http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=93362fa47fe98b62e4a34ab408c4a418432e7939

DSA-3791

[oss-security] 20161105 Re: CVE request: linux kernel - local DoS with cgroup offline code

94129

https://bugzilla.redhat.com/show_bug.cgi?id=1392439

https://github.com/torvalds/linux/commit/93362fa47fe98b62e4a34ab408c4a418432e7939

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03802en_us

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - Mounting a crafted EXT4 image read-only leads to an     attacker controlled memory corruption and     SLAB-Out-of-Bounds reads.(CVE-2016-10208)

  - An issue was discovered in the hwpoison implementation     in mm/memory-failure.c in the Linux kernel before     5.0.4. When soft_offline_in_use_page() runs on a thp     tail page after pmd is split, an attacker can cause a     denial of service (BUG).(CVE-2019-10124)

  - A stack-based buffer overflow flaw was found in the     Linux kernel's early load microcode functionality. On a     system with UEFI Secure Boot enabled, a local,     privileged user could use this flaw to increase their     privileges to the kernel (ring0) level, bypassing     intended restrictions in place.(CVE-2015-2666)

  - A flaw was found in the way the Linux kernel's     networking subsystem handled offloaded packets with     multiple layers of encapsulation in the GRO (Generic     Receive Offload) code path. A remote attacker could use     this flaw to trigger unbounded recursion in the kernel     that could lead to stack corruption, resulting in a     system crash.(CVE-2016-8666)

  - The ethtool_get_wol function in net/core/ethtool.c in     the Linux kernel through 4.7, as used in Android before     2016-08-05 on Nexus 5 and 7 (2013) devices, does not     initialize a certain data structure, which allows local     users to obtain sensitive information via a crafted     application, aka Android internal bug 28803952 and     Qualcomm internal bug CR570754.(CVE-2014-9900)

  - A vulnerability was found in crypto/ahash.c in the     Linux kernel which allows attackers to cause a denial     of service (API operation calling its own callback, and     infinite recursion) by triggering EBUSY on a full     queue.(CVE-2017-7618)

  - drivers/misc/qseecom.c in the QSEECOM driver for the     Linux kernel 3.x, as used in Qualcomm Innovation Center     (QuIC) Android contributions for MSM devices and other     products, does not validate certain offset, length, and     base values within an ioctl call, which allows     attackers to gain privileges or cause a denial of     service (memory corruption) via a crafted     application.(CVE-2014-4322)

  - An integer overflow vulnerability was found in the     Linux kernel in xt_alloc_table_info, which on 32-bit     systems can lead to small structure allocation and a     copy_from_user based heap corruption.(CVE-2016-3135)

  - Stack-based buffer overflow in the     supply_lm_input_write function in     drivers/thermal/supply_lm_core.c in the MSM Thermal     driver for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allows attackers to cause a     denial of service or possibly have unspecified other     impact via a crafted application that sends a large     amount of data through the debugfs     interface.(CVE-2016-2063)

  - The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in     the Linux kernel before 3.12.4 updates a certain length     value before ensuring that an associated data structure     has been initialized, which allows local users to     obtain sensitive information from kernel stack memory     via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system     call.(CVE-2013-7264)

  - A bypass was found for the Spectre v1 hardening in the     eBPF engine of the Linux kernel. The code in the     kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic in     various cases, including cases of different branches     with different state or limits to sanitize, leading to     side-channel attacks.(CVE-2019-7308)

  - The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel mishandles     inheritance, which allows local users to cause a denial     of service or possibly have unspecified other impact     via crafted system calls, a related issue to     CVE-2017-8890. An unprivileged local user could use     this flaw to induce kernel memory corruption on the     system, leading to a crash. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9077)

  - The cgroup offline implementation in the Linux kernel     through 4.8.11 mishandles certain drain operations,     which allows local users to cause a denial of service     (system hang) by leveraging access to a container     environment for executing a crafted application, as     demonstrated by trinity.(CVE-2016-9191)

  - The KVM implementation in the Linux kernel through     4.20.5 has a Use-after-Free.(CVE-2019-7221)

  - A NULL pointer dereference flaw was found in the way     the Linux kernel's network subsystem handled socket     creation with an invalid protocol identifier. A local     user could use this flaw to crash the     system.(CVE-2015-8543)

  - The drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux     kernel, through 4.13.11, allows local users to cause a     denial of service (general protection fault and system     crash) or possibly have unspecified other impact via a     crafted USB device, related to a missing warm-start     check and incorrect attach timing     (dm04_lme2510_frontend_attach versus     dm04_lme2510_tuner).(CVE-2017-16538)

  - A use-after-free flaw was found in the way the Linux     kernel's Advanced Linux Sound Architecture (ALSA)     implementation handled user controls. A local,     privileged user could use this flaw to crash the     system.(CVE-2014-4653)

  - A vulnerability leading to a local privilege escalation     was found in apparmor in the Linux kernel. When     proc_pid_attr_write() was changed to use memdup_user     apparmor's (interface violating) assumption that the     setprocattr buffer was always a single page was     violated.(CVE-2016-6187)

  - A vulnerability was found in the Linux kernel in     'tmpfs' file system. When file permissions are modified     via 'chmod' and the user is not in the owning group or     capable of CAP_FSETID, the setgid bit is cleared in     inode_change_ok(). Setting a POSIX ACL via 'setxattr'     sets the file permissions as well as the new ACL, but     doesn't clear the setgid bit in a similar way; this     allows to bypass the check in 'chmod'.(CVE-2017-5551)

  - A flaw was found in the Linux Kernel in the     ucma_leave_multicast() function in     drivers/infiniband/core/ucma.c which allows access to a     certain data structure after freeing it in     ucma_process_join(). This allows an attacker to cause a     use-after-free bug and to induce kernel memory     corruption, leading to a system crash or other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2018-14734)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0035 for details.

The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0174 for details.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - mm, thp: Do not make page table dirty unconditionally in     follow_trans_huge_pmd (Kirill A. Shutemov) [Orabug:
    27200879] (CVE-2017-1000405)

  - NFS: Add static NFS I/O tracepoints (Chuck Lever)

  - storvsc: don't assume SG list is contiguous (Aruna     Ramakrishna) 

  - fix unbalanced page refcounting in bio_map_user_iov     (Vitaly Mayatskikh) [Orabug: 27069038] (CVE-2017-12190)

  - more bio_map_user_iov leak fixes (Al Viro) [Orabug:
    27069038] (CVE-2017-12190)

  - packet: in packet_do_bind, test fanout with bind_lock     held (Willem de Bruijn) [Orabug: 27069065]     (CVE-2017-15649)

  - packet: hold bind lock when rebinding to fanout hook     (Willem de Bruijn) [Orabug: 27069065] (CVE-2017-15649)

  - net: convert packet_fanout.sk_ref from atomic_t to     refcount_t (Reshetova, Elena) [Orabug: 27069065]     (CVE-2017-15649)

  - packet: fix races in fanout_add (Eric Dumazet) [Orabug:
    27069065] (CVE-2017-15649)

  - refcount_t: Introduce a special purpose refcount type     (Peter Zijlstra) [Orabug: 27069065] (CVE-2017-15649)

  - locking/atomics: Add _[acquire|release|relaxed] variants     of some atomic operations (Will Deacon) [Orabug:
    27069065] (CVE-2017-15649)

  - net: qmi_wwan: fix divide by 0 on bad descriptors     (Bj&oslash rn Mork) [Orabug: 27215225] (CVE-2017-16650)

  - ALSA: usb-audio: Kill stray URB at exiting (Takashi     Iwai) [Orabug: 27148276] (CVE-2017-16527)

  - scsi: Add STARGET_CREATED_REMOVE state to     scsi_target_state (Ewan D. Milne) [Orabug: 27187217]

  - ocfs2: fix posix_acl_create deadlock (Junxiao Bi)     [Orabug: 27126129]

  - scsi: Don't abort scsi_scan due to unexpected response     (John Sobecki) 

  - ocfs2: code clean up for direct io (Ryan Ding)

  - xscore: add dma address check (Zhu Yanjun) [Orabug:
    27076919]

  - KVM: nVMX: Fix loss of L2's NMI blocking state (Wanpeng     Li) [Orabug: 27062498]

  - KVM: nVMX: track NMI blocking state separately for each     VMCS (Paolo Bonzini) [Orabug: 27062498]

  - KVM: VMX: require virtual NMI support (Paolo Bonzini)     [Orabug: 27062498]

  - KVM: nVMX: Fix the NMI IDT-vectoring handling (Wanpeng     Li) [Orabug: 27062498]

  - uek-rpm: disable CONFIG_NUMA_BALANCING_DEFAULT_ENABLED     (Fred Herard) 

  - thp: run vma_adjust_trans_huge outside i_mmap_rwsem     (Kirill A. Shutemov) [Orabug: 27026180]

  - selinux: fix off-by-one in setprocattr (Stephen Smalley)     [Orabug: 27001717] (CVE-2017-2618) (CVE-2017-2618)     (CVE-2017-2618)

  - sysctl: Drop reference added by grab_header in     proc_sys_readdir (Zhou Chengming) [Orabug: 27036903]     (CVE-2016-9191) (CVE-2016-9191) (CVE-2016-9191)

  - KEYS: prevent KEYCTL_READ on negative key (Eric Biggers)     [Orabug: 27050248] (CVE-2017-12192)

  - IB/ipoib: For sendonly join free the multicast group on     leave (Christoph Lameter) [Orabug: 27077718]

  - IB/ipoib: increase the max mcast backlog queue (Doug     Ledford) 

  - IB/ipoib: Make sendonly multicast joins create the mcast     group (Doug Ledford) [Orabug: 27077718]

  - IB/ipoib: Expire sendonly multicast joins (Christoph     Lameter) 

  - IB/ipoib: Suppress warning for send only join failures     (Jason Gunthorpe) [Orabug: 27077718]

  - IB/ipoib: Clean up send-only multicast joins (Doug     Ledford) [Orabug: 27077718]

  - netlink: allow to listen 'all' netns (Nicolas Dichtel)     [Orabug: 27077944]

  - netlink: rename private flags and states (Nicolas     Dichtel) [Orabug: 27077944]

  - netns: use a spin_lock to protect nsid management     (Nicolas Dichtel) 

  - netns: notify new nsid outside __peernet2id (Nicolas     Dichtel) 

  - netns: rename peernet2id to peernet2id_alloc (Nicolas     Dichtel) 

  - netns: always provide the id to rtnl_net_fill (Nicolas     Dichtel) 

  - netns: returns always an id in __peernet2id (Nicolas     Dichtel) 

  - Hang/soft lockup in d_invalidate with simultaneous calls     (Al Viro) 

  - Revert 'drivers/char/mem.c: deny access in open     operation when securelevel is set' (Brian Maly) [Orabug:
    27037811]

Description of changes:

[4.1.12-103.10.1.el7uek]
- mm, thp: Do not make page table dirty unconditionally in follow_trans_huge_pmd() (Kirill A. Shutemov)  [Orabug: 27200879] {CVE-2017-1000405}
- NFS: Add static NFS I/O tracepoints (Chuck Lever)
- storvsc: don't assume SG list is contiguous (Aruna Ramakrishna) [Orabug: 27044692]
- fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh)  [Orabug: 27069038]  {CVE-2017-12190}
- more bio_map_user_iov() leak fixes (Al Viro)  [Orabug: 27069038] {CVE-2017-12190}
- packet: in packet_do_bind, test fanout with bind_lock held (Willem de Bruijn)  [Orabug: 27069065]  {CVE-2017-15649}
- packet: hold bind lock when rebinding to fanout hook (Willem de Bruijn)  [Orabug: 27069065]  {CVE-2017-15649}
- net: convert packet_fanout.sk_ref from atomic_t to refcount_t (Reshetova, Elena)  [Orabug: 27069065]  {CVE-2017-15649}
- packet: fix races in fanout_add() (Eric Dumazet)  [Orabug: 27069065] {CVE-2017-15649}
- refcount_t: Introduce a special purpose refcount type (Peter Zijlstra)   [Orabug: 27069065]  {CVE-2017-15649}
- locking/atomics: Add _{acquire|release|relaxed}() variants of some atomic operations (Will Deacon)  [Orabug: 27069065]  {CVE-2017-15649}
- net: qmi_wwan: fix divide by 0 on bad descriptors (Bj&oslash rn Mork) [Orabug: 27215225]  {CVE-2017-16650}
- ALSA: usb-audio: Kill stray URB at exiting (Takashi Iwai)  [Orabug: 27148276]  {CVE-2017-16527}
- scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state (Ewan D. Milne)  [Orabug: 27187217]
- ocfs2: fix posix_acl_create deadlock (Junxiao Bi)  [Orabug: 27126129]
- scsi: Don't abort scsi_scan due to unexpected response (John Sobecki) [Orabug: 27119628]
- ocfs2: code clean up for direct io (Ryan Ding)
- xscore: add dma address check (Zhu Yanjun)  [Orabug: 27076919]
- KVM: nVMX: Fix loss of L2's NMI blocking state (Wanpeng Li)  [Orabug: 27062498]
- KVM: nVMX: track NMI blocking state separately for each VMCS (Paolo Bonzini)  [Orabug: 27062498]
- KVM: VMX: require virtual NMI support (Paolo Bonzini)  [Orabug: 27062498]
- KVM: nVMX: Fix the NMI IDT-vectoring handling (Wanpeng Li)  [Orabug: 27062498]
- uek-rpm: disable CONFIG_NUMA_BALANCING_DEFAULT_ENABLED (Fred Herard) [Orabug: 26798697]
- thp: run vma_adjust_trans_huge() outside i_mmap_rwsem (Kirill A. Shutemov)  [Orabug: 27026180]
- selinux: fix off-by-one in setprocattr (Stephen Smalley)  [Orabug: 27001717]  {CVE-2017-2618} {CVE-2017-2618} {CVE-2017-2618}
- sysctl: Drop reference added by grab_header in proc_sys_readdir (Zhou Chengming)  [Orabug: 27036903]  {CVE-2016-9191} {CVE-2016-9191} {CVE-2016-9191}
- KEYS: prevent KEYCTL_READ on negative key (Eric Biggers)  [Orabug: 27050248]  {CVE-2017-12192}
- IB/ipoib: For sendonly join free the multicast group on leave (Christoph Lameter)  [Orabug: 27077718]
- IB/ipoib: increase the max mcast backlog queue (Doug Ledford) [Orabug: 27077718]
- IB/ipoib: Make sendonly multicast joins create the mcast group (Doug Ledford)  [Orabug: 27077718]
- IB/ipoib: Expire sendonly multicast joins (Christoph Lameter) [Orabug: 27077718]
- IB/ipoib: Suppress warning for send only join failures (Jason Gunthorpe)  [Orabug: 27077718]
- IB/ipoib: Clean up send-only multicast joins (Doug Ledford)  [Orabug: 27077718]
- netlink: allow to listen 'all' netns (Nicolas Dichtel)  [Orabug: 27077944]
- netlink: rename private flags and states (Nicolas Dichtel)  [Orabug: 27077944]
- netns: use a spin_lock to protect nsid management (Nicolas Dichtel) [Orabug: 27077944]
- netns: notify new nsid outside __peernet2id() (Nicolas Dichtel) [Orabug: 27077944]
- netns: rename peernet2id() to peernet2id_alloc() (Nicolas Dichtel) [Orabug: 27077944]
- netns: always provide the id to rtnl_net_fill() (Nicolas Dichtel) [Orabug: 27077944]
- netns: returns always an id in __peernet2id() (Nicolas Dichtel) [Orabug: 27077944]
- Hang/soft lockup in d_invalidate with simultaneous calls (Al Viro) [Orabug: 27052681]
- Revert 'drivers/char/mem.c: deny access in open operation when securelevel is set' (Brian Maly)  [Orabug: 27037811]

The remote OracleVM system is missing necessary patches to address critical security updates :

  - thp: run vma_adjust_trans_huge outside i_mmap_rwsem     (Kirill A. Shutemov) [Orabug: 27026180]

  - selinux: fix off-by-one in setprocattr (Stephen Smalley)     [Orabug: 27001717] (CVE-2017-2618) (CVE-2017-2618)     (CVE-2017-2618)

  - sysctl: Drop reference added by grab_header in     proc_sys_readdir (Zhou Chengming) [Orabug: 27036903]     (CVE-2016-9191) (CVE-2016-9191) (CVE-2016-9191)

  - KEYS: prevent KEYCTL_READ on negative key (Eric Biggers)     [Orabug: 27050248] (CVE-2017-12192)

  - IB/ipoib: For sendonly join free the multicast group on     leave (Christoph Lameter) [Orabug: 27077718]

  - IB/ipoib: increase the max mcast backlog queue (Doug     Ledford) 

  - IB/ipoib: Make sendonly multicast joins create the mcast     group (Doug Ledford) [Orabug: 27077718]

  - IB/ipoib: Expire sendonly multicast joins (Christoph     Lameter) 

  - IB/ipoib: Suppress warning for send only join failures     (Jason Gunthorpe) [Orabug: 27077718]

  - IB/ipoib: Clean up send-only multicast joins (Doug     Ledford) [Orabug: 27077718]

  - netlink: allow to listen 'all' netns (Nicolas Dichtel)     [Orabug: 27077944]

  - netlink: rename private flags and states (Nicolas     Dichtel) [Orabug: 27077944]

  - netns: use a spin_lock to protect nsid management     (Nicolas Dichtel) 

  - netns: notify new nsid outside __peernet2id (Nicolas     Dichtel) 

  - netns: rename peernet2id to peernet2id_alloc (Nicolas     Dichtel) 

  - netns: always provide the id to rtnl_net_fill (Nicolas     Dichtel) 

  - netns: returns always an id in __peernet2id (Nicolas     Dichtel) 

  - Hang/soft lockup in d_invalidate with simultaneous calls     (Al Viro)

Description of changes:

[4.1.12-103.9.4.el7uek]
- thp: run vma_adjust_trans_huge() outside i_mmap_rwsem (Kirill A. Shutemov)  [Orabug: 27026180]

[4.1.12-103.9.3.el7uek]
- selinux: fix off-by-one in setprocattr (Stephen Smalley)  [Orabug: 27001717]  {CVE-2017-2618} {CVE-2017-2618} {CVE-2017-2618}
- sysctl: Drop reference added by grab_header in proc_sys_readdir (Zhou Chengming)  [Orabug: 27036903]  {CVE-2016-9191} {CVE-2016-9191} {CVE-2016-9191}
- KEYS: prevent KEYCTL_READ on negative key (Eric Biggers)  [Orabug: 27050248]  {CVE-2017-12192}
- IB/ipoib: For sendonly join free the multicast group on leave (Christoph Lameter)  [Orabug: 27077718]
- IB/ipoib: increase the max mcast backlog queue (Doug Ledford) [Orabug: 27077718]
- IB/ipoib: Make sendonly multicast joins create the mcast group (Doug Ledford)  [Orabug: 27077718]
- IB/ipoib: Expire sendonly multicast joins (Christoph Lameter) [Orabug: 27077718]
- IB/ipoib: Suppress warning for send only join failures (Jason Gunthorpe)  [Orabug: 27077718]
- IB/ipoib: Clean up send-only multicast joins (Doug Ledford)  [Orabug: 27077718]
- netlink: allow to listen 'all' netns (Nicolas Dichtel)  [Orabug: 27077944]
- netlink: rename private flags and states (Nicolas Dichtel)  [Orabug: 27077944]
- netns: use a spin_lock to protect nsid management (Nicolas Dichtel) [Orabug: 27077944]
- netns: notify new nsid outside __peernet2id() (Nicolas Dichtel) [Orabug: 27077944]
- netns: rename peernet2id() to peernet2id_alloc() (Nicolas Dichtel) [Orabug: 27077944]
- netns: always provide the id to rtnl_net_fill() (Nicolas Dichtel) [Orabug: 27077944]
- netns: returns always an id in __peernet2id() (Nicolas Dichtel) [Orabug: 27077944]
- Hang/soft lockup in d_invalidate with simultaneous calls (Al Viro) [Orabug: 27052681]

It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses.
A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-1000251)

It was discovered that the asynchronous I/O (aio) subsystem of the Linux kernel did not properly set permissions on aio memory mappings in some situations. An attacker could use this to more easily exploit other vulnerabilities. (CVE-2016-10044)

Baozeng Ding and Andrey Konovalov discovered a race condition in the L2TPv3 IP Encapsulation implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-10200)

Andreas Gruenbacher and Jan Kara discovered that the filesystem implementation in the Linux kernel did not clear the setgid bit during a setxattr call. A local attacker could use this to possibly elevate group privileges. (CVE-2016-7097)

Sergej Schumilo, Ralf Spenneberg, and Hendrik Schwartke discovered that the key management subsystem in the Linux kernel did not properly allocate memory in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-8650)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)

It was discovered that an information leak existed in
__get_user_asm_ex() in the Linux kernel. A local attacker could use this to expose sensitive information. (CVE-2016-9178)

CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

It was discovered that an integer overflow existed in the trace subsystem of the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2016-9754)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

It was discovered that the keyring implementation in the Linux kernel did not properly restrict searches for dead keys. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6951)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7187)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

It was discovered that a buffer overflow existed in the Broadcom FullMAC WLAN driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7541).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3358-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Please note that this update changes the Linux HWE kernel to the 4.10 based kernel from Ubuntu 17.04, superseding the 4.8 based HWE kernel from Ubuntu 16.10.

Ben Harris discovered that the Linux kernel would strip extended privilege attributes of files when performing a failed unprivileged system call. A local attacker could use this to cause a denial of service. (CVE-2015-1350)

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208)

Peter Pi discovered that the colormap handling for frame buffer devices in the Linux kernel contained an integer overflow. A local attacker could use this to disclose sensitive information (kernel memory). (CVE-2016-8405)

It was discovered that an integer overflow existed in the InfiniBand RDMA over ethernet (RXE) transport implementation in the Linux kernel.
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-8636)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)

CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet discovered that the netfiler subsystem in the Linux kernel mishandled IPv6 packet reassembly. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-9755)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

It was discovered that SELinux in the Linux kernel did not properly handle empty writes to /proc/pid/attr. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2618)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that the freelist-randomization in the SLAB memory allocator allowed duplicate freelist entries. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-5546)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

It was discovered that a fencepost error existed in the pipe_advance() function in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5550)

It was discovered that the Linux kernel did not clear the setgid bit during a setxattr call on a tmpfs filesystem. A local attacker could use this to gain elevated group privileges. (CVE-2017-5551)

Murray McAllister discovered that an integer overflow existed in the VideoCore DRM driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-5576)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made improper assumptions about internal data layout when performing checksums. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7187)

It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261)

It was discovered that the USB Cypress HID drivers for the Linux kernel did not properly validate reported information from the device.
An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-7273)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion).
(CVE-2017-8925)

Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.74 to receive various security and bugfixes. Notable new/improved features :

  - Improved support for Hyper-V

  - Support for the tcp_westwood TCP scheduling algorithm     The following security bugs were fixed :

  - CVE-2017-8106: The handle_invept function in     arch/x86/kvm/vmx.c in the Linux kernel allowed     privileged KVM guest OS users to cause a denial of     service (NULL pointer dereference and host OS crash) via     a single-context INVEPT instruction with a NULL EPT     pointer (bsc#1035877).

  - CVE-2017-6951: The keyring_search_aux function in     security/keys/keyring.c in the Linux kernel allowed     local users to cause a denial of service (NULL pointer     dereference and OOPS) via a request_key system call for     the 'dead' type. (bsc#1029850).

  - CVE-2017-2647: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (NULL pointer dereference and system crash)     via vectors involving a NULL value for a certain match     field, related to the keyring_search_iterator function     in keyring.c. (bsc#1030593)

  - CVE-2016-9604: This fixes handling of keyrings starting     with '.' in KEYCTL_JOIN_SESSION_KEYRING, which could     have allowed local users to manipulate privileged     keyrings (bsc#1035576)

  - CVE-2017-7616: Incorrect error handling in the     set_mempolicy and mbind compat syscalls in     mm/mempolicy.c in the Linux kernel allowed local users     to obtain sensitive information from uninitialized stack     data by triggering failure of a certain bitmap     operation. (bnc#1033336).

  - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd     subsystem in the Linux kernel allowed remote attackers     to cause a denial of service (system crash) via a long     RPC reply, related to net/sunrpc/svc.c,     fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. (bsc#1034670).

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579)

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel was too late in     obtaining a certain lock and consequently could not     ensure that disconnect function calls are safe, which     allowed local users to cause a denial of service (panic)     by leveraging access to the protocol value of     IPPROTO_ICMP in a socket system call (bnc#1031003)

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440)

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052)

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213)

  - CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel     mismanaged the #BP and #OF exceptions, which allowed     guest OS users to cause a denial of service (guest OS     crash) by declining to handle an exception thrown by an     L2 guest (bsc#1015703).

  - CVE-2017-5669: The do_shmat function in ipc/shm.c in the     Linux kernel did not restrict the address calculated by     a certain rounding operation, which allowed local users     to map page zero, and consequently bypass a protection     mechanism that exists for the mmap system call, by     making crafted shmget and shmat system calls in a     privileged context (bnc#1026914).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415)

  - CVE-2016-10208: The ext4_fill_super function in     fs/ext4/super.c in the Linux kernel did not properly     validate meta block groups, which allowed physically     proximate attackers to cause a denial of service     (out-of-bounds read and system crash) via a crafted ext4     image (bnc#1023377).

  - CVE-2017-5897: The ip6gre_err function in     net/ipv6/ip6_gre.c in the Linux kernel allowed remote     attackers to have unspecified impact via vectors     involving GRE flags in an IPv6 packet, which trigger an     out-of-bounds access (bsc#1023762).

  - CVE-2017-5986: A race condition in the     sctp_wait_for_sndbuf function in net/sctp/socket.c in     the Linux kernel allowed local users to cause a denial     of service (assertion failure and panic) via a     multithreaded application that peels off an association     in a certain buffer-full state (bsc#1025235).

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024)

  - CVE-2016-9191: The cgroup offline implementation in the     Linux kernel mishandled certain drain operations, which     allowed local users to cause a denial of service (system     hang) by leveraging access to a container environment     for executing a crafted application (bnc#1008842)

  - CVE-2017-6348: The hashbin_delete function in     net/irda/irqueue.c in the Linux kernel improperly     managed lock dropping, which allowed local users to     cause a denial of service (deadlock) via crafted     operations on IrDA devices (bnc#1027178).

  - CVE-2016-10044: The aio_mount function in fs/aio.c in     the Linux kernel did not properly restrict execute     access, which made it easier for local users to bypass     intended SELinux W^X policy restrictions, and     consequently gain privileges, via an io_setup system     call (bnc#1023992).

  - CVE-2016-3070: The trace_writeback_dirty_page     implementation in include/trace/events/writeback.h in     the Linux kernel improperly interacts with mm/migrate.c,     which allowed local users to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact by triggering a certain     page move (bnc#979215).

  - CVE-2016-5243: The tipc_nl_compat_link_dump function in     net/tipc/netlink_compat.c in the Linux kernel did not     properly copy a certain string, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#983212).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190)

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189)

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1027066)

  - CVE-2017-5986: Race condition in the     sctp_wait_for_sndbuf function in net/sctp/socket.c in     the Linux kernel allowed local users to cause a denial     of service (assertion failure and panic) via a     multithreaded application that peels off an association     in a certain buffer-full state (bsc#1025235).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722)

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697)

  - CVE-2015-1350: The VFS subsystem in the Linux kernel     provided an incomplete set of requirements for setattr     operations that underspecifies removing extended     privilege attributes, which allowed local users to cause     a denial of service (capability stripping) via a failed     invocation of a system call, as demonstrated by using     chown to remove a capability from the ping or Wireshark     dumpcap program (bsc#914939).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bsc#1003077).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.58 to receive various security and bugfixes. Notable new/improved features :

  - Improved support for Hyper-V

  - Support for Matrox G200eH3

  - Support for tcp_westwood The following security bugs     were fixed :

  - CVE-2017-2671: The ping_unhash function in     net/ipv4/ping.c in the Linux kernel was too late in     obtaining a certain lock and consequently could not     ensure that disconnect function calls are safe, which     allowed local users to cause a denial of service (panic)     by leveraging access to the protocol value of     IPPROTO_ICMP in a socket system call (bnc#1031003).

  - CVE-2017-7308: The packet_set_ring function in     net/packet/af_packet.c in the Linux kernel did not     properly validate certain block-size data, which allowed     local users to cause a denial of service (overflow) or     possibly have unspecified other impact via crafted     system calls (bnc#1031579).

  - CVE-2017-7294: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate addition of certain levels data,     which allowed local users to trigger an integer overflow     and out-of-bounds write, and cause a denial of service     (system hang or crash) or possibly gain privileges, via     a crafted ioctl call for a /dev/dri/renderD* device     (bnc#1031440).

  - CVE-2017-7261: The vmw_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not check for a zero value of certain levels     data, which allowed local users to cause a denial of     service (ZERO_SIZE_PTR dereference, and GPF and possibly     panic) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031052).

  - CVE-2017-7187: The sg_ioctl function in     drivers/scsi/sg.c in the Linux kernel allowed local     users to cause a denial of service (stack-based buffer     overflow) or possibly have unspecified other impact via     a large command size in an SG_NEXT_CMD_LEN ioctl call,     leading to out-of-bounds write access in the sg_write     function (bnc#1030213).

  - CVE-2017-7374: Use-after-free vulnerability in     fs/crypto/ in the Linux kernel allowed local users to     cause a denial of service (NULL pointer dereference) or     possibly gain privileges by revoking keyring keys being     used for ext4, f2fs, or ubifs encryption, causing     cryptographic transform objects to be freed prematurely     (bnc#1032006).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1027066).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2017-6347: The ip_cmsg_recv_checksum function in     net/ipv4/ip_sockglue.c in the Linux kernel had incorrect     expectations about skb data layout, which allowed local     users to cause a denial of service (buffer over-read) or     possibly have unspecified other impact via crafted     system calls, as demonstrated by use of the MSG_MORE     flag in conjunction with loopback UDP transmission     (bnc#1027179).

  - CVE-2016-9191: The cgroup offline implementation in the     Linux kernel mishandled certain drain operations, which     allowed local users to cause a denial of service (system     hang) by leveraging access to a container environment     for executing a crafted application (bnc#1008842).

  - CVE-2017-2596: The nested_vmx_check_vmptr function in     arch/x86/kvm/vmx.c in the Linux kernel improperly     emulated the VMXON instruction, which allowed KVM L1     guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of     page references (bnc#1022785).

  - CVE-2017-6074: The dccp_rcv_state_process function in     net/dccp/input.c in the Linux kernel mishandled     DCCP_PKT_REQUEST packet data structures in the LISTEN     state, which allowed local users to obtain root     privileges or cause a denial of service (double free)     via an application that made an IPV6_RECVPKTINFO     setsockopt system call (bnc#1026024).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE Leap 42.2 kernel was updated to 4.4.56 fix various security issues and bugs.

The following security bugs were fixed :

  - CVE-2017-7184: The xfrm_replay_verify_len function in     net/xfrm/xfrm_user.c in the Linux kernel did not     validate certain size data after an XFRM_MSG_NEWAE     update, which allowed local users to obtain root     privileges or cause a denial of service (heap-based     out-of-bounds access) by leveraging the CAP_NET_ADMIN     capability, as demonstrated during a Pwn2Own competition     at CanSecWest 2017 for the Ubuntu 16.10 linux-image-*     package 4.8.0.41.52 (bnc#1030573).

  - CVE-2016-10200: Race condition in the L2TPv3 IP     Encapsulation feature in the Linux kernel allowed local     users to gain privileges or cause a denial of service     (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the     SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and     net/l2tp/l2tp_ip6.c (bnc#1028415).

  - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in     the Linux kernel allowed local users to gain privileges     or cause a denial of service (double free) by setting     the HDLC line discipline (bnc#1027565).

  - CVE-2017-6345: The LLC subsystem in the Linux kernel did     not ensure that a certain destructor exists in required     circumstances, which allowed local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls (bnc#1027190).

  - CVE-2017-6346: Race condition in net/packet/af_packet.c     in the Linux kernel allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a multithreaded application     that made PACKET_FANOUT setsockopt system calls     (bnc#1027189).

  - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did     not properly restrict association peel-off operations     during certain wait states, which allowed local users to     cause a denial of service (invalid unlock and double     free) via a multithreaded application. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2017-5986 (bnc#1025235).

  - CVE-2017-6214: The tcp_splice_read function in     net/ipv4/tcp.c in the Linux kernel allowed remote     attackers to cause a denial of service (infinite loop     and soft lockup) via vectors involving a TCP packet with     the URG flag (bnc#1026722).

  - CVE-2016-2117: The atl2_probe function in     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux     kernel incorrectly enables scatter/gather I/O, which     allowed remote attackers to obtain sensitive information     from kernel memory by reading packet data (bnc#968697).

  - CVE-2017-6347: The ip_cmsg_recv_checksum function in     net/ipv4/ip_sockglue.c in the Linux kernel has incorrect     expectations about skb data layout, which allowed local     users to cause a denial of service (buffer over-read) or     possibly have unspecified other impact via crafted     system calls, as demonstrated by use of the MSG_MORE     flag in conjunction with loopback UDP transmission     (bnc#1027179).

  - CVE-2016-9191: The cgroup offline implementation in the     Linux kernel mishandled certain drain operations, which     allowed local users to cause a denial of service (system     hang) by leveraging access to a container environment     for executing a crafted application, as demonstrated by     trinity (bnc#1008842).

  - CVE-2017-2596: The nested_vmx_check_vmptr function in     arch/x86/kvm/vmx.c in the Linux kernel improperly     emulates the VMXON instruction, which allowed KVM L1     guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of     page references (bnc#1022785).

The following non-security bugs were fixed :

  - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC     (bsc#1028819).

  - ACPI, ioapic: Clear on-stack resource before using it     (bsc#1028819).

  - ACPI: Remove platform devices from a bus on removal     (bsc#1028819).

  - add mainline tag to one hyperv patch

  - bnx2x: allow adding VLANs while interface is down     (bsc#1027273).

  - btrfs: backref: Fix soft lockup in __merge_refs function     (bsc#1017641).

  - btrfs: incremental send, do not delay rename when parent     inode is new (bsc#1028325).

  - btrfs: incremental send, do not issue invalid rmdir     operations (bsc#1028325).

  - btrfs: qgroup: Move half of the qgroup accounting time     out of commit trans (bsc#1017461).

  - btrfs: send, fix failure to rename top level inode due     to name collision (bsc#1028325).

  - btrfs: serialize subvolume mounts with potentially     mismatching rw flags (bsc#951844 bsc#1024015)

  - crypto: algif_hash - avoid zero-sized array     (bnc#1007962).

  - cxgb4vf: do not offload Rx checksums for IPv6 fragments     (bsc#1026692).

  - drivers: hv: vmbus: Prevent sending data on a rescinded     channel (fate#320485, bug#1028217).

  - drm/i915: Add intel_uncore_suspend / resume functions     (bsc#1011913).

  - drm/i915: Listen for PMIC bus access notifications     (bsc#1011913).

  - drm/mgag200: Added support for the new device G200eH3     (bsc#1007959, fate#322780)

  - ext4: fix fencepost in s_first_meta_bg validation     (bsc#1029986).

  - Fix kABI breakage of dccp in 4.4.56 (stable-4.4.56).

  - futex: Add missing error handling to FUTEX_REQUEUE_PI     (bsc#969755).

  - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI     (bsc#969755).

  - i2c: designware-baytrail: Acquire P-Unit access on bus     acquire (bsc#1011913).

  - i2c: designware-baytrail: Call     pmic_bus_access_notifier_chain (bsc#1011913).

  - i2c: designware-baytrail: Fix race when resetting the     semaphore (bsc#1011913).

  - i2c: designware-baytrail: Only check     iosf_mbi_available() for shared hosts (bsc#1011913).

  - i2c: designware: Disable pm for PMIC i2c-bus even if     there is no _SEM method (bsc#1011913).

  - i2c-designware: increase timeout (bsc#1011913).

  - i2c: designware: Never suspend i2c-busses used for     accessing the system PMIC (bsc#1011913).

  - i2c: designware: Rename accessor_flags to flags     (bsc#1011913).

  - kABI: protect struct iscsi_conn (kabi).

  - kABI: protect struct se_node_acl (kabi).

  - kABI: restore can_rx_register parameters (kabi).

  - kgr/module: make a taint flag module-specific     (fate#313296).

  - kgr: remove all arch-specific kgraft header files     (fate#313296).

  - l2tp: fix address test in __l2tp_ip6_bind_lookup()     (bsc#1028415).

  - l2tp: fix lookup for sockets not bound to a device in     l2tp_ip (bsc#1028415).

  - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6     bind() (bsc#1028415).

  - l2tp: hold socket before dropping lock in l2tp_ip{,     6}_recv() (bsc#1028415).

  - l2tp: lock socket before checking flags in connect()     (bsc#1028415).

  - md/raid1: add rcu protection to rdev in fix_read_error     (References: bsc#998106,bsc#1020048,bsc#982783).

  - md/raid1: fix a use-after-free bug     (bsc#998106,bsc#1020048,bsc#982783).

  - md/raid1: handle flush request correctly     (bsc#998106,bsc#1020048,bsc#982783).

  - md/raid1: Refactor raid1_make_request     (bsc#998106,bsc#1020048,bsc#982783).

  - mm: fix set pageblock migratetype in deferred struct     page init (bnc#1027195).

  - mm/page_alloc: Remove useless parameter of
    __free_pages_boot_core (bnc#1027195).

  - module: move add_taint_module() to a header file     (fate#313296).

  - net/ena: change condition for host attribute     configuration (bsc#1026509).

  - net/ena: change driver's default timeouts (bsc#1026509).

  - net: ena: change the return type of ena_set_push_mode()     to be void (bsc#1026509).

  - net: ena: Fix error return code in ena_device_init()     (bsc#1026509).

  - net/ena: fix ethtool RSS flow configuration     (bsc#1026509).

  - net/ena: fix NULL dereference when removing the driver     after device reset failed (bsc#1026509).

  - net/ena: fix potential access to freed memory during     device reset (bsc#1026509).

  - net/ena: fix queues number calculation (bsc#1026509).

  - net/ena: fix RSS default hash configuration     (bsc#1026509).

  - net/ena: reduce the severity of ena printouts     (bsc#1026509).

  - net/ena: refactor ena_get_stats64 to be atomic context     safe (bsc#1026509).

  - net/ena: remove ntuple filter support from device     feature list (bsc#1026509).

  - net: ena: remove superfluous check in ena_remove()     (bsc#1026509).

  - net: ena: Remove unnecessary pci_set_drvdata()     (bsc#1026509).

  - net/ena: update driver version to 1.1.2 (bsc#1026509).

  - net/ena: use READ_ONCE to access completion descriptors     (bsc#1026509).

  - net: ena: use setup_timer() and mod_timer()     (bsc#1026509).

  - net/mlx4_core: Avoid command timeouts during VF driver     device shutdown (bsc#1028017).

  - net/mlx4_core: Avoid delays during VF driver device     shutdown (bsc#1028017).

  - net/mlx4_core: Fix racy CQ (Completion Queue) free     (bsc#1028017).

  - net/mlx4_core: Fix when to save some qp context flags     for dynamic VST to VGT transitions (bsc#1028017).

  - net/mlx4_core: Use cq quota in SRIOV when creating     completion EQs (bsc#1028017).

  - net/mlx4_en: Fix bad WQE issue (bsc#1028017).

  - NFS: do not try to cross a mountpount when there isn't     one there (bsc#1028041).

  - nvme: Do not suspend admin queue that wasn't created     (bsc#1026505).

  - nvme: Suspend all queues before deletion (bsc#1026505).

  - PCI: hv: Fix wslot_to_devfn() to fix warnings on device     removal (fate#320485, bug#1028217).

  - PCI: hv: Use device serial number as PCI domain     (fate#320485, bug#1028217).

  - powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895).

  - RAID1: a new I/O barrier implementation to remove resync     window (bsc#998106,bsc#1020048,bsc#982783).

  - RAID1: avoid unnecessary spin locks in I/O barrier code     (bsc#998106,bsc#1020048,bsc#982783).

  - Revert 'give up on gcc ilog2() constant optimizations'     (kabi).

  - Revert 'net: introduce device min_header_len' (kabi).

  - Revert 'net/mlx4_en: Avoid unregister_netdev at shutdown     flow' (bsc#1028017).

  - Revert 'nfit, libnvdimm: fix interleave set cookie     calculation' (kabi).

  - Revert 'RDMA/core: Fix incorrect structure packing for     booleans' (kabi).

  - Revert 'target: Fix NULL dereference during LUN lookup +     active I/O shutdown' (kabi).

  - rtlwifi: rtl_usb: Fix missing entry in USB driver's     private data (bsc#1026462).

  - s390/kmsg: add missing kmsg descriptions (bnc#1025683,     LTC#151573).

  - s390/mm: fix zone calculation in arch_add_memory()     (bnc#1025683, LTC#152318).

  - sched/loadavg: Avoid loadavg spikes caused by delayed     NO_HZ accounting (bsc#1018419).

  - scsi_dh_alua: Do not modify the interval value for     retries (bsc#1012910).

  - scsi: do not print 'reservation conflict' for TEST UNIT     READY (bsc#1027054).

  - softirq: Let ksoftirqd do its job (bsc#1019618).

  - supported.conf: Add tcp_westwood as supported module     (fate#322432)

  - taint/module: Clean up global and module taint flags     handling (fate#313296).

  - Update mainline reference in     patches.drivers/drm-ast-Fix-memleaks-in-error-path-in-as     t_fb_create.patch See (bsc#1028158) for the context in     which this was discovered upstream.

  - x86/apic/uv: Silence a shift wrapping warning     (bsc#1023866).

  - x86/mce: Do not print MCEs when mcelog is active     (bsc#1013994).

  - x86, mm: fix gup_pte_range() vs DAX mappings     (bsc#1026405).

  - x86/mm/gup: Simplify get_user_pages() PTE bit handling     (bsc#1026405).

  - x86/platform/intel/iosf_mbi: Add a mutex for P-Unit     access (bsc#1011913).

  - x86/platform/intel/iosf_mbi: Add a PMIC bus access     notifier (bsc#1011913).

  - x86/platform: Remove warning message for duplicate NMI     handlers (bsc#1029220).

  - x86/platform/UV: Add basic CPU NMI health check     (bsc#1023866).

  - x86/platform/UV: Add Support for UV4 Hubless NMIs     (bsc#1023866).

  - x86/platform/UV: Add Support for UV4 Hubless systems     (bsc#1023866).

  - x86/platform/UV: Clean up the NMI code to match current     coding style (bsc#1023866).

  - x86/platform/UV: Clean up the UV APIC code     (bsc#1023866).

  - x86/platform/UV: Ensure uv_system_init is called when     necessary (bsc#1023866).

  - x86/platform/UV: Fix 2 socket config problem     (bsc#1023866).

  - x86/platform/UV: Fix panic with missing UVsystab support     (bsc#1023866).

  - x86/platform/UV: Initialize PCH GPP_D_0 NMI Pin to be     NMI source (bsc#1023866).

  - x86/platform/UV: Verify NMI action is valid, default is     standard (bsc#1023866).

  - xen-blkfront: correct maximum segment accounting     (bsc#1018263).

  - xen-blkfront: do not call talk_to_blkback when already     connected to blkback.

  - xen/blkfront: Fix crash if backend does not follow the     right states.

  - xen-blkfront: free resources if xlvbd_alloc_gendisk     fails.

  - xen/netback: set default upper limit of tx/rx queues to     8 (bnc#1019163).

  - xen/netfront: set default upper limit of tx/rx queues to     8 (bnc#1019163).

  - xfs: do not take the IOLOCK exclusive for direct I/O     page invalidation (bsc#1015609).

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts.

  - CVE-2016-6786 / CVE-2016-6787     It was discovered that the performance events subsystem     does not properly manage locks during certain     migrations, allowing a local attacker to escalate     privileges. This can be mitigated by disabling     unprivileged use of performance events:sysctl     kernel.perf_event_paranoid=3

  - CVE-2016-8405     Peter Pi of Trend Micro discovered that the frame buffer     video subsystem does not properly check bounds while     copying color maps to userspace, causing a heap buffer     out-of-bounds read, leading to information disclosure.

  - CVE-2016-9191     CAI Qian discovered that reference counting is not     properly handled within proc_sys_readdir in the sysctl     implementation, allowing a local denial of service     (system hang) or possibly privilege escalation.

  - CVE-2017-2583     Xiaohan Zhang reported that KVM for amd64 does not     correctly emulate loading of a null stack selector. This     can be used by a user in a guest VM for denial of     service (on an Intel CPU) or to escalate privileges     within the VM (on an AMD CPU).

  - CVE-2017-2584     Dmitry Vyukov reported that KVM for x86 does not     correctly emulate memory access by the SGDT and SIDT     instructions, which can result in a use-after-free and     information leak.

  - CVE-2017-2596     Dmitry Vyukov reported that KVM leaks page references     when emulating a VMON for a nested hypervisor. This can     be used by a privileged user in a guest VM for denial of     service or possibly to gain privileges in the host.

  - CVE-2017-2618     It was discovered that an off-by-one in the handling of     SELinux attributes in /proc/pid/attr could result in     local denial of service.

  - CVE-2017-5549     It was discovered that the KLSI KL5KUSB105 serial USB     device driver could log the contents of uninitialised     kernel memory, resulting in an information leak.

  - CVE-2017-5551     Jan Kara found that changing the POSIX ACL of a file on     tmpfs never cleared its set-group-ID flag, which should     be done if the user changing it is not a member of the     group-owner. In some cases, this would allow the     user-owner of an executable to gain the privileges of     the group-owner.

  - CVE-2017-5897     Andrey Konovalov discovered an out-of-bounds read flaw     in the ip6gre_err function in the IPv6 networking code.

  - CVE-2017-5970     Andrey Konovalov discovered a denial-of-service flaw in     the IPv4 networking code. This can be triggered by a     local or remote attacker if a local UDP or raw socket     has the IP_RETOPTS option enabled.

  - CVE-2017-6001     Di Shen discovered a race condition between concurrent     calls to the performance events subsystem, allowing a     local attacker to escalate privileges. This flaw exists     because of an incomplete fix of CVE-2016-6786. This can     be mitigated by disabling unprivileged use of     performance events: sysctl kernel.perf_event_paranoid=3

  - CVE-2017-6074     Andrey Konovalov discovered a use-after-free     vulnerability in the DCCP networking code, which could     result in denial of service or local privilege     escalation. On systems that do not already have the dccp     module loaded, this can be mitigated by disabling     it:echo >> /etc/modprobe.d/disable-dccp.conf install     dccp false

USN-3208-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that the generic SCSI block layer in the Linux kernel did not properly restrict write operations in certain situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
(CVE-2016-10088)

CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191)

Jim Mattson discovered that the KVM implementation in the Linux kernel mismanages the #BP and #OF exceptions. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash). (CVE-2016-9588)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

Andrey Konovalov discovered a use-after-free vulnerability in the DCCP implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2017-6074).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the generic SCSI block layer in the Linux kernel did not properly restrict write operations in certain situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
(CVE-2016-10088)

CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191)

Jim Mattson discovered that the KVM implementation in the Linux kernel mismanages the #BP and #OF exceptions. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash). (CVE-2016-9588)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

Andrey Konovalov discovered a use-after-free vulnerability in the DCCP implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2017-6074).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124978	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1525)	Nessus	Huawei Local Security Checks	critical
109158	OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0035) (Dirty COW) (Meltdown) (Spectre)	Nessus	OracleVM Local Security Checks	high
109156	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4071) (Dirty COW) (Meltdown) (Spectre)	Nessus	Oracle Linux Local Security Checks	high
105248	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0174) (BlueBorne) (Dirty COW) (Stack Clash)	Nessus	OracleVM Local Security Checks	high
105247	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3659) (BlueBorne) (Dirty COW) (Stack Clash)	Nessus	Oracle Linux Local Security Checks	high
105146	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0172) (Dirty COW)	Nessus	OracleVM Local Security Checks	high
105143	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3651) (Dirty COW)	Nessus	Oracle Linux Local Security Checks	high
104619	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0169)	Nessus	OracleVM Local Security Checks	medium
104565	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3640)	Nessus	Oracle Linux Local Security Checks	medium
103326	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3422-1) (BlueBorne)	Nessus	Ubuntu Local Security Checks	high
101929	Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3361-1)	Nessus	Ubuntu Local Security Checks	critical
100320	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1360-1)	Nessus	SuSE Local Security Checks	critical
100023	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1183-1)	Nessus	SuSE Local Security Checks	high
99156	openSUSE Security Update : the Linux Kernel (openSUSE-2017-418)	Nessus	SuSE Local Security Checks	high
97357	Debian DSA-3791-1 : linux - security update	Nessus	Debian Local Security Checks	high
97323	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3208-2)	Nessus	Ubuntu Local Security Checks	high
97322	Ubuntu 16.04 LTS : linux, linux-snapdragon vulnerabilities (USN-3208-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2016-9191

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins