http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/drivers/gpu/drm/i915/i915_gem_execbuffer.c

[opensuse-security-announce] 20190218 [security-announce] openSUSE-SU-2019:0203-1: important: Security update for the Linux Kernel

[oss-security] 20190123 Linux Kernel: Missing access_ok() checks in IOCTL function  (gpu/drm/i915 Driver)

106748

https://access.redhat.com/security/cve/cve-2018-20669

https://security.netapp.com/advisory/ntap-20190404-0002/

https://support.f5.com/csp/article/K32059550

USN-4485-1

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-20669: Fixed an improper check i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c (bsc#1122971).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed, aka CID-16d51a590a8c (bsc#1179663).

CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).

CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).

CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).

CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).

CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).

CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).

CVE-2020-29371: Fixed uninitialized memory leaks to userspace (bsc#1179429).

CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).

CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15-SP1 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-20669: Fixed an improper check i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c (bsc#1122971).

CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed, aka CID-16d51a590a8c (bsc#1179663).

CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).

CVE-2020-15437: Fixed a NULL pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).

CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).

CVE-2020-27777: Restrict RTAS requests from userspace (bsc#1179107)

CVE-2020-27786: Fixed a use after free in kernel midi subsystem snd_rawmidi_kernel_read1() (bsc#1179601).

CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).

CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095 (bsc#1178589).

CVE-2020-29371: Fixed uninitialized memory leaks to userspace (bsc#1179429).

CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5885 advisory.

  - An issue where a provided address with access_ok() is not checked was discovered in     i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux kernel through     4.19.13. A local attacker can craft a malicious IOCTL function call to overwrite arbitrary kernel memory,     resulting in a Denial of Service or privilege escalation. (CVE-2018-20669)

  - The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An     attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are     believed to be vulnerable. (CVE-2019-3874)

  - fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer     dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka     CID-09ba3bc9dd15. (CVE-2019-18885)

  - A flaw was found in the Linux kernel before 5.8-rc1 in the implementation of the Enhanced IBPB (Indirect     Branch Prediction Barrier). The IBPB mitigation will be disabled when STIBP is not available or when the     Enhanced Indirect Branch Restricted Speculation (IBRS) is available. This flaw allows a local attacker to     perform a Spectre V2 style attack when this configuration is active. The highest threat from this     vulnerability is to confidentiality. (CVE-2020-10767)

  - A flaw was found in the Linux Kernel before 5.8-rc6 in the ZRAM kernel module, where a user with a local     account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in     the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the     creation of that ZRAM device. With this vulnerability, continually reading the device may consume a large     amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random     userspace processes, possibly making the system inoperable. (CVE-2020-10781)

  - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file     system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash     the system if the directory exists. The highest threat from this vulnerability is to system availability.
    (CVE-2020-14314)

  - A flaw was found in the Linux kernels implementation of the invert video code on VGA consoles when a     local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds     write to occur. This flaw allows a local user with access to the VGA console to crash the system,     potentially escalating their privileges on the system. The highest threat from this vulnerability is to     data confidentiality and integrity as well as system availability. (CVE-2020-14331)

  - A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root     privileges from unprivileged processes. The highest threat from this vulnerability is to data     confidentiality and integrity. (CVE-2020-14386)

  - The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive     information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to     drivers/char/random.c and kernel/time/timer.c. (CVE-2020-16166)

  - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new     filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the     current umask is not considered. (CVE-2020-24394)

  - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers     to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)

  - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap     rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)

  - A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified     other impact, aka CID-17743798d812. (CVE-2020-25285)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Timothy Michaud discovered that the i915 graphics driver in the Linux kernel did not properly validate user memory locations for the i915_gem_execbuffer2_ioctl. A local attacker could possibly use this to cause a denial of service or execute arbitrary code.
(CVE-2018-20669) It was discovered that the Kvaser CAN/USB driver in the Linux kernel did not properly initialize memory in certain situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-19947) Chuhong Yuan discovered that go7007 USB audio device driver in the Linux kernel did not properly deallocate memory in some failure conditions. A physically proximate attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-20810) It was discovered that the elf handling code in the Linux kernel did not initialize memory before using it in certain situations. A local attacker could use this to possibly expose sensitive information (kernel memory).
(CVE-2020-10732) It was discovered that the Linux kernel did not correctly apply Speculative Store Bypass Disable (SSBD) mitigations in certain situations. A local attacker could possibly use this to expose sensitive information. (CVE-2020-10766) It was discovered that the Linux kernel did not correctly apply Indirect Branch Predictor Barrier (IBPB) mitigations in certain situations. A local attacker could possibly use this to expose sensitive information. (CVE-2020-10767) It was discovered that the Linux kernel could incorrectly enable Indirect Branch Speculation after it has been disabled for a process via a prctl() call. A local attacker could possibly use this to expose sensitive information. (CVE-2020-10768) Luca Bruno discovered that the zram module in the Linux kernel did not properly restrict unprivileged users from accessing the hot_add sysfs file. A local attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2020-10781) It was discovered that the XFS file system implementation in the Linux kernel did not properly validate meta data in some circumstances. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service. (CVE-2020-12655) It was discovered that the bcache subsystem in the Linux kernel did not properly release a lock in some error conditions. A local attacker could possibly use this to cause a denial of service. (CVE-2020-12771) It was discovered that the Virtual Terminal keyboard driver in the Linux kernel contained an integer overflow. A local attacker could possibly use this to have an unspecified impact. (CVE-2020-13974) Kyungtae Kim discovered that the USB testing driver in the Linux kernel did not properly deallocate memory on disconnect events. A physically proximate attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2020-15393) It was discovered that the NFS server implementation in the Linux kernel did not properly honor umask settings when setting permissions while creating file system objects if the underlying file system did not support ACLs. An attacker could possibly use this to expose sensitive information or violate system integrity.
(CVE-2020-24394) It was discovered that the Kerberos SUNRPC GSS implementation in the Linux kernel did not properly deallocate memory on module unload. A local privileged attacker could possibly use this to cause a denial of service (memory exhaustion). (CVE-2020-12656).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An issue where a provided address with access_ok() is not checked was discovered in i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux kernel through 4.19.13. A local attacker can craft a malicious IOCTL function call to overwrite arbitrary kernel memory, resulting in a Denial of Service or privilege escalation. (CVE-2018-20669)

A flaw was found in the prctl() function, where it can be used to enable indirect branch speculation after it has been disabled. This call incorrectly reports it as being 'force disabled' when it is not and opens the system to Spectre v2 attacks. The highest threat from this vulnerability is to confidentiality. (CVE-2020-10768)

relay_open in kernel/relay.c in the Linux kernel through 5.4.1 allows local users to cause a denial of service (such as relay blockage) by triggering a NULL alloc_percpu result. (CVE-2019-19462)

A logic bug flaw was found in the Linux kernel's implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context switch when additional speculative execution mitigations are in place. This issue was introduced when the per task/process conditional STIPB switching was added on top of the existing SSBD switching. The highest threat from this vulnerability is to confidentiality. (CVE-2020-10766)

A flaw was found in the Linux kernel's implementation of the Enhanced IBPB (Indirect Branch Prediction Barrier). The IBPB mitigation will be disabled when STIBP is not available or when the Enhanced Indirect Branch Restricted Speculation (IBRS) is available. This flaw allows a local attacker to perform a Spectre V2 style attack when this configuration is active. The highest threat from this vulnerability is to confidentiality. ( CVE-2020-10767)

An issue was discovered in the Linux kernel through 5.6.11.
btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails. (CVE-2020-12771)

A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data. (CVE-2020-10732)

A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system. (CVE-2020-10757)

An issue where a provided address with access_ok() is not checked was discovered in i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux kernel through 4.19.13. A local attacker can craft a malicious IOCTL function call to overwrite arbitrary kernel memory, resulting in a Denial of Service or privilege escalation. (CVE-2018-20669)

A flaw was found in the prctl() function, where it can be used to enable indirect branch speculation after it has been disabled. This call incorrectly reports it as being 'force disabled' when it is not and opens the system to Spectre v2 attacks. The highest threat from this vulnerability is to confidentiality. (CVE-2020-10768)

A new domain bypass transient execution attack known as Special Register Buffer Data Sampling (SRBDS) has been found. This flaw allows data values from special internal registers to be leaked by an attacker able to execute code on any core of the CPU. An unprivileged, local attacker can use this flaw to infer values returned by affected instructions known to be commonly used during cryptographic operations that rely on uniqueness, secrecy, or both. Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2020-0543)

relay_open in kernel/relay.c in the Linux kernel through 5.4.1 allows local users to cause a denial of service (such as relay blockage) by triggering a NULL alloc_percpu result. (CVE-2019-19462)

A logic bug flaw was found in the Linux kernel's implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context switch when additional speculative execution mitigations are in place. This issue was introduced when the per task/process conditional STIPB switching was added on top of the existing SSBD switching. The highest threat from this vulnerability is to confidentiality. (CVE-2019-19462)

A flaw was found in the Linux kernel's implementation of the Enhanced IBPB (Indirect Branch Prediction Barrier). The IBPB mitigation will be disabled when STIBP is not available or when the Enhanced Indirect Branch Restricted Speculation (IBRS) is available. This flaw allows a local attacker to perform a Spectre V2 style attack when this configuration is active. The highest threat from this vulnerability is to confidentiality. (CVE-2019-19462)

An issue was discovered in the Linux kernel through 5.6.11.
btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails. (CVE-2020-12771)

A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data. (CVE-2020-10732)

A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system. (CVE-2020-10757)

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):The uas driver in the     Linux kernel before 4.13.6 allows local users to cause     a denial of service (out-of-bounds read and system     crash), or possibly have unspecified other impacts via     a crafted USB device, related to     drivers/usb/storage/uas-detect.h and     drivers/usb/storage/uas.c.(CVE-2017-16530)The     implementation of big key management in     security/keys/big_key.c in the Linux kernel before     4.8.7 mishandles unsuccessful crypto registration in     conjunction with successful key-type registration,     which allows local users to cause a denial of service     (NULL pointer dereference and panic) or possibly have     unspecified other impact via a crafted application that     uses the big_key data type.(CVE-2016-9313)The Linux     kernel allows remote attackers to execute arbitrary     code via UDP traffic that triggers an unsafe second     checksum calculation during execution of a recv system     call with the MSG_PEEK flag. This may create a kernel     panic or memory corruption leading to privilege     escalation.(CVE-2016-10229)Buffer overflow in the     exitcode_proc_write function in     arch/um/kernel/exitcode.c in the Linux kernel before     3.12 allows local users to cause a denial of service or     possibly have unspecified other impact by leveraging     root privileges for a write operation.(CVE-2013-4512)It     was found that unsharing a mount namespace could allow     a user to see data beneath their restricted     namespace.(CVE-2014-9717)A divide-by-zero flaw was     discovered in the Linux kernel built with KVM     virtualization support(CONFIG_KVM). The flaw occurs in     the KVM module's Programmable Interval Timer(PIT)     emulation, when PIT counters for channel 1 or 2 are set     to zero(0) and a privileged user inside the guest     attempts to read these counters. A privileged guest     user with access to PIT I/O ports could exploit this     issue to crash the host kernel (denial of     service).(CVE-2015-7513)The ims_pcu_parse_cdc_data     function in drivers/input/misc/ims-pcu.c in the Linux     kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (system crash)     via a USB device without both a master and a slave     interface.(CVE-2016-3689)Stack-based buffer overflow in     the brcmf_cfg80211_start_ap() function in     'driverset/wireless/broadcom/brcm80211/brcmfmac/cfg8021     1.c' in the Linux kernel before 4.7.5 allows local     users to cause a denial of service (system crash) or     possibly have unspecified other impact via a long SSID     Information Element in a command to a Netlink     socket.(CVE-2016-8658)drivers/hid/hid-sony.c in the     Human Interface Device (HID) subsystem in the Linux     kernel through 3.11, when CONFIG_HID_SONY is enabled,     allows physically proximate attackers to cause a denial     of service (heap-based out-of-bounds write) via a     crafted device.(CVE-2013-2890)An issue where a provided     address with access_ok() is not checked was discovered     in i915_gem_execbuffer2_ioctl in     drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux     kernel through 4.19.13. A local attacker can craft a     malicious IOCTL function call to overwrite arbitrary     kernel memory, resulting in a Denial of Service or     privilege escalation.(CVE-2018-20669)It was found that     the permission checks performed by the Linux kernel     when a netlink message was received were not     sufficient. A local, unprivileged user could     potentially bypass these restrictions by passing a     netlink socket as stdout or stderr to a more privileged     process and altering the output of this     process.(CVE-2014-0181)An issue was discovered in the     XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the     Linux kernel. A NULL pointer dereference may occur for     a corrupted xfs image after xfs_da_shrink_inode() is     called with a NULL bp. This can lead to a system crash     and a denial of service.(CVE-2018-13094)The     irda_setsockopt function in net/irda/af_irda.c in the     Linux kernel, through 4.16, allows local users to cause     a denial of service (due to a use-after-free of the     ias_object and a system crash) or possibly have     unspecified other impact by leveraging an AF_IRDA     socket.(CVE-2018-6555)The x86/fpu (Floating Point Unit)     subsystem in the Linux kernel, when a processor     supports the xsave feature but not the xsaves feature,     does not correctly handle attempts to set reserved bits     in the xstate header via the ptrace() or rt_sigreturn()     system call. This allows local users to read the FPU     registers of other processes on the system, related to     arch/x86/kernel/fpu/regset.c and     arch/x86/kernel/fpu/signal.c.(CVE-2017-15537)The     fst_get_iface function in driverset/wan/farsync.c in     the Linux kernel before 3.11.7 does not properly     initialize a certain data structure, which allows local     users to obtain sensitive information from kernel     memory by leveraging the CAP_NET_ADMIN capability for     an SIOCWANDEV ioctl call.(CVE-2014-1444)In the Linux     kernel, through 4.15.4, the floppy driver reveals the     addresses of kernel functions and global variables     using printk calls within the function show_floppy in     drivers/block/floppy.c. An attacker can read this     information from dmesg and use the addresses to find     the locations of kernel code and data and bypass kernel     security protections such as KASLR.(CVE-2018-7273)A     flaw in 'arch/arm64/kernel/sys.c' in the Linux kernel     allows local users to bypass the 'strict page     permissions' protection mechanism and modify the     system-call table and, consequently, gain privileges by     leveraging write access.(CVE-2015-8967)The Linux kernel     before 3.11 on ARM platforms, as used in Android before     2016-08-05 on Nexus 5 and 7 (2013) devices, does not     properly consider user-space access to the TPIDRURW     register, which allows local users to gain privileges     via a crafted application, aka Android internal bug     28749743 and Qualcomm internal bug     CR561044.(CVE-2014-9870)A NULL pointer dereference     security flaw was found in the Linux kernel in the     vcpu_scan_ioapic() function in arch/x86/kvm/x86.c. This     allows local users with certain privileges to cause a     denial of service via a crafted system call to the KVM     subsystem.(CVE-2018-19407)It was found that current     implementation of kl5kusb105 driver failed to detect     short transfers when attempting to read the line state     and logged the content of the uninitialized heap     transfer buffer.(CVE-2017-5549)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2019-2024: A use-after-free when disconnecting a source was fixed which could lead to crashes. bnc#1129179).

CVE-2019-9213: expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which made it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task (bnc#1128166).

CVE-2019-8980: A memory leak in the kernel_read_file function in fs/exec.c allowed attackers to cause a denial of service (memory consumption) by triggering vfs_read failures (bnc#1126209).

CVE-2019-3819: A flaw was found in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user ('root') can cause a system lock up and a denial of service. Versions from v4.18 and newer are vulnerable (bnc#1123161).

CVE-2019-8912: af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr (bnc#1125907).

CVE-2019-7308: kernel/bpf/verifier.c performed undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks (bnc#1124055).

CVE-2019-3459, CVE-2019-3460: The Bluetooth stack suffered from two remote information leak vulnerabilities in the code that handles incoming L2cap configuration packets (bsc#1120758).

CVE-2019-7221: Fixed a user-after-free vulnerability in the KVM hypervisor related to the emulation of a preemption timer, allowing an guest user/process to crash the host kernel. (bsc#1124732).

CVE-2019-7222: Fixed an information leakage in the KVM hypervisor related to handling page fault exceptions, which allowed a guest user/process to use this flaw to leak the host's stack memory contents to a guest (bsc#1124735).

CVE-2019-6974: kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandled reference counting because of a race condition, leading to a use-after-free (bnc#1124728).

CVE-2018-20669: Missing access control checks in ioctl of gpu/drm/i915 driver were fixed which might have lead to information leaks.
(bnc#1122971).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise Server 12 SP4 Azure kernel was updated to fix various issues.

The following security bugs were fixed :

CVE-2019-2024: A use-after-free when disconnecting a source was fixed which could lead to crashes. bnc#1129179).

CVE-2019-9213: expand_downwards in mm/mmap.c lacked a check for the mmap minimum address, which made it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task (bnc#1128166 1128378 1129016).

CVE-2019-8980: A memory leak in the kernel_read_file function in fs/exec.c allowed attackers to cause a denial of service (memory consumption) by triggering vfs_read failures (bnc#1126209).

CVE-2019-3819: A flaw was found in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user ('root') can cause a system lock up and a denial of service. (bnc#1123161).

CVE-2019-8912: af_alg_release() in crypto/af_alg.c neglected to set a NULL value for a certain structure member, which led to a use-after-free in sockfs_setattr (bnc#1125907 1126284).

CVE-2019-7308: kernel/bpf/verifier.c performed undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks (bnc#1124055).

CVE-2019-3459, CVE-2019-3460: The Bluetooth stack suffered from two remote information leak vulnerabilities in the code that handles incoming L2cap configuration packets (bsc#1120758).

CVE-2019-7221: Fixed a use-after-free vulnerability in the KVM hypervisor related to the emulation of a preemption timer, allowing an guest user/process to crash the host kernel. (bsc#1124732).

CVE-2019-7222: Fixed an information leakage in the KVM hypervisor related to handling page fault exceptions, which allowed a guest user/process to use this flaw to leak the host's stack memory contents to a guest (bsc#1124735).

CVE-2019-6974: kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandled reference counting because of a race condition, leading to a use-after-free (bnc#1124728).

CVE-2018-20669: An issue where a provided address with access_ok() is not checked was discovered in i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c where a local attacker can craft a malicious IOCTL function call to overwrite arbitrary kernel memory, resulting in a Denial of Service or privilege escalation (bnc#1122971).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-20669: Missing access control checks in ioctl of gpu/drm/i915 driver were fixed which might have lead to information leaks.
(bnc#1122971).

CVE-2019-3459, CVE-2019-3460: The Bluetooth stack suffered from two remote information leak vulnerabilities in the code that handles incoming L2cap configuration packets (bsc#1120758).

CVE-2019-3819: A flaw was found in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user ('root') can cause a system lock up and a denial of service. (bnc#1123161).

CVE-2019-6974: kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandled reference counting because of a race condition, leading to a use-after-free (bnc#1124728 ).

CVE-2019-7221: Fixed a use-after-free vulnerability in the KVM hypervisor related to the emulation of a preemption timer, allowing an guest user/process to crash the host kernel. (bsc#1124732).

CVE-2019-7222: Fixed an information leakage in the KVM hypervisor related to handling page fault exceptions, which allowed a guest user/process to use this flaw to leak the host's stack memory contents to a guest (bsc#1124735).

CVE-2019-7308: kernel/bpf/verifier.c performed undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks (bnc#1124055).

CVE-2019-8912: af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr (bnc#1125907).

CVE-2019-8980: A memory leak in the kernel_read_file function in fs/exec.c allowed attackers to cause a denial of service (memory consumption) by triggering vfs_read failures (bnc#1126209).

CVE-2019-9213: expand_downwards in mm/mmap.c lacked a check for the mmap minimum address, which made it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task (bnc#1128166).

CVE-2019-2024: A use-after-free when disconnecting a source was fixed which could lead to crashes. bnc#1129179).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
144914	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:0098-1)	Nessus	SuSE Local Security Checks	high
144259	SUSE SLES15 Security Update : kernel (SUSE-SU-2020:3798-1)	Nessus	SuSE Local Security Checks	high
143542	openSUSE Security Update : the Linux Kernel (openSUSE-2020-2193)	Nessus	SuSE Local Security Checks	high
141396	Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2020-5885)	Nessus	Oracle Linux Local Security Checks	high
140183	Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4485-1)	Nessus	Ubuntu Local Security Checks	high
138854	Amazon Linux 2 : kernel (ALAS-2020-1465)	Nessus	Amazon Linux Local Security Checks	high
138643	Amazon Linux AMI : kernel (ALAS-2020-1401)	Nessus	Amazon Linux Local Security Checks	high
124826	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1503)	Nessus	Huawei Local Security Checks	critical
123496	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:0784-1)	Nessus	SuSE Local Security Checks	high
123445	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:0767-1)	Nessus	SuSE Local Security Checks	high
123413	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2019:0765-1) (Spectre)	Nessus	SuSE Local Security Checks	high
122303	openSUSE Security Update : the Linux Kernel (openSUSE-2019-203)	Nessus	SuSE Local Security Checks	high

CVE-2018-20669

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins