http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/drivers/gpu/drm/i915/i915_gem_execbuffer.c

[opensuse-security-announce] 20190218 [security-announce] openSUSE-SU-2019:0203-1: important: Security update for the Linux Kernel

[oss-security] 20190123 Linux Kernel: Missing access_ok() checks in IOCTL function  (gpu/drm/i915 Driver)

106748

https://access.redhat.com/security/cve/cve-2018-20669

https://security.netapp.com/advisory/ntap-20190404-0002/

https://support.f5.com/csp/article/K32059550

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The uas driver in the Linux kernel before 4.13.6 allows     local users to cause a denial of service (out-of-bounds     read and system crash), or possibly have unspecified     other impacts via a crafted USB device, related to     drivers/usb/storage/uas-detect.h and     drivers/usb/storage/uas.c.(CVE-2017-16530i1/4%0

  - The implementation of big key management in     security/keys/big_key.c in the Linux kernel before     4.8.7 mishandles unsuccessful crypto registration in     conjunction with successful key-type registration,     which allows local users to cause a denial of service     (NULL pointer dereference and panic) or possibly have     unspecified other impact via a crafted application that     uses the big_key data type.(CVE-2016-9313i1/4%0

  - The Linux kernel allows remote attackers to execute     arbitrary code via UDP traffic that triggers an unsafe     second checksum calculation during execution of a recv     system call with the MSG_PEEK flag. This may create a     kernel panic or memory corruption leading to privilege     escalation.(CVE-2016-10229i1/4%0

  - Buffer overflow in the exitcode_proc_write function in     arch/um/kernel/exitcode.c in the Linux kernel before     3.12 allows local users to cause a denial of service or     possibly have unspecified other impact by leveraging     root privileges for a write operation.(CVE-2013-4512i1/4%0

  - It was found that unsharing a mount namespace could     allow a user to see data beneath their restricted     namespace.(CVE-2014-9717i1/4%0

  - A divide-by-zero flaw was discovered in the Linux     kernel built with KVM virtualization     support(CONFIG_KVM). The flaw occurs in the KVM     module's Programmable Interval Timer(PIT) emulation,     when PIT counters for channel 1 or 2 are set to zero(0)     and a privileged user inside the guest attempts to read     these counters. A privileged guest user with access to     PIT I/O ports could exploit this issue to crash the     host kernel (denial of service).(CVE-2015-7513i1/4%0

  - The ims_pcu_parse_cdc_data function in     drivers/input/misc/ims-pcu.c in the Linux kernel before     4.5.1 allows physically proximate attackers to cause a     denial of service (system crash) via a USB device     without both a master and a slave     interface.(CVE-2016-3689i1/4%0

  - Stack-based buffer overflow in the     brcmf_cfg80211_start_ap() function in     'drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80     211.c' in the Linux kernel before 4.7.5 allows local     users to cause a denial of service (system crash) or     possibly have unspecified other impact via a long SSID     Information Element in a command to a Netlink     socket.(CVE-2016-8658i1/4%0

  - drivers/hid/hid-sony.c in the Human Interface Device     (HID) subsystem in the Linux kernel through 3.11, when     CONFIG_HID_SONY is enabled, allows physically proximate     attackers to cause a denial of service (heap-based     out-of-bounds write) via a crafted     device.(CVE-2013-2890i1/4%0

  - An issue where a provided address with access_ok() is     not checked was discovered in     i915_gem_execbuffer2_ioctl in     drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux     kernel through 4.19.13. A local attacker can craft a     malicious IOCTL function call to overwrite arbitrary     kernel memory, resulting in a Denial of Service or     privilege escalation.(CVE-2018-20669i1/4%0

  - It was found that the permission checks performed by     the Linux kernel when a netlink message was received     were not sufficient. A local, unprivileged user could     potentially bypass these restrictions by passing a     netlink socket as stdout or stderr to a more privileged     process and altering the output of this     process.(CVE-2014-0181i1/4%0

  - An issue was discovered in the XFS filesystem in     fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A     NULL pointer dereference may occur for a corrupted xfs     image after xfs_da_shrink_inode() is called with a NULL     bp. This can lead to a system crash and a denial of     service.(CVE-2018-13094i1/4%0

  - The irda_setsockopt function in net/irda/af_irda.c in     the Linux kernel, through 4.16, allows local users to     cause a denial of service (due to a use-after-free of     the ias_object and a system crash) or possibly have     unspecified other impact by leveraging an AF_IRDA     socket.(CVE-2018-6555i1/4%0

  - The x86/fpu (Floating Point Unit) subsystem in the     Linux kernel, when a processor supports the xsave     feature but not the xsaves feature, does not correctly     handle attempts to set reserved bits in the xstate     header via the ptrace() or rt_sigreturn() system call.
    This allows local users to read the FPU registers of     other processes on the system, related to     arch/x86/kernel/fpu/regset.c and     arch/x86/kernel/fpu/signal.c.(CVE-2017-15537i1/4%0

  - The fst_get_iface function in drivers/net/wan/farsync.c     in the Linux kernel before 3.11.7 does not properly     initialize a certain data structure, which allows local     users to obtain sensitive information from kernel     memory by leveraging the CAP_NET_ADMIN capability for     an SIOCWANDEV ioctl call.(CVE-2014-1444i1/4%0

  - In the Linux kernel, through 4.15.4, the floppy driver     reveals the addresses of kernel functions and global     variables using printk calls within the function     show_floppy in drivers/block/floppy.c. An attacker can     read this information from dmesg and use the addresses     to find the locations of kernel code and data and     bypass kernel security protections such as     KASLR.(CVE-2018-7273i1/4%0

  - A flaw in 'arch/arm64/kernel/sys.c' in the Linux kernel     allows local users to bypass the 'strict page     permissions' protection mechanism and modify the     system-call table and, consequently, gain privileges by     leveraging write access.(CVE-2015-8967i1/4%0

  - The Linux kernel before 3.11 on ARM platforms, as used     in Android before 2016-08-05 on Nexus 5 and 7 (2013)     devices, does not properly consider user-space access     to the TPIDRURW register, which allows local users to     gain privileges via a crafted application, aka Android     internal bug 28749743 and Qualcomm internal bug     CR561044.(CVE-2014-9870i1/4%0

  - A NULL pointer dereference security flaw was found in     the Linux kernel in the vcpu_scan_ioapic() function in     arch/x86/kvm/x86.c. This allows local users with     certain privileges to cause a denial of service via a     crafted system call to the KVM     subsystem.(CVE-2018-19407i1/4%0

  - It was found that current implementation of kl5kusb105     driver failed to detect short transfers when attempting     to read the line state and logged the content of the     uninitialized heap transfer buffer.(CVE-2017-5549i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2019-2024: A use-after-free when disconnecting a source was fixed which could lead to crashes. bnc#1129179).

CVE-2019-9213: expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which made it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task (bnc#1128166).

CVE-2019-8980: A memory leak in the kernel_read_file function in fs/exec.c allowed attackers to cause a denial of service (memory consumption) by triggering vfs_read failures (bnc#1126209).

CVE-2019-3819: A flaw was found in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user ('root') can cause a system lock up and a denial of service. Versions from v4.18 and newer are vulnerable (bnc#1123161).

CVE-2019-8912: af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr (bnc#1125907).

CVE-2019-7308: kernel/bpf/verifier.c performed undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks (bnc#1124055).

CVE-2019-3459, CVE-2019-3460: The Bluetooth stack suffered from two remote information leak vulnerabilities in the code that handles incoming L2cap configuration packets (bsc#1120758).

CVE-2019-7221: Fixed a user-after-free vulnerability in the KVM hypervisor related to the emulation of a preemption timer, allowing an guest user/process to crash the host kernel. (bsc#1124732).

CVE-2019-7222: Fixed an information leakage in the KVM hypervisor related to handling page fault exceptions, which allowed a guest user/process to use this flaw to leak the host's stack memory contents to a guest (bsc#1124735).

CVE-2019-6974: kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandled reference counting because of a race condition, leading to a use-after-free (bnc#1124728).

CVE-2018-20669: Missing access control checks in ioctl of gpu/drm/i915 driver were fixed which might have lead to information leaks.
(bnc#1122971).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise Server 12 SP4 Azure kernel was updated to fix various issues.

The following security bugs were fixed :

CVE-2019-2024: A use-after-free when disconnecting a source was fixed which could lead to crashes. bnc#1129179).

CVE-2019-9213: expand_downwards in mm/mmap.c lacked a check for the mmap minimum address, which made it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task (bnc#1128166 1128378 1129016).

CVE-2019-8980: A memory leak in the kernel_read_file function in fs/exec.c allowed attackers to cause a denial of service (memory consumption) by triggering vfs_read failures (bnc#1126209).

CVE-2019-3819: A flaw was found in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user ('root') can cause a system lock up and a denial of service. (bnc#1123161).

CVE-2019-8912: af_alg_release() in crypto/af_alg.c neglected to set a NULL value for a certain structure member, which led to a use-after-free in sockfs_setattr (bnc#1125907 1126284).

CVE-2019-7308: kernel/bpf/verifier.c performed undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks (bnc#1124055).

CVE-2019-3459, CVE-2019-3460: The Bluetooth stack suffered from two remote information leak vulnerabilities in the code that handles incoming L2cap configuration packets (bsc#1120758).

CVE-2019-7221: Fixed a use-after-free vulnerability in the KVM hypervisor related to the emulation of a preemption timer, allowing an guest user/process to crash the host kernel. (bsc#1124732).

CVE-2019-7222: Fixed an information leakage in the KVM hypervisor related to handling page fault exceptions, which allowed a guest user/process to use this flaw to leak the host's stack memory contents to a guest (bsc#1124735).

CVE-2019-6974: kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandled reference counting because of a race condition, leading to a use-after-free (bnc#1124728).

CVE-2018-20669: An issue where a provided address with access_ok() is not checked was discovered in i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c where a local attacker can craft a malicious IOCTL function call to overwrite arbitrary kernel memory, resulting in a Denial of Service or privilege escalation (bnc#1122971).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-20669: Missing access control checks in ioctl of gpu/drm/i915 driver were fixed which might have lead to information leaks.
(bnc#1122971).

CVE-2019-3459, CVE-2019-3460: The Bluetooth stack suffered from two remote information leak vulnerabilities in the code that handles incoming L2cap configuration packets (bsc#1120758).

CVE-2019-3819: A flaw was found in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user ('root') can cause a system lock up and a denial of service. (bnc#1123161).

CVE-2019-6974: kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandled reference counting because of a race condition, leading to a use-after-free (bnc#1124728 ).

CVE-2019-7221: Fixed a use-after-free vulnerability in the KVM hypervisor related to the emulation of a preemption timer, allowing an guest user/process to crash the host kernel. (bsc#1124732).

CVE-2019-7222: Fixed an information leakage in the KVM hypervisor related to handling page fault exceptions, which allowed a guest user/process to use this flaw to leak the host's stack memory contents to a guest (bsc#1124735).

CVE-2019-7308: kernel/bpf/verifier.c performed undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks (bnc#1124055).

CVE-2019-8912: af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr (bnc#1125907).

CVE-2019-8980: A memory leak in the kernel_read_file function in fs/exec.c allowed attackers to cause a denial of service (memory consumption) by triggering vfs_read failures (bnc#1126209).

CVE-2019-9213: expand_downwards in mm/mmap.c lacked a check for the mmap minimum address, which made it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task (bnc#1128166).

CVE-2019-2024: A use-after-free when disconnecting a source was fixed which could lead to crashes. bnc#1129179).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124826	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1503)	Nessus	Huawei Local Security Checks	critical
123496	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:0784-1)	Nessus	SuSE Local Security Checks	high
123445	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:0767-1)	Nessus	SuSE Local Security Checks	high
123413	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2019:0765-1) (Spectre)	Nessus	SuSE Local Security Checks	high
122303	openSUSE Security Update : the Linux Kernel (openSUSE-2019-203)	Nessus	SuSE Local Security Checks	high

CVE-2018-20669

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins