http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0f2ff82e11c86c05d051cae32b58226392d33bbf

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.7

[oss-security] 20170122 CVE request: Linux kernel: vc4: int overflow leading to heap-based buffer overflow

95767

https://bugzilla.redhat.com/show_bug.cgi?id=1416436

https://github.com/torvalds/linux/commit/0f2ff82e11c86c05d051cae32b58226392d33bbf

[linux-kernel] 20170118 [PATCH 1/2] drm/vc4: Fix an integer overflow in temporary allocation layout.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The pagemap_open function in fs/proc/task_mmu.c in the     Linux kernel before 3.19.3, as used in Android 6.0.1     before 2016-03-01, allows local users to obtain     sensitive physical-address information by reading a     pagemap file, aka Android internal bug     25739721.(CVE-2016-0823i1/4%0

  - drivers/hid/hid-steelseries.c in the Human Interface     Device (HID) subsystem in the Linux kernel through     3.11, when CONFIG_HID_STEELSERIES is enabled, allows     physically proximate attackers to cause a denial of     service (heap-based out-of-bounds write) via a crafted     device.(CVE-2013-2891i1/4%0

  - The overlayfs implementation in the Linux kernel     through 4.5.2 does not properly maintain POSIX ACL     xattr data, which allows local users to gain privileges     by leveraging a group-writable setgid     directory.(CVE-2016-1575i1/4%0

  - Integer overflow in the vc4_get_bcl function in     drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM     driver in the Linux kernel before 4.9.7 allows local     users to cause a denial of service or possibly have     unspecified other impact via a crafted size value in a     VC4_SUBMIT_CL ioctl call.(CVE-2017-5576i1/4%0

  - The KVM subsystem in the Linux kernel through 3.12.5     allows local users to gain privileges or cause a denial     of service (system crash) via a VAPIC synchronization     operation involving a page-end     address.(CVE-2013-6368i1/4%0

  - It was found that the code in net/sctp/socket.c in the     Linux kernel through 4.10.1 does not properly restrict     association peel-off operations during certain wait     states, which allows local users to cause a denial of     service (invalid unlock and double free) via a     multithreaded application. This vulnerability was     introduced by CVE-2017-5986 fix (commit     2dcab5984841).(CVE-2017-6353i1/4%0

  - net/netfilter/nf_conntrack_proto_dccp.c in the Linux     kernel through 3.13.6 uses a DCCP header pointer     incorrectly, which allows remote attackers to cause a     denial of service (system crash) or possibly execute     arbitrary code via a DCCP packet that triggers a call     to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error     function.(CVE-2014-2523i1/4%0

  - Race condition vulnerability was found in     drivers/misc/mic/vop/vop_vringh.c in the MIC VOP driver     in the Linux kernel before 4.6.1. MIC VOP driver does     two successive reads from user space to read a variable     length data structure. Local user can obtain sensitive     information from kernel memory or can cause DoS by     corrupting kernel memory if the data structure changes     between the two reads.(CVE-2016-5728i1/4%0

  - An issue was discovered in the btrfs filesystem code in     the Linux kernel. An invalid pointer dereference in     io_ctl_map_page() when mounting and operating a crafted     btrfs image is due to a lack of block group item     validation in check_leaf_item() in     fs/btrfs/tree-checker.c function. This could lead to a     system crash and a denial of service.(CVE-2018-14613i1/4%0

  - A flaw was found in the way the Linux kernel handled GS     segment register base switching when recovering from a     #SS (stack segment) fault on an erroneous return to     user space. A local, unprivileged user could use this     flaw to escalate their privileges on the     system.(CVE-2014-9322i1/4%0

  - The keyring_search_aux function in     security/keys/keyring.c in the Linux kernel allows     local users to cause a denial of service via a     request_key system call for the 'dead' key     type.(CVE-2017-6951i1/4%0

  - A flaw was found in the way the Linux kernel's XFS file     system handled replacing of remote attributes under     certain conditions. A local user with access to XFS     file system mount could potentially use this flaw to     escalate their privileges on the     system.(CVE-2015-0274i1/4%0

  - A memory leak in the kernel_read_file function in     fs/exec.c in the Linux kernel through 4.20.11 allows     attackers to cause a denial of service (memory     consumption) by triggering vfs_read     failures.(CVE-2019-8980i1/4%0

  - A flaw was found in the kernel's implementation of the     Berkeley Packet Filter (BPF). A local attacker could     craft BPF code to crash the system by creating a     situation in which the JIT compiler would fail to     correctly optimize the JIT image on the last pass. This     would lead to the CPU executing instructions that were     not part of the JIT code.(CVE-2015-4700i1/4%0

  - A security flaw was discovered in     nl80211_set_rekey_data() function in the Linux kernel     since v3.1-rc1 through v4.13. This function does not     check whether the required attributes are present in a     netlink request. This request can be issued by a user     with CAP_NET_ADMIN privilege and may result in NULL     dereference and a system crash.(CVE-2017-12153i1/4%0

  - The atyfb_ioctl function in     drivers/video/fbdev/aty/atyfb_base.c in the Linux     kernel through 4.12.10 does not initialize a certain     data structure, which allows local users to obtain     sensitive information from kernel stack memory by     reading locations associated with padding     bytes.(CVE-2017-14156i1/4%0

  - kernel/events/core.c in the performance subsystem in     the Linux kernel before 4.0 mismanages locks during     certain migrations, which allows local users to gain     privileges via a crafted application, aka Android     internal bug 31095224.(CVE-2016-6787i1/4%0

  - The ioresources_init function in kernel/resource.c in     the Linux kernel through 4.7, as used in Android before     2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak     permissions for /proc/iomem, which allows local users     to obtain sensitive information by reading this file,     aka Android internal bug 28814213 and Qualcomm internal     bug CR786116. NOTE: the permissions may be intentional     in most non-Android contexts.(CVE-2015-8944i1/4%0

  - Race condition in the ioctl_file_dedupe_range function     in fs/ioctl.c in the Linux kernel through 4.7 allows     local users to cause a denial of service (heap-based     buffer overflow) or possibly gain privileges by     changing a certain count value, aka a 'double fetch'     vulnerability.(CVE-2016-6516i1/4%0

  - It was found that the timer functionality in the Linux     kernel ALSA subsystem is prone to a race condition     between read and ioctl system call handlers, resulting     in an uninitialized memory disclosure to user space. A     local user could use this flaw to read information     belonging to other users.(CVE-2017-1000380i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3358-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Please note that this update changes the Linux HWE kernel to the 4.10 based kernel from Ubuntu 17.04, superseding the 4.8 based HWE kernel from Ubuntu 16.10.

Ben Harris discovered that the Linux kernel would strip extended privilege attributes of files when performing a failed unprivileged system call. A local attacker could use this to cause a denial of service. (CVE-2015-1350)

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208)

Peter Pi discovered that the colormap handling for frame buffer devices in the Linux kernel contained an integer overflow. A local attacker could use this to disclose sensitive information (kernel memory). (CVE-2016-8405)

It was discovered that an integer overflow existed in the InfiniBand RDMA over ethernet (RXE) transport implementation in the Linux kernel.
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-8636)

Vlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO PCI driver for the Linux kernel. A local attacker with access to a vfio PCI device file could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)

CAI Qian discovered that the sysctl implementation in the Linux kernel did not properly perform reference counting in some situations. An unprivileged attacker could use this to cause a denial of service (system hang). (CVE-2016-9191)

It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604)

Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet discovered that the netfiler subsystem in the Linux kernel mishandled IPv6 packet reassembly. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-9755)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

Dmitry Vyukov discovered that KVM implementation in the Linux kernel improperly emulated the VMXON instruction. A local attacker in a guest OS could use this to cause a denial of service (memory consumption) in the host OS. (CVE-2017-2596)

It was discovered that SELinux in the Linux kernel did not properly handle empty writes to /proc/pid/attr. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2618)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that the freelist-randomization in the SLAB memory allocator allowed duplicate freelist entries. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-5546)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

It was discovered that a fencepost error existed in the pipe_advance() function in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5550)

It was discovered that the Linux kernel did not clear the setgid bit during a setxattr call on a tmpfs filesystem. A local attacker could use this to gain elevated group privileges. (CVE-2017-5551)

Murray McAllister discovered that an integer overflow existed in the VideoCore DRM driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-5576)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux kernel did not properly handle invalid IP options in some situations.
An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-5970)

Di Shen discovered that a race condition existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2017-6001)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP packets with the URG flag. A remote attacker could use this to cause a denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made improper assumptions about internal data layout when performing checksums. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348)

Dmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux kernel contained a stack-based buffer overflow. A local attacker with access to an sg device could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7187)

It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261)

It was discovered that the USB Cypress HID drivers for the Linux kernel did not properly validate reported information from the device.
An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-7273)

Eric Biggers discovered a memory leak in the keyring implementation in the Linux kernel. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-7472)

It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616)

Sabrina Dubroca discovered that the asynchronous cryptographic hash (ahash) implementation in the Linux kernel did not properly handle a full request queue. A local attacker could use this to cause a denial of service (infinite recursion). (CVE-2017-7618)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion).
(CVE-2017-8925)

Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Linux kernel did not properly initialize a Wake- on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900)

Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet discovered that the netfiler subsystem in the Linux kernel mishandled IPv6 packet reassembly. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-9755)

Alexander Potapenko discovered a race condition in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-1000380)

It was discovered that the Linux kernel did not clear the setgid bit during a setxattr call on a tmpfs filesystem. A local attacker could use this to gain elevated group privileges. (CVE-2017-5551)

Murray McAllister discovered that an integer overflow existed in the VideoCore DRM driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-5576)

Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly validate some ioctl arguments. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-7346)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion).
(CVE-2017-8925)

Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150)

Murray McAllister discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly initialize memory. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-9605).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.49 to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     was mishandled during error processing (bnc#1003077).

  - CVE-2017-5576: Integer overflow in the vc4_get_bcl     function in drivers/gpu/drm/vc4/vc4_gem.c in the     VideoCore DRM driver in the Linux kernel allowed local     users to cause a denial of service or possibly have     unspecified other impact via a crafted size value in a     VC4_SUBMIT_CL ioctl call (bnc#1021294).

  - CVE-2017-5577: The vc4_get_bcl function in     drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM     driver in the Linux kernel did not set an errno value     upon certain overflow detections, which allowed local     users to cause a denial of service (incorrect pointer     dereference and OOPS) via inconsistent size values in a     VC4_SUBMIT_CL ioctl call (bnc#1021294).

  - CVE-2017-5551: The simple_set_acl function in     fs/posix_acl.c in the Linux kernel preserved the setgid     bit during a setxattr call involving a tmpfs filesystem,     which allowed local users to gain group privileges by     leveraging the existence of a setgid program with     restrictions on execute permissions. (bnc#1021258).

  - CVE-2017-2583: The load_segment_descriptor     implementation in arch/x86/kvm/emulate.c in the Linux     kernel improperly emulated a 'MOV SS, NULL selector'     instruction, which allowed guest OS users to cause a     denial of service (guest OS crash) or gain guest OS     privileges via a crafted application (bnc#1020602).

  - CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux     kernel allowed local users to obtain sensitive     information from kernel memory or cause a denial of     service (use-after-free) via a crafted application that     leverages instruction emulation for fxrstor, fxsave,     sgdt, and sidt (bnc#1019851).

  - CVE-2015-8709: kernel/ptrace.c in the Linux kernel     mishandled uid and gid mappings, which allowed local     users to gain privileges by establishing a user     namespace, waiting for a root process to enter that     namespace with an unsafe uid or gid, and then using the     ptrace system call. NOTE: the vendor states 'there is no     kernel bug here' (bnc#1010933).

  - CVE-2016-9806: Race condition in the netlink_dump     function in net/netlink/af_netlink.c in the Linux kernel     allowed local users to cause a denial of service (double     free) or possibly have unspecified other impact via a     crafted application that made sendmsg system calls,     leading to a free operation associated with a new dump     that started earlier than anticipated (bnc#1013540).

  - CVE-2017-5897: fixed a bug in the Linux kernel IPv6     implementation which allowed remote attackers to trigger     an out-of-bounds access, leading to a denial-of-service     attack (bnc#1023762).

  - CVE-2017-5970: Fixed a possible denial-of-service that     could have been triggered by sending bad IP options on a     socket (bsc#1024938).

  - CVE-2017-5986: an application could have triggered a     BUG_ON() in sctp_wait_for_sndbuf() if the socket TX     buffer was full, a thread was waiting on it to queue     more data, and meanwhile another thread peeled off the     association being used by the first thread     (bsc#1025235).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 4.9.6 stable kernel update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124829	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1506)	Nessus	Huawei Local Security Checks	critical
101929	Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3361-1)	Nessus	Ubuntu Local Security Checks	critical
101894	Ubuntu 16.10 : linux, linux-raspi2 vulnerabilities (USN-3359-1)	Nessus	Ubuntu Local Security Checks	critical
97466	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:0575-1)	Nessus	SuSE Local Security Checks	critical
97274	openSUSE Security Update : the Linux Kernel (openSUSE-2017-245)	Nessus	SuSE Local Security Checks	critical
96894	Fedora 25 : kernel (2017-81fbd592d4)	Nessus	Fedora Local Security Checks	high
96890	Fedora 24 : kernel (2017-6cc158c193)	Nessus	Fedora Local Security Checks	high

CVE-2017-5576

HIGH

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

critical

critical

critical

high

high