http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9dc6f65bc5e232d1c05fe34b5daadc7e8bbf1fb

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.5

[oss-security] 20170120 Re: CVE REQUEST: linux kernel: process with pgid zero able to crash kernel

95716

https://bugzilla.redhat.com/show_bug.cgi?id=1416116

https://github.com/torvalds/linux/commit/b9dc6f65bc5e232d1c05fe34b5daadc7e8bbf1fb

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A use-after-free vulnerability was found in DCCP socket     code affecting the Linux kernel since 2.6.16. This     vulnerability could allow an attacker to their escalate     privileges.(CVE-2017-8824)

  - The OZWPAN driver in the Linux kernel through 4.0.5     relies on an untrusted length field during packet     parsing, which allows remote attackers to obtain     sensitive information from kernel memory or cause a     denial of service (out-of-bounds read and system crash)     via a crafted packet.(CVE-2015-4004)

  - Integer signedness error in the MSM V4L2 video driver     for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allows attackers to gain     privileges or cause a denial of service (array overflow     and memory corruption) via a crafted application that     triggers an msm_isp_axi_create_stream     call.(CVE-2016-2061)

  - A denial of service flaw was found in the way the Linux     kernel's XFS file system implementation ordered     directory hashes under certain conditions. A local     attacker could use this flaw to corrupt the file system     by creating directories with colliding hash values,     potentially resulting in a system crash.(CVE-2014-7283)

  - It was found that the Linux kernel's ping socket     implementation did not properly handle socket unhashing     during spurious disconnects, which could lead to a     use-after-free flaw. On x86-64 architecture systems, a     local user able to create ping sockets could use this     flaw to crash the system. On non-x86-64 architecture     systems, a local user able to create ping sockets could     use this flaw to escalate their privileges on the     system.(CVE-2015-3636)

  - Incorrect buffer length handling was found in the     ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in     the Linux kernel, which could be exploited by malicious     NCPFS servers to crash the kernel or possibly execute     an arbitrary code.(CVE-2018-8822)

  - ** DISPUTED ** Kernel Samepage Merging (KSM) in the     Linux kernel 2.6.32 through 4.x does not prevent use of     a write-timing side channel, which allows guest OS     users to defeat the ASLR protection mechanism on other     guest OS instances via a Cross-VM ASL INtrospection     (CAIN) attack. NOTE: the vendor states 'Basically if     you care about this attack vector, disable     deduplication.' Share-until-written approaches for     memory conservation among mutually untrusting tenants     are inherently detectable for information disclosure,     and can be classified as potentially misunderstood     behaviors rather than vulnerabilities.(CVE-2015-2877)

  - The tty_set_termios_ldisc() function in     'drivers/tty/tty_ldisc.c' in the Linux kernel before     4.5 allows local users to obtain sensitive information     from kernel memory by reading a tty data     structure.(CVE-2015-8964)

  - An issue was discovered in the Linux kernel through     4.17.2. vbg_misc_device_ioctl() in     drivers/virt/vboxguest/vboxguest_linux.c reads the same     user data twice with copy_from_user. The header part of     the user data is double-fetched, and a malicious user     thread can tamper with the critical variables     (hdr.size_in and hdr.size_out) in the header between     the two fetches because of a race condition, leading to     severe kernel errors, such as buffer over-accesses.
    This bug can cause a local denial of service and     information leakage.(CVE-2018-12633)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2018-1092)

  - fs/f2fs/extent_cache.c in the Linux kernel, before     4.13, mishandles extent trees. This allows local users     to cause a denial of service via an application with     multiple threads.(CVE-2017-18193)

  - A design flaw was found in the file extended attribute     handling of the Linux kernel's handling of cached     attributes. Too many entries in the cache cause a soft     lockup while attempting to iterate the cache and access     relevant locks.(CVE-2015-8952)

  - Off-by-one error in the pipe_advance function in     lib/iov_iter.c in the Linux kernel before 4.9.5 allows     local users to obtain sensitive information from     uninitialized heap-memory locations in opportunistic     circumstances by reading from a pipe after an incorrect     buffer-release decision.(CVE-2017-5550)

  - The HMAC implementation (crypto/hmac.c) in the Linux     kernel, before 4.14.8, does not validate that the     underlying cryptographic hash algorithm is unkeyed.
    This allows a local attacker, able to use the     AF_ALG-based hash interface     (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash     algorithm (CONFIG_CRYPTO_SHA3), to cause a kernel stack     buffer overflow by executing a crafted sequence of     system calls that encounter a missing SHA-3     initialization.(CVE-2017-17806)

  - The mp_get_count function in     drivers/staging/sb105x/sb_pci_mp.c in the Linux kernel     before 3.12 does not initialize a certain data     structure, which allows local users to obtain sensitive     information from kernel stack memory via a TIOCGICOUNT     ioctl call.(CVE-2013-4516)

  - The perf_cpu_time_max_percent_handler function in     kernel/events/core.c in the Linux kernel before 4.11     allows local users to cause a denial of service     (integer overflow) or possibly have unspecified other     impact via a large value, as demonstrated by an     incorrect sample-rate calculation.(CVE-2017-18255)

  - An issue was discovered in the btrfs filesystem code in     the Linux kernel. An invalid pointer dereference in
    __del_reloc_root() in fs/btrfs/relocation.c when     mounting a crafted btrfs image could lead to a system     crash and a denial of service.(CVE-2018-14609)

  - The oz_usb_handle_ep_data function in     drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel through 4.0.5 allows remote     attackers to cause a denial of service (divide-by-zero     error and system crash) via a crafted     packet.(CVE-2015-4003)

  - drivers/hid/hid-logitech-dj.c in the Human Interface     Device (HID) subsystem in the Linux kernel through     3.11, when CONFIG_HID_LOGITECH_DJ is enabled, allows     physically proximate attackers to cause a denial of     service (NULL pointer dereference and OOPS) or obtain     sensitive information from kernel memory via a crafted     device.(CVE-2013-2895)

  - drivers/usb/serial/cypress_m8.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a USB device without both an     interrupt-in and an interrupt-out endpoint descriptor,     related to the cypress_generic_port_probe and     cypress_open functions.(CVE-2016-3137)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3358-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Please note that this update changes the Linux HWE kernel to the 4.10 based kernel from Ubuntu 17.04, superseding the 4.8 based HWE kernel from Ubuntu 16.10.

Ben Harris discovered that the Linux kernel would strip extended privilege attributes of files when performing a failed unprivileged system call. A local attacker could use this to cause a denial of service. (CVE-2015-1350)

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208)

Peter Pi discovered that the colormap handling for frame buffer devices in the Linux kernel contained an integer overflow. A local attacker could use this to disclose sensitive information (kernel memory). (CVE-2016-8405)

It was discovered that an integer overflow existed in the InfiniBand RDMA over ethernet (RXE) transport implementation in the Linux kernel.
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-8636)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)

CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet discovered that the netfiler subsystem in the Linux kernel mishandled IPv6 packet reassembly. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-9755)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

It was discovered that SELinux in the Linux kernel did not properly handle empty writes to /proc/pid/attr. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2618)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that the freelist-randomization in the SLAB memory allocator allowed duplicate freelist entries. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-5546)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

It was discovered that a fencepost error existed in the pipe_advance() function in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5550)

It was discovered that the Linux kernel did not clear the setgid bit during a setxattr call on a tmpfs filesystem. A local attacker could use this to gain elevated group privileges. (CVE-2017-5551)

Murray McAllister discovered that an integer overflow existed in the VideoCore DRM driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-5576)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made improper assumptions about internal data layout when performing checksums. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7187)

It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261)

It was discovered that the USB Cypress HID drivers for the Linux kernel did not properly validate reported information from the device.
An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-7273)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion).
(CVE-2017-8925)

Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124800	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1476)	Nessus	Huawei Local Security Checks	high
101929	Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3361-1)	Nessus	Ubuntu Local Security Checks	critical

CVE-2017-5550

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins