http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0558f33c06bb910e2879e355192227a8e8f0219d

103423

RHSA-2018:3083

RHSA-2018:3096

https://github.com/torvalds/linux/commit/0558f33c06bb910e2879e355192227a8e8f0219d

USN-4163-1

USN-4163-2

DSA-4187

It was discovered that a race condition existed in the ARC EMAC ethernet driver for the Linux kernel, resulting in a use-after-free vulnerability. An attacker could use this to cause a denial of service (system crash). (CVE-2016-10906)

It was discovered that a race condition existed in the Serial Attached SCSI (SAS) implementation in the Linux kernel when handling certain error conditions. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18232)

It was discovered that the RSI 91x Wi-Fi driver in the Linux kernel did not did not handle detach operations correctly, leading to a use-after-free vulnerability. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-21008)

Wen Huang discovered that the Marvell Wi-Fi device driver in the Linux kernel did not properly perform bounds checking, leading to a heap overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14814, CVE-2019-14816)

Matt Delco discovered that the KVM hypervisor implementation in the Linux kernel did not properly perform bounds checking when handling coalesced MMIO write operations. A local attacker with write access to /dev/kvm could use this to cause a denial of service (system crash).
(CVE-2019-14821)

Hui Peng and Mathias Payer discovered that the USB audio driver for the Linux kernel did not properly validate device meta data. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15117)

Hui Peng and Mathias Payer discovered that the USB audio driver for the Linux kernel improperly performed recursion while handling device meta data. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15118)

It was discovered that the Technisat DVB-S/S2 USB device driver in the Linux kernel contained a buffer overread. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2019-15505)

Brad Spengler discovered that a Spectre mitigation was improperly implemented in the ptrace susbsystem of the Linux kernel. A local attacker could possibly use this to expose sensitive information.
(CVE-2019-15902).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A flaw named FragmentSmack was found in the way the     Linux kernel handled reassembly of fragmented IPv4 and     IPv6 packets. A remote attacker could use this flaw to     trigger time and calculation expensive fragment     reassembly algorithm by sending specially crafted     packets which could lead to a CPU saturation and hence     a denial of service on the system.(CVE-2018-5391)

  - Multiple out-of-bounds write flaws were found in the     way the Cherry Cymotion keyboard driver, KYE/Genius     device drivers, Logitech device drivers, Monterey     Genius KB29E keyboard driver, Petalynx Maxter remote     control driver, and Sunplus wireless desktop driver     handled HID reports with an invalid report descriptor     size. An attacker with physical access to the system     could use either of these flaws to write data past an     allocated memory buffer.(CVE-2014-3184)

  - The __get_data_block function in fs/f2fs/data.c in the     Linux kernel before 4.11 allows local users to cause a     denial of service (integer overflow and loop) via     crafted use of the open and fallocate system calls with     an FS_IOC_FIEMAP ioctl.(CVE-2017-18257)

  - net/netfilter/xt_osf.c in the Linux kernel through     4.14.4 does not require the CAP_NET_ADMIN capability     for add_callback and remove_callback operations. This     allows local users to bypass intended access     restrictions because the xt_osf_fingers data structure     is shared across all network     namespaces.(CVE-2017-17450)

  - A denial of service flaw was discovered in the Linux     kernel, where a race condition caused a NULL pointer     dereference in the RDS socket-creation code. A local     attacker could use this flaw to create a situation in     which a NULL pointer crashed the kernel.(CVE-2015-7990)

  - An issue was discovered in the Linux kernel before     4.19.9. The USB subsystem mishandles size checks during     the reading of an extra descriptor, related to
    __usb_get_extra_descriptor in     drivers/usb/core/usb.c.(CVE-2018-20169)

  - mm/memory.c in the Linux kernel before 4.1.4 mishandles     anonymous pages, which allows local users to gain     privileges or cause a denial of service (page tainting)     via a crafted application that triggers writing to page     zero.(CVE-2015-3288)

  - The ovl_setattr function in fs/overlayfs/inode.c in the     Linux kernel through 4.3.3 attempts to merge distinct     setattr operations, which allows local users to bypass     intended access restrictions and modify the attributes     of arbitrary overlay files via a crafted     application.(CVE-2015-8660)

  - A flaw was found in the Linux kernel where a local user     with a shell account can abuse the userfaultfd syscall     when using hugetlbfs. A missing size check in     hugetlb_mcopy_atomic_pte could create an invalid inode     variable, leading to a kernel panic.(CVE-2017-15128)

  - An integer overflow flaw was found in the way the     lzo1x_decompress_safe() function of the Linux kernel's     LZO implementation processed Literal Runs. A local     attacker could, in extremely rare cases, use this flaw     to crash the system or, potentially, escalate their     privileges on the system.(CVE-2014-4608)

  - It was found that Linux kernel's ptrace subsystem did     not properly sanitize the address-space-control bits     when the program-status word (PSW) was being set. On     IBM S/390 systems, a local, unprivileged user could use     this flaw to set address-space-control bits to the     kernel space, and thus gain read and write access to     kernel memory.(CVE-2014-3534)

  - A use-after-free flaw was found in the Linux kernel's     file system encryption implementation. A local user     could revoke keyring keys being used for ext4, f2fs, or     ubifs encryption, causing a denial of service on the     system.(CVE-2017-7374)

  - The usbip_recv_xbuff function in     drivers/usb/usbip/usbip_common.c in the Linux kernel     before 4.5.3 allows remote attackers to cause a denial     of service (out-of-bounds write) or possibly have     unspecified other impact via a crafted length value in     a USB/IP packet.(CVE-2016-3955)

  - A flaw was found in the patches used to fix the     'dirtycow' vulnerability (CVE-2016-5195). An attacker,     able to run local code, can exploit a race condition in     transparent huge pages to modify usually read-only huge     pages.(CVE-2017-1000405)

  - The aio_mount function in fs/aio.c in the Linux kernel     does not properly restrict execute access, which makes     it easier for local users to bypass intended SELinux     W^X policy restrictions.(CVE-2016-10044)

  - The Serial Attached SCSI (SAS) implementation in the     Linux kernel mishandles a mutex within libsas. This     allows local users to cause a denial of service     (deadlock) by triggering certain error-handling     code.(CVE-2017-18232)

  - A use-after-free vulnerability was found in     tcp_xmit_retransmit_queue and other tcp_* functions.
    This condition could allow an attacker to send an     incorrect selective acknowledgment to existing     connections, possibly resetting a     connection.(CVE-2016-6828)

  - The instruction decoder in arch/x86/kvm/emulate.c in     the KVM subsystem in the Linux kernel before 3.18-rc2     does not properly handle invalid instructions, which     allows guest OS users to cause a denial of service     (NULL pointer dereference and host OS crash) via a     crafted application that triggers (1) an improperly     fetched instruction or (2) an instruction that occupies     too many bytes. NOTE: this vulnerability exists because     of an incomplete fix for CVE-2014-8480.(CVE-2014-8481)

  - The snd_compress_check_input function in     sound/core/compress_offload.c in the ALSA subsystem in     the Linux kernel before 3.17 does not properly check     for an integer overflow, which allows local users to     cause a denial of service (insufficient memory     allocation) or possibly have unspecified other impact     via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl     call.(CVE-2014-9904)

  - The resv_map_release function in mm/hugetlb.c in the     Linux kernel, through 4.15.7, allows local users to     cause a denial of service (BUG) via a crafted     application that makes mmap system calls and has a     large pgoff argument to the remap_file_pages system     call.(CVE-2018-7740)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the linux package has been released.

Security Fix(es) :

  - A flaw named FragmentSmack was found in the way the     Linux kernel handled reassembly of fragmented IPv4 and     IPv6 packets. A remote attacker could use this flaw to     trigger time and calculation expensive fragment     reassembly algorithm by sending specially crafted     packets which could lead to a CPU saturation and hence a     denial of service on the system. (CVE-2018-5391)

  - kernel: out-of-bounds access in the show_timer function     in kernel/time /posix-timers.c (CVE-2017-18344)

  - kernel: Integer overflow in udl_fb_mmap() can allow     attackers to execute code in kernel space     (CVE-2018-8781)

  - kernel: MIDI driver race condition leads to a     double-free (CVE-2018-10902)

  - kernel: Missing check in inode_init_owner() does not     clear SGID bit on non-directories for non-members     (CVE-2018-13405)

  - kernel: AIO write triggers integer overflow in some     protocols (CVE-2015-8830)

  - kernel: Use-after-free in snd_pcm_info function in ALSA     subsystem potentially leads to privilege escalation     (CVE-2017-0861)

  - kernel: Handling of might_cancel queueing is not     properly pretected against race (CVE-2017-10661)

  - kernel: Salsa20 encryption algorithm does not correctly     handle zero- length inputs allowing local attackers to     cause denial of service (CVE-2017-17805)

  - kernel: Inifinite loop vulnerability in     madvise_willneed() function allows local denial of     service (CVE-2017-18208)

  - kernel: fuse-backed file mmap-ed onto process cmdline     arguments causes denial of service (CVE-2018-1120)

  - kernel: a NULL pointer dereference in dccp_write_xmit()     leads to a system crash (CVE-2018-1130)

  - kernel: drivers/block/loop.c mishandles lo_release     serialization allowing denial of service (CVE-2018-5344)

  - kernel: Missing length check of payload in
    _sctp_make_chunk() function allows denial of service     (CVE-2018-5803)

  - kernel: buffer overflow in     drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may     lead to memory corruption (CVE-2018-5848)

  - kernel: out-of-bound write in ext4_init_block_bitmap     function with a crafted ext4 image (CVE-2018-10878)

  - kernel: Improper validation in bnx2x network card driver     can allow for denial of service attacks via crafted     packet (CVE-2018-1000026)

  - kernel: Information leak when handling NM entries     containing NUL (CVE-2016-4913)

  - kernel: Mishandling mutex within libsas allowing local     Denial of Service (CVE-2017-18232)

  - kernel: NULL pointer dereference in     ext4_process_freed_data() when mounting crafted ext4     image (CVE-2018-1092)

  - kernel: NULL pointer dereference in     ext4_xattr_inode_hash() causes crash with crafted ext4     image (CVE-2018-1094)

  - kernel: vhost: Information disclosure in     vhost/vhost.c:vhost_new_msg() (CVE-2018-1118)

  - kernel: Denial of service in resv_map_release function     in mm/hugetlb.c (CVE-2018-7740)

  - kernel: Memory leak in the sas_smp_get_phy_events     function in drivers/scsi/libsas/sas_expander.c     (CVE-2018-7757)

  - kernel: Invalid pointer dereference in     xfs_ilock_attr_map_shared() when mounting crafted xfs     image allowing denial of service (CVE-2018-10322)

  - kernel: use-after-free detected in ext4_xattr_set_entry     with a crafted file (CVE-2018-10879)

  - kernel: out-of-bound access in ext4_get_group_info()     when mounting and operating a crafted ext4 image     (CVE-2018-10881)

  - kernel: stack-out-of-bounds write in     jbd2_journal_dirty_metadata function (CVE-2018-10883)

  - kernel: incorrect memory bounds check in     drivers/cdrom/cdrom.c (CVE-2018-10940)

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391)

* kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344)

* kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781)

* kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902)

* kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405)

* kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830)

* kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861)

* kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661)

* kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805)

* kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208)

* kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120)

* kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130)

* kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344)

* kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803)

* kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)

* kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878)

* kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026)

* kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913)

* kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232)

* kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092)

* kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094)

* kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118)

* kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740)

* kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757)

* kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322)

* kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879)

* kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881)

* kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883)

* kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940)

Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120;
Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.

From Red Hat Security Advisory 2018:3083 :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391)

* kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344)

* kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781)

* kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902)

* kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405)

* kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830)

* kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861)

* kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661)

* kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805)

* kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208)

* kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120)

* kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130)

* kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344)

* kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803)

* kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)

* kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878)

* kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026)

* kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913)

* kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232)

* kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092)

* kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094)

* kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118)

* kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740)

* kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757)

* kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322)

* kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879)

* kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881)

* kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883)

* kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940)

Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120;
Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391)

* kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344)

* kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781)

* kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902)

* kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405)

* kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830)

* kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861)

* kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661)

* kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805)

* kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208)

* kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120)

* kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130)

* kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344)

* kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803)

* kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)

* kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878)

* kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026)

* kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913)

* kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232)

* kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092)

* kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094)

* kernel: vhost: Information disclosure in vhost.c:vhost_new_msg() (CVE-2018-1118)

* kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740)

* kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757)

* kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322)

* kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879)

* kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881)

* kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883)

* kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940)

Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120;
Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.

An update of 'linux-aws', 'linux', 'linux-esx', 'linux-secure' packages of Photon OS has been released.

An update of 'linux', 'linux-esx' packages of Photon OS has been released.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2015-9016     Ming Lei reported a race condition in the multiqueue     block layer (blk-mq). On a system with a driver using     blk-mq (mtip32xx, null_blk, or virtio_blk), a local user     might be able to use this for denial of service or     possibly for privilege escalation.

  - CVE-2017-0861     Robb Glasser reported a potential use-after-free in the     ALSA (sound) PCM core. We believe this was not possible     in practice.

  - CVE-2017-5715     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 2 (branch target   injection) and is mitigated for the x86 architecture (amd64 and   i386) by using the 'retpoline' compiler feature which allows   indirect branches to be isolated from speculative execution.

  - CVE-2017-5753     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 1 (bounds-check   bypass) and is mitigated by identifying vulnerable code sections   (array bounds checking followed by array access) and replacing the   array access with the speculation-safe array_index_nospec()   function.

  More use sites will be added over time.

  - CVE-2017-13166     A bug in the 32-bit compatibility layer of the v4l2     ioctl handling code has been found. Memory protections     ensuring user-provided buffers always point to userland     memory were disabled, allowing destination addresses to     be in kernel space. On a 64-bit kernel a local user with     access to a suitable video device can exploit this to     overwrite kernel memory, leading to privilege     escalation.

  - CVE-2017-13220     Al Viro reported that the Bluetooth HIDP implementation     could dereference a pointer before performing the     necessary type check. A local user could use this to     cause a denial of service.

  - CVE-2017-16526     Andrey Konovalov reported that the UWB subsystem may     dereference an invalid pointer in an error case. A local     user might be able to use this for denial of service.

  - CVE-2017-16911     Secunia Research reported that the USB/IP vhci_hcd     driver exposed kernel heap addresses to local users.
    This information could aid the exploitation of other     vulnerabilities.

  - CVE-2017-16912     Secunia Research reported that the USB/IP stub driver     failed to perform a range check on a received packet     header field, leading to an out-of-bounds read. A remote     user able to connect to the USB/IP server could use this     for denial of service.

  - CVE-2017-16913     Secunia Research reported that the USB/IP stub driver     failed to perform a range check on a received packet     header field, leading to excessive memory allocation. A     remote user able to connect to the USB/IP server could     use this for denial of service.

  - CVE-2017-16914     Secunia Research reported that the USB/IP stub driver     failed to check for an invalid combination of fields in     a received packet, leading to a NULL pointer     dereference. A remote user able to connect to the USB/IP     server could use this for denial of service.

  - CVE-2017-18017     Denys Fedoryshchenko reported that the netfilter     xt_TCPMSS module failed to validate TCP header lengths,     potentially leading to a use-after-free. If this module     is loaded, it could be used by a remote attacker for     denial of service or possibly for code execution.

  - CVE-2017-18203     Hou Tao reported that there was a race condition in     creation and deletion of device-mapper (DM) devices. A     local user could potentially use this for denial of     service.

  - CVE-2017-18216     Alex Chen reported that the OCFS2 filesystem failed to     hold a necessary lock during nodemanager sysfs file     operations, potentially leading to a NULL pointer     dereference. A local user could use this for denial of     service.

  - CVE-2017-18232     Jason Yan reported a race condition in the SAS     (Serial-Attached SCSI) subsystem, between probing and     destroying a port. This could lead to a deadlock. A     physically present attacker could use this to cause a     denial of service.

  - CVE-2017-18241     Yunlei He reported that the f2fs implementation does not     properly initialise its state if the 'noflush_merge'     mount option is used. A local user with access to a     filesystem mounted with this option could use this to     cause a denial of service.

  - CVE-2018-1066     Dan Aloni reported to Red Hat that the CIFS client     implementation would dereference a NULL pointer if the     server sent an invalid response during NTLMSSP setup     negotiation. This could be used by a malicious server     for denial of service.

  - CVE-2018-1068     The syzkaller tool found that the 32-bit compatibility     layer of ebtables did not sufficiently validate offset     values. On a 64-bit kernel, a local user with the     CAP_NET_ADMIN capability (in any user namespace) could     use this to overwrite kernel memory, possibly leading to     privilege escalation. Debian disables unprivileged user     namespaces by default.

  - CVE-2018-1092     Wen Xu reported that a crafted ext4 filesystem image     would trigger a null dereference when mounted. A local     user able to mount arbitrary filesystems could use this     for denial of service.

  - CVE-2018-5332     Mohamed Ghannam reported that the RDS protocol did not     sufficiently validate RDMA requests, leading to an     out-of-bounds write. A local attacker on a system with     the rds module loaded could use this for denial of     service or possibly for privilege escalation.

  - CVE-2018-5333     Mohamed Ghannam reported that the RDS protocol did not     properly handle an error case, leading to a NULL pointer     dereference. A local attacker on a system with the rds     module loaded could possibly use this for denial of     service.

  - CVE-2018-5750     Wang Qize reported that the ACPI sbshc driver logged a     kernel heap address. This information could aid the     exploitation of other vulnerabilities.

  - CVE-2018-5803     Alexey Kodanev reported that the SCTP protocol did not     range-check the length of chunks to be created. A local     or remote user could use this to cause a denial of     service.

  - CVE-2018-6927     Li Jinyue reported that the FUTEX_REQUEUE operation on     futexes did not check for negative parameter values,     which might lead to a denial of service or other     security impact.

  - CVE-2018-7492     The syzkaller tool found that the RDS protocol was     lacking a null pointer check. A local attacker on a     system with the rds module loaded could use this for     denial of service.

  - CVE-2018-7566     Fan LongFei reported a race condition in the ALSA     (sound) sequencer core, between write and ioctl     operations. This could lead to an out-of-bounds access     or use-after-free. A local user with access to a     sequencer device could use this for denial of service or     possibly for privilege escalation.

  - CVE-2018-7740     Nic Losby reported that the hugetlbfs filesystem's mmap     operation did not properly range-check the file offset.
    A local user with access to files on a hugetlbfs     filesystem could use this to cause a denial of service.

  - CVE-2018-7757     Jason Yan reported a memory leak in the SAS     (Serial-Attached SCSI) subsystem. A local user on a     system with SAS devices could use this to cause a denial     of service.

  - CVE-2018-7995     Seunghun Han reported a race condition in the x86 MCE     (Machine Check Exception) driver. This is unlikely to     have any security impact.

  - CVE-2018-8781     Eyal Itkin reported that the udl (DisplayLink) driver's     mmap operation did not properly range-check the file     offset. A local user with access to a udl framebuffer     device could exploit this to overwrite kernel memory,     leading to privilege escalation.

  - CVE-2018-8822     Dr Silvio Cesare of InfoSect reported that the ncpfs     client implementation did not validate reply lengths     from the server. An ncpfs server could use this to cause     a denial of service or remote code execution in the     client.

  - CVE-2018-1000004     Luo Quan reported a race condition in the ALSA (sound)     sequencer core, between multiple ioctl operations. This     could lead to a deadlock or use-after-free. A local user     with access to a sequencer device could use this for     denial of service or possibly for privilege escalation.

  - CVE-2018-1000199     Andy Lutomirski discovered that the ptrace subsystem did     not sufficiently validate hardware breakpoint settings.
    Local users can use this to cause a denial of service,     or possibly for privilege escalation, on x86 (amd64 and     i386) and possibly other architectures.

Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service :

An error in the '_sctp_make_chunk()' function (net/sctp/sm_make_chunk.c) when handling SCTP, packet length can be exploited by a malicious local user to cause a kernel crash and a DoS.
(CVE-2018-5803)

Mishandling mutex within libsas allowing local Denial of Service

The Serial Attached SCSI (SAS) implementation in the Linux kernel mishandles a mutex within libsas. This allows local users to cause a denial of service (deadlock) by triggering certain error-handling code. (CVE-2017-18232)

A flaw was found in the Linux kernel's client-side implementation of the cifs protocol. This flaw allows an attacker controlling the server to kernel panic a client which has the CIFS server mounted.(CVE-2018-1066)

Incremental update to fix kernel-devel issues.

----

The 4.15.12 update contains numerous fixes across the tree.

----

The 4.15.11 update contains a number of important fixes across the tree

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Incremental update to fix kernel-devel issues.

----

The 4.15.12 update contains a variety of fixes across the tree.

----

The 4.15.11 update contains a number of important fixes across the tree

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
131845	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-2353)	Nessus	Huawei Local Security Checks	critical
130152	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-4163-1)	Nessus	Ubuntu Local Security Checks	critical
124828	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1505)	Nessus	Huawei Local Security Checks	critical
121966	Photon OS 2.0: Linux PHSA-2018-2.0-0072	Nessus	PhotonOS Local Security Checks	medium
121857	Photon OS 1.0: Linux PHSA-2018-1.0-0161	Nessus	PhotonOS Local Security Checks	medium
119187	Scientific Linux Security Update : kernel on SL7.x x86_64	Nessus	Scientific Linux Local Security Checks	high
118990	CentOS 7 : kernel (CESA-2018:3083)	Nessus	CentOS Local Security Checks	high
118770	Oracle Linux 7 : kernel (ELSA-2018-3083)	Nessus	Oracle Linux Local Security Checks	high
118528	RHEL 7 : kernel-rt (RHSA-2018:3096)	Nessus	Red Hat Local Security Checks	high
118525	RHEL 7 : kernel (RHSA-2018:3083)	Nessus	Red Hat Local Security Checks	high
111956	Photon OS 2.0: Linux PHSA-2018-2.0-0072 (deprecated)	Nessus	PhotonOS Local Security Checks	medium
111943	Photon OS 1.0: Linux PHSA-2018-1.0-0161 (deprecated)	Nessus	PhotonOS Local Security Checks	medium
109517	Debian DSA-4187-1 : linux - security update (Spectre)	Nessus	Debian Local Security Checks	critical
109183	Amazon Linux AMI : kernel (ALAS-2018-993)	Nessus	Amazon Linux Local Security Checks	high
108677	Fedora 27 : kernel (2018-e378863e47)	Nessus	Fedora Local Security Checks	low
108673	Fedora 26 : kernel (2018-ba39fc0e07)	Nessus	Fedora Local Security Checks	low

CVE-2017-18232

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins