http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=36ae3c0a36b7456432fedce38ae2f7bd3e01a563

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb

DSA-3981

http://www.openwall.com/lists/oss-security/2017/09/15/4

101022

RHSA-2018:0676

RHSA-2018:1062

RHSA-2018:1130

https://bugzilla.redhat.com/show_bug.cgi?id=1490781

https://github.com/torvalds/linux/commit/36ae3c0a36b7456432fedce38ae2f7bd3e01a563

https://github.com/torvalds/linux/commit/3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb

https://marc.info/?l=kvm&m=150549145711115&w=2

https://marc.info/?l=kvm&m=150549146311117&w=2

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The atalk_recvmsg function in net/appletalk/ddp.c in     the Linux kernel before 3.12.4 updates a certain length     value without ensuring that an associated data     structure has been initialized, which allows local     users to obtain sensitive information from kernel     memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg     system call.(CVE-2013-7267)

  - fs/f2fs/segment.c in the Linux kernel allows local     users to cause a denial of service (NULL pointer     dereference and panic) by using a noflush_merge option     that triggers a NULL value for a flush_cmd_control data     structure.(CVE-2017-18241)

  - fs/pnode.c in the Linux kernel before 4.5.4 does not     properly traverse a mount propagation tree in a certain     case involving a slave mount, which allows local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted series of mount system     calls.(CVE-2016-4581)

  - drivers/vhost/net.c in the Linux kernel before 3.13.10,     when mergeable buffers are disabled, does not properly     validate packet lengths, which allows guest OS users to     cause a denial of service (memory corruption and host     OS crash) or possibly gain privileges on the host OS     via crafted packets, related to the handle_rx and     get_rx_bufs functions.(CVE-2014-0077)

  - It was found that the fix for CVE-2016-9576 was     incomplete: the Linux kernel's sg implementation did     not properly restrict write operations in situations     where the KERNEL_DS option is set. A local attacker to     read or write to arbitrary kernel memory locations or     cause a denial of service (use-after-free) by     leveraging write access to a /dev/sg     device.(CVE-2016-10088)

  - ** DISPUTED ** An issue was discovered in the Linux     kernel through 4.17.2. Since the page allocator does     not yield CPU resources to the owner of the oom_lock     mutex, a local unprivileged user can trivially lock up     the system forever by wasting CPU resources from the     page allocator (e.g., via concurrent page fault events)     when the global OOM killer is invoked. NOTE: the     software maintainer has not accepted certain proposed     patches, in part because of a viewpoint that 'the     underlying problem is non-trivial to     handle.'(CVE-2016-10723)

  - A flaw was found in the way the Linux kernel's ASN.1     DER decoder processed certain certificate files with     tags of indefinite length. A local, unprivileged user     could use a specially crafted X.509 certificate DER     file to crash the system or, potentially, escalate     their privileges on the system.(CVE-2016-0758)

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled the association's output queue. A remote     attacker could send specially crafted packets that     would cause the system to use an excessive amount of     memory, leading to a denial of service.(CVE-2014-3688)

  - A use-after-free flaw was found in the way the     ping_init_sock() function of the Linux kernel handled     the group_info reference counter. A local, unprivileged     user could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-2851)

  - The compat_get_timex function in kernel/compat.c in the     Linux kernel before 4.16.9 allows local users to obtain     sensitive information from kernel memory via     adjtimex.(CVE-2018-11508)

  - The cdc_parse_cdc_header() function in     'drivers/usb/core/message.c' in the Linux kernel,     before 4.13.6, allows local users to cause a denial of     service (out-of-bounds read and system crash) or     possibly have unspecified other impact via a crafted     USB device. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely.(CVE-2017-16534)

  - A flaw was found in the crypto subsystem of the Linux     kernel before version kernel-4.15-rc4. The 'null     skcipher' was being dropped when each af_alg_ctx was     freed instead of when the aead_tfm was freed. This can     cause the null skcipher to be freed while it is still     in use leading to a local user being able to crash the     system or possibly escalate privileges.(CVE-2018-14619)

  - The crypto_skcipher_init_tfm function in     crypto/skcipher.c in the Linux kernel through 4.11.2     relies on a setkey function that lacks a key-size     check, which allows local users to cause a denial of     service (NULL pointer dereference) via a crafted     application.(CVE-2017-9211)

  - kernel/events/core.c in the performance subsystem in     the Linux kernel before 4.0 mismanages locks during     certain migrations, which allows local users to gain     privileges via a crafted application, aka Android     internal bug 30955111.(CVE-2016-6786)

  - The KEYS subsystem in the Linux kernel omitted an     access-control check when writing a key to the current     task's default keyring, allowing a local user to bypass     security checks to the keyring. This compromises the     validity of the keyring for those who rely on     it.(CVE-2017-17807)

  - A use-after-free flaw was found in the way the Linux     kernel's SCTP implementation handled authentication key     reference counting during INIT collisions. A remote     attacker could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2015-1421)

  - The waitid implementation in kernel/exit.c in the Linux     kernel through 4.13.4 accesses rusage data structures     in unintended cases. This can allow local users to     obtain sensitive information and bypass the KASLR     protection mechanism via a crafted system     call.(CVE-2017-14954)

  - It was found that the Linux kernel's keyring     implementation would leak memory when adding a key to a     keyring via the add_key() function. A local attacker     could use this flaw to exhaust all available memory on     the system.(CVE-2015-1333)

  - The msm_ipc_router_close function in     net/ipc_router/ipc_router_socket.c in the ipc_router     component for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allow attackers to cause a     denial of service (NULL pointer dereference) or     possibly have unspecified other impact by triggering     failure of an accept system call for an AF_MSM_IPC     socket.(CVE-2016-5870)

  - A reachable assertion failure flaw was found in the     Linux kernel built with KVM virtualisation(CONFIG_KVM)     support with Virtual Function I/O feature (CONFIG_VFIO)     enabled. This failure could occur if a malicious guest     device sent a virtual interrupt (guest IRQ) with a     larger (>1024) index value.(CVE-2017-1000252)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kvm package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in     the Linux kernel before 4.6.1 supports MSR 0x2f8, which     allows guest OS users to read or write to the     kvm_arch_vcpu data structure, and consequently obtain     sensitive information or cause a denial of service     (system crash), via a crafted ioctl     call.(CVE-2016-3713)

  - Linux kernel built with the Kernel-based Virtual     Machine (CONFIG_KVM) support is vulnerable to a null     pointer dereference flaw. It could occur on x86     platform, when emulating an undefined instruction. An     attacker could use this flaw to crash the host kernel     resulting in DoS.(CVE-2016-8630)

  - Linux kernel built with the Kernel-based Virtual     Machine (CONFIG_KVM) support was vulnerable to an     incorrect segment selector(SS) value error. The error     could occur while loading values into the SS register     in long mode. A user or process inside a guest could     use this flaw to crash the guest, resulting in DoS or     potentially escalate their privileges inside the     guest.(CVE-2017-2583)

  - arch/x86/kvm/emulate.c in the Linux kernel through     4.9.3 allows local users to obtain sensitive     information from kernel memory or cause a denial of     service (use-after-free) via a crafted application that     leverages instruction emulation for fxrstor, fxsave,     sgdt, and sidt.(CVE-2017-2584)

  - A reachable assertion failure flaw was found in the     Linux kernel built with KVM virtualisation(CONFIG_KVM)     support with Virtual Function I/O feature (CONFIG_VFIO)     enabled. This failure could occur if a malicious guest     device sent a virtual interrupt (guest IRQ) with a     larger (>1024) index value.(CVE-2017-1000252)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions (a commonly used performance     optimization). There are three primary variants of the     issue which differ in the way the speculative execution     can be exploited. Variant CVE-2017-5715 triggers the     speculative execution by utilizing branch target     injection. It relies on the presence of a     precisely-defined instruction sequence in the     privileged code as well as the fact that memory     accesses may cause allocation into the microprocessor's     data cache even for speculatively executed instructions     that never actually commit (retire). As a result, an     unprivileged attacker could use this flaw to cross the     syscall and guest/host boundaries and read privileged     memory by conducting targeted cache side-channel     attacks.(CVE-2017-5715)

  - A flaw was found in the way the Linux KVM module     processed the trap flag(TF) bit in EFLAGS during     emulation of the syscall instruction, which leads to a     debug exception(#DB) being raised in the guest stack. A     user/process inside a guest could use this flaw to     potentially escalate their privileges inside the guest.
    Linux guests are not affected by this.(CVE-2017-7518)

  - Linux kernel compiled with the KVM virtualization     (CONFIG_KVM) support is vulnerable to an out-of-bounds     read access issue. It could occur when emulating vmcall     instructions invoked by a guest. A guest user/process     could use this flaw to disclose kernel memory     bytes.(CVE-2017-17741)

  - Systems with microprocessors utilizing speculative     execution and speculative execution of memory reads     before the addresses of all prior memory writes are     known may allow unauthorized disclosure of information     to an attacker with local user access via a     side-channel analysis, aka Speculative Store Bypass     (SSB), Variant 4.(CVE-2018-3639)

  - kernel: kvm: guest userspace to guest kernel     write(CVE-2018-10853)

  - In the Linux kernel before 4.20.8,     kvm_ioctl_create_device in virt/kvm/kvm_main.c     mishandles reference counting because of a race     condition, leading to a use-after-free.(CVE-2019-6974)

  - The KVM implementation in the Linux kernel through     4.20.5 has an Information Leak.(CVE-2019-7222)

  - The KVM implementation in the Linux kernel through     4.20.5 has a Use-after-Free.(CVE-2019-7221)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An integer overflow vulnerability was found in the     ring_buffer_resize() calculations in which a privileged     user can adjust the size of the ringbuffer message     size. These calculations can create an issue where the     kernel memory allocator will not allocate the correct     count of pages yet expect them to be usable. This can     lead to the ftrace() output to appear to corrupt kernel     memory and possibly be used for privileged escalation     or more likely kernel panic.(CVE-2016-9754)

  - A flaw was found in the Linux kernel's implementation     of setsockopt for the SO_{SND|RCV}BUFFORCE setsockopt()     system call. Users with non-namespace CAP_NET_ADMIN are     able to trigger this call and create a situation in     which the sockets sendbuff data size could be negative.
    This could adversely affect memory allocations and     create situations where the system could crash or cause     memory corruption.(CVE-2016-9793)

  - A use-after-free vulnerability was found in ALSA pcm     layer, which allows local users to cause a denial of     service, memory corruption, or possibly other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2016-9794)

  - A double free vulnerability was found in netlink_dump,     which could cause a denial of service or possibly other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2016-9806)

  - A race condition issue leading to a use-after-free flaw     was found in the way the raw packet sockets are     implemented in the Linux kernel networking subsystem     handling synchronization. A local user able to open a     raw packet socket (requires the CAP_NET_RAW capability)     can use this issue to crash the     system.(CVE-2017-1000111)

  - An exploitable memory corruption flaw was found in the     Linux kernel. The append path can be erroneously     switched from UFO to non-UFO in ip_ufo_append_data()     when building an UFO packet with MSG_MORE option. If     unprivileged user namespaces are available, this flaw     can be exploited to gain root     privileges.(CVE-2017-1000112)

  - A stack buffer overflow flaw was found in the way the     Bluetooth subsystem of the Linux kernel processed     pending L2CAP configuration responses from a client. On     systems with the stack protection feature enabled in     the kernel (CONFIG_CC_STACKPROTECTOR=y, which is     enabled on all architectures other than s390x and     ppc64le), an unauthenticated attacker able to initiate     a connection to a system via Bluetooth could use this     flaw to crash the system. Due to the nature of the     stack protection feature, code execution cannot be     fully ruled out, although we believe it is unlikely. On     systems without the stack protection feature (ppc64le;
    the Bluetooth modules are not built on s390x), an     unauthenticated attacker able to initiate a connection     to a system via Bluetooth could use this flaw to     remotely execute arbitrary code on the system with ring     0 (kernel) privileges.(CVE-2017-1000251)

  - A reachable assertion failure flaw was found in the     Linux kernel built with KVM virtualisation(CONFIG_KVM)     support with Virtual Function I/O feature (CONFIG_VFIO)     enabled. This failure could occur if a malicious guest     device sent a virtual interrupt (guest IRQ) with a     larger (>1024) index value.(CVE-2017-1000252)

  - A flaw was found in the way memory was being allocated     on the stack for user space binaries. If heap (or     different memory region) and stack memory regions were     adjacent to each other, an attacker could use this flaw     to jump over the stack guard gap, cause controlled     memory corruption on process stack or the adjacent     memory region, and thus increase their privileges on     the system. This is a kernel-side mitigation which     increases the stack guard gap size from one page to 1     MiB to make successful exploitation of this issue more     difficult.(CVE-2017-1000364)

  - The Linux Kernel imposes a size restriction on the     arguments and environmental strings passed through     RLIMIT_STACK/RLIMIT_INFINITY, but does not take the     argument and environment pointers into account, which     allows attackers to bypass this     limitation.(CVE-2017-1000365)

  - The offset2lib patch as used in the Linux Kernel     contains a vulnerability that allows a PIE binary to be     execve()'ed with 1GB of arguments or environmental     strings then the stack occupies the address 0x80000000     and the PIE binary is mapped above 0x40000000     nullifying the protection of the offset2lib patch. This     affects Linux Kernel version 4.11.5 and earlier. This     is a different issue than CVE-2017-1000371. This issue     appears to be limited to i386 based     systems.(CVE-2017-1000370)

  - A flaw was found in the processing of incoming L2CAP     bluetooth commands. Uninitialized stack variables can     be sent to an attacker leaking data in kernel address     space.(CVE-2017-1000410)

  - A race condition was found in the Linux kernel before     version 4.11-rc1 in 'fs/timerfd.c' file which allows a     local user to cause a kernel list corruption or     use-after-free via simultaneous operations with a file     descriptor which leverage improper 'might_cancel'     queuing. An unprivileged local user could use this flaw     to cause a denial of service of the system. Due to the     nature of the flaw, privilege escalation cannot be     fully ruled out, although we believe it is     unlikely.(CVE-2017-10661)

  - Memory leak in the virtio_gpu_object_create function in     drivers/gpu/drm/virtio/virtgpu_object.c in the Linux     kernel through 4.11.8 allows attackers to cause a     denial of service (memory consumption) by triggering     object-initialization failures.(CVE-2017-10810)

  - The make_response function in     drivers/block/xen-blkback/blkback.c in the Linux kernel     before 4.11.8 allows guest OS users to obtain sensitive     information from host OS (or other guest OS) kernel     memory by leveraging the copying of uninitialized     padding fields in Xen block-interface response     structures, aka XSA-216.(CVE-2017-10911)

  - A use-after-free flaw was found in the Netlink     functionality of the Linux kernel networking subsystem.
    Due to the insufficient cleanup in the mq_notify     function, a local attacker could potentially use this     flaw to escalate their privileges on the     system.(CVE-2017-11176)

  - Buffer overflow in the mp_override_legacy_irq()     function in arch/x86/kernel/acpi/boot.c in the Linux     kernel through 4.12.2 allows local users to gain     privileges via a crafted ACPI table.(CVE-2017-11473)

  - The xfrm_migrate() function in the     net/xfrm/xfrm_policy.c file in the Linux kernel built     with CONFIG_XFRM_MIGRATE does not verify if the dir     parameter is less than XFRM_POLICY_MAX. This allows a     local attacker to cause a denial of service     (out-of-bounds access) or possibly have unspecified     other impact by sending a XFRM_MSG_MIGRATE netlink     message. This flaw is present in the Linux kernel since     an introduction of XFRM_MSG_MIGRATE in 2.6.21-rc1, up     to 4.13-rc3.(CVE-2017-11600)

  - A security flaw was discovered in     nl80211_set_rekey_data() function in the Linux kernel     since v3.1-rc1 through v4.13. This function does not     check whether the required attributes are present in a     netlink request. This request can be issued by a user     with CAP_NET_ADMIN privilege and may result in NULL     dereference and a system crash.(CVE-2017-12153)

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization (nVMX) feature     enabled (nested=1), is vulnerable to a crash due to     disabled external interrupts. As L2 guest could access     (r/w) hardware CR8 register of the host(L0). In a     nested visualization setup, L2 guest user could use     this flaw to potentially crash the host(L0) resulting     in DoS.(CVE-2017-12154)

  - The Linux kernel built with the KVM visualization     support (CONFIG_KVM), with nested visualization(nVMX)     feature enabled (nested=1), was vulnerable to a stack     buffer overflow issue. The vulnerability could occur     while traversing guest page table entries to resolve     guest virtual address(gva). An L1 guest could use this     flaw to crash the host kernel resulting in denial of     service (DoS) or potentially execute arbitrary code on     the host to gain privileges on the     system.(CVE-2017-12188)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security Fix(es) :

  - hw: cpu: speculative execution permission faults     handling (CVE-2017-5754, Important, KVM for Power)

  - kernel: Buffer overflow in firewire driver via crafted     incoming packets (CVE-2016-8633, Important)

  - kernel: Use-after-free vulnerability in DCCP socket     (CVE-2017-8824, Important)

  - Kernel: kvm: nVMX: L2 guest could access hardware(L0)     CR8 register (CVE-2017-12154, Important)

  - kernel: v4l2: disabled memory access protection     mechanism allowing privilege escalation (CVE-2017-13166,     Important)

  - kernel: media: use-after-free in [tuner-xc2028] media     driver (CVE-2016-7913, Moderate)

  - kernel: drm/vmwgfx: fix integer overflow in     vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

  - kernel: Incorrect type conversion for size during dma     allocation (CVE-2017-9725, Moderate)

  - kernel: memory leak when merging buffers in SCSI IO     vectors (CVE-2017-12190, Moderate)

  - kernel: vfs: BUG in truncate_inode_pages_range() and     fuse client (CVE-2017-15121, Moderate)

  - kernel: Use-after-free in     userfaultfd_event_wait_completion function in     userfaultfd.c (CVE-2017-15126, Moderate)

  - kernel: net: double-free and memory corruption in     get_net_ns_by_id() (CVE-2017-15129, Moderate)

  - kernel: Use-after-free in snd_seq_ioctl_create_port()     (CVE-2017-15265, Moderate)

  - kernel: Missing capabilities check in     net/netfilter/nfnetlink_cthelper.c allows for     unprivileged access to systemwide nfnl_cthelper_list     structure (CVE-2017-17448, Moderate)

  - kernel: Missing namespace check in     net/netlink/af_netlink.c allows for network monitors to     observe systemwide activity (CVE-2017-17449, Moderate)

  - kernel: Unallocated memory access by malicious USB     device via bNumInterfaces overflow (CVE-2017-17558,     Moderate)

  - kernel: netfilter: use-after-free in     tcpmss_mangle_packet function in     net/netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

  - kernel: Race condition in     drivers/md/dm.c:dm_get_from_kobject() allows local users     to cause a denial of service (CVE-2017-18203, Moderate)

  - kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ     (CVE-2017-1000252, Moderate)

  - Kernel: KVM: DoS via write flood to I/O port 0x80     (CVE-2017-1000407, Moderate)

  - kernel: Stack information leak in the EFS element     (CVE-2017-1000410, Moderate)

  - kernel: Kernel address information leak in     drivers/acpi/sbshc.c:acpi_smbus_hc_add() function     potentially allowing KASLR bypass (CVE-2018-5750,     Moderate)

  - kernel: Race condition in sound system can lead to     denial of service (CVE-2018-1000004, Moderate)

  - kernel: multiple Low security impact security issues     (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116,     CVE-2017-15127, CVE-2018-6927, Low)

Additional Changes :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power)

* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

* kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate)

* kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low)

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

An update for kernel is now available for Red Hat Enterprise Linux 7.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Mohamed Ghannam for reporting CVE-2017-8824; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410.

Bug Fix(es) :

These updated kernel packages include also numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. See the bug fix descriptions in the related Knowledge Article:
https://access.redhat.com/articles/3411331

From Red Hat Security Advisory 2018:1062 :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power)

* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

* kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate)

* kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low)

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Incorrect handling in arch/x86/include/asm/ mmu_context.h:init_new_context function allowing use-after-free (CVE-2017-17053, Moderate)

* kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

* kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate)

* kernel: unlimiting the stack disables ASLR (CVE-2016-3672, Low)

* kernel: Missing permission check in move_pages system call (CVE-2017-14140, Low)

* kernel: NULL pointer dereference in rngapi_reset function (CVE-2017-15116, Low)

* kernel: Improper error handling of VM_SHARED hugetlbfs mapping in mm/ hugetlb.c (CVE-2017-15127, Low)

* kernel: Integer overflow in futex.c:futux_requeue can lead to denial of service or unspecified impact (CVE-2018-6927, Low)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H.
Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

Additional Changes :

See the Red Hat Enterprise Linux 7.5 Release Notes linked from References.

It was discovered that the KVM subsystem in the Linux kernel did not properly bound guest IRQs. A local attacker in a guest VM could use this to cause a denial of service (host system crash).
(CVE-2017-1000252)

It was discovered that the Flash-Friendly File System (f2fs) implementation in the Linux kernel did not properly validate superblock metadata. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-10663)

Anthony Perard discovered that the Xen virtual block driver did not properly initialize some data structures before passing them to user space. A local attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.
(CVE-2017-10911)

It was discovered that a use-after-free vulnerability existed in the POSIX message queue implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11176)

Dave Chinner discovered that the XFS filesystem did not enforce that the realtime inode flag was settable only on filesystems on a realtime device. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14340).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3468-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.

It was discovered that the KVM subsystem in the Linux kernel did not properly bound guest IRQs. A local attacker in a guest VM could use this to cause a denial of service (host system crash).
(CVE-2017-1000252)

It was discovered that the Flash-Friendly File System (f2fs) implementation in the Linux kernel did not properly validate superblock metadata. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-10663)

Anthony Perard discovered that the Xen virtual block driver did not properly initialize some data structures before passing them to user space. A local attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.
(CVE-2017-10911)

It was discovered that a use-after-free vulnerability existed in the POSIX message queue implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11176)

Dave Chinner discovered that the XFS filesystem did not enforce that the realtime inode flag was settable only on filesystems on a realtime device. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14340).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.90 to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-1000252: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (assertion failure, and hypervisor hang or crash) via an     out-of bounds guest_irq value, related to     arch/x86/kvm/vmx.c and virt/kvm/eventfd.c (bnc#1058038).

  - CVE-2017-10810: Memory leak in the     virtio_gpu_object_create function in     drivers/gpu/drm/virtio/virtgpu_object.c in the Linux     kernel allowed attackers to cause a denial of service     (memory consumption) by triggering object-initialization     failures (bnc#1047277).

  - CVE-2017-11472: The acpi_ns_terminate() function in     drivers/acpi/acpica/nsutils.c in the Linux kernel did     not flush the operand cache and causes a kernel stack     dump, which allowed local users to obtain sensitive     information from kernel memory and bypass the KASLR     protection mechanism (in the kernel through 4.9) via a     crafted ACPI table (bnc#1049580).

  - CVE-2017-11473: Buffer overflow in the     mp_override_legacy_irq() function in     arch/x86/kernel/acpi/boot.c in the Linux kernel allowed     local users to gain privileges via a crafted ACPI table     (bnc#1049603).

  - CVE-2017-12134: The xen_biovec_phys_mergeable function     in drivers/xen/biomerge.c in Xen might allow local OS     guest users to corrupt block device data streams and     consequently obtain sensitive memory information, cause     a denial of service, or gain host OS privileges by     leveraging incorrect block IO merge-ability calculation     (bnc#1051790 bnc#1053919).

  - CVE-2017-12153: A security flaw was discovered in the     nl80211_set_rekey_data() function in     net/wireless/nl80211.c in the Linux kernel This function     did not check whether the required attributes are     present in a Netlink request. This request can be issued     by a user with the CAP_NET_ADMIN capability and may     result in a NULL pointer dereference and system crash     (bnc#1058410).

  - CVE-2017-12154: The prepare_vmcs02 function in     arch/x86/kvm/vmx.c in the Linux kernel did not ensure     that the 'CR8-load exiting' and 'CR8-store exiting' L0     vmcs02 controls exist in cases where L1 omits the 'use     TPR shadow' vmcs12 control, which allowed KVM L2 guest     OS users to obtain read and write access to the hardware     CR8 register (bnc#1058507).

  - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2)     allowed reinstallation of the Group Temporal Key (GTK)     during the group key handshake, allowing an attacker     within radio range to replay frames from access points     to clients (bnc#1063667).

  - CVE-2017-14051: An integer overflow in the     qla2x00_sysfs_write_optrom_ctl function in     drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash) by leveraging root access     (bnc#1056588).

  - CVE-2017-14106: The tcp_disconnect function in     net/ipv4/tcp.c in the Linux kernel allowed local users     to cause a denial of service (__tcp_select_window     divide-by-zero error and system crash) by triggering a     disconnect within a certain tcp_recvmsg code path     (bnc#1056982).

  - CVE-2017-14489: The iscsi_if_rx function in     drivers/scsi/scsi_transport_iscsi.c in the Linux kernel     allowed local users to cause a denial of service (panic)     by leveraging incorrect length validation (bnc#1059051).

  - CVE-2017-15649: net/packet/af_packet.c in the Linux     kernel allowed local users to gain privileges via     crafted system calls that trigger mishandling of     packet_fanout data structures, because of a race     condition (involving fanout_add and packet_do_bind) that     leads to a use-after-free, a different vulnerability     than CVE-2017-6346 (bnc#1064388).

  - CVE-2017-7518: The Linux kernel was vulnerable to an     incorrect debug exception(#DB) error. It could occur     while emulating a syscall instruction and potentially     lead to guest privilege escalation. (bsc#1045922).

  - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in     drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021     1.c in the Linux kernel allowed local users to cause a     denial of service (buffer overflow and system crash) or     possibly gain privileges via a crafted NL80211_CMD_FRAME     Netlink packet (bnc#1049645).

  - CVE-2017-7542: The ip6_find_1stfragopt function in     net/ipv6/output_core.c in the Linux kernel allowed local     users to cause a denial of service (integer overflow and     infinite loop) by leveraging the ability to open a raw     socket (bnc#1049882).

  - CVE-2017-8831: The saa7164_bus_get function in     drivers/media/pci/saa7164/saa7164-bus.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds array access) or possibly have     unspecified other impact by changing a certain     sequence-number value, aka a 'double fetch'     vulnerability (bnc#1037994).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.92 to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-1000252: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (assertion failure, and hypervisor hang or crash) via an     out-of bounds guest_irq value, related to     arch/x86/kvm/vmx.c and virt/kvm/eventfd.c (bnc#1058038).

  - CVE-2017-11472: The acpi_ns_terminate() function in     drivers/acpi/acpica/nsutils.c in the Linux kernel did     not flush the operand cache and causes a kernel stack     dump, which allowed local users to obtain sensitive     information from kernel memory and bypass the KASLR     protection mechanism (in the kernel through 4.9) via a     crafted ACPI table (bnc#1049580).

  - CVE-2017-12134: The xen_biovec_phys_mergeable function     in drivers/xen/biomerge.c in Xen might allow local OS     guest users to corrupt block device data streams and     consequently obtain sensitive memory information, cause     a denial of service, or gain host OS privileges by     leveraging incorrect block IO merge-ability calculation     (bnc#1051790 bsc#1053919).

  - CVE-2017-12153: A security flaw was discovered in the     nl80211_set_rekey_data() function in     net/wireless/nl80211.c in the Linux kernel This function     did not check whether the required attributes are     present in a Netlink request. This request can be issued     by a user with the CAP_NET_ADMIN capability and may     result in a NULL pointer dereference and system crash     (bnc#1058410).

  - CVE-2017-12154: The prepare_vmcs02 function in     arch/x86/kvm/vmx.c in the Linux kernel did not ensure     that the 'CR8-load exiting' and 'CR8-store exiting' L0     vmcs02 controls exist in cases where L1 omits the 'use     TPR shadow' vmcs12 control, which allowed KVM L2 guest     OS users to obtain read and write access to the hardware     CR8 register (bnc#1058507).

  - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2)     allowed reinstallation of the Group Temporal Key (GTK)     during the group key handshake, allowing an attacker     within radio range to replay frames from access points     to clients (bnc#1056061 1063479 1063667 1063671).

  - CVE-2017-14051: An integer overflow in the     qla2x00_sysfs_write_optrom_ctl function in     drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash) by leveraging root access     (bnc#1056588).

  - CVE-2017-14106: The tcp_disconnect function in     net/ipv4/tcp.c in the Linux kernel allowed local users     to cause a denial of service (__tcp_select_window     divide-by-zero error and system crash) by triggering a     disconnect within a certain tcp_recvmsg code path     (bnc#1056982).

  - CVE-2017-14489: The iscsi_if_rx function in     drivers/scsi/scsi_transport_iscsi.c in the Linux kernel     allowed local users to cause a denial of service (panic)     by leveraging incorrect length validation (bnc#1059051).

  - CVE-2017-15265: Use-after-free vulnerability in the     Linux kernel before 4.14-rc5 allowed local users to have     unspecified impact via vectors related to /dev/snd/seq     (bnc#1062520).

  - CVE-2017-15649: net/packet/af_packet.c in the Linux     kernel allowed local users to gain privileges via     crafted system calls that trigger mishandling of     packet_fanout data structures, because of a race     condition (involving fanout_add and packet_do_bind) that     leads to a use-after-free, a different vulnerability     than CVE-2017-6346 (bnc#1064388).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE Leap 42.3 kernel was updated to 4.4.90 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2017-1000252: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (assertion failure, and hypervisor hang or crash) via an     out-of bounds guest_irq value, related to     arch/x86/kvm/vmx.c and virt/kvm/eventfd.c (bnc#1058038).

  - CVE-2017-14489: The iscsi_if_rx function in     drivers/scsi/scsi_transport_iscsi.c in the Linux kernel     allowed local users to cause a denial of service (panic)     by leveraging incorrect length validation (bnc#1059051).

  - CVE-2017-12153: A security flaw was discovered in the     nl80211_set_rekey_data() function in     net/wireless/nl80211.c in the Linux kernel This function     did not check whether the required attributes are     present in a Netlink request. This request can be issued     by a user with the CAP_NET_ADMIN capability and may     result in a NULL pointer dereference and system crash     (bnc#1058410).

  - CVE-2017-12154: The prepare_vmcs02 function in     arch/x86/kvm/vmx.c in the Linux kernel did not ensure     that the 'CR8-load exiting' and 'CR8-store exiting' L0     vmcs02 controls exist in cases where L1 omits the 'use     TPR shadow' vmcs12 control, which allowed KVM L2 guest     OS users to obtain read and write access to the hardware     CR8 register (bnc#1058507).

The following non-security bugs were fixed :

  - arc: Re-enable MMU upon Machine Check exception     (bnc#1012382).

  - arm64: fault: Route pte translation faults via     do_translation_fault (bnc#1012382).

  - arm64: Make sure SPsel is always set (bnc#1012382).

  - arm: pxa: add the number of DMA requestor lines     (bnc#1012382).

  - arm: pxa: fix the number of DMA requestor lines     (bnc#1012382).

  - bcache: correct cache_dirty_target in
    __update_writeback_rate() (bnc#1012382).

  - bcache: Correct return value for sysfs attach errors     (bnc#1012382).

  - bcache: do not subtract sectors_to_gc for bypassed IO     (bnc#1012382).

  - bcache: fix bch_hprint crash and improve output     (bnc#1012382).

  - bcache: fix for gc and write-back race (bnc#1012382).

  - bcache: Fix leak of bdev reference (bnc#1012382).

  - bcache: initialize dirty stripes in flash_dev_run()     (bnc#1012382).

  - block: Relax a check in blk_start_queue() (bnc#1012382).

  - bsg-lib: do not free job in bsg_prepare_job     (bnc#1012382).

  - btrfs: change how we decide to commit transactions     during flushing (bsc#1060197).

  - btrfs: fix NULL pointer dereference from     free_reloc_roots() (bnc#1012382).

  - btrfs: prevent to set invalid default subvolid     (bnc#1012382).

  - btrfs: propagate error to btrfs_cmp_data_prepare caller     (bnc#1012382).

  - btrfs: qgroup: move noisy underflow warning to debugging     build (bsc#1055755).

  - cifs: Fix SMB3.1.1 guest authentication to Samba     (bnc#1012382).

  - cifs: release auth_key.response for reconnect     (bnc#1012382).

  - crypto: AF_ALG - remove SGL terminator indicator when     chaining (bnc#1012382).

  - crypto: talitos - Do not provide setkey for non hmac     hashing algs (bnc#1012382).

  - crypto: talitos - fix sha224 (bnc#1012382).

  - cxl: Fix driver use count (bnc#1012382).

  - dmaengine: mmp-pdma: add number of requestors     (bnc#1012382).

  - drivers: net: phy: xgene: Fix mdio write (bsc#1057383).

  - drm: Add driver-private objects to atomic state     (bsc#1055493).

  - drm/dp: Introduce MST topology state to track available     link bandwidth (bsc#1055493).

  - efi/fb: Avoid reconfiguration of BAR that covers the     framebuffer (bsc#1051987).

  - efi/fb: Correct PCI_STD_RESOURCE_END usage     (bsc#1051987).

  - ext4: fix incorrect quotaoff if the quota feature is     enabled (bnc#1012382).

  - ext4: fix quota inconsistency during orphan cleanup for     read-only mounts (bnc#1012382).

  - f2fs: check hot_data for roll-forward recovery     (bnc#1012382).

  - fix xen_swiotlb_dma_mmap prototype (bnc#1012382).

  - ftrace: Fix memleak when unregistering dynamic ops when     tracing disabled (bnc#1012382).

  - ftrace: Fix selftest goto location on error     (bnc#1012382).

  - genirq: Fix for_each_action_of_desc() macro     (bsc#1061064).

  - getcwd: Close race with d_move called by lustre     (bsc#1052593).

  - gfs2: Fix debugfs glocks dump (bnc#1012382).

  - gianfar: Fix Tx flow control deactivation (bnc#1012382).

  - hid: usbhid: Add HID_QUIRK_NOGET for Aten CS-1758 KVM     switch (bnc#1022967).

  - input: i8042 - add Gigabyte P57 to the keyboard reset     table (bnc#1012382).

  - iommu/vt-d: Avoid calling virt_to_phys() on NULL pointer     (bsc#1061067).

  - ipv6: accept 64k - 1 packet length in     ip6_find_1stfragopt() (bnc#1012382).

  - ipv6: add rcu grace period before freeing fib6_node     (bnc#1012382).

  - ipv6: fix memory leak with multiple tables during netns     destruction (bnc#1012382).

  - ipv6: fix sparse warning on rt6i_node (bnc#1012382).

  - ipv6: fix typo in fib6_net_exit() (bnc#1012382).

  - iw_cxgb4: put ep reference in pass_accept_req()     (fate#321658 bsc#1005778 fate#321660 bsc#1005780     fate#321661 bsc#1005781).

  - KABI fix drivers/nvme/target/nvmet.h (bsc#1058550).

  - kabi/severities: ignore nfs_pgio_data_destroy

  - kABI: Workaround kABI breakage of AMD-AVIC fixes     (bsc#1044503).

  - keys: fix writing past end of user-supplied buffer in     keyring_read() (bnc#1012382).

  - keys: prevent creating a different user's keyrings     (bnc#1012382).

  - keys: prevent KEYCTL_READ on negative key (bnc#1012382).

  - kvm: Add struct kvm_vcpu pointer parameter to     get_enable_apicv() (bsc#1044503).

  - kvm: async_pf: Fix #DF due to inject 'Page not Present'     and 'Page Ready' exceptions simultaneously     (bsc#1061017).

  - kvm: PPC: Book3S: Fix race and leak in     kvm_vm_ioctl_create_spapr_tce() (bnc#1012382).

  - kvm: SVM: Add a missing 'break' statement (bsc#1061017).

  - kvm: SVM: Add irqchip_split() checks before enabling     AVIC (bsc#1044503).

  - kvm: SVM: delete avic_vm_id_bitmap (2 megabyte static     array) (bsc#1059500).

  - kvm: SVM: Refactor AVIC vcpu initialization into     avic_init_vcpu() (bsc#1044503).

  - kvm: VMX: do not change SN bit in vmx_update_pi_irte()     (bsc#1061017).

  - kvm: VMX: remove WARN_ON_ONCE in     kvm_vcpu_trigger_posted_interrupt (bsc#1061017).

  - kvm: VMX: use cmpxchg64 (bnc#1012382).

  - mac80211: flush hw_roc_start work before cancelling the     ROC (bnc#1012382).

  - md/bitmap: disable bitmap_resize for file-backed bitmaps     (bsc#1061172).

  - md/raid5: preserve STRIPE_ON_UNPLUG_LIST in     break_stripe_batch_list (bnc#1012382).

  - md/raid5: release/flush io in raid5_do_work()     (bnc#1012382).

  - media: uvcvideo: Prevent heap overflow when accessing     mapped controls (bnc#1012382).

  - media: v4l2-compat-ioctl32: Fix timespec conversion     (bnc#1012382).

  - mips: math-emu: <MAXA|MINA>.<D|S>: Fix cases of both     infinite inputs (bnc#1012382).

  - mips: math-emu: <MAXA|MINA>.<D|S>: Fix cases of input     values with opposite signs (bnc#1012382).

  - mips: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix cases of     both inputs zero (bnc#1012382).

  - mips: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix quiet NaN     propagation (bnc#1012382).

  - mips: math-emu: <MAX|MIN>.<D|S>: Fix cases of both     inputs negative (bnc#1012382).

  - mips: math-emu: MINA.<D|S>: Fix some cases of infinity     and zero inputs (bnc#1012382).

  - mm: prevent double decrease of nr_reserved_highatomic     (bnc#1012382).

  - nfsd: Fix general protection fault in     release_lock_stateid() (bnc#1012382).

  - nvme-fabrics: generate spec-compliant UUID NQNs     (bsc#1057498).

  - nvmet: Move serial number from controller to subsystem     (bsc#1058550).

  - nvmet: preserve controller serial number between reboots     (bsc#1058550).

  - pci: Allow PCI express root ports to find themselves     (bsc#1061046).

  - pci: fix oops when try to find Root Port for a PCI     device (bsc#1061046).

  - pci: Fix race condition with driver_override     (bnc#1012382).

  - pci: Mark AMD Stoney GPU ATS as broken (bsc#1061046).

  - pci: shpchp: Enable bridge bus mastering if MSI is     enabled (bnc#1012382).

  - perf/x86: Fix RDPMC vs. mm_struct tracking     (bsc#1061831).

  - perf/x86: kABI Workaround for 'perf/x86: Fix RDPMC vs.
    mm_struct tracking' (bsc#1061831).

  - perf: xgene: Add APM X-Gene SoC Performance Monitoring     Unit driver (bsc#1036737).

  - perf: xgene: Include module.h (bsc#1036737).

  - perf: xgene: Move PMU leaf functions into function     pointer structure (bsc#1036737).

  - perf: xgene: Parse PMU subnode from the match table     (bsc#1036737).

  - powerpc: Fix DAR reporting when alignment handler faults     (bnc#1012382).

  - powerpc/perf: Cleanup of PM_BR_CMPL vs. PM_BRU_CMPL in     Power9 event list (bsc#1056686, fate#321438,     bsc#1047238, git-fixes 34922527a2bc).

  - powerpc/perf: Factor out PPMU_ONLY_COUNT_RUN check code     from power8 (fate#321438, bsc#1053043, git-fixes     efe881afdd999).

  - powerpc/pseries: Fix parent_dn reference leak in     add_dt_node() (bnc#1012382).

  - qlge: avoid memcpy buffer overflow (bnc#1012382).

  - rdma/bnxt_re: Allocate multiple notification queues     (bsc#1037579).

  - rdma/bnxt_re: Implement the alloc/get_hw_stats callback     (bsc#1037579).

  - Revert 'net: fix percpu memory leaks' (bnc#1012382).

  - Revert 'net: phy: Correctly process PHY_HALTED in     phy_stop_machine()' (bnc#1012382).

  - Revert 'net: use lib/percpu_counter API for     fragmentation mem accounting' (bnc#1012382).

  - Revert 'Update     patches.fixes/xfs-refactor-log-record-unpack-and-data-pr     ocessing.patch (bsc#1043598, bsc#1036215).' 

  - Revert 'xfs: detect and handle invalid iclog size set by     mkfs (bsc#1043598).'

  - Revert 'xfs: detect and trim torn writes during log     recovery (bsc#1036215).' 

  - Revert 'xfs: refactor and open code log record crc check     (bsc#1036215).'

  - Revert 'xfs: refactor log record start detection into a     new helper (bsc#1036215).'

  - Revert 'xfs: return start block of first bad log record     during recovery (bsc#1036215).'

  - Revert 'xfs: support a crc verification only log record     pass (bsc#1036215).'

  - scsi: ILLEGAL REQUEST + ASC==27 => target failure     (bsc#1059465).

  - scsi: megaraid_sas: Check valid aen class range to avoid     kernel panic (bnc#1012382).

  - scsi: megaraid_sas: Return pended IOCTLs with cmd_status     MFI_STAT_WRONG_STATE in case adapter is dead     (bnc#1012382).

  - scsi: sg: factor out sg_fill_request_table()     (bnc#1012382).

  - scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE     (bnc#1012382).

  - scsi: sg: off by one in sg_ioctl() (bnc#1012382).

  - scsi: sg: remove 'save_scat_len' (bnc#1012382).

  - scsi: sg: use standard lists for sg_requests     (bnc#1012382).

  - scsi: storvsc: fix memory leak on ring buffer busy     (bnc#1012382).

  - scsi_transport_fc: Also check for NOTPRESENT in     fc_remote_port_add() (bsc#1037890).

  - scsi: zfcp: add handling for FCP_RESID_OVER to the fcp     ingress path (bnc#1012382).

  - scsi: zfcp: fix capping of unsuccessful GPN_FT SAN     response trace records (bnc#1012382).

  - scsi: zfcp: fix missing trace records for early returns     in TMF eh handlers (bnc#1012382).

  - scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to     correlate with HBA (bnc#1012382).

  - scsi: zfcp: fix payload with full FCP_RSP IU in SCSI     trace records (bnc#1012382).

  - scsi: zfcp: fix queuecommand for scsi_eh commands when     DIX enabled (bnc#1012382).

  - scsi: zfcp: trace HBA FSF response by default on dismiss     or timedout late response (bnc#1012382).

  - scsi: zfcp: trace high part of 'new' 64 bit SCSI LUN     (bnc#1012382).

  - seccomp: fix the usage of get/put_seccomp_filter() in     seccomp_get_filter() (bnc#1012382).

  - skd: Avoid that module unloading triggers a     use-after-free (bnc#1012382).

  - skd: Submit requests to firmware before triggering the     doorbell (bnc#1012382).

  - smb3: Do not ignore O_SYNC/O_DSYNC and O_DIRECT flags     (bnc#1012382).

  - smb: Validate negotiate (to protect against downgrade)     even if signing off (bnc#1012382).

  - swiotlb-xen: implement xen_swiotlb_dma_mmap callback     (bnc#1012382).

  - timer/sysclt: Restrict timer migration sysctl values to     0 and 1 (bnc#1012382).

  - tracing: Apply trace_clock changes to instance max     buffer (bnc#1012382).

  - tracing: Erase irqsoff trace with empty write     (bnc#1012382).

  - tracing: Fix trace_pipe behavior for instance traces     (bnc#1012382).

  - tty: fix __tty_insert_flip_char regression     (bnc#1012382).

  - tty: improve tty_insert_flip_char() fast path     (bnc#1012382).

  - tty: improve tty_insert_flip_char() slow path     (bnc#1012382).

  - Update     patches.drivers/0029-perf-xgene-Remove-bogus-IS_ERR-chec     k.patch (bsc#1036737).

  - vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA     offsets (bnc#1012382).

  - video: fbdev: aty: do not leak uninitialized padding in     clk to userspace (bnc#1012382).

  - Workaround for kABI compatibility with DP-MST patches     (bsc#1055493).

  - x86/cpu/amd: Hide unused legacy_fixup_core_id() function     (bsc#1060229).

  - x86/cpu/amd: Limit cpu_core_id fixup to families older     than F17h (bsc#1060229).

  - x86/fpu: Do not let userspace set bogus xcomp_bv     (bnc#1012382).

  - x86/fsgsbase/64: Report FSBASE and GSBASE correctly in     core dumps (bnc#1012382).

  - x86/ldt: Fix off by one in get_segment_base()     (bsc#1061872).

  - x86/mm: Fix boot crash caused by incorrect loop count     calculation in sync_global_pgds() (bsc#1058512).

  - x86/mm: Fix fault error path using unsafe vma pointer     (fate#321300).

The openSUSE Leap 42.2 Kernel was updated to 4.4.90 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2017-1000252: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (assertion failure, and hypervisor hang or crash) via an     out-of bounds guest_irq value, related to     arch/x86/kvm/vmx.c and virt/kvm/eventfd.c (bnc#1058038).

  - CVE-2017-14489: The iscsi_if_rx function in     drivers/scsi/scsi_transport_iscsi.c in the Linux kernel     allowed local users to cause a denial of service (panic)     by leveraging incorrect length validation (bnc#1059051).

  - CVE-2017-12153: A security flaw was discovered in the     nl80211_set_rekey_data() function in     net/wireless/nl80211.c in the Linux kernel This function     did not check whether the required attributes are     present in a Netlink request. This request can be issued     by a user with the CAP_NET_ADMIN capability and may     result in a NULL pointer dereference and system crash     (bnc#1058410).

  - CVE-2017-12154: The prepare_vmcs02 function in     arch/x86/kvm/vmx.c in the Linux kernel did not ensure     that the 'CR8-load exiting' and 'CR8-store exiting' L0     vmcs02 controls exist in cases where L1 omits the 'use     TPR shadow' vmcs12 control, which allowed KVM L2 guest     OS users to obtain read and write access to the hardware     CR8 register (bnc#1058507).

The following non-security bugs were fixed :

  - arc: Re-enable MMU upon Machine Check exception     (bnc#1012382).

  - arm64: fault: Route pte translation faults via     do_translation_fault (bnc#1012382).

  - arm64: Make sure SPsel is always set (bnc#1012382).

  - arm: pxa: add the number of DMA requestor lines     (bnc#1012382).

  - arm: pxa: fix the number of DMA requestor lines     (bnc#1012382).

  - bcache: correct cache_dirty_target in
    __update_writeback_rate() (bnc#1012382).

  - bcache: Correct return value for sysfs attach errors     (bnc#1012382).

  - bcache: do not subtract sectors_to_gc for bypassed IO     (bnc#1012382).

  - bcache: fix bch_hprint crash and improve output     (bnc#1012382).

  - bcache: fix for gc and write-back race (bnc#1012382).

  - bcache: Fix leak of bdev reference (bnc#1012382).

  - bcache: initialize dirty stripes in flash_dev_run()     (bnc#1012382).

  - blacklist.conf: Add commit b5accbb0dfae

  - blacklist.conf: add one more

  - block: Relax a check in blk_start_queue() (bnc#1012382).

  - bsg-lib: do not free job in bsg_prepare_job     (bnc#1012382).

  - btrfs: change how we decide to commit transactions     during flushing (bsc#1060197).

  - btrfs: fix NULL pointer dereference from     free_reloc_roots() (bnc#1012382).

  - btrfs: prevent to set invalid default subvolid     (bnc#1012382).

  - btrfs: propagate error to btrfs_cmp_data_prepare caller     (bnc#1012382).

  - btrfs: qgroup: move noisy underflow warning to debugging     build (bsc#1055755).

  - cifs: Fix SMB3.1.1 guest authentication to Samba     (bnc#1012382).

  - cifs: release auth_key.response for reconnect     (bnc#1012382).

  - crypto: AF_ALG - remove SGL terminator indicator when     chaining (bnc#1012382).

  - crypto: talitos - Do not provide setkey for non hmac     hashing algs (bnc#1012382).

  - crypto: talitos - fix sha224 (bnc#1012382).

  - cxl: Fix driver use count (bnc#1012382).

  - dmaengine: mmp-pdma: add number of requestors     (bnc#1012382).

  - drm: Add driver-private objects to atomic state     (bsc#1055493).

  - drm/dp: Introduce MST topology state to track available     link bandwidth (bsc#1055493).

  - ext4: fix incorrect quotaoff if the quota feature is     enabled (bnc#1012382).

  - ext4: fix quota inconsistency during orphan cleanup for     read-only mounts (bnc#1012382).

  - f2fs: check hot_data for roll-forward recovery     (bnc#1012382).

  - fix xen_swiotlb_dma_mmap prototype (bnc#1012382).

  - ftrace: Fix memleak when unregistering dynamic ops when     tracing disabled (bnc#1012382).

  - ftrace: Fix selftest goto location on error     (bnc#1012382).

  - genirq: Fix for_each_action_of_desc() macro     (bsc#1061064).

  - getcwd: Close race with d_move called by lustre     (bsc#1052593).

  - gfs2: Fix debugfs glocks dump (bnc#1012382).

  - gianfar: Fix Tx flow control deactivation (bnc#1012382).

  - hid: usbhid: Add HID_QUIRK_NOGET for Aten CS-1758 KVM     switch (bnc#1022967).

  - input: i8042 - add Gigabyte P57 to the keyboard reset     table (bnc#1012382).

  - iommu/vt-d: Avoid calling virt_to_phys() on NULL pointer     (bsc#1061067).

  - ipv6: accept 64k - 1 packet length in     ip6_find_1stfragopt() (bnc#1012382).

  - ipv6: add rcu grace period before freeing fib6_node     (bnc#1012382).

  - ipv6: fix memory leak with multiple tables during netns     destruction (bnc#1012382).

  - ipv6: fix sparse warning on rt6i_node (bnc#1012382).

  - ipv6: fix typo in fib6_net_exit() (bnc#1012382).

  - kabi/severities: ignore nfs_pgio_data_destroy

  - keys: fix writing past end of user-supplied buffer in     keyring_read() (bnc#1012382).

  - keys: prevent creating a different user's keyrings     (bnc#1012382).

  - keys: prevent KEYCTL_READ on negative key (bnc#1012382).

  - kvm: async_pf: Fix #DF due to inject 'Page not Present'     and 'Page Ready' exceptions simultaneously     (bsc#1061017).

  - kvm: PPC: Book3S: Fix race and leak in     kvm_vm_ioctl_create_spapr_tce() (bnc#1012382).

  - kvm: SVM: Add a missing 'break' statement (bsc#1061017).

  - kvm: VMX: do not change SN bit in vmx_update_pi_irte()     (bsc#1061017).

  - kvm: VMX: remove WARN_ON_ONCE in     kvm_vcpu_trigger_posted_interrupt (bsc#1061017).

  - kvm: VMX: use cmpxchg64 (bnc#1012382).

  - mac80211: flush hw_roc_start work before cancelling the     ROC (bnc#1012382).

  - md/bitmap: disable bitmap_resize for file-backed bitmaps     (bsc#1061172).

  - md/raid5: preserve STRIPE_ON_UNPLUG_LIST in     break_stripe_batch_list (bnc#1012382).

  - md/raid5: release/flush io in raid5_do_work()     (bnc#1012382).

  - media: uvcvideo: Prevent heap overflow when accessing     mapped controls (bnc#1012382).

  - media: v4l2-compat-ioctl32: Fix timespec conversion     (bnc#1012382).

  - mips: math-emu: <MAXA|MINA>.<D|S>: Fix cases of both     infinite inputs (bnc#1012382).

  - mips: math-emu: <MAXA|MINA>.<D|S>: Fix cases of input     values with opposite signs (bnc#1012382).

  - mips: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix cases of     both inputs zero (bnc#1012382).

  - mips: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix quiet NaN     propagation (bnc#1012382).

  - mips: math-emu: <MAX|MIN>.<D|S>: Fix cases of both     inputs negative (bnc#1012382).

  - mips: math-emu: MINA.<D|S>: Fix some cases of infinity     and zero inputs (bnc#1012382).

  - mm: prevent double decrease of nr_reserved_highatomic     (bnc#1012382).

  - nfsd: Fix general protection fault in     release_lock_stateid() (bnc#1012382).

  - pci: Allow PCI express root ports to find themselves     (bsc#1061046).

  - pci: fix oops when try to find Root Port for a PCI     device (bsc#1061046).

  - pci: Fix race condition with driver_override     (bnc#1012382).

  - pci: shpchp: Enable bridge bus mastering if MSI is     enabled (bnc#1012382).

  - perf/x86: Fix RDPMC vs. mm_struct tracking     (bsc#1061831).

  - perf/x86: kABI Workaround for 'perf/x86: Fix RDPMC vs.
    mm_struct tracking' (bsc#1061831).

  - powerpc: Fix DAR reporting when alignment handler faults     (bnc#1012382).

  - powerpc/pseries: Fix parent_dn reference leak in     add_dt_node() (bnc#1012382).

  - qlge: avoid memcpy buffer overflow (bnc#1012382).

  - Revert 'net: fix percpu memory leaks' (bnc#1012382).

  - Revert 'net: phy: Correctly process PHY_HALTED in     phy_stop_machine()' (bnc#1012382).

  - Revert 'net: use lib/percpu_counter API for     fragmentation mem accounting' (bnc#1012382).

  - scsi: ILLEGAL REQUEST + ASC==27 => target failure     (bsc#1059465).

  - scsi: megaraid_sas: Check valid aen class range to avoid     kernel panic (bnc#1012382).

  - scsi: megaraid_sas: Return pended IOCTLs with cmd_status     MFI_STAT_WRONG_STATE in case adapter is dead     (bnc#1012382).

  - scsi: sg: factor out sg_fill_request_table()     (bnc#1012382).

  - scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE     (bnc#1012382).

  - scsi: sg: off by one in sg_ioctl() (bnc#1012382).

  - scsi: sg: remove 'save_scat_len' (bnc#1012382).

  - scsi: sg: use standard lists for sg_requests     (bnc#1012382).

  - scsi: storvsc: fix memory leak on ring buffer busy     (bnc#1012382).

  - scsi: zfcp: add handling for FCP_RESID_OVER to the fcp     ingress path (bnc#1012382).

  - scsi: zfcp: fix capping of unsuccessful GPN_FT SAN     response trace records (bnc#1012382).

  - scsi: zfcp: fix missing trace records for early returns     in TMF eh handlers (bnc#1012382).

  - scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to     correlate with HBA (bnc#1012382).

  - scsi: zfcp: fix payload with full FCP_RSP IU in SCSI     trace records (bnc#1012382).

  - scsi: zfcp: fix queuecommand for scsi_eh commands when     DIX enabled (bnc#1012382).

  - scsi: zfcp: trace HBA FSF response by default on dismiss     or timedout late response (bnc#1012382).

  - scsi: zfcp: trace high part of 'new' 64 bit SCSI LUN     (bnc#1012382).

  - seccomp: fix the usage of get/put_seccomp_filter() in     seccomp_get_filter() (bnc#1012382).

  - skd: Avoid that module unloading triggers a     use-after-free (bnc#1012382).

  - skd: Submit requests to firmware before triggering the     doorbell (bnc#1012382).

  - smb3: Do not ignore O_SYNC/O_DSYNC and O_DIRECT flags     (bnc#1012382).

  - smb: Validate negotiate (to protect against downgrade)     even if signing off (bnc#1012382).

  - swiotlb-xen: implement xen_swiotlb_dma_mmap callback     (bnc#1012382).

  - timer/sysclt: Restrict timer migration sysctl values to     0 and 1 (bnc#1012382).

  - tracing: Apply trace_clock changes to instance max     buffer (bnc#1012382).

  - tracing: Erase irqsoff trace with empty write     (bnc#1012382).

  - tracing: Fix trace_pipe behavior for instance traces     (bnc#1012382).

  - tty: fix __tty_insert_flip_char regression     (bnc#1012382).

  - tty: improve tty_insert_flip_char() fast path     (bnc#1012382).

  - tty: improve tty_insert_flip_char() slow path     (bnc#1012382).

  - vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA     offsets (bnc#1012382).

  - video: fbdev: aty: do not leak uninitialized padding in     clk to userspace (bnc#1012382).

  - Workaround for kABI compatibility with DP-MST patches     (bsc#1055493).

  - x86/fpu: Do not let userspace set bogus xcomp_bv     (bnc#1012382).

  - x86/fsgsbase/64: Report FSBASE and GSBASE correctly in     core dumps (bnc#1012382).

  - x86/ldt: Fix off by one in get_segment_base()     (bsc#1061872).

  - xfs/dmapi: fix incorrect file->f_path.dentry->d_inode     usage (bsc#1055896).

Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks.

  - CVE-2017-7518     Andy Lutomirski discovered that KVM is prone to an     incorrect debug exception (#DB) error occurring while     emulating a syscall instruction. A process inside a     guest can take advantage of this flaw for privilege     escalation inside a guest.

  - CVE-2017-7558 (stretch only)     Stefano Brivio of Red Hat discovered that the SCTP     subsystem is prone to a data leak vulnerability due to     an out-of-bounds read flaw, allowing to leak up to 100     uninitialized bytes to userspace.

  - CVE-2017-10661 (jessie only)     Dmitry Vyukov of Google reported that the timerfd     facility does not properly handle certain concurrent     operations on a single file descriptor. This allows a     local attacker to cause a denial of service or     potentially execute arbitrary code.

  - CVE-2017-11600     Bo Zhang reported that the xfrm subsystem does not     properly validate one of the parameters to a netlink     message. Local users with the CAP_NET_ADMIN capability     can use this to cause a denial of service or potentially     to execute arbitrary code.

  - CVE-2017-12134 / #866511 / XSA-229     Jan H. Schoenherr of Amazon discovered that when Linux     is running in a Xen PV domain on an x86 system, it may     incorrectly merge block I/O requests. A buggy or     malicious guest may trigger this bug in dom0 or a PV     driver domain, causing a denial of service or     potentially execution of arbitrary code.

  This issue can be mitigated by disabling merges on the underlying   back-end block devices, e.g.:echo 2 >   /sys/block/nvme0n1/queue/nomerges

  - CVE-2017-12146 (stretch only)     Adrian Salido of Google reported a race condition in     access to the'driver_override' attribute for platform     devices in sysfs. If unprivileged users are permitted to     access this attribute, this might allow them to gain     privileges.

  - CVE-2017-12153     Bo Zhang reported that the cfg80211 (wifi) subsystem     does not properly validate the parameters to a netlink     message. Local users with the CAP_NET_ADMIN capability     (in any user namespace with a wifi device) can use this     to cause a denial of service.

  - CVE-2017-12154     Jim Mattson of Google reported that the KVM     implementation for Intel x86 processors did not     correctly handle certain nested hypervisor     configurations. A malicious guest (or nested guest in a     suitable L1 hypervisor) could use this for denial of     service.

  - CVE-2017-14106     Andrey Konovalov discovered that a user-triggerable     division by zero in the tcp_disconnect() function could     result in local denial of service.

  - CVE-2017-14140     Otto Ebeling reported that the move_pages() system call     performed insufficient validation of the UIDs of the     calling and target processes, resulting in a partial     ASLR bypass. This made it easier for local users to     exploit vulnerabilities in programs installed with the     set-UID permission bit set.

  - CVE-2017-14156     'sohu0106' reported an information leak in the atyfb     video driver. A local user with access to a framebuffer     device handled by this driver could use this to obtain     sensitive information.

  - CVE-2017-14340     Richard Wareing discovered that the XFS implementation     allows the creation of files with the 'realtime' flag on     a filesystem with no realtime device, which can result     in a crash (oops). A local user with access to an XFS     filesystem that does not have a realtime device can use     this for denial of service.

  - CVE-2017-14489     ChunYu Wang of Red Hat discovered that the iSCSI     subsystem does not properly validate the length of a     netlink message, leading to memory corruption. A local     user with permission to manage iSCSI devices can use     this for denial of service or possibly to execute     arbitrary code.

  - CVE-2017-14497 (stretch only)     Benjamin Poirier of SUSE reported that vnet headers are     not properly handled within the tpacket_rcv() function     in the raw packet (af_packet) feature. A local user with     the CAP_NET_RAW capability can take advantage of this     flaw to cause a denial of service (buffer overflow, and     disk and memory corruption) or have other impact.

  - CVE-2017-1000111     Andrey Konovalov of Google reported a race condition in     the raw packet (af_packet) feature. Local users with the     CAP_NET_RAW capability can use this for denial of     service or possibly to execute arbitrary code.

  - CVE-2017-1000112     Andrey Konovalov of Google reported a race condition     flaw in the UDP Fragmentation Offload (UFO) code. A     local user can use this flaw for denial of service or     possibly to execute arbitrary code.

  - CVE-2017-1000251 / #875881     Armis Labs discovered that the Bluetooth subsystem does     not properly validate L2CAP configuration responses,     leading to a stack-based buffer overflow. This is one of     several vulnerabilities dubbed 'Blueborne'. A nearby     attacker can use this to cause a denial of service or     possibly to execute arbitrary code on a system with     Bluetooth enabled.

  - CVE-2017-1000252 (stretch only)     Jan H. Schoenherr of Amazon reported that the KVM     implementation for Intel x86 processors did not     correctly validate interrupt injection requests. A local     user with permission to use KVM could use this for     denial of service.

  - CVE-2017-1000370     The Qualys Research Labs reported that a large argument     or environment list can result in ASLR bypass for 32-bit     PIE binaries.

  - CVE-2017-1000371     The Qualys Research Labs reported that a large argument     or environment list can result in a stack/heap clash for     32-bit PIE binaries.

  - CVE-2017-1000380     Alexander Potapenko of Google reported a race condition     in the ALSA (sound) timer driver, leading to an     information leak. A local user with permission to access     sound devices could use this to obtain sensitive     information.

Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited by any local user.

ID	Name	Product	Family	Severity
124987	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1534)	Nessus	Huawei Local Security Checks	critical
124953	EulerOS Virtualization 3.0.1.0 : kvm (EulerOS-SA-2019-1450)	Nessus	Huawei Local Security Checks	medium
124821	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1498)	Nessus	Huawei Local Security Checks	high
109449	Scientific Linux Security Update : kernel on SL7.x x86_64 (Meltdown)	Nessus	Scientific Linux Local Security Checks	critical
109380	CentOS 7 : kernel (CESA-2018:1062)	Nessus	CentOS Local Security Checks	critical
109116	RHEL 7 : kernel (RHSA-2018:1130)	Nessus	Red Hat Local Security Checks	critical
109113	Oracle Linux 7 : kernel (ELSA-2018-1062)	Nessus	Oracle Linux Local Security Checks	critical
108997	RHEL 7 : kernel (RHSA-2018:1062)	Nessus	Red Hat Local Security Checks	critical
108984	RHEL 7 : kernel-rt (RHSA-2018:0676)	Nessus	Red Hat Local Security Checks	critical
104319	Ubuntu 16.04 LTS : linux-gcp vulnerabilities (USN-3468-3)	Nessus	Ubuntu Local Security Checks	high
104318	Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3468-2)	Nessus	Ubuntu Local Security Checks	high
104317	Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3468-1)	Nessus	Ubuntu Local Security Checks	high
104253	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2869-1) (KRACK)	Nessus	SuSE Local Security Checks	high
104171	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2847-1) (KRACK)	Nessus	SuSE Local Security Checks	high
104075	openSUSE Security Update : the Linux Kernel (openSUSE-2017-1160)	Nessus	SuSE Local Security Checks	medium
104074	openSUSE Security Update : the Linux Kernel (openSUSE-2017-1159)	Nessus	SuSE Local Security Checks	medium
103365	Debian DSA-3981-1 : linux - security update (BlueBorne) (Stack Clash)	Nessus	Debian Local Security Checks	high

CVE-2017-1000252

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins