http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1c109fabbd51863475cd12ac206bdd249aee35af

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.5

[oss-security] 20161104 Re: kernel: fix minor infoleak in get_user_ex()

94144

https://bugzilla.redhat.com/show_bug.cgi?id=1391908

https://github.com/torvalds/linux/commit/1c109fabbd51863475cd12ac206bdd249aee35af

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The offset2lib patch as used in the Linux Kernel     contains a vulnerability that allows a PIE binary to be     execve()'ed with 1GB of arguments or environmental     strings then the stack occupies the address 0x80000000     and the PIE binary is mapped above 0x40000000     nullifying the protection of the offset2lib patch. This     affects Linux Kernel version 4.11.5 and earlier. This     is a different issue than CVE-2017-1000371. This issue     appears to be limited to i386 based     systems.(CVE-2017-1000370i1/4%0

  - Integer overflow in the LZ4 algorithm implementation,     as used in Yann Collet LZ4 before r118 and in the     lz4_uncompress function in lib/lz4/lz4_decompress.c in     the Linux kernel before 3.15.2, on 32-bit platforms     might allow context-dependent attackers to cause a     denial of service (memory corruption) or possibly have     unspecified other impact via a crafted Literal Run that     would be improperly handled by programs not complying     with an API limitation, a different vulnerability than     CVE-2014-4715.(CVE-2014-4611i1/4%0

  - The replace_map_fd_with_map_ptr function in     kernel/bpf/verifier.c in the Linux kernel before 4.5.5     does not properly maintain an fd data structure, which     allows local users to gain privileges or cause a denial     of service (use-after-free) via crafted BPF     instructions that reference an incorrect file     descriptor.(CVE-2016-4557i1/4%0

  - The usb_destroy_configuration() function, in     'drivers/usb/core/config.c' in the USB core subsystem,     in the Linux kernel through 4.14.5 does not consider     the maximum number of configurations and interfaces     before attempting to release resources. This allows     local users to cause a denial of service, due to     out-of-bounds write access, or possibly have     unspecified other impact via a crafted USB device. Due     to the nature of the flaw, privilege escalation cannot     be fully ruled out, although we believe it is     unlikely.(CVE-2017-17558i1/4%0

  - The cdrom_ioctl_media_changed function in     drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6     allows local attackers to use a incorrect bounds check     in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read     out kernel memory.(CVE-2018-10940i1/4%0

  - It was found that the parse_rock_ridge_inode_internal()     function of the Linux kernel's ISOFS implementation did     not correctly check relocated directories when     processing Rock Ridge child link (CL) tags. An attacker     with physical access to the system could use a     specially crafted ISO image to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-5471i1/4%0

  - A flaw was found in the Linux kernel's implementation     of Unix sockets. A server polling for client-socket     data could put the peer socket on a wait list the peer     socket could then close the connection, making the     reference on the wait list no longer valid. This could     lead to bypassing the permissions on a Unix socket and     packets being injected into the stream, and could also     panic the machine (denial of service).(CVE-2013-7446i1/4%0

  - The do_check function in kernel/bpf/verifier.c in the     Linux kernel before 4.11.1 does not make the     allow_ptr_leaks value available for restricting the     output of the print_bpf_insn function, which allows     local users to obtain sensitive address information via     crafted bpf system calls.(CVE-2017-9150i1/4%0

  - The WLAN (aka Wi-Fi) driver for the Linux kernel 3.x     and 4.x, as used in Qualcomm Innovation Center (QuIC)     Android contributions for MSM devices and other     products, does not verify authorization for private SET     IOCTL calls, which allows attackers to gain privileges     via a crafted application, related to     wlan_hdd_hostapd.c and     wlan_hdd_wext.c.(CVE-2015-0571i1/4%0

  - arch/arm64/kvm/guest.c in KVM in the Linux kernel     before 4.18.12 on the arm64 platform mishandles the     KVM_SET_ON_REG ioctl. This is exploitable by attackers     who can create virtual machines. An attacker can     arbitrarily redirect the hypervisor flow of control     (with full register control). An attacker can also     cause a denial of service (hypervisor panic) via an     illegal exception return. This occurs because of     insufficient restrictions on userspace access to the     core register file, and because PSTATE.M validation     does not prevent unintended execution     modes.(CVE-2018-18021i1/4%0

  - A resource-exhaustion vulnerability was found in the     kernel, where an unprivileged process could allocate     and accumulate far more file descriptors than the     process' limit. A local, unauthenticated user could     exploit this flaw by sending file descriptors over a     Unix socket and then closing them to keep the process'     fd count low, thereby creating kernel-memory or     file-descriptors exhaustion (denial of     service).(CVE-2016-2550i1/4%0

  - The Linux kernel before 3.12.4 updates certain length     values before ensuring that associated data structures     have been initialized, which allows local users to     obtain sensitive information from kernel stack memory     via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system     call, related to net/ipv4/ping.c, net/ipv4/raw.c,     net/ipv4/udp.c, net/ipv6/raw.c, and     net/ipv6/udp.c.(CVE-2013-7263i1/4%0

  - It is possible for a single process to cause an OOM     condition by filling large pipes with data that are     never read. A typical process filling 4096 pipes with 1     MB of data will use 4 GB of memory and there can be     multiple such processes, up to a     per-user-limit.(CVE-2016-2847i1/4%0

  - The __get_user_asm_ex macro in     arch/x86/include/asm/uaccess.h in the Linux kernel     before 4.7.5 does not initialize a certain integer     variable, which allows local users to obtain sensitive     information from kernel stack memory by triggering     failure of a get_user_ex call.(CVE-2016-9178i1/4%0

  - It was found that the x86 ISA (Instruction Set     Architecture) is prone to a denial of service attack     inside a virtualized environment in the form of an     infinite loop in the microcode due to the way     (sequential) delivering of benign exceptions such as     #DB (debug exception) is handled. A privileged user     inside a guest could use this flaw to create denial of     service conditions on the host kernel.(CVE-2015-8104i1/4%0

  - The Direct Rendering Manager (DRM) subsystem in the     Linux kernel through 4.x mishandles requests for     Graphics Execution Manager (GEM) objects, which allows     context-dependent attackers to cause a denial of     service (memory consumption) via an application that     processes graphics data, as demonstrated by JavaScript     code that creates many CANVAS elements for rendering by     Chrome or Firefox.(CVE-2013-7445i1/4%0

  - A flaw was found in the Linux kernel which does not     initialize certain data structures used by DMA transfer     on ARM64 based systems. This could allow local users to     obtain sensitive information from kernel memory by     triggering a dma_mmap call and reconstructing the     data.(CVE-2015-8950i1/4%0

  - A race condition was found in the Linux kernel before     version 4.11-rc1 in 'fs/timerfd.c' file which allows a     local user to cause a kernel list corruption or     use-after-free via simultaneous operations with a file     descriptor which leverage improper 'might_cancel'     queuing. An unprivileged local user could use this flaw     to cause a denial of service of the system. Due to the     nature of the flaw, privilege escalation cannot be     fully ruled out, although we believe it is     unlikely.(CVE-2017-10661i1/4%0

  - The sg_ioctl() function in 'drivers/scsi/sg.c' in the     Linux kernel, from version 4.12-rc1 to 4.14-rc2, allows     local users to obtain sensitive information from     uninitialized kernel heap-memory locations via an     SG_GET_REQUEST_TABLE ioctl call for     '/dev/sg0'.(CVE-2017-14991i1/4%0

  - A race condition in the ip4_datagram_release_cb     function in net/ipv4/datagram.c in the Linux kernel     allows local users to gain privileges or cause a denial     of service (use-after-free) by leveraging incorrect     expectations about locking during multithreaded access     to internal data structures for IPv4 UDP     sockets.(CVE-2014-9914i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses.
A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-1000251)

It was discovered that the asynchronous I/O (aio) subsystem of the Linux kernel did not properly set permissions on aio memory mappings in some situations. An attacker could use this to more easily exploit other vulnerabilities. (CVE-2016-10044)

Baozeng Ding and Andrey Konovalov discovered a race condition in the L2TPv3 IP Encapsulation implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-10200)

Andreas Gruenbacher and Jan Kara discovered that the filesystem implementation in the Linux kernel did not clear the setgid bit during a setxattr call. A local attacker could use this to possibly elevate group privileges. (CVE-2016-7097)

Sergej Schumilo, Ralf Spenneberg, and Hendrik Schwartke discovered that the key management subsystem in the Linux kernel did not properly allocate memory in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-8650)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)

It was discovered that an information leak existed in
__get_user_asm_ex() in the Linux kernel. A local attacker could use this to expose sensitive information. (CVE-2016-9178)

CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

It was discovered that an integer overflow existed in the trace subsystem of the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2016-9754)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

It was discovered that the keyring implementation in the Linux kernel did not properly restrict searches for dead keys. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6951)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7187)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

It was discovered that a buffer overflow existed in the Broadcom FullMAC WLAN driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7541).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Revert 'x86/mm: Expand the exception table logic to     allow new handling options' (Brian Maly) [Orabug:
    25790387] (CVE-2016-9644)

  - Revert 'fix minor infoleak in get_user_ex' (Brian Maly)     [Orabug: 25790387] (CVE-2016-9644)

  - x86/mm: Expand the exception table logic to allow new     handling options (Tony Luck) [Orabug: 25790387]     (CVE-2016-9644)

  - rebuild bumping release

  - net: ping: check minimum size on ICMP header length     (Kees Cook) [Orabug: 25766898] (CVE-2016-8399)     (CVE-2016-8399)

  - sg_write/bsg_write is not fit to be called under     KERNEL_DS (Al Viro) [Orabug: 25765436] (CVE-2016-10088)

  - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter     chang) [Orabug: 25751984] (CVE-2017-7187)

  - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander     Popov) [Orabug: 25696677] (CVE-2017-2636)

  - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)     [Orabug: 25696677] (CVE-2017-2636)

  - If Slot Status indicates changes in both Data Link Layer     Status and Presence Detect, prioritize the Link status     change. (Jack Vogel) 

  - PCI: pciehp: Leave power indicator on when enabling     already-enabled slot (Ashok Raj) [Orabug: 25353783]

  - firewire: net: guard against rx buffer overflows (Stefan     Richter) [Orabug: 25451520] (CVE-2016-8633)

  - usbnet: cleanup after bind in probe (Oliver Neukum)     [Orabug: 25463898] (CVE-2016-3951)

  - cdc_ncm: do not call usbnet_link_change from     cdc_ncm_bind (Bj&oslash rn Mork) [Orabug: 25463898]     (CVE-2016-3951)

  - cdc_ncm: Add support for moving NDP to end of NCM frame     (Enrico Mioso) [Orabug: 25463898] (CVE-2016-3951)

  - x86/mm/32: Enable full randomization on i386 and X86_32     (Hector Marco-Gisbert) [Orabug: 25463918]     (CVE-2016-3672)

  - kvm: fix page struct leak in handle_vmon (Paolo Bonzini)     [Orabug: 25507133] (CVE-2017-2596)

  - crypto: mcryptd - Check mcryptd algorithm compatibility     (tim) [Orabug: 25507153] (CVE-2016-10147)

  - kvm: nVMX: Allow L1 to intercept software exceptions     (#BP and #OF) (Jim Mattson) [Orabug: 25507188]     (CVE-2016-9588)

  - KVM: x86: drop error recovery in em_jmp_far and     em_ret_far (Radim Kr&#x10D m&aacute &#x159 ) [Orabug:
    25507213] (CVE-2016-9756)

  - tcp: take care of truncations done by sk_filter (Eric     Dumazet) [Orabug: 25507226] (CVE-2016-8645)

  - rose: limit sk_filter trim to payload (Willem de Bruijn)     [Orabug: 25507226] (CVE-2016-8645)

  - tipc: check minimum bearer MTU (Michal Kube&#x10D ek)     [Orabug: 25507239] (CVE-2016-8632) (CVE-2016-8632)

  - fix minor infoleak in get_user_ex (Al Viro) [Orabug:
    25507269] (CVE-2016-9178)

  - scsi: arcmsr: Simplify user_len checking (Borislav     Petkov) [Orabug: 25507319] (CVE-2016-7425)

  - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer     (Dan Carpenter) [Orabug: 25507319] (CVE-2016-7425)

  - tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)     [Orabug: 25507341] (CVE-2016-7097) (CVE-2016-7097)

  - posix_acl: Clear SGID bit when setting file permissions     (Jan Kara) [Orabug: 25507341] (CVE-2016-7097)     (CVE-2016-7097)

  - ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366]     (CVE-2015-8952)

  - ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366]     (CVE-2015-8952)

  - mbcache2: reimplement mbcache (Jan Kara) [Orabug:
    25512366] (CVE-2015-8952)

  - USB: digi_acceleport: do sanity checking for the number     of ports (Oliver Neukum) [Orabug: 25512466]     (CVE-2016-3140)

  - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)     [Orabug: 25682419] (CVE-2017-6345)

  - net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli     Cohen) 

  - ipv4: keep skb->dst around in presence of IP options     (Eric Dumazet) [Orabug: 25698300] (CVE-2017-5970)

  - perf/core: Fix concurrent sys_perf_event_open vs.
    'move_group' race (Peter Zijlstra) [Orabug: 25698751]     (CVE-2017-6001)

  - ip6_gre: fix ip6gre_err invalid reads (Eric Dumazet)     [Orabug: 25699015] (CVE-2017-5897)

  - mpt3sas: Don't spam logs if logging level is 0 (Johannes     Thumshirn) 

  - xen-netfront: cast grant table reference first to type     int (Dongli Zhang)

  - xen-netfront: do not cast grant table reference to     signed short (Dongli Zhang)

Description of changes:

[3.8.13-118.17.4.el7uek]
- Revert 'fix minor infoleak in get_user_ex()' (Brian Maly)  [Orabug: 25790392]  {CVE-2016-9644}

[3.8.13-118.17.3.el7uek]
- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766911]  {CVE-2016-8399}

[3.8.13-118.17.2.el7uek]
- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) [Orabug: 25765776]  {CVE-2016-10142}
- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro)  [Orabug: 25765445]  {CVE-2016-10088}
- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25751996]  {CVE-2017-7187}

[3.8.13-118.17.1.el7uek]
- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov)  [Orabug: 25696686]  {CVE-2017-2636}
- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)  [Orabug: 25696686]  {CVE-2017-2636}
- drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian Frederick)  [Orabug: 25696686]  {CVE-2017-2636}
- x86: bpf_jit: fix compilation of large bpf programs (Alexei Starovoitov)  [Orabug: 21305080]  {CVE-2015-4700}
- net: filter: return -EINVAL if BPF_S_ANC* operation is not supported (Daniel Borkmann)  [Orabug: 22187148] - KEYS: request_key() should reget expired keys rather than give EKEYEXPIRED (David Howells)  - KEYS: Increase root_maxkeys and root_maxbytes sizes (Steve Dickson)  - firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451530]  {CVE-2016-8633}
- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert)  [Orabug: 25463927]  {CVE-2016-3672}
- x86 get_unmapped_area: Access mmap_legacy_base through mm_struct member (Radu Caragea)  [Orabug: 25463927]  {CVE-2016-3672}
- pptp: verify sockaddr_len in pptp_bind() and pptp_connect() (WANG Cong)  [Orabug: 25490335]  {CVE-2015-8569}
- sg_start_req(): make sure that there's not too many elements in iovec (Al Viro)  [Orabug: 25490372]  {CVE-2015-5707}
- kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) (Jim Mattson)  [Orabug: 25507195]  {CVE-2016-9588}
- tcp: take care of truncations done by sk_filter() (Eric Dumazet) [Orabug: 25507230]  {CVE-2016-8645}
- rose: limit sk_filter trim to payload (Willem de Bruijn)  [Orabug: 25507230]  {CVE-2016-8645}
- fix minor infoleak in get_user_ex() (Al Viro)  [Orabug: 25507281] {CVE-2016-9178}
- scsi: arcmsr: Simplify user_len checking (Borislav Petkov)  [Orabug: 25507328]  {CVE-2016-7425}
- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan Carpenter)  [Orabug: 25507328]  {CVE-2016-7425}
- net: fix a kernel infoleak in x25 module (Kangjie Lu)  [Orabug: 25512413]  {CVE-2016-4580}
- USB: digi_acceleport: do sanity checking for the number of ports (Oliver Neukum)  [Orabug: 25512471]  {CVE-2016-3140}
- ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) [Orabug: 25543892]  {CVE-2017-5970}
- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet)  [Orabug: 25682430]  {CVE-2017-6345}
- dccp: fix freeing skb too early for IPV6_RECVPKTINFO (Andrey Konovalov)   {CVE-2017-6074}
- crypto: algif_hash - Only export and import on sockets with data (Herbert Xu)  [Orabug: 25417805]  {CVE-2016-8646}
- USB: usbfs: fix potential infoleak in devio (Kangjie Lu)  [Orabug: 25462760]  {CVE-2016-4482}
- net: fix infoleak in llc (Kangjie Lu)  [Orabug: 25462807]  {CVE-2016-4485}
- af_unix: Guard against other == sk in unix_dgram_sendmsg (Rainer Weikusat)  [Orabug: 25463996]  {CVE-2013-7446}
- unix: avoid use-after-free in ep_remove_wait_queue (Rainer Weikusat) [Orabug: 25463996]  {CVE-2013-7446}
- net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (Eric Dumazet) [Orabug: 25203623]  {CVE-2016-9793}

Description of changes:

[4.1.12-61.1.33.el7uek]
- Revert 'x86/mm: Expand the exception table logic to allow new handling options' (Brian Maly)  [Orabug: 25790387]  {CVE-2016-9644}
- Revert 'fix minor infoleak in get_user_ex()' (Brian Maly)  [Orabug: 25790387]  {CVE-2016-9644}

[4.1.12-61.1.32.el7uek]
- x86/mm: Expand the exception table logic to allow new handling options (Tony Luck)  [Orabug: 25790387]  {CVE-2016-9644}

[4.1.12-61.1.31.el7uek]
- rebuild bumping release

[4.1.12-61.1.30.el7uek]
- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766898]  {CVE-2016-8399} {CVE-2016-8399}
- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro)  [Orabug: 25765436]  {CVE-2016-10088}
- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25751984]  {CVE-2017-7187}

[4.1.12-61.1.29.el7uek]
- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov)  [Orabug: 25696677]  {CVE-2017-2636}
- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)  [Orabug: 25696677]  {CVE-2017-2636}
- If Slot Status indicates changes in both Data Link Layer Status and Presence Detect, prioritize the Link status change. (Jack Vogel) [Orabug: 25353783]
- PCI: pciehp: Leave power indicator on when enabling already-enabled slot (Ashok Raj)  [Orabug: 25353783]
- firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451520]  {CVE-2016-8633}
- usbnet: cleanup after bind() in probe() (Oliver Neukum)  [Orabug: 25463898]  {CVE-2016-3951}
- cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind (Bj&oslash rn Mork)   [Orabug: 25463898]  {CVE-2016-3951}
- cdc_ncm: Add support for moving NDP to end of NCM frame (Enrico Mioso)   [Orabug: 25463898]  {CVE-2016-3951}
- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert)  [Orabug: 25463918]  {CVE-2016-3672}
- kvm: fix page struct leak in handle_vmon (Paolo Bonzini)  [Orabug: 25507133]  {CVE-2017-2596}
- crypto: mcryptd - Check mcryptd algorithm compatibility (tim) [Orabug: 25507153]  {CVE-2016-10147}
- kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) (Jim Mattson)  [Orabug: 25507188]  {CVE-2016-9588}
- KVM: x86: drop error recovery in em_jmp_far and em_ret_far (Radim Kr&#x10D m&aacute &#x159 )  [Orabug: 25507213]  {CVE-2016-9756}
- tcp: take care of truncations done by sk_filter() (Eric Dumazet) [Orabug: 25507226]  {CVE-2016-8645}
- rose: limit sk_filter trim to payload (Willem de Bruijn)  [Orabug: 25507226]  {CVE-2016-8645}
- tipc: check minimum bearer MTU (Michal Kube&#x10D ek)  [Orabug: 25507239] {CVE-2016-8632} {CVE-2016-8632}
- fix minor infoleak in get_user_ex() (Al Viro)  [Orabug: 25507269] {CVE-2016-9178}
- scsi: arcmsr: Simplify user_len checking (Borislav Petkov)  [Orabug: 25507319]  {CVE-2016-7425}
- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan Carpenter)  [Orabug: 25507319]  {CVE-2016-7425}
- tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)  [Orabug: 25507341]  {CVE-2016-7097} {CVE-2016-7097}
- posix_acl: Clear SGID bit when setting file permissions (Jan Kara) [Orabug: 25507341]  {CVE-2016-7097} {CVE-2016-7097}
- ext2: convert to mbcache2 (Jan Kara)  [Orabug: 25512366]  {CVE-2015-8952}
- ext4: convert to mbcache2 (Jan Kara)  [Orabug: 25512366]  {CVE-2015-8952}
- mbcache2: reimplement mbcache (Jan Kara)  [Orabug: 25512366] {CVE-2015-8952}
- USB: digi_acceleport: do sanity checking for the number of ports (Oliver Neukum)  [Orabug: 25512466]  {CVE-2016-3140}
- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet)  [Orabug: 25682419]  {CVE-2017-6345}
- net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli Cohen) [Orabug: 25697847]
- ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) [Orabug: 25698300]  {CVE-2017-5970}
- perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race (Peter Zijlstra)  [Orabug: 25698751]  {CVE-2017-6001}
- ip6_gre: fix ip6gre_err() invalid reads (Eric Dumazet)  [Orabug: 25699015]  {CVE-2017-5897}
- mpt3sas: Don't spam logs if logging level is 0 (Johannes Thumshirn) [Orabug: 25699035]
- xen-netfront: cast grant table reference first to type int (Dongli Zhang)
- xen-netfront: do not cast grant table reference to signed short (Dongli Zhang)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2012-6704, CVE-2016-9793

Eric Dumazet found that a local user with CAP_NET_ADMIN capability could set a socket's buffer size to be negative, leading to a denial of service or other security impact. Additionally, in kernel versions prior to 3.5, any user could do this if sysctl net.core.rmem_max was changed to a very large value.

CVE-2015-1350 / #770492

Ben Harris reported that local users could remove set-capability attributes from any file visible to them, allowing a denial of service.

CVE-2015-8962

Calvin Owens fouund that removing a SCSI device while it was being accessed through the SCSI generic (sg) driver led to a double- free, possibly causing a denial of service (crash or memory corruption) or privilege escalation. This could be exploited by local users with permision to access a SCSI device node.

CVE-2015-8963

Sasha Levin reported that hot-unplugging a CPU resulted in a use-after-free by the performance events (perf) subsystem, possibly causing a denial of service (crash or memory corruption) or privilege escalation. This could by exploited by any local user.

CVE-2015-8964

It was found that the terminal/serial (tty) subsystem did not reliably reset the terminal buffer state when the terminal line discipline was changed. This could allow a local user with access to a terminal device to read sensitive information from kernel memory.

CVE-2016-7097

Jan Kara found that changing the POSIX ACL of a file never cleared its set-group-ID flag, which should be done if the user changing it is not a member of the group-owner. In some cases, this would allow the user-owner of an executable to gain the privileges of the group-owner.

CVE-2016-7910

Vegard Nossum discovered that a memory allocation failure while handling a read of /proc/diskstats or /proc/partitions could lead to a use-after-free, possibly causing a denial of service (crash or memory corruption) or privilege escalation.

CVE-2016-7911

Dmitry Vyukov reported that a race between ioprio_get() and ioprio_set() system calls could result in a use-after-free, possibly causing a denial of service (crash) or leaking sensitive information.

CVE-2016-7915

Benjamin Tissoires found that HID devices could trigger an out-of- bounds memory access in the HID core. A physically present user could possibly use this for denial of service (crash) or to leak sensitive information.

CVE-2016-8399

Qidan He reported that the IPv4 ping socket implementation did not validate the length of packets to be sent. A user with permisson to use ping sockets could cause an out-of-bounds read, possibly resulting in a denial of service or information leak. However, on Debian systems no users have permission to create ping sockets by default.

CVE-2016-8633

Eyal Itkin reported that the IP-over-Firewire driver (firewire-net) did not validate the offset or length in link-layer fragmentation headers. This allowed a remote system connected by Firewire to write to memory after a packet buffer, leading to a denial of service (crash) or remote code execution.

CVE-2016-8645

Marco Grassi reported that if a socket filter (BPF program) attached to a TCP socket truncates or removes the TCP header, this could cause a denial of service (crash). This was exploitable by any local user.

CVE-2016-8655

Philip Pettersson found that the implementation of packet sockets (AF_PACKET family) had a race condition between enabling a transmit ring buffer and changing the version of buffers used, which could result in a use-after-free. A local user with the CAP_NET_ADMIN capability could exploit this for privilege escalation.

CVE-2016-9178

Al Viro found that a failure to read data from user memory might lead to a information leak on the x86 architecture (amd64 or i386).

CVE-2016-9555

Andrey Konovalov reported that the SCTP implementation does not validate 'out of the blue' packet chunk lengths early enough. A remote system able could use this to cause a denial of service (crash) or other security impact for systems using SCTP.

CVE-2016-9576, CVE-2016-10088

Dmitry Vyukov reported that using splice() with the SCSI generic driver led to kernel memory corruption. Local users with permision to access a SCSI device node could exploit this for privilege escalation.

CVE-2016-9756

Dmitry Vyukov reported that KVM for the x86 architecture (amd64 or i386) did not correctly handle the failure of certain instructions that require software emulation on older processors. This could be exploited by guest systems to leak sensitive information or for denial of service (log spam).

CVE-2016-9794

Baozeng Ding reported a race condition in the ALSA (sound) subsystem that could result in a use-after-free. Local users with access to a PCM sound device could exploit this for denial of service (crash or memory corruption) or other security impact.

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.84-1. This version also includes bug fixes from upstream version 3.2.84 and updates the PREEMPT_RT featureset to version 3.2.84-rt122.
Finally, this version adds the option to mitigate security issues in the performance events (perf) subsystem by disabling use by unprivileged users. This can be done by setting sysctl kernel.perf_event_paranoid=3.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.39-1 which will be included in the next point release (8.6).

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Tilman Schmidt and Sasha Levin discovered a use-after-free condition in the TTY implementation in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory).
(CVE-2015-8964)

It was discovered that the Video For Linux Two (v4l2) implementation in the Linux kernel did not properly handle multiple planes when processing a VIDIOC_DQBUF ioctl(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-4568)

CAI Qian discovered that shared bind mounts in a mount namespace exponentially added entries without restriction to the Linux kernel's mount table. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-6213)

Ondrej Kozina discovered that the keyring interface in the Linux kernel contained a buffer overflow when displaying timeout events via the /proc/keys interface. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-7042)

Andreas Gruenbacher and Jan Kara discovered that the filesystem implementation in the Linux kernel did not clear the setgid bit during a setxattr call. A local attacker could use this to possibly elevate group privileges. (CVE-2016-7097)

Marco Grassi discovered that the driver for Areca RAID Controllers in the Linux kernel did not properly validate control messages. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-7425)

It was discovered that the KVM implementation for x86/x86_64 in the Linux kernel could dereference a NULL pointer. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the KVM host. (CVE-2016-8630)

Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation in the Linux kernel contained a buffer overflow when handling fragmented packets. A remote attacker could use this to possibly execute arbitrary code with administrative privileges.
(CVE-2016-8633)

Marco Grassi discovered that the TCP implementation in the Linux kernel mishandles socket buffer (skb) truncation. A local attacker could use this to cause a denial of service (system crash).
(CVE-2016-8645)

Daxing Guo discovered a stack-based buffer overflow in the Broadcom IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-8658)

It was discovered that an information leak existed in
__get_user_asm_ex() in the Linux kernel. A local attacker could use this to expose sensitive information. (CVE-2016-9178)

Andrey Konovalov discovered that the SCTP implementation in the Linux kernel improperly handled validation of incoming data. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2016-9555).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE Leap 42.1 kernel was updated to 4.1.36 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2016-8655: A race condition in the af_packet     packet_set_ring function could be used by local     attackers to crash the kernel or gain privileges     (bsc#1012754).

  - CVE-2016-9794: A use-after-free in ALSA pcm could lead     to crashes or allowed local users to potentially gain     privileges (bsc#1013533).

  - CVE-2015-8962: Double free vulnerability in the     sg_common_write function in drivers/scsi/sg.c in the     Linux kernel allowed local users to gain privileges or     cause a denial of service (memory corruption and system     crash) by detaching a device during an SG_IO ioctl call     (bnc#1010501).

  - CVE-2016-9178: The __get_user_asm_ex macro in     arch/x86/include/asm/uaccess.h in the Linux kernel did     not initialize a certain integer variable, which allowed     local users to obtain sensitive information from kernel     stack memory by triggering failure of a get_user_ex call     (bnc#1008650).

  - CVE-2016-7913: The xc2028_set_config function in     drivers/media/tuners/tuner-xc2028.c in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (use-after-free) via vectors involving     omission of the firmware name from a certain data     structure (bnc#1010478).

  - CVE-2016-9555: The sctp_sf_ootb function in     net/sctp/sm_statefuns.c in the Linux kernel lacks     chunk-length checking for the first chunk, which allowed     remote attackers to cause a denial of service     (out-of-bounds slab access) or possibly have unspecified     other impact via crafted SCTP data (bnc#1011685).

  - CVE-2015-8963: Race condition in kernel/events/core.c in     the Linux kernel allowed local users to gain privileges     or cause a denial of service (use-after-free) by     leveraging incorrect handling of an swevent data     structure during a CPU unplug operation (bnc#1010502).

  - CVE-2015-8964: The tty_set_termios_ldisc function in     drivers/tty/tty_ldisc.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory by reading a tty data structure (bnc#1010507).

  - CVE-2016-8646: The hash_accept function in     crypto/algif_hash.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) by attempting     to trigger use of in-kernel hash algorithms for a socket     that has received zero bytes of data (bnc#1010150).

  - CVE-2016-8633: drivers/firewire/net.c in the Linux     kernel in certain unusual hardware configurations,     allowed remote attackers to execute arbitrary code via     crafted fragmented packets (bnc#1008833).

  - CVE-2016-8630: The x86_decode_insn function in     arch/x86/kvm/emulate.c in the Linux kernel, when KVM is     enabled, allowed local users to cause a denial of     service (host OS crash) via a certain use of a ModR/M     byte in an undefined instruction (bnc#1009222).

  - CVE-2016-9083: drivers/vfio/pci/vfio_pci.c in the Linux     kernel allowed local users to bypass integer overflow     checks, and cause a denial of service (memory     corruption) or have unspecified other impact, by     leveraging access to a vfio PCI device file for a     VFIO_DEVICE_SET_IRQS ioctl call, aka a 'state machine     confusion bug (bnc#1007197).

  - CVE-2016-9084: drivers/vfio/pci/vfio_pci_intrs.c in the     Linux kernel misuses the kzalloc function, which allowed     local users to cause a denial of service (integer     overflow) or have unspecified other impact by leveraging     access to a vfio PCI device file (bnc#1007197).

  - CVE-2016-7042: The proc_keys_show function in     security/keys/proc.c in the Linux kernel through 4.8.2,     when the GNU Compiler Collection (gcc) stack protector     is enabled, uses an incorrect buffer size for certain     timeout data, which allowed local users to cause a     denial of service (stack memory corruption and panic) by     reading the /proc/keys file (bnc#1004517).

  - CVE-2016-7097: The filesystem implementation in the     Linux kernel preserves the setgid bit during a setxattr     call, which allowed local users to gain group privileges     by leveraging the existence of a setgid program with     restrictions on execute permissions (bnc#995968).

  - CVE-2015-8956: The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel allowed     local users to obtain sensitive information or cause a     denial of service (NULL pointer dereference) via vectors     involving a bind system call on a Bluetooth RFCOMM     socket (bnc#1003925).

The following non-security bugs were fixed :

  - ata: ahci_xgene: dereferencing uninitialized pointer in     probe (bsc#1006580).

  - blacklist.conf: add some commits (bsc#1006580)

  - bna: Add synchronization for tx ring (bsc#993739).

  - bonding: set carrier off for devices created through     netlink (bsc#999577).

  - btrfs: deal with duplicates during extent_map insertion     in btrfs_get_extent (bsc#1001171).

  - btrfs: deal with existing encompassing extent map in     btrfs_get_extent() (bsc#1001171).

  - btrfs: fix extent tree corruption due to relocation     (bsc#990384).

  - btrfs: fix races on root_log_ctx lists (bsc#1007653).

  - ext4: fix data exposure after a crash (bsc#1012876).

  - ext4: fix reference counting bug on block allocation     error (bsc#1012876).

  - gre: Disable segmentation offloads w/ CSUM and we are     encapsulated via FOU (bsc#1001486).

  - gro: Allow tunnel stacking in the case of FOU/GUE     (bsc#1001486).

  - ipv6: send NEWLINK on RA managed/otherconf changes     (bsc#934067).

  - ipv6: send only one NEWLINK when RA causes changes     (bsc#934067).

  - isofs: Do not return EACCES for unknown filesystems     (bsc#1012876).

  - jbd2: fix checkpoint list cleanup (bsc#1012876).

  - jbd2: Fix unreclaimed pages after truncate in     data=journal mode (bsc#1010909).

  - locking/static_key: Fix concurrent static_key_slow_inc()     (bsc#1006580).

  - mmc: Fix kabi breakage of mmc-block in 4.1.36     (stable-4.1.36).

  - posix_acl: Added fix for f2fs.

  - Revert 'kbuild: add -fno-PIE' (stable-4.1.36).

  - Revert 'x86/mm: Expand the exception table logic to     allow new handling options' (stable-4.1.36).

  - tunnels: Remove encapsulation offloads on decap     (bsc#1001486).

  - usbhid: add ATEN CS962 to list of quirky devices     (bsc#1007615).

  - vmxnet3: Wake queue from reset work (bsc#999907).

ID	Name	Product	Family	Severity
124989	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1536)	Nessus	Huawei Local Security Checks	high
103326	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3422-1) (BlueBorne)	Nessus	Ubuntu Local Security Checks	high
99163	OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)	Nessus	OracleVM Local Security Checks	critical
99162	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)	Nessus	OracleVM Local Security Checks	high
99160	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3534)	Nessus	Oracle Linux Local Security Checks	high
99159	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3533)	Nessus	Oracle Linux Local Security Checks	high
96188	Debian DLA-772-1 : linux security update	Nessus	Debian Local Security Checks	critical
95997	Ubuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3161-3)	Nessus	Ubuntu Local Security Checks	critical
95702	openSUSE Security Update : the Linux Kernel (openSUSE-2016-1428)	Nessus	SuSE Local Security Checks	critical

CVE-2016-9178

LOW

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

critical

high

high

high

critical

critical

critical