http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3e4c56d41eef5595035872a2ec5a483f42e8917f

103353

https://github.com/torvalds/linux/commit/3e4c56d41eef5595035872a2ec5a483f42e8917f

DSA-4188

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - Use-after-free vulnerability in drivers/net/tun.c in     the Linux kernel through 3.11.1 allows local users to     gain privileges by leveraging the CAP_NET_ADMIN     capability and providing an invalid tuntap interface     name in a TUNSETIFF ioctl call.(CVE-2013-4343)

  - It was found that when the gcc stack protector was     enabled, reading the /proc/keys file could cause a     panic in the Linux kernel due to stack corruption. This     happened because an incorrect buffer size was used to     hold a 64-bit timeout value rendered as     weeks.(CVE-2016-7042)

  - A flaw was found in the Linux kernel that     fs/ocfs2/aops.c omits use of a semaphore and     consequently has a race condition for access to the     extent tree during read operations in DIRECT mode. This     allows local users to cause a denial of service by     modifying a certain e_cpos field.(CVE-2017-18224)

  - The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel mishandles     inheritance, which allows local users to cause a denial     of service or possibly have unspecified other impact     via crafted system calls, a related issue to     CVE-2017-8890. An unprivileged local user could use     this flaw to induce kernel memory corruption on the     system, leading to a crash. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9075)

  - In the function sbusfb_ioctl_helper() in     drivers/video/fbdev/sbuslib.c in the Linux kernel, up     to and including 4.15, an integer signedness error     allows arbitrary information leakage for the     FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC     commands.(CVE-2018-6412)

  - A race condition flaw was found in the way the Linux     kernel's mmap(2), madvise(2), and fallocate(2) system     calls interacted with each other while operating on     virtual memory file system files. A local user could     use this flaw to cause a denial of     service.(CVE-2014-4171)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2018-1095)

  - A NULL pointer dereference flaw was found in the way     the Linux kernel's Stream Control Transmission Protocol     (SCTP) implementation handled simultaneous connections     between the same hosts. A remote attacker could use     this flaw to crash the system.(CVE-2014-5077)

  - A vulnerability was found in the     fs/inode.c:inode_init_owner() function logic of the     LInux kernel that allows local users to create files     with an unintended group ownership and with group     execution and SGID permission bits set, in a scenario     where a directory is SGID and belongs to a certain     group and is writable by a user who is not a member of     this group. This can lead to excessive permissions     granted in case when they should not.(CVE-2018-13405)

  - In the Linux kernel before 4.20.8,     kvm_ioctl_create_device in virt/kvm/kvm_main.c     mishandles reference counting because of a race     condition, leading to a use-after-free.(CVE-2019-6974)

  - A flaw was found in the way Linux kernel allocates heap     memory to build the scattergather list from a fragment     list(skb_shinfo(skb)->frag_list) in the socket     buffer(skb_buff). The heap overflow occurred if     'MAX_SKB_FRAGS + 1' parameter and 'NETIF_F_FRAGLIST'     feature are both used together. A remote user or     process could use this flaw to potentially escalate     their privilege on a system.(CVE-2017-7477)

  - Multiple integer overflows in Alchemy LCD frame-buffer     drivers in the Linux kernel before 3.12 allow local     users to create a read-write memory mapping for the     entirety of kernel memory, and consequently gain     privileges, via crafted mmap operations, related to the     (1) au1100fb_fb_mmap function in     drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap     function in drivers/video/au1200fb.c.(CVE-2013-4511)

  - It was found that in the Linux kernel through     v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in     'block/bio.c' do unbalanced pages refcounting if IO     vector has small consecutive buffers belonging to the     same page. bio_add_pc_page() merges them into one, but     the page reference is never dropped, causing a memory     leak and possible system lockup due to out-of-memory     condition.(CVE-2017-12190)

  - An issue was discovered in the Linux kernel before     4.19.3. crypto_report_one() and related functions in     crypto/crypto_user.c (the crypto user configuration     API) do not fully initialize structures that are copied     to userspace, potentially leaking sensitive memory to     user programs. NOTE: this is a CVE-2013-2547 regression     but with easier exploitability because the attacker     does not need a capability (however, the system must     have the CONFIG_CRYPTO_USER kconfig     option).(CVE-2018-19854)

  - The userfaultfd implementation in the Linux kernel     before 4.19.7 mishandles access control for certain     UFFDIO_ ioctl calls, as demonstrated by allowing local     users to write data into holes in a tmpfs file (if the     user has read-only access to that file, and that file     contains holes), related to fs/userfaultfd.c and     mm/userfaultfd.c.(CVE-2018-18397)

  - The TCP stack in the Linux kernel through 4.10.6     mishandles the SCM_TIMESTAMPING_OPT_STATS feature,     which allows local users to obtain sensitive     information from the kernel's internal socket data     structures or cause a denial of service (out-of-bounds     read) via crafted system calls, related to     net/core/skbuff.c and net/socket.c.(CVE-2017-7277)

  - A flaw was found in the way the Linux kernel's vhost     driver treated userspace provided log file descriptor     when processing the VHOST_SET_LOG_FD ioctl command. The     file descriptor was never released and continued to     consume kernel memory. A privileged local user with     access to the /dev/vhost-net files could use this flaw     to create a denial-of-service attack.(CVE-2015-6252)

  - A buffer overflow flaw was found in the way the Linux     kernel's virtio-net subsystem handled certain fraglists     when the GRO (Generic Receive Offload) functionality     was enabled in a bridged network configuration. An     attacker on the local network could potentially use     this flaw to crash the system, or, although unlikely,     elevate their privileges on the system.(CVE-2015-5156)

  - The MSM QDSP6 audio driver (aka sound driver) for the     Linux kernel 3.x, as used in Qualcomm Innovation Center     (QuIC) Android contributions for MSM devices and other     products, allows attackers to gain privileges or cause     a denial of service (integer overflow, and buffer     overflow or buffer over-read) via a crafted application     that performs a (1) AUDIO_EFFECTS_WRITE or (2)     AUDIO_EFFECTS_READ operation, aka Qualcomm internal bug     CR1006609.(CVE-2016-2068)

  - The icmp6_send function in net/ipv6/icmp.c in the Linux     kernel through 4.8.12 omits a certain check of the dst     data structure which allows remote attackers to cause a     denial of service (panic) via a fragmented IPv6     packet.(CVE-2016-9919)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-18445: A faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandled 32-bit right shifts (bnc#1112372).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2017-18224: fs/ocfs2/aops.c omits use of a semaphore and consequently has a race condition for access to the extent tree during read operations in DIRECT mode, which allowed local users to cause a denial of service (BUG) by modifying a certain e_cpos field (bnc#1084831).

CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).

CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removed entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry could remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).

CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-18445: Faulty computation of numeric bounds in the BPF verifier permitted out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandled 32-bit right shifts (bnc#1112372).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2017-18224: fs/ocfs2/aops.c omitted use of a semaphore and consequently had a race condition for access to the extent tree during read operations in DIRECT mode, which allowed local users to cause a denial of service (BUG) by modifying a certain e_cpos field (bnc#1084831).

CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel for Azure was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-18445: Faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandled 32-bit right shifts (bnc#1112372).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2017-18224: fs/ocfs2/aops.c omits use of a semaphore and consequently has a race condition for access to the extent tree during read operations in DIRECT mode, which allowed local users to cause a denial of service (BUG) by modifying a certain e_cpos field (bnc#1084831).

CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2017-5715     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 2 (branch target   injection) and is mitigated for the x86 architecture (amd64 and   i386) by using the 'retpoline' compiler feature which allows   indirect branches to be isolated from speculative execution.

  - CVE-2017-5753     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 1 (bounds-check   bypass) and is mitigated by identifying vulnerable code sections   (array bounds checking followed by array access) and replacing the   array access with the speculation-safe array_index_nospec()   function.

  More use sites will be added over time.

  - CVE-2017-17975     Tuba Yavuz reported a use-after-free flaw in the     USBTV007 audio-video grabber driver. A local user could     use this for denial of service by triggering failure of     audio registration.

  - CVE-2017-18193     Yunlei He reported that the f2fs implementation does not     properly handle extent trees, allowing a local user to     cause a denial of service via an application with     multiple threads.

  - CVE-2017-18216     Alex Chen reported that the OCFS2 filesystem failed to     hold a necessary lock during nodemanager sysfs file     operations, potentially leading to a NULL pointer     dereference. A local user could use this for denial of     service.

  - CVE-2017-18218     Jun He reported a use-after-free flaw in the Hisilicon     HNS ethernet driver. A local user could use this for     denial of service.

  - CVE-2017-18222     It was reported that the Hisilicon Network Subsystem     (HNS) driver implementation does not properly handle     ethtool private flags. A local user could use this for     denial of service or possibly have other impact.

  - CVE-2017-18224     Alex Chen reported that the OCFS2 filesystem omits the     use of a semaphore and consequently has a race condition     for access to the extent tree during read operations in     DIRECT mode. A local user could use this for denial of     service.

  - CVE-2017-18241     Yunlei He reported that the f2fs implementation does not     properly initialise its state if the 'noflush_merge'     mount option is used. A local user with access to a     filesystem mounted with this option could use this to     cause a denial of service.

  - CVE-2017-18257     It was reported that the f2fs implementation is prone to     an infinite loop caused by an integer overflow in the
    __get_data_block() function. A local user can use this     for denial of service via crafted use of the open and     fallocate system calls with an FS_IOC_FIEMAP ioctl.

  - CVE-2018-1065     The syzkaller tool found a NULL pointer dereference flaw     in the netfilter subsystem when handling certain     malformed iptables rulesets. A local user with the     CAP_NET_RAW or CAP_NET_ADMIN capability (in any user     namespace) could use this to cause a denial of service.
    Debian disables unprivileged user namespaces by default.

  - CVE-2018-1066     Dan Aloni reported to Red Hat that the CIFS client     implementation would dereference a NULL pointer if the     server sent an invalid response during NTLMSSP setup     negotiation. This could be used by a malicious server     for denial of service.

  - CVE-2018-1068     The syzkaller tool found that the 32-bit compatibility     layer of ebtables did not sufficiently validate offset     values. On a 64-bit kernel, a local user with the     CAP_NET_ADMIN capability (in any user namespace) could     use this to overwrite kernel memory, possibly leading to     privilege escalation. Debian disables unprivileged user     namespaces by default.

  - CVE-2018-1092     Wen Xu reported that a crafted ext4 filesystem image     would trigger a null dereference when mounted. A local     user able to mount arbitrary filesystems could use this     for denial of service.

  - CVE-2018-1093     Wen Xu reported that a crafted ext4 filesystem image     could trigger an out-of-bounds read in the     ext4_valid_block_bitmap() function. A local user able to     mount arbitrary filesystems could use this for denial of     service.

  - CVE-2018-1108     Jann Horn reported that crng_ready() does not properly     handle the crng_init variable states and the RNG could     be treated as cryptographically safe too early after     system boot.

  - CVE-2018-5803     Alexey Kodanev reported that the SCTP protocol did not     range-check the length of chunks to be created. A local     or remote user could use this to cause a denial of     service.

  - CVE-2018-7480     Hou Tao discovered a double-free flaw in the     blkcg_init_queue() function in block/blk-cgroup.c. A     local user could use this to cause a denial of service     or have other impact.

  - CVE-2018-7566     Fan LongFei reported a race condition in the ALSA     (sound) sequencer core, between write and ioctl     operations. This could lead to an out-of-bounds access     or use-after-free. A local user with access to a     sequencer device could use this for denial of service or     possibly for privilege escalation.

  - CVE-2018-7740     Nic Losby reported that the hugetlbfs filesystem's mmap     operation did not properly range-check the file offset.
    A local user with access to files on a hugetlbfs     filesystem could use this to cause a denial of service.

  - CVE-2018-7757     Jason Yan reported a memory leak in the SAS     (Serial-Attached SCSI) subsystem. A local user on a     system with SAS devices could use this to cause a denial     of service.

  - CVE-2018-7995     Seunghun Han reported a race condition in the x86 MCE     (Machine Check Exception) driver. This is unlikely to     have any security impact.

  - CVE-2018-8087     A memory leak flaw was found in the hwsim_new_radio_nl()     function in the simulated radio testing tool driver for     mac80211, allowing a local user to cause a denial of     service.

  - CVE-2018-8781     Eyal Itkin reported that the udl (DisplayLink) driver's     mmap operation did not properly range-check the file     offset. A local user with access to a udl framebuffer     device could exploit this to overwrite kernel memory,     leading to privilege escalation.

  - CVE-2018-8822     Dr Silvio Cesare of InfoSect reported that the ncpfs     client implementation did not validate reply lengths     from the server. An ncpfs server could use this to cause     a denial of service or remote code execution in the     client.

  - CVE-2018-10323     Wen Xu reported a NULL pointer dereference flaw in the     xfs_bmapi_write() function triggered when mounting and     operating a crafted xfs filesystem image. A local user     able to mount arbitrary filesystems could use this for     denial of service.

  - CVE-2018-1000199     Andy Lutomirski discovered that the ptrace subsystem did     not sufficiently validate hardware breakpoint settings.
    Local users can use this to cause a denial of service,     or possibly for privilege escalation, on x86 (amd64 and     i386) and possibly other architectures.

ID	Name	Product	Family	Severity
124984	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1531)	Nessus	Huawei Local Security Checks	high
123366	openSUSE Security Update : the Linux Kernel (openSUSE-2019-893)	Nessus	SuSE Local Security Checks	high
120151	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2018:3589-1)	Nessus	SuSE Local Security Checks	high
119647	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:4069-1)	Nessus	SuSE Local Security Checks	high
119286	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:3934-1)	Nessus	SuSE Local Security Checks	high
118818	openSUSE Security Update : the Linux Kernel (openSUSE-2018-1342)	Nessus	SuSE Local Security Checks	high
109518	Debian DSA-4188-1 : linux - security update (Spectre)	Nessus	Debian Local Security Checks	high

CVE-2017-18224

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins