparmor: do not check for vmalloc_addr if kvzalloc()     failed (bsc#1000304).

  - apparmor: do not expose kernel stack (bsc#1000304).

  - apparmor: ensure the target profile name is always     audited (bsc#1000304).

  - apparmor: exec should not be returning ENOENT when it     denies (bsc#1000304).

  - apparmor: fix audit full profile hname on successful     load (bsc#1000304).

  - apparmor: fix change_hat not finding hat after policy     replacement (bsc#1000287).

  - apparmor: fix disconnected bind mnts reconnection     (bsc#1000304).

  - apparmor: fix log failures for all profiles in a set     (bsc#1000304).

  - apparmor: fix module parameters can be changed after     policy is locked (bsc#1000304).

  - apparmor: fix oops in profile_unpack() when policy_db is     not present (bsc#1000304).

  - apparmor: fix put() parent ref after updating the active     ref (bsc#1000304).

  - apparmor: fix refcount bug in profile replacement     (bsc#1000304).

  - apparmor: fix refcount race when finding a child profile     (bsc#1000304).

  - apparmor: fix replacement bug that adds new child to old     parent (bsc#1000304).

  - apparmor: fix uninitialized lsm_audit member     (bsc#1000304).

  - apparmor: fix update the mtime of the profile file on     replacement (bsc#1000304).

  - apparmor: internal paths should be treated as     disconnected (bsc#1000304).

  - apparmor: use list_next_entry instead of list_entry_next     (bsc#1000304).

  - arm: orion5x: Fix legacy get_irqnr_and_base     (bsc#1005101).

  - batman-adv: Fix memory leak on tt add with invalid vlan     (bsc#1005101).

  - batman-adv: replace WARN with rate limited output on     non-existing VLAN (bsc#1005101).

  - blacklist.conf: add some commits (bsc#1005101)

  - blacklist.conf: add unaplicable IB/uverbs commit     (bsc#1005101)

  - blacklist.conf: Blacklist unsupported architectures

  - blkfront: fix an error path memory leak (luckily none so     far).

  - blktap2: eliminate deadlock potential from shutdown path     (bsc#909994).

  - blktap2: eliminate race from deferred work queue     handling (bsc#911687).

  - btrfs: ensure that file descriptor used with subvol     ioctls is a dir (bsc#999600).

  - cdc-acm: added sanity checking for probe() (bsc#993891).

  - cgroup: add seq_file forward declaration for struct     cftype (bsc#1005101).

  - do 'fold checks into iterate_and_advance()' right     (bsc#972460).

  - drm/i915: Wait up to 3ms for the pcu to ack the cdclk     change request on SKL (bsc#1005101).

  - drm/rockchip: unset pgoff when mmap'ing gems     (bsc#1005101).

  - fold checks into iterate_and_advance() (bsc#972460).

  - fs/cifs: cifs_get_root shouldn't use path with tree name     (bsc#963655, bsc#979681, bsc#1000907).

  - fs/cifs: Compare prepaths when comparing superblocks     (bsc#799133).

  - fs/cifs: Fix memory leaks in cifs_do_mount()     (bsc#799133).

  - fs/cifs: Fix regression which breaks DFS mounting     (bsc#799133).

  - fs/cifs: Move check for prefix path to within     cifs_get_root() (bsc#799133).

  - hid: multitouch: force retrieving of Win8 signature blob     (bsc#1005101).

  - input: ALPS - add touchstick support for SS5 hardware     (bsc#987703).

  - input: ALPS - allow touchsticks to report pressure     (bsc#987703).

  - input: ALPS - handle 0-pressure 1F events (bsc#987703).

  - input: ALPS - set DualPoint flag for 74 03 28 devices     (bsc#987703).

  - ipip: Properly mark ipip GRO packets as encapsulated     (bsc#1001486).

  - ipv6: suppress sparse warnings in IP6_ECN_set_ce()     (bsc#1005101).

  - kabi: hide name change of napi_gro_cb::udp_mark     (bsc#1001486).

  - kaweth: fix firmware download (bsc#993890).

  - kaweth: fix oops upon failed memory allocation     (bsc#993890).

  - kvm: x86: only channel 0 of the i8254 is linked to the     HPET (bsc#1005101).

  - memcg: fix thresholds for 32b architectures     (bsc#1005101).

  - msi-x: fix an error path (luckily none so far).

  - netback: fix flipping mode (bsc#996664).

  - netback: fix flipping mode (bsc#996664).

  - netem: fix a use after free (bsc#1005101).

  - net: fix warnings in 'make htmldocs' by moving macro     definition out of field declaration (bsc#1005101).

  - netfront: linearize SKBs requiring too many slots     (bsc#991247).

  - netlink: not trim skb for mmaped socket when dump     (bsc#1005101).

  - net_sched: fix pfifo_head_drop behavior vs backlog     (bsc#1005101).

  - net_sched: keep backlog updated with qlen (bsc#1005101).

  - nfs: use file_dentry() (bsc#1005101).

  - ovl: fix open in stacked overlay (bsc#1005101).

  - pci: Prevent out of bounds access in numa_node override     (bsc#1005101).

  - perf/core: Do not leak event in the syscall error path     (bsc#1005101).

  - perf: Fix PERF_EVENT_IOC_PERIOD deadlock (bsc#1005101).

  - Revive iov_iter_fault_in_multipages_readable() for     4.1.34.

  - sch_drr: update backlog as well (bsc#1005101).

  - sch_hfsc: always keep backlog updated (bsc#1005101).

  - sch_prio: update backlog as well (bsc#1005101).

  - sch_qfq: keep backlog updated with qlen (bsc#1005101).

  - sch_red: update backlog as well (bsc#1005101).

  - sch_sfb: keep backlog updated with qlen (bsc#1005101).

  - sch_tbf: update backlog as well (bsc#1005101).

  - tpm: fix: return rc when devm_add_action() fails     (bsc#1005101).

  - tunnels: Do not apply GRO to multiple layers of     encapsulation (bsc#1001486).

  - Update blacklisting documentation to contain     path-blacklisting

  - usb: fix typo in wMaxPacketSize validation (bsc#991665).

  - usb: hub: Fix auto-remount of safely removed or ejected     USB-3 devices (bsc#922634).

  - x86/LDT: Print the real LDT base address (bsc#1005101).

  - x86/PCI: Mark Broadwell-EP Home Agent 1 as having     non-compliant BARs (bsc#1005101).

  - xenbus: do not bail early from     xenbus_dev_request_and_reply() (luckily none so far).

  - xenbus: inspect the correct type in     xenbus_dev_request_and_reply().

  - xen: Fix refcnt regression in xen netback introduced by     changes made for bug#881008 (bnc#978094)

  - xen: Linux 4.1.28.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path as an unlimited recursion could unfold in both VLAN and TEB modules leading to a stack corruption in the kernel. (CVE-2016-7039, Important)

From Red Hat Security Advisory 2016:2047 :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path as an unlimited recursion could unfold in both VLAN and TEB modules leading to a stack corruption in the kernel. (CVE-2016-7039, Important)

ID	Name	Product	Family	Severity
124978	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1525)	Nessus	Huawei Local Security Checks	high
124819	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1496)	Nessus	Huawei Local Security Checks	critical
99848	EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1001)	Nessus	Huawei Local Security Checks	critical
96603	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:0181-1)	Nessus	SuSE Local Security Checks	high
96517	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0004)	Nessus	OracleVM Local Security Checks	high
96477	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3508)	Nessus	Oracle Linux Local Security Checks	high
96307	RHEL 7 : kernel (RHSA-2017:0004)	Nessus	Red Hat Local Security Checks	high
95701	openSUSE Security Update : the Linux Kernel (openSUSE-2016-1426)	Nessus	SuSE Local Security Checks	critical
95368	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:2912-1)	Nessus	SuSE Local Security Checks	high
94682	Amazon Linux AMI : kernel (ALAS-2016-762)	Nessus	Amazon Linux Local Security Checks	high
94316	RHEL 7 : kernel-rt (RHSA-2016:2110) (Dirty COW)	Nessus	Red Hat Local Security Checks	high
94315	RHEL 6 : MRG (RHSA-2016:2107) (Dirty COW)	Nessus	Red Hat Local Security Checks	high
94239	openSUSE Security Update : the Linux Kernel (openSUSE-2016-1211) (Dirty COW)	Nessus	SuSE Local Security Checks	high
94219	openSUSE Security Update : the Linux Kernel (openSUSE-2016-1212) (Dirty COW)	Nessus	SuSE Local Security Checks	high
93967	CentOS 7 : kernel (CESA-2016:2047)	Nessus	CentOS Local Security Checks	high
93952	RHEL 7 : kernel (RHSA-2016:2047)	Nessus	Red Hat Local Security Checks	high
93949	Oracle Linux 7 : kernel (ELSA-2016-2047)	Nessus	Oracle Linux Local Security Checks	high

CVE-2016-8666

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins