102156

https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.8

https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.114

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/drivers/usb/usbip?id=2f2d0088eb93db5c649d2a5e34a3800a8a935fc5

[debian-lts-announce] 20180502 [SECURITY] [DLA 1369-1] linux security update

https://secuniaresearch.flexerasoftware.com/advisories/80454/

https://secuniaresearch.flexerasoftware.com/secunia_research/2017-20/

USN-3619-1

USN-3619-2

USN-3754-1

DSA-4187

https://www.spinics.net/lists/linux-usb/msg163480.html

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208)

It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses).
(CVE-2017-11472)

It was discovered that a buffer overflow existed in the ACPI table parsing implementation in the Linux kernel. A local attacker could use this to construct a malicious ACPI table that, when loaded, caused a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-11473)

It was discovered that the generic SCSI driver in the Linux kernel did not properly initialize data returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14991)

It was discovered that a race condition existed in the packet fanout implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15649)

Andrey Konovalov discovered that the Ultra Wide Band driver in the Linux kernel did not properly check for an error condition. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16526)

Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16527)

Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel did not properly validate USB audio buffer descriptors. A physically proximate attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16529)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB interface association descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16531)

Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB HID descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16533)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB BOS metadata. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16535)

Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536)

Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537)

It was discovered that the DM04/QQBOX USB driver in the Linux kernel did not properly handle device attachment and warm-start. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16538)

Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643)

Andrey Konovalov discovered that the video4linux driver for Hauppauge HD PVR USB devices in the Linux kernel did not properly handle some error conditions. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16644)

Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645)

Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16650)

It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911)

It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912)

It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913)

It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2017-16914)

It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device.
A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558)

It was discovered that an integer overflow existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18255)

It was discovered that the keyring subsystem in the Linux kernel did not properly prevent a user from creating keyrings for other users. A local attacker could use this cause a denial of service or expose sensitive information. (CVE-2017-18270)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348)

Andy Lutomirski discovered that the KVM implementation in the Linux kernel was vulnerable to a debug exception error when single-stepping through a syscall. A local attacker in a non-Linux guest vm could possibly use this to gain administrative privileges in the guest vm.
(CVE-2017-7518)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Pengfei Wang discovered that a race condition existed in the NXP SAA7164 TV Decoder driver for the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-8831)

Pengfei Wang discovered that the Turtle Beach MultiSound audio device driver in the Linux kernel contained race conditions when fetching from the ring-buffer. A local attacker could use this to cause a denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985)

It was discovered that the wait4() system call in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service.
(CVE-2018-10087)

It was discovered that the kill() system call implementation in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2018-10124)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323)

Zhong Jiang discovered that a use-after-free vulnerability existed in the NUMA memory policy implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10675)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 file system that caused a denial of service (system crash) when mounted.
(CVE-2018-1092)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted.
(CVE-2018-1093)

It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-10940)

Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-12233)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that an information leak existed in the generic SCSI driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-1000204)

It was discovered that a memory leak existed in the Serial Attached SCSI (SAS) implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-10021).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2018-1087: And an unprivileged KVM guest user could     use this flaw to potentially escalate their privileges     inside a guest. (bsc#1087088)

  - CVE-2018-8897: An unprivileged system user could use     incorrect set up interrupt stacks to crash the Linux     kernel resulting in DoS issue. (bsc#1087088)

  - CVE-2018-10124: The kill_something_info function in     kernel/signal.c might allow local users to cause a     denial of service via an INT_MIN argument (bnc#1089752).

  - CVE-2018-10087: The kernel_wait4 function in     kernel/exit.c might allow local users to cause a denial     of service by triggering an attempted use of the
    -INT_MIN value (bnc#1089608).

  - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events     function in drivers/scsi/libsas/sas_expander.c allowed     local users to cause a denial of service (memory     consumption) via many read accesses to files in the     /sys/class/sas_phy directory, as demonstrated by the     /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file     (bnc#1084536 1087209).

  - CVE-2018-7566: A Buffer Overflow via an     SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to     /dev/snd/seq by a local user was fixed (bnc#1083483).

  - CVE-2017-0861: Use-after-free vulnerability in the     snd_pcm_info function in the ALSA subsystem allowed     attackers to gain privileges via unspecified vectors     (bnc#1088260).

  - CVE-2018-8822: Incorrect buffer length handling in the     ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c     could be exploited by malicious NCPFS servers to crash     the kernel or execute code (bnc#1086162).

  - CVE-2017-13166: An elevation of privilege vulnerability     in the kernel v4l2 video driver. (bnc#1072865).

  - CVE-2017-18203: The dm_get_from_kobject function in     drivers/md/dm.c allow local users to cause a denial of     service (BUG) by leveraging a race condition with
    __dm_destroy during creation and removal of DM devices     (bnc#1083242).

  - CVE-2017-16911: The vhci_hcd driver allowed allows local     attackers to disclose kernel memory addresses.
    Successful exploitation requires that a USB device is     attached over IP (bnc#1078674).

  - CVE-2017-18208: The madvise_willneed function in     mm/madvise.c allowed local users to cause a denial of     service (infinite loop) by triggering use of     MADVISE_WILLNEED for a DAX mapping (bnc#1083494).

  - CVE-2017-16644: The hdpvr_probe function in     drivers/media/usb/hdpvr/hdpvr-core.c allowed local users     to cause a denial of service (improper error handling     and system crash) or possibly have unspecified other     impact via a crafted USB device (bnc#1067118).

  - CVE-2018-6927: The futex_requeue function in     kernel/futex.c might allow attackers to cause a denial     of service (integer overflow) or possibly have     unspecified other impact by triggering a negative wake     or requeue value (bnc#1080757).

  - CVE-2017-16914: The 'stub_send_ret_submit()' function     (drivers/usb/usbip/stub_tx.c) allowed attackers to cause     a denial of service (NULL pointer dereference) via a     specially crafted USB over IP packet (bnc#1078669).

  - CVE-2016-7915: The hid_input_field function in     drivers/hid/hid-core.c allowed physically proximate     attackers to obtain sensitive information from kernel     memory or cause a denial of service (out-of-bounds read)     by connecting a device, as demonstrated by a Logitech DJ     receiver (bnc#1010470).

  - CVE-2015-5156: The virtnet_probe function in     drivers/net/virtio_net.c attempted to support a FRAGLIST     feature without proper memory allocation, which allowed     guest OS users to cause a denial of service (buffer     overflow and memory corruption) via a crafted sequence     of fragmented packets (bnc#940776).

  - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user     functions in block/bio.c did unbalanced refcounting when     a SCSI I/O vector has small consecutive buffers     belonging to the same page. The bio_add_pc_page function     merges them into one, but the page reference is never     dropped. This causes a memory leak and possible system     lockup (exploitable against the host OS by a guest OS     user, if a SCSI disk is passed through to a virtual     machine) due to an out-of-memory condition     (bnc#1062568).

  - CVE-2017-16912: The 'get_pipe()' function     (drivers/usb/usbip/stub_rx.c) allowed attackers to cause     a denial of service (out-of-bounds read) via a specially     crafted USB over IP packet (bnc#1078673).

  - CVE-2017-16913: The 'stub_recv_cmd_submit()' function     (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT     packets allowed attackers to cause a denial of service     (arbitrary memory allocation) via a specially crafted     USB over IP packet (bnc#1078672).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-0861

Robb Glasser reported a potential use-after-free in the ALSA (sound) PCM core. We believe this was not possible in practice.

CVE-2017-5715

Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated for the x86 architecture (amd64 and i386) by using the 'retpoline' compiler feature which allows indirect branches to be isolated from speculative execution.

CVE-2017-13166

A bug in the 32-bit compatibility layer of the v4l2 ioctl handling code has been found. Memory protections ensuring user-provided buffers always point to userland memory were disabled, allowing destination addresses to be in kernel space. On a 64-bit kernel (amd64 flavour) a local user with access to a suitable video device can exploit this to overwrite kernel memory, leading to privilege escalation.

CVE-2017-16526

Andrey Konovalov reported that the UWB subsystem may dereference an invalid pointer in an error case. A local user might be able to use this for denial of service.

CVE-2017-16911

Secunia Research reported that the USB/IP vhci_hcd driver exposed kernel heap addresses to local users. This information could aid the exploitation of other vulnerabilities.

CVE-2017-16912

Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to an out-of-bounds read. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-16913

Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to excessive memory allocation. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-16914

Secunia Research reported that the USB/IP stub driver failed to check for an invalid combination of fields in a recieved packet, leading to a NULL pointer dereference. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-18017

Denys Fedoryshchenko reported that the netfilter xt_TCPMSS module failed to validate TCP header lengths, potentially leading to a use-after-free. If this module is loaded, it could be used by a remote attacker for denial of service or possibly for code execution.

CVE-2017-18203

Hou Tao reported that there was a race condition in creation and deletion of device-mapper (DM) devices. A local user could potentially use this for denial of service.

CVE-2017-18216

Alex Chen reported that the OCFS2 filesystem failed to hold a necessary lock during nodemanager sysfs file operations, potentially leading to a NULL pointer dereference. A local user could use this for denial of service.

CVE-2018-1068

The syzkaller tool found that the 32-bit compatibility layer of ebtables did not sufficiently validate offset values. On a 64-bit kernel (amd64 flavour), a local user with the CAP_NET_ADMIN capability could use this to overwrite kernel memory, possibly leading to privilege escalation.

CVE-2018-1092

Wen Xu reported that a crafted ext4 filesystem image would trigger a null dereference when mounted. A local user able to mount arbitrary filesystems could use this for denial of service.

CVE-2018-5332

Mohamed Ghannam reported that the RDS protocol did not sufficiently validate RDMA requests, leading to an out-of-bounds write. A local attacker on a system with the rds module loaded could use this for denial of service or possibly for privilege escalation.

CVE-2018-5333

Mohamed Ghannam reported that the RDS protocol did not properly handle an error case, leading to a NULL pointer dereference. A local attacker on a system with the rds module loaded could possibly use this for denial of service.

CVE-2018-5750

Wang Qize reported that the ACPI sbshc driver logged a kernel heap address. This information could aid the exploitation of other vulnerabilities.

CVE-2018-5803

Alexey Kodanev reported that the SCTP protocol did not range-check the length of chunks to be created. A local or remote user could use this to cause a denial of service.

CVE-2018-6927

Li Jinyue reported that the FUTEX_REQUEUE operation on futexes did not check for negative parameter values, which might lead to a denial of service or other security impact.

CVE-2018-7492

The syzkaller tool found that the RDS protocol was lacking a NULL pointer check. A local attacker on a system with the rds module loaded could use this for denial of service.

CVE-2018-7566

&#x8303;&#x9F99;&#x98DE; (Fan LongFei) reported a race condition in the ALSA (sound) sequencer core, between write and ioctl operations.
This could lead to an out-of-bounds access or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation.

CVE-2018-7740

Nic Losby reported that the hugetlbfs filesystem's mmap operation did not properly range-check the file offset. A local user with access to files on a hugetlbfs filesystem could use this to cause a denial of service.

CVE-2018-7757

Jason Yan reported a memory leak in the SAS (Serial-Attached SCSI) subsystem. A local user on a system with SAS devices could use this to cause a denial of service.

CVE-2018-7995

Seunghun Han reported a race condition in the x86 MCE (Machine Check Exception) driver. This is unlikely to have any security impact.

CVE-2018-8781

Eyal Itkin reported that the udl (DisplayLink) driver's mmap operation did not properly range-check the file offset. A local user with access to a udl framebuffer device could exploit this to overwrite kernel memory, leading to privilege escalation.

CVE-2018-8822

Dr Silvio Cesare of InfoSect reported that the ncpfs client implementation did not validate reply lengths from the server. An ncpfs server could use this to cause a denial of service or remote code execution in the client.

CVE-2018-1000004

Luo Quan reported a race condition in the ALSA (sound) sequencer core, between multiple ioctl operations. This could lead to a deadlock or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation.

CVE-2018-1000199

Andy Lutomirski discovered that the ptrace subsystem did not sufficiently validate hardware breakpoint settings. Local users can use this to cause a denial of service, or possibly for privilege escalation, on x86 (amd64 and i386) and possibly other architectures.

Additionally, some mitigations for CVE-2017-5753 are included in this release :

CVE-2017-5753

Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

This specific attack has been named Spectre variant 1 (bounds-check bypass) and is mitigated by identifying vulnerable code sections (array bounds checking followed by array access) and replacing the array access with the speculation-safe array_index_nospec() function.

More use sites will be added over time.

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.101-1. This version also includes bug fixes from upstream versions up to and including 3.2.101. It also fixes a regression in the procfs hidepid option in the previous version (Debian bug #887106).

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2015-9016     Ming Lei reported a race condition in the multiqueue     block layer (blk-mq). On a system with a driver using     blk-mq (mtip32xx, null_blk, or virtio_blk), a local user     might be able to use this for denial of service or     possibly for privilege escalation.

  - CVE-2017-0861     Robb Glasser reported a potential use-after-free in the     ALSA (sound) PCM core. We believe this was not possible     in practice.

  - CVE-2017-5715     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 2 (branch target   injection) and is mitigated for the x86 architecture (amd64 and   i386) by using the 'retpoline' compiler feature which allows   indirect branches to be isolated from speculative execution.

  - CVE-2017-5753     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 1 (bounds-check   bypass) and is mitigated by identifying vulnerable code sections   (array bounds checking followed by array access) and replacing the   array access with the speculation-safe array_index_nospec()   function.

  More use sites will be added over time.

  - CVE-2017-13166     A bug in the 32-bit compatibility layer of the v4l2     ioctl handling code has been found. Memory protections     ensuring user-provided buffers always point to userland     memory were disabled, allowing destination addresses to     be in kernel space. On a 64-bit kernel a local user with     access to a suitable video device can exploit this to     overwrite kernel memory, leading to privilege     escalation.

  - CVE-2017-13220     Al Viro reported that the Bluetooth HIDP implementation     could dereference a pointer before performing the     necessary type check. A local user could use this to     cause a denial of service.

  - CVE-2017-16526     Andrey Konovalov reported that the UWB subsystem may     dereference an invalid pointer in an error case. A local     user might be able to use this for denial of service.

  - CVE-2017-16911     Secunia Research reported that the USB/IP vhci_hcd     driver exposed kernel heap addresses to local users.
    This information could aid the exploitation of other     vulnerabilities.

  - CVE-2017-16912     Secunia Research reported that the USB/IP stub driver     failed to perform a range check on a received packet     header field, leading to an out-of-bounds read. A remote     user able to connect to the USB/IP server could use this     for denial of service.

  - CVE-2017-16913     Secunia Research reported that the USB/IP stub driver     failed to perform a range check on a received packet     header field, leading to excessive memory allocation. A     remote user able to connect to the USB/IP server could     use this for denial of service.

  - CVE-2017-16914     Secunia Research reported that the USB/IP stub driver     failed to check for an invalid combination of fields in     a received packet, leading to a NULL pointer     dereference. A remote user able to connect to the USB/IP     server could use this for denial of service.

  - CVE-2017-18017     Denys Fedoryshchenko reported that the netfilter     xt_TCPMSS module failed to validate TCP header lengths,     potentially leading to a use-after-free. If this module     is loaded, it could be used by a remote attacker for     denial of service or possibly for code execution.

  - CVE-2017-18203     Hou Tao reported that there was a race condition in     creation and deletion of device-mapper (DM) devices. A     local user could potentially use this for denial of     service.

  - CVE-2017-18216     Alex Chen reported that the OCFS2 filesystem failed to     hold a necessary lock during nodemanager sysfs file     operations, potentially leading to a NULL pointer     dereference. A local user could use this for denial of     service.

  - CVE-2017-18232     Jason Yan reported a race condition in the SAS     (Serial-Attached SCSI) subsystem, between probing and     destroying a port. This could lead to a deadlock. A     physically present attacker could use this to cause a     denial of service.

  - CVE-2017-18241     Yunlei He reported that the f2fs implementation does not     properly initialise its state if the 'noflush_merge'     mount option is used. A local user with access to a     filesystem mounted with this option could use this to     cause a denial of service.

  - CVE-2018-1066     Dan Aloni reported to Red Hat that the CIFS client     implementation would dereference a NULL pointer if the     server sent an invalid response during NTLMSSP setup     negotiation. This could be used by a malicious server     for denial of service.

  - CVE-2018-1068     The syzkaller tool found that the 32-bit compatibility     layer of ebtables did not sufficiently validate offset     values. On a 64-bit kernel, a local user with the     CAP_NET_ADMIN capability (in any user namespace) could     use this to overwrite kernel memory, possibly leading to     privilege escalation. Debian disables unprivileged user     namespaces by default.

  - CVE-2018-1092     Wen Xu reported that a crafted ext4 filesystem image     would trigger a null dereference when mounted. A local     user able to mount arbitrary filesystems could use this     for denial of service.

  - CVE-2018-5332     Mohamed Ghannam reported that the RDS protocol did not     sufficiently validate RDMA requests, leading to an     out-of-bounds write. A local attacker on a system with     the rds module loaded could use this for denial of     service or possibly for privilege escalation.

  - CVE-2018-5333     Mohamed Ghannam reported that the RDS protocol did not     properly handle an error case, leading to a NULL pointer     dereference. A local attacker on a system with the rds     module loaded could possibly use this for denial of     service.

  - CVE-2018-5750     Wang Qize reported that the ACPI sbshc driver logged a     kernel heap address. This information could aid the     exploitation of other vulnerabilities.

  - CVE-2018-5803     Alexey Kodanev reported that the SCTP protocol did not     range-check the length of chunks to be created. A local     or remote user could use this to cause a denial of     service.

  - CVE-2018-6927     Li Jinyue reported that the FUTEX_REQUEUE operation on     futexes did not check for negative parameter values,     which might lead to a denial of service or other     security impact.

  - CVE-2018-7492     The syzkaller tool found that the RDS protocol was     lacking a null pointer check. A local attacker on a     system with the rds module loaded could use this for     denial of service.

  - CVE-2018-7566     Fan LongFei reported a race condition in the ALSA     (sound) sequencer core, between write and ioctl     operations. This could lead to an out-of-bounds access     or use-after-free. A local user with access to a     sequencer device could use this for denial of service or     possibly for privilege escalation.

  - CVE-2018-7740     Nic Losby reported that the hugetlbfs filesystem's mmap     operation did not properly range-check the file offset.
    A local user with access to files on a hugetlbfs     filesystem could use this to cause a denial of service.

  - CVE-2018-7757     Jason Yan reported a memory leak in the SAS     (Serial-Attached SCSI) subsystem. A local user on a     system with SAS devices could use this to cause a denial     of service.

  - CVE-2018-7995     Seunghun Han reported a race condition in the x86 MCE     (Machine Check Exception) driver. This is unlikely to     have any security impact.

  - CVE-2018-8781     Eyal Itkin reported that the udl (DisplayLink) driver's     mmap operation did not properly range-check the file     offset. A local user with access to a udl framebuffer     device could exploit this to overwrite kernel memory,     leading to privilege escalation.

  - CVE-2018-8822     Dr Silvio Cesare of InfoSect reported that the ncpfs     client implementation did not validate reply lengths     from the server. An ncpfs server could use this to cause     a denial of service or remote code execution in the     client.

  - CVE-2018-1000004     Luo Quan reported a race condition in the ALSA (sound)     sequencer core, between multiple ioctl operations. This     could lead to a deadlock or use-after-free. A local user     with access to a sequencer device could use this for     denial of service or possibly for privilege escalation.

  - CVE-2018-1000199     Andy Lutomirski discovered that the ptrace subsystem did     not sufficiently validate hardware breakpoint settings.
    Local users can use this to cause a denial of service,     or possibly for privilege escalation, on x86 (amd64 and     i386) and possibly other architectures.

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-5715: Systems with microprocessors utilizing     speculative execution and indirect branch prediction may     allow unauthorized disclosure of information to an     attacker with local user access via a side-channel     analysis (bnc#1068032). Enhancements and bugfixes over     the previous fixes have been added to this kernel.

  - CVE-2018-10087: The kernel_wait4 function in     kernel/exit.c might have allowed local users to cause a     denial of service by triggering an attempted use of the
    -INT_MIN value (bnc#1089608).

  - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events     function in drivers/scsi/libsas/sas_expander.c allowed     local users to cause a denial of service (memory     consumption) via many read accesses to files in the     /sys/class/sas_phy directory, as demonstrated by the     /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file     (bnc#1084536).

  - CVE-2018-7566: There was a buffer overflow via an     SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to     /dev/snd/seq by a local user (bnc#1083483).

  - CVE-2017-0861: Use-after-free vulnerability in the     snd_pcm_info function in the ALSA subsystem allowed     attackers to gain privileges via unspecified vectors     (bnc#1088260).

  - CVE-2018-8822: Incorrect buffer length handling in the     ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c     could be exploited by malicious NCPFS servers to crash     the kernel or execute code (bnc#1086162).

  - CVE-2017-13166: An elevation of privilege vulnerability     in the kernel v4l2 video driver. (bnc#1072865).

  - CVE-2017-18203: The dm_get_from_kobject function in     drivers/md/dm.c allowed local users to cause a denial of     service (BUG) by leveraging a race condition with
    __dm_destroy during creation and removal of DM devices     (bnc#1083242).

  - CVE-2017-16911: The vhci_hcd driver allowed allows local     attackers to disclose kernel memory addresses.
    Successful exploitation requires that a USB device is     attached over IP (bnc#1078674).

  - CVE-2017-18208: The madvise_willneed function in     mm/madvise.c local users to cause a denial of service     (infinite loop) by triggering use of MADVISE_WILLNEED     for a DAX mapping (bnc#1083494).

  - CVE-2017-16644: The hdpvr_probe function in     drivers/media/usb/hdpvr/hdpvr-core.c allowed local users     to cause a denial of service (improper error handling     and system crash) or possibly have unspecified other     impact via a crafted USB device (bnc#1067118).

  - CVE-2018-6927: The futex_requeue function in     kernel/futex.c in the Linux kernel might allow attackers     to cause a denial of service (integer overflow) or     possibly have unspecified other impact by triggering a     negative wake or requeue value (bnc#1080757).

  - CVE-2017-16914: The 'stub_send_ret_submit()' function     (drivers/usb/usbip/stub_tx.c) allowed attackers to cause     a denial of service (NULL pointer dereference) via a     specially crafted USB over IP packet (bnc#1078669).

  - CVE-2016-7915: The hid_input_field function in     drivers/hid/hid-core.c allowed physically proximate     attackers to obtain sensitive information from kernel     memory or cause a denial of service (out-of-bounds read)     by connecting a device, as demonstrated by a Logitech DJ     receiver (bnc#1010470).

  - CVE-2015-5156: The virtnet_probe function in     drivers/net/virtio_net.c attempted to support a FRAGLIST     feature without proper memory allocation, which allowed     guest OS users to cause a denial of service (buffer     overflow and memory corruption) via a crafted sequence     of fragmented packets (bnc#940776).

  - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user     functions in block/bio.c did unbalanced refcounting when     a SCSI I/O vector has small consecutive buffers     belonging to the same page. The bio_add_pc_page function     merges them into one, but the page reference is never     dropped. This causes a memory leak and possible system     lockup (exploitable against the host OS by a guest OS     user, if a SCSI disk is passed through to a virtual     machine) due to an out-of-memory condition     (bnc#1062568).

  - CVE-2017-16912: The 'get_pipe()' function     (drivers/usb/usbip/stub_rx.c) allowed attackers to cause     a denial of service (out-of-bounds read) via a specially     crafted USB over IP packet (bnc#1078673).

  - CVE-2017-16913: The 'stub_recv_cmd_submit()' function     (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT     packets allowed attackers to cause a denial of service     (arbitrary memory allocation) via a specially crafted     USB over IP packet (bnc#1078672).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3619-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16995)

It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861)

It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407)

It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses).
(CVE-2017-11472)

It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129)

It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528)

Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532)

Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536)

Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537)

Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645)

Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646)

Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16649)

Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16650)

It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911)

It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912)

It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913)

It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2017-16914)

It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory).
(CVE-2017-16994)

It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions.
(CVE-2017-17448)

It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449)

It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450)

It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device.
A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information.
(CVE-2017-17741)

It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805)

It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806)

It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task's default keyring. A local attacker could use this to add keys to unauthorized keyrings. (CVE-2017-17807)

Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel contained a branch-pruning logic issue around unreachable code. A local attacker could use this to cause a denial of service. (CVE-2017-17862)

It was discovered that the parallel cryptography component of the Linux kernel incorrectly freed kernel memory. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18075)

It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203)

It was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204)

It was discovered that an infinite loop could occur in the the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208)

Andy Lutomirski discovered that the KVM implementation in the Linux kernel was vulnerable to a debug exception error when single-stepping through a syscall. A local attacker in a non-Linux guest vm could possibly use this to gain administrative privileges in the guest vm.
(CVE-2017-7518)

It was discovered that the Broadcom NetXtremeII ethernet driver in the Linux kernel did not properly validate Generic Segment Offload (GSO) packet sizes. An attacker could use this to cause a denial of service (interface unavailability). (CVE-2018-1000026)

It was discovered that the Reliable Datagram Socket (RDS) implementation in the Linux kernel contained an out-of-bounds write during RDMA page allocation. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-5332)

Mohamed Ghannam discovered a NULL pointer dereference in the RDS (Reliable Datagram Sockets) protocol implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5333)

Fan Long Fei  discovered that a race condition existed in loop block device implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5344)

It was discovered that an integer overflow error existed in the futex implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-6927)

It was discovered that a NULL pointer dereference existed in the RDS (Reliable Datagram Sockets) protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-7492)

It was discovered that the Broadcom UniMAC MDIO bus controller driver in the Linux kernel did not properly validate device resources. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-8043).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16995)

It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861)

It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407)

It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses).
(CVE-2017-11472)

It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129)

It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528)

Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532)

Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536)

Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537)

Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645)

Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646)

Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16649)

Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16650)

It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911)

It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912)

It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913)

It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2017-16914)

It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory).
(CVE-2017-16994)

It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions.
(CVE-2017-17448)

It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449)

It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450)

It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device.
A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information.
(CVE-2017-17741)

It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805)

It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806)

It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task's' default keyring. A local attacker could use this to add keys to unauthorized keyrings. (CVE-2017-17807)

Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel contained a branch-pruning logic issue around unreachable code. A local attacker could use this to cause a denial of service. (CVE-2017-17862)

It was discovered that the parallel cryptography component of the Linux kernel incorrectly freed kernel memory. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18075)

It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203)

It was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204)

It was discovered that an infinite loop could occur in the the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208)

Andy Lutomirski discovered that the KVM implementation in the Linux kernel was vulnerable to a debug exception error when single-stepping through a syscall. A local attacker in a non-Linux guest vm could possibly use this to gain administrative privileges in the guest vm.
(CVE-2017-7518)

It was discovered that the Broadcom NetXtremeII ethernet driver in the Linux kernel did not properly validate Generic Segment Offload (GSO) packet sizes. An attacker could use this to cause a denial of service (interface unavailability). (CVE-2018-1000026)

It was discovered that the Reliable Datagram Socket (RDS) implementation in the Linux kernel contained an out-of-bounds write during RDMA page allocation. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-5332)

Mohamed Ghannam discovered a NULL pointer dereference in the RDS (Reliable Datagram Sockets) protocol implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5333)

Fan Long Fei  discovered that a race condition existed in loop block device implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5344)

It was discovered that an integer overflow error existed in the futex implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-6927)

It was discovered that a NULL pointer dereference existed in the RDS (Reliable Datagram Sockets) protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-7492)

It was discovered that the Broadcom UniMAC MDIO bus controller driver in the Linux kernel did not properly validate device resources. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-8043).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2018-1068: Fixed flaw in the implementation of     32-bit syscall interface for bridging. This allowed a     privileged user to arbitrarily write to a limited range     of kernel memory (bnc#1085107).

  - CVE-2017-18221: The __munlock_pagevec function allowed     local users to cause a denial of service (NR_MLOCK     accounting corruption) via crafted use of mlockall and     munlockall system calls (bnc#1084323).

  - CVE-2018-1066: Prevent NULL pointer dereference in     fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an     attacker controlling a CIFS server to kernel panic a     client that has this server mounted, because an empty     TargetInfo field in an NTLMSSP setup negotiation     response was mishandled during session recovery     (bnc#1083640).

  - CVE-2017-13166: Prevent elevation of privilege     vulnerability in the kernel v4l2 video driver     (bnc#1072865).

  - CVE-2017-16911: The vhci_hcd driver allowed local     attackers to disclose kernel memory addresses.
    Successful exploitation required that a USB device was     attached over IP (bnc#1078674).

  - CVE-2017-15299: The KEYS subsystem mishandled use of     add_key for a key that already exists but is     uninstantiated, which allowed local users to cause a     denial of service (NULL pointer dereference and system     crash) or possibly have unspecified other impact via a     crafted system call (bnc#1063416).

  - CVE-2017-18208: The madvise_willneed function kernel     allowed local users to cause a denial of service     (infinite loop) by triggering use of MADVISE_WILLNEED     for a DAX mapping (bnc#1083494).

  - CVE-2018-7566: The ALSA sequencer core initializes the     event pool on demand by invoking snd_seq_pool_init()     when the first write happens and the pool is empty. A     user could have reset the pool size manually via ioctl     concurrently, which may have lead UAF or out-of-bound     access (bsc#1083483).

  - CVE-2017-18204: The ocfs2_setattr function allowed local     users to cause a denial of service (deadlock) via DIO     requests (bnc#1083244).

  - CVE-2017-16644: The hdpvr_probe function allowed local     users to cause a denial of service (improper error     handling and system crash) or possibly have unspecified     other impact via a crafted USB device (bnc#1067118).

  - CVE-2018-6927: The futex_requeue function allowed     attackers to cause a denial of service (integer     overflow) or possibly have unspecified other impact by     triggering a negative wake or requeue value     (bnc#1080757).

  - CVE-2017-16914: The 'stub_send_ret_submit()' function     allowed attackers to cause a denial of service (NULL     pointer dereference) via a specially crafted USB over IP     packet (bnc#1078669).

  - CVE-2016-7915: The hid_input_field function allowed     physically proximate attackers to obtain sensitive     information from kernel memory or cause a denial of     service (out-of-bounds read) by connecting a device     (bnc#1010470).

  - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user     functions did unbalanced refcounting when a SCSI I/O     vector had small consecutive buffers belonging to the     same page. The bio_add_pc_page function merged them into     one, but the page reference was never dropped. This     caused a memory leak and possible system lockup     (exploitable against the host OS by a guest OS user, if     a SCSI disk is passed through to a virtual machine) due     to an out-of-memory condition (bnc#1062568).

  - CVE-2017-16912: The 'get_pipe()' function allowed     attackers to cause a denial of service (out-of-bounds     read) via a specially crafted USB over IP packet     (bnc#1078673).

  - CVE-2017-16913: The 'stub_recv_cmd_submit()' function     when handling CMD_SUBMIT packets allowed attackers to     cause a denial of service (arbitrary memory allocation)     via a specially crafted USB over IP packet     (bnc#1078672).

  - CVE-2018-5332: The rds_message_alloc_sgs() function did     not validate a value that is used during DMA page     allocation, leading to a heap-based out-of-bounds write     (related to the rds_rdma_extra_size function in     net/rds/rdma.c) (bnc#1075621).

  - CVE-2018-5333: The rds_cmsg_atomic function in     net/rds/rdma.c mishandled cases where page pinning fails     or an invalid address is supplied, leading to an     rds_atomic_free_op NULL pointer dereference     (bnc#1075617).

  - CVE-2017-18017: The tcpmss_mangle_packet function     allowed remote attackers to cause a denial of service     (use-after-free and memory corruption) or possibly have     unspecified other impact by leveraging the presence of     xt_TCPMSS in an iptables action (bnc#1074488).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2018-1068: Fixed flaw in the implementation of     32-bit syscall interface for bridging. This allowed a     privileged user to arbitrarily write to a limited range     of kernel memory (bnc#1085107).

  - CVE-2017-18221: The __munlock_pagevec function allowed     local users to cause a denial of service (NR_MLOCK     accounting corruption) via crafted use of mlockall and     munlockall system calls (bnc#1084323).

  - CVE-2018-1066: Prevent NULL pointer dereference in     fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an     attacker controlling a CIFS server to kernel panic a     client that has this server mounted, because an empty     TargetInfo field in an NTLMSSP setup negotiation     response was mishandled during session recovery     (bnc#1083640).

  - CVE-2017-13166: Prevent elevation of privilege     vulnerability in the kernel v4l2 video driver     (bnc#1072865).

  - CVE-2017-16911: The vhci_hcd driver allowed local     attackers to disclose kernel memory addresses.
    Successful exploitation required that a USB device was     attached over IP (bnc#1078674).

  - CVE-2017-15299: The KEYS subsystem mishandled use of     add_key for a key that already exists but is     uninstantiated, which allowed local users to cause a     denial of service (NULL pointer dereference and system     crash) or possibly have unspecified other impact via a     crafted system call (bnc#1063416).

  - CVE-2017-18208: The madvise_willneed function kernel     allowed local users to cause a denial of service     (infinite loop) by triggering use of MADVISE_WILLNEED     for a DAX mapping (bnc#1083494).

  - CVE-2018-7566: The ALSA sequencer core initializes the     event pool on demand by invoking snd_seq_pool_init()     when the first write happens and the pool is empty. A     user could have reset the pool size manually via ioctl     concurrently, which may have lead UAF or out-of-bound     access (bsc#1083483).

  - CVE-2017-18204: The ocfs2_setattr function allowed local     users to cause a denial of service (deadlock) via DIO     requests (bnc#1083244).

  - CVE-2017-16644: The hdpvr_probe function allowed local     users to cause a denial of service (improper error     handling and system crash) or possibly have unspecified     other impact via a crafted USB device (bnc#1067118).

  - CVE-2018-6927: The futex_requeue function allowed     attackers to cause a denial of service (integer     overflow) or possibly have unspecified other impact by     triggering a negative wake or requeue value     (bnc#1080757).

  - CVE-2017-16914: The 'stub_send_ret_submit()' function     allowed attackers to cause a denial of service (NULL     pointer dereference) via a specially crafted USB over IP     packet (bnc#1078669).

  - CVE-2016-7915: The hid_input_field function allowed     physically proximate attackers to obtain sensitive     information from kernel memory or cause a denial of     service (out-of-bounds read) by connecting a device     (bnc#1010470).

  - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user     functions did unbalanced refcounting when a SCSI I/O     vector had small consecutive buffers belonging to the     same page. The bio_add_pc_page function merged them into     one, but the page reference was never dropped. This     caused a memory leak and possible system lockup     (exploitable against the host OS by a guest OS user, if     a SCSI disk is passed through to a virtual machine) due     to an out-of-memory condition (bnc#1062568).

  - CVE-2017-16912: The 'get_pipe()' function allowed     attackers to cause a denial of service (out-of-bounds     read) via a specially crafted USB over IP packet     (bnc#1078673).

  - CVE-2017-16913: The 'stub_recv_cmd_submit()' function     when handling CMD_SUBMIT packets allowed attackers to     cause a denial of service (arbitrary memory allocation)     via a specially crafted USB over IP packet     (bnc#1078672).

  - CVE-2018-5332: The rds_message_alloc_sgs() function did     not validate a value that is used during DMA page     allocation, leading to a heap-based out-of-bounds write     (related to the rds_rdma_extra_size function in     net/rds/rdma.c) (bnc#1075621).

  - CVE-2018-5333: The rds_cmsg_atomic function in     net/rds/rdma.c mishandled cases where page pinning fails     or an invalid address is supplied, leading to an     rds_atomic_free_op NULL pointer dereference     (bnc#1075617).

  - CVE-2017-18017: The tcpmss_mangle_packet function     allowed remote attackers to cause a denial of service     (use-after-free and memory corruption) or possibly have     unspecified other impact by leveraging the presence of     xt_TCPMSS in an iptables action (bnc#1074488).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
112113	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3754-1)	Nessus	Ubuntu Local Security Checks	high
109646	SUSE SLES11 Security Update : kernel (SUSE-SU-2018:1172-1)	Nessus	SuSE Local Security Checks	high
109531	Debian DLA-1369-1 : linux security update (Spectre)	Nessus	Debian Local Security Checks	critical
109517	Debian DSA-4187-1 : linux - security update (Spectre)	Nessus	Debian Local Security Checks	critical
109360	SUSE SLES11 Security Update : kernel (SUSE-SU-2018:1080-1) (Spectre)	Nessus	SuSE Local Security Checks	high
108878	Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3619-2)	Nessus	Ubuntu Local Security Checks	high
108842	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3619-1)	Nessus	Ubuntu Local Security Checks	high
108748	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0848-1)	Nessus	SuSE Local Security Checks	critical
108705	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0834-1)	Nessus	SuSE Local Security Checks	critical

CVE-2017-16911

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins