103356

https://bugzilla.suse.com/show_bug.cgi?id=1084755

https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=b3b7c4795ccab5be71f080774c45bbbcc75c2aaf

[debian-lts-announce] 20180502 [SECURITY] [DLA 1369-1] linux security update

https://lkml.org/lkml/2018/3/2/970

USN-3654-1

USN-3654-2

USN-3656-1

DSA-4187

DSA-4188

According to the version of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability :

  - A race condition in the store_int_with_restart()     function in arch/x86/kernel/cpu/mcheck/mce.c in the     Linux kernel allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck(cpu     number) directory.(CVE-2018-7995)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Missing check in fs/inode.c:inode_init_owner() does not     clear SGID bit on non-directories for     non-members.(CVE-2018-13405)

  - A null pointer dereference in dccp_write_xmit()     function in net/dccp/output.c in the Linux kernel     allows a local user to cause a denial of service by a     number of certain crafted system calls.(CVE-2018-1130)

  - A flaw was found in the Linux kernel, before 4.16.6     where the cdrom_ioctl_media_changed function in     drivers/cdrom/cdrom.c allows local attackers to use a     incorrect bounds check in the CDROM driver     CDROM_MEDIA_CHANGED ioctl to read out kernel     memory.(CVE-2018-10940)

  - The madvise_willneed function in the Linux kernel     allows local users to cause a denial of service     (infinite loop) by triggering use of MADVISE_WILLNEED     for a DAX mapping.(CVE-2017-18208)

  - fuse-backed file mmap-ed onto process cmdline arguments     causes denial of service.(CVE-2018-1120)

  - Memory leak in the sas_smp_get_phy_events function in     drivers/scsi/libsas/sas_expander.c in the Linux kernel     allows local users to cause a denial of service (kernel     memory exhaustion) via multiple read accesses to files     in the /sys/class/sas_phy directory.(CVE-2018-7757)

  - A vulnerability was found in the Linux kernel's     kernel/events/core.c:perf_cpu_time_max_percent_handler(     ) function. Local privileged users could exploit this     flaw to cause a denial of service due to integer     overflow or possibly have unspecified other     impact.(CVE-2017-18255)

  - A flaw was found in the Linux kernel in the way a local     user could create keyrings for other users via keyctl     commands. This may allow an attacker to set unwanted     defaults, a denial of service, or possibly leak keyring     information between users.(CVE-2017-18270)

  - The mm subsystem in the Linux kernel through 4.10.10     does not properly enforce the CONFIG_STRICT_DEVMEM     protection mechanism, which allows local users to read     or write to kernel memory locations in the first     megabyte (and bypass slab-allocation access     restrictions) via an application that opens the     /dev/mem file, related to arch/x86/mm/init.c and     drivers/char/mem.c.(CVE-2017-7889)

  - The code in the drivers/scsi/libsas/sas_scsi_host.c     file in the Linux kernel allow a physically proximate     attacker to cause a memory leak in the ATA command     queue and, thus, denial of service by triggering     certain failure conditions.(CVE-2018-10021)

  - A flaw was found in the Linux kernel's client-side     implementation of the cifs protocol. This flaw allows     an attacker controlling the server to kernel panic a     client which has the CIFS server     mounted.(CVE-2018-1066)

  - A flaw was found in the alarm_timer_nsleep() function     in kernel/time/alarmtimer.c in the Linux kernel. The     ktime_add_safe() function is not used and an integer     overflow can happen causing an alarm not to fire or     possibly a denial-of-service if using a large relative     timeout.(CVE-2018-13053)

  - An issue was discovered in the XFS filesystem in     fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A     NULL pointer dereference may occur for a corrupted xfs     image after xfs_da_shrink_inode() is called with a NULL     bp. This can lead to a system crash and a denial of     service.(CVE-2018-13094)

  - A flaw was found in the Linux Kernel in the     ucma_leave_multicast() function in     drivers/infiniband/core/ucma.c which allows access to a     certain data structure after freeing it in     ucma_process_join(). This allows an attacker to cause a     use-after-free bug and to induce kernel memory     corruption, leading to a system crash or other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2018-14734)

  - A race condition in the store_int_with_restart()     function in arch/x86/kernel/cpu/mcheck/mce.c in the     Linux kernel allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck (cpu     number) directory.(CVE-2018-7995)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - rds: congestion updates can be missed when kernel low on     memory (Mukesh Kacker) [Orabug: 28425811]

  - net/rds: ib: Fix endless RNR Retries caused by memory     allocation failures (Venkat Venkatsubra) [Orabug:
    28127993]

  - net: rds: fix excess initialization of the recv SGEs     (Zhu Yanjun) [Orabug: 29004503]

  - xhci: fix usb2 resume timing and races. (Mathias Nyman)     [Orabug: 29028940]

  - xhci: Fix a race in usb2 LPM resume, blocking U3 for     usb2 devices (Mathias Nyman) [Orabug: 29028940]

  - userfaultfd: check VM_MAYWRITE was set after verifying     the uffd is registered (Andrea Arcangeli) [Orabug:
    29163750] (CVE-2018-18397)

  - userfaultfd: shmem/hugetlbfs: only allow to register     VM_MAYWRITE vmas (Andrea Arcangeli) [Orabug: 29163750]     (CVE-2018-18397)

  - x86/apic/x2apic: set affinity of a single interrupt to     one cpu (Jianchao Wang) [Orabug: 29196396]

  - xen/blkback: rework validate_io_op (Dongli Zhang)     [Orabug: 29199843]

  - xen/blkback: optimize validate_io_op to filter     BLKIF_OP_RESERVED_1 operation (Dongli Zhang) [Orabug:
    29199843]

  - xen/blkback: do not BUG for invalid blkif_request from     frontend (Dongli Zhang) [Orabug: 29199843]

  - net/rds: WARNING: at net/rds/recv.c:222     rds_recv_hs_exthdrs+0xf8/0x1e0 (Venkat Venkatsubra)     [Orabug: 29201779]

  - xen-netback: wake up xenvif_dealloc_kthread when it     should stop (Dongli Zhang) [Orabug: 29217927]

  - Revert 'xfs: remove nonblocking mode from     xfs_vm_writepage' (Wengang Wang) [Orabug: 29279692]

  - Revert 'xfs: remove xfs_cancel_ioend' (Wengang Wang)     [Orabug: 29279692]

  - Revert 'xfs: Introduce writeback context for writepages'     (Wengang Wang) [Orabug: 29279692]

  - Revert 'xfs: xfs_cluster_write is redundant' (Wengang     Wang) [Orabug: 29279692]

  - Revert 'xfs: factor mapping out of xfs_do_writepage'     (Wengang Wang) [Orabug: 29279692]

  - Revert 'xfs: don't chain ioends during writepage     submission' (Wengang Wang) [Orabug: 29279692]

  - mstflint: Fix coding style issues - left with     LINUX_VERSION_CODE (Idan Mehalel) [Orabug: 28878697]

  - mstflint: Fix coding-style issues (Idan Mehalel)     [Orabug: 28878697]

  - mstflint: Fix errors found with checkpatch script (Idan     Mehalel) [Orabug: 28878697]

  - Added support for 5th Gen devices in Secure Boot module     and mtcr (Adham Masarwah) [Orabug: 28878697]

  - Fix typos in mst_kernel (Adham Masarwah) [Orabug:
    28878697]

  - bnxt_en: Report PCIe link properties with     pcie_print_link_status (Brian Maly) [Orabug: 28942099]

  - selinux: Perform both commoncap and selinux xattr checks     (Eric W. Biederman) [Orabug: 28951521]

  - Introduce v3 namespaced file capabilities (Serge E.
    Hallyn) [Orabug: 28951521]

  - rds: ib: Use a delay when reconnecting to the very same     IP address (H&aring kon Bugge) [Orabug: 29138813]

  - Change mincore to count 'mapped' pages rather than     'cached' pages (Linus Torvalds) [Orabug: 29187415]     (CVE-2019-5489)

  - NFSD: Set the attributes used to store the verifier for     EXCLUSIVE4_1 (Kinglong Mee) [Orabug: 29204157]

  - ext4: update i_disksize when new eof exceeds it (Shan     Hai) [Orabug: 28940828]

  - ext4: update i_disksize if direct write past ondisk size     (Eryu Guan) [Orabug: 28940828]

  - ext4: protect i_disksize update by i_data_sem in direct     write path (Eryu Guan) [Orabug: 28940828]

  - ALSA: usb-audio: Fix UAF decrement if card has no live     interfaces in card.c (Hui Peng) [Orabug: 29042981]     (CVE-2018-19824)

  - ALSA: usb-audio: Replace probing flag with active     refcount (Takashi Iwai) [Orabug: 29042981]     (CVE-2018-19824)

  - ALSA: usb-audio: Avoid nested autoresume calls (Takashi     Iwai) [Orabug: 29042981] (CVE-2018-19824)

  - ext4: validate that metadata blocks do not overlap     superblock (Theodore Ts'o) [Orabug: 29114440]     (CVE-2018-1094)

  - ext4: update inline int ext4_has_metadata_csum(struct     super_block *sb) (John Donnelly) [Orabug: 29114440]     (CVE-2018-1094)

  - ext4: always initialize the crc32c checksum driver     (Theodore Ts'o) [Orabug: 29114440] (CVE-2018-1094)     (CVE-2018-1094)

  - Revert 'bnxt_en: Reduce default rings on multi-port     cards.' (Brian Maly) [Orabug: 28687746]

  - mlx4_core: Disable P_Key Violation Traps (H&aring kon     Bugge) [Orabug: 27693633]

  - rds: RDS connection does not reconnect after CQ access     violation error (Venkat Venkatsubra) [Orabug: 28733324]

  - KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL     (KarimAllah Ahmed) [Orabug: 28069548]

  - KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL -     reloaded (Mihai Carabas) [Orabug: 28069548]

  - KVM/x86: Add IBPB support (Ashok Raj) [Orabug: 28069548]

  - KVM: x86: pass host_initiated to functions that read     MSRs (Paolo Bonzini) [Orabug: 28069548]

  - KVM: VMX: make MSR bitmaps per-VCPU (Paolo Bonzini)     [Orabug: 28069548]

  - KVM: VMX: introduce alloc_loaded_vmcs (Paolo Bonzini)     [Orabug: 28069548]

  - KVM: nVMX: Eliminate vmcs02 pool (Jim Mattson) [Orabug:
    28069548]

  - KVM: nVMX: fix msr bitmaps to prevent L2 from accessing     L0 x2APIC (Radim Kr&#x10D m&aacute &#x159 ) [Orabug:
    28069548]

  - ocfs2: don't clear bh uptodate for block read (Junxiao     Bi) [Orabug: 28762940]

  - ocfs2: clear journal dirty flag after shutdown journal     (Junxiao Bi) [Orabug: 28924775]

  - ocfs2: fix panic due to unrecovered local alloc (Junxiao     Bi) [Orabug: 28924775]

  - net: rds: fix rds_ib_sysctl_max_recv_allocation error     (Zhu Yanjun) [Orabug: 28947481]

  - x86/speculation: Always disable IBRS in     disable_ibrs_and_friends (Alejandro Jimenez) [Orabug:
    29139710]

  - pinctrl: amd: Use devm_pinctrl_register for pinctrl     registration (Laxman Dewangan) [Orabug: 27539246]     (CVE-2017-18174)

  - mlock: fix mlock count can not decrease in race     condition (Yisheng Xie) [Orabug: 27677611]     (CVE-2017-18221)

  - perf/core: Fix the perf_cpu_time_max_percent check (Tan     Xiaojun) [Orabug: 27823815] (CVE-2017-18255)

  - x86/microcode/intel: Fix a wrong assignment of revision     in _save_mc (Zhenzhong Duan) [Orabug: 28190263]

  - mm: cma: fix incorrect type conversion for size during     dma allocation (Rohit Vaswani) [Orabug: 28407826]     (CVE-2017-9725)

  - x86/speculation: Make enhanced IBRS the default spectre     v2 mitigation (Alejandro Jimenez) [Orabug: 28474851]

  - x86/speculation: Enable enhanced IBRS usage (Alejandro     Jimenez) [Orabug: 28474851]

  - x86/speculation: functions for supporting enhanced IBRS     (Alejandro Jimenez) [Orabug: 28474851]

  - xen/blkback: fix disconnect while I/Os in flight     (Juergen Gross) [Orabug: 28744234]

  - mlx4_vnic: use the mlid while calling ib_detach_mcast     (aru kolappan) [Orabug: 29029705]

  - ext4: fail ext4_iget for root directory if unallocated     (Theodore Ts'o) [Orabug: 29048557] (CVE-2018-1092)     (CVE-2018-1092)

  - Bluetooth: hidp: buffer overflow in hidp_process_report     (Mark Salyzyn) [Orabug: 29121215] (CVE-2018-9363)     (CVE-2018-9363)

  - HID: debug: check length before copy_to_user (Daniel     Rosenberg) [Orabug: 29128165] (CVE-2018-9516)

  - x86/MCE: Serialize sysfs changes (Seunghun Han) [Orabug:
    29149888] (CVE-2018-7995)

  - Input: i8042 - fix crash at boot time (Chen Hong)     [Orabug: 29152328] (CVE-2017-18079)

  - base/memory, hotplug: fix a kernel oops in     show_valid_zones (Toshi Kani) [Orabug: 29050538]

  - mm/memory_hotplug.c: check start_pfn in     test_pages_in_a_zone (Toshi Kani) [Orabug: 29050538]

  - drivers/base/memory.c: prohibit offlining of memory     blocks with missing sections (Seth Jennings) [Orabug:
    29050538]

  - mm: Check if section present during memory block     (un)registering (Yinghai Lu) [Orabug: 29050538]

  - hugetlb: take PMD sharing into account when flushing     tlb/caches (Mike Kravetz) [Orabug: 28951854]

  - mm: migration: fix migration of huge PMD shared pages     (Mike Kravetz) [Orabug: 28951854]

  - hugetlbfs: use truncate mutex to prevent pmd sharing     race (Mike Kravetz) [Orabug: 28896255]

  - rds: ib: Improve tracing during failover/back     (H&aring kon Bugge) [Orabug: 28860366]

  - rds: ib: Remove superfluous add of address on fail-back     device (H&aring kon Bugge) [Orabug: 28860366]

  - libiscsi: Fix NULL pointer dereference in     iscsi_eh_session_reset (Fred Herard) [Orabug: 28946207]

  - wil6210: missing length check in wmi_set_ie (Lior David)     [Orabug: 28951265] (CVE-2018-5848)

  - netfilter: xt_osf: Add missing permission checks (Kevin     Cernekee) [Orabug: 29037831] (CVE-2017-17450)

  - x86/speculation: Fix bad argument to rdmsrl in     cpu_set_bug_bits (Alejandro Jimenez) [Orabug: 29044805]

Description of changes:

kernel-uek [3.8.13-118.29.1.el7uek]
- Copy secure_boot flag in boot params across kexec reboot (Dave Young) [Orabug: 22066352] {CVE-2015-7837}
- ipv6: tcp: add rcu locking in tcp_v6_send_synack() (Eric Dumazet) [Orabug: 25059183] {CVE-2016-3841}
- ipv6: add complete rcu protection around np->opt (Eric Dumazet) [Orabug: 25059183] {CVE-2016-3841}
- scsi: qla2xxx: Fix an integer overflow in sysfs code (Dan Carpenter) [Orabug: 28220420] {CVE-2017-14051}
- ext4: fail ext4_iget for root directory if unallocated (Theodore Ts'o) [Orabug: 28220433] {CVE-2018-1092} {CVE-2018-1092}
- certs: Add Oracle's new X509 cert into the kernel keyring (Eric Snowberg) [Orabug: 28926205] - ALSA: seq: Fix regression by incorrect ioctl_mutex usages (Takashi Iwai) [Orabug: 29005190] {CVE-2018-1000004}
- netfilter: xt_osf: Add missing permission checks (Kevin Cernekee) [Orabug: 29037832] {CVE-2017-17450}
- wil6210: missing length check in wmi_set_ie (Lior David) [Orabug: 29060697] {CVE-2018-5848}
- HID: debug: check length before copy_to_user() (Daniel Rosenberg) [Orabug: 29128167] {CVE-2018-9516}
- x86/MCE: Serialize sysfs changes (Seunghun Han) [Orabug: 29152249] {CVE-2018-7995}
- Input: i8042 - fix crash at boot time (Chen Hong) [Orabug: 29152329] {CVE-2017-18079}

Description of changes:

[4.1.12-124.24.1.el7uek]
- pinctrl: amd: Use devm_pinctrl_register() for pinctrl registration (Laxman Dewangan)  [Orabug: 27539246]  {CVE-2017-18174}
- mlock: fix mlock count can not decrease in race condition (Yisheng Xie)  [Orabug: 27677611]  {CVE-2017-18221}
- perf/core: Fix the perf_cpu_time_max_percent check (Tan Xiaojun) [Orabug: 27823815]  {CVE-2017-18255}
- x86/microcode/intel: Fix a wrong assignment of revision in _save_mc (Zhenzhong Duan)  [Orabug: 28190263] - mm: cma: fix incorrect type conversion for size during dma allocation (Rohit Vaswani)  [Orabug: 28407826]  {CVE-2017-9725}
- x86/speculation: Make enhanced IBRS the default spectre v2 mitigation (Alejandro Jimenez)  [Orabug: 28474851] - x86/speculation: Enable enhanced IBRS usage (Alejandro Jimenez)  [Orabug: 28474851] - x86/speculation: functions for supporting enhanced IBRS (Alejandro Jimenez)  [Orabug: 28474851] - xen/blkback: fix disconnect while I/Os in flight (Juergen Gross)  [Orabug: 28744234] - mlx4_vnic: use the mlid while calling ib_detach_mcast (aru kolappan)  [Orabug: 29029705] - ext4: fail ext4_iget for root directory if unallocated (Theodore Ts'o) [Orabug: 29048557]  {CVE-2018-1092} {CVE-2018-1092}
- Bluetooth: hidp: buffer overflow in hidp_process_report (Mark Salyzyn)   [Orabug: 29121215]  {CVE-2018-9363} {CVE-2018-9363}
- HID: debug: check length before copy_to_user() (Daniel Rosenberg) [Orabug: 29128165]  {CVE-2018-9516}
- x86/MCE: Serialize sysfs changes (Seunghun Han)  [Orabug: 29149888] {CVE-2018-7995}
- Input: i8042 - fix crash at boot time (Chen Hong)  [Orabug: 29152328] {CVE-2017-18079}

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel's client-side     implementation of the cifs protocol. This flaw allows     an attacker controlling the server to kernel panic a     client which has the CIFS server     mounted.(CVE-2018-1066)

  - In the Linux Kernel before version 4.15.8, 4.14.25,     4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the     '_sctp_make_chunk()' function     (net/sctp/sm_make_chunk.c) when handling SCTP packets     length can be exploited to cause a kernel     crash.(CVE-2018-5803)

  - Memory leak in the sas_smp_get_phy_events function in     drivers/scsi/libsas/sas_expander.c in the Linux kernel     allows local users to cause a denial of service (kernel     memory exhaustion) via multiple read accesses to files     in the /sys/class/sas_phy directory.(CVE-2018-7757)

  - A race condition in the store_int_with_restart()     function in arch/x86/kernel/cpu/mcheck/mce.c in the     Linux kernel allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck (cpu     number) directory.(CVE-2018-7995)

  - ALSA sequencer core initializes the event pool on     demand by invoking snd_seq_pool_init() when the first     write happens and the pool is empty. A user can reset     the pool size manually via ioctl concurrently, and this     may lead to UAF or out-of-bound access.(CVE-2018-7566)

  - A flaw was found in the Linux kernel's implementation     of 32-bit syscall interface for bridging. This allowed     a privileged user to arbitrarily write to a limited     range of kernel memory.(CVE-2018-1068)

  - A vulnerability was found in the Linux kernel's     kernel/events/core.c:perf_cpu_time_max_percent_handler(     ) function. Local privileged users could exploit this     flaw to cause a denial of service due to integer     overflow or possibly have unspecified other     impact.(CVE-2017-18255)

  - The code in the drivers/scsi/libsas/sas_scsi_host.c     file in the Linux kernel allow a physically proximate     attacker to cause a memory leak in the ATA command     queue and, thus, denial of service by triggering     certain failure conditions.(CVE-2018-10021)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A weakness was found in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
(CVE-2018-1108)

A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in the denial of service. (CVE-2018-8897)

A flaw was found in the Linux kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory. (CVE-2018-1068)

The Linux kernel is vulerable to a use-after-free flaw when Transformation User configuration interface(CONFIG_XFRM_USER) compile-time configuration were enabled. This vulnerability occurs while closing a xfrm netlink socket in xfrm_dump_policy_done. A user/process could abuse this flaw to potentially escalate their privileges on a system. (CVE-2017-16939)

A flaw was found in the Linux kernel where a crash can be triggered from unprivileged userspace during core dump on a POWER system with a certain configuration. This is due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path leading to a denial of service.(CVE-2018-1091)

An address corruption flaw was discovered in the Linux kernel built with hardware breakpoint (CONFIG_HAVE_HW_BREAKPOINT) support. While modifying a h/w breakpoint via 'modify_user_hw_breakpoint' routine, an unprivileged user/process could use this flaw to crash the system kernel resulting in DoS OR to potentially escalate privileges on a the system.(CVE-2018-1000199)

A flaw was found in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.(CVE-2018-1087)

A flaw was found in the Linux kernel's skcipher component, which affects the skcipher_recvmsg function. Attackers using a specific input can lead to a privilege escalation.(CVE-2017-13215)

The do_get_mempolicy() function in mm/mempolicy.c in the Linux kernel allows local users to hit a use-after-free bug via crafted system calls and thus cause a denial of service (DoS) or possibly have unspecified other impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.(CVE-2018-10675)

A flaw was found in Linux kernel's KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges.(CVE-2018-10901)

A race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck<cpu number> directory.
(CVE-2018-7995)

Tuba Yavuz discovered that a double-free error existed in the USBTV007 driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-17975)

It was discovered that a race condition existed in the F2FS implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18193)

It was discovered that a buffer overflow existed in the Hisilicon HNS Ethernet Device driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18222)

It was discovered that the netfilter subsystem in the Linux kernel did not validate that rules containing jumps contained user-defined chains. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-1065)

It was discovered that the netfilter subsystem of the Linux kernel did not properly validate ebtables offsets. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-1068)

It was discovered that a NULL pointer dereference vulnerability existed in the DCCP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1130)

It was discovered that the SCTP Protocol implementation in the Linux kernel did not properly validate userspace provided payload lengths in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5803)

It was discovered that a double free error existed in the block layer subsystem of the Linux kernel when setting up a request queue. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-7480)

It was discovered that a memory leak existed in the SAS driver subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-7757)

It was discovered that a race condition existed in the x86 machine check handler in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-7995)

Eyal Itkin discovered that the USB displaylink video adapter driver in the Linux kernel did not properly validate mmap offsets sent from userspace. A local attacker could use this to expose sensitive information (kernel memory) or possibly execute arbitrary code.
(CVE-2018-8781)

Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3654-1 fixed vulnerabilities and added mitigations in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

Jann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2018-3639)

Tuba Yavuz discovered that a double-free error existed in the USBTV007 driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-17975)

It was discovered that a race condition existed in the F2FS implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18193)

It was discovered that a buffer overflow existed in the Hisilicon HNS Ethernet Device driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18222)

It was discovered that the netfilter subsystem in the Linux kernel did not validate that rules containing jumps contained user-defined chains. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-1065)

It was discovered that the netfilter subsystem of the Linux kernel did not properly validate ebtables offsets. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-1068)

It was discovered that a NULL pointer dereference vulnerability existed in the DCCP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1130)

It was discovered that the SCTP Protocol implementation in the Linux kernel did not properly validate userspace provided payload lengths in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5803)

It was discovered that a double free error existed in the block layer subsystem of the Linux kernel when setting up a request queue. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-7480)

It was discovered that a memory leak existed in the SAS driver subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-7757)

It was discovered that a race condition existed in the x86 machine check handler in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-7995)

Eyal Itkin discovered that the USB displaylink video adapter driver in the Linux kernel did not properly validate mmap offsets sent from userspace. A local attacker could use this to expose sensitive information (kernel memory) or possibly execute arbitrary code.
(CVE-2018-8781)

Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2018-3639)

Tuba Yavuz discovered that a double-free error existed in the USBTV007 driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-17975)

It was discovered that a race condition existed in the F2FS implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18193)

It was discovered that a buffer overflow existed in the Hisilicon HNS Ethernet Device driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18222)

It was discovered that the netfilter subsystem in the Linux kernel did not validate that rules containing jumps contained user-defined chains. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-1065)

It was discovered that the netfilter subsystem of the Linux kernel did not properly validate ebtables offsets. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-1068)

It was discovered that a NULL pointer dereference vulnerability existed in the DCCP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1130)

It was discovered that the SCTP Protocol implementation in the Linux kernel did not properly validate userspace provided payload lengths in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5803)

It was discovered that a double free error existed in the block layer subsystem of the Linux kernel when setting up a request queue. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-7480)

It was discovered that a memory leak existed in the SAS driver subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-7757)

It was discovered that a race condition existed in the x86 machine check handler in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-7995)

Eyal Itkin discovered that the USB displaylink video adapter driver in the Linux kernel did not properly validate mmap offsets sent from userspace. A local attacker could use this to expose sensitive information (kernel memory) or possibly execute arbitrary code.
(CVE-2018-8781)

Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-0861

Robb Glasser reported a potential use-after-free in the ALSA (sound) PCM core. We believe this was not possible in practice.

CVE-2017-5715

Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated for the x86 architecture (amd64 and i386) by using the 'retpoline' compiler feature which allows indirect branches to be isolated from speculative execution.

CVE-2017-13166

A bug in the 32-bit compatibility layer of the v4l2 ioctl handling code has been found. Memory protections ensuring user-provided buffers always point to userland memory were disabled, allowing destination addresses to be in kernel space. On a 64-bit kernel (amd64 flavour) a local user with access to a suitable video device can exploit this to overwrite kernel memory, leading to privilege escalation.

CVE-2017-16526

Andrey Konovalov reported that the UWB subsystem may dereference an invalid pointer in an error case. A local user might be able to use this for denial of service.

CVE-2017-16911

Secunia Research reported that the USB/IP vhci_hcd driver exposed kernel heap addresses to local users. This information could aid the exploitation of other vulnerabilities.

CVE-2017-16912

Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to an out-of-bounds read. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-16913

Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to excessive memory allocation. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-16914

Secunia Research reported that the USB/IP stub driver failed to check for an invalid combination of fields in a recieved packet, leading to a NULL pointer dereference. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-18017

Denys Fedoryshchenko reported that the netfilter xt_TCPMSS module failed to validate TCP header lengths, potentially leading to a use-after-free. If this module is loaded, it could be used by a remote attacker for denial of service or possibly for code execution.

CVE-2017-18203

Hou Tao reported that there was a race condition in creation and deletion of device-mapper (DM) devices. A local user could potentially use this for denial of service.

CVE-2017-18216

Alex Chen reported that the OCFS2 filesystem failed to hold a necessary lock during nodemanager sysfs file operations, potentially leading to a NULL pointer dereference. A local user could use this for denial of service.

CVE-2018-1068

The syzkaller tool found that the 32-bit compatibility layer of ebtables did not sufficiently validate offset values. On a 64-bit kernel (amd64 flavour), a local user with the CAP_NET_ADMIN capability could use this to overwrite kernel memory, possibly leading to privilege escalation.

CVE-2018-1092

Wen Xu reported that a crafted ext4 filesystem image would trigger a null dereference when mounted. A local user able to mount arbitrary filesystems could use this for denial of service.

CVE-2018-5332

Mohamed Ghannam reported that the RDS protocol did not sufficiently validate RDMA requests, leading to an out-of-bounds write. A local attacker on a system with the rds module loaded could use this for denial of service or possibly for privilege escalation.

CVE-2018-5333

Mohamed Ghannam reported that the RDS protocol did not properly handle an error case, leading to a NULL pointer dereference. A local attacker on a system with the rds module loaded could possibly use this for denial of service.

CVE-2018-5750

Wang Qize reported that the ACPI sbshc driver logged a kernel heap address. This information could aid the exploitation of other vulnerabilities.

CVE-2018-5803

Alexey Kodanev reported that the SCTP protocol did not range-check the length of chunks to be created. A local or remote user could use this to cause a denial of service.

CVE-2018-6927

Li Jinyue reported that the FUTEX_REQUEUE operation on futexes did not check for negative parameter values, which might lead to a denial of service or other security impact.

CVE-2018-7492

The syzkaller tool found that the RDS protocol was lacking a NULL pointer check. A local attacker on a system with the rds module loaded could use this for denial of service.

CVE-2018-7566

&#x8303;&#x9F99;&#x98DE; (Fan LongFei) reported a race condition in the ALSA (sound) sequencer core, between write and ioctl operations.
This could lead to an out-of-bounds access or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation.

CVE-2018-7740

Nic Losby reported that the hugetlbfs filesystem's mmap operation did not properly range-check the file offset. A local user with access to files on a hugetlbfs filesystem could use this to cause a denial of service.

CVE-2018-7757

Jason Yan reported a memory leak in the SAS (Serial-Attached SCSI) subsystem. A local user on a system with SAS devices could use this to cause a denial of service.

CVE-2018-7995

Seunghun Han reported a race condition in the x86 MCE (Machine Check Exception) driver. This is unlikely to have any security impact.

CVE-2018-8781

Eyal Itkin reported that the udl (DisplayLink) driver's mmap operation did not properly range-check the file offset. A local user with access to a udl framebuffer device could exploit this to overwrite kernel memory, leading to privilege escalation.

CVE-2018-8822

Dr Silvio Cesare of InfoSect reported that the ncpfs client implementation did not validate reply lengths from the server. An ncpfs server could use this to cause a denial of service or remote code execution in the client.

CVE-2018-1000004

Luo Quan reported a race condition in the ALSA (sound) sequencer core, between multiple ioctl operations. This could lead to a deadlock or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation.

CVE-2018-1000199

Andy Lutomirski discovered that the ptrace subsystem did not sufficiently validate hardware breakpoint settings. Local users can use this to cause a denial of service, or possibly for privilege escalation, on x86 (amd64 and i386) and possibly other architectures.

Additionally, some mitigations for CVE-2017-5753 are included in this release :

CVE-2017-5753

Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

This specific attack has been named Spectre variant 1 (bounds-check bypass) and is mitigated by identifying vulnerable code sections (array bounds checking followed by array access) and replacing the array access with the speculation-safe array_index_nospec() function.

More use sites will be added over time.

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.101-1. This version also includes bug fixes from upstream versions up to and including 3.2.101. It also fixes a regression in the procfs hidepid option in the previous version (Debian bug #887106).

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2017-5715     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 2 (branch target   injection) and is mitigated for the x86 architecture (amd64 and   i386) by using the 'retpoline' compiler feature which allows   indirect branches to be isolated from speculative execution.

  - CVE-2017-5753     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 1 (bounds-check   bypass) and is mitigated by identifying vulnerable code sections   (array bounds checking followed by array access) and replacing the   array access with the speculation-safe array_index_nospec()   function.

  More use sites will be added over time.

  - CVE-2017-17975     Tuba Yavuz reported a use-after-free flaw in the     USBTV007 audio-video grabber driver. A local user could     use this for denial of service by triggering failure of     audio registration.

  - CVE-2017-18193     Yunlei He reported that the f2fs implementation does not     properly handle extent trees, allowing a local user to     cause a denial of service via an application with     multiple threads.

  - CVE-2017-18216     Alex Chen reported that the OCFS2 filesystem failed to     hold a necessary lock during nodemanager sysfs file     operations, potentially leading to a NULL pointer     dereference. A local user could use this for denial of     service.

  - CVE-2017-18218     Jun He reported a use-after-free flaw in the Hisilicon     HNS ethernet driver. A local user could use this for     denial of service.

  - CVE-2017-18222     It was reported that the Hisilicon Network Subsystem     (HNS) driver implementation does not properly handle     ethtool private flags. A local user could use this for     denial of service or possibly have other impact.

  - CVE-2017-18224     Alex Chen reported that the OCFS2 filesystem omits the     use of a semaphore and consequently has a race condition     for access to the extent tree during read operations in     DIRECT mode. A local user could use this for denial of     service.

  - CVE-2017-18241     Yunlei He reported that the f2fs implementation does not     properly initialise its state if the 'noflush_merge'     mount option is used. A local user with access to a     filesystem mounted with this option could use this to     cause a denial of service.

  - CVE-2017-18257     It was reported that the f2fs implementation is prone to     an infinite loop caused by an integer overflow in the
    __get_data_block() function. A local user can use this     for denial of service via crafted use of the open and     fallocate system calls with an FS_IOC_FIEMAP ioctl.

  - CVE-2018-1065     The syzkaller tool found a NULL pointer dereference flaw     in the netfilter subsystem when handling certain     malformed iptables rulesets. A local user with the     CAP_NET_RAW or CAP_NET_ADMIN capability (in any user     namespace) could use this to cause a denial of service.
    Debian disables unprivileged user namespaces by default.

  - CVE-2018-1066     Dan Aloni reported to Red Hat that the CIFS client     implementation would dereference a NULL pointer if the     server sent an invalid response during NTLMSSP setup     negotiation. This could be used by a malicious server     for denial of service.

  - CVE-2018-1068     The syzkaller tool found that the 32-bit compatibility     layer of ebtables did not sufficiently validate offset     values. On a 64-bit kernel, a local user with the     CAP_NET_ADMIN capability (in any user namespace) could     use this to overwrite kernel memory, possibly leading to     privilege escalation. Debian disables unprivileged user     namespaces by default.

  - CVE-2018-1092     Wen Xu reported that a crafted ext4 filesystem image     would trigger a null dereference when mounted. A local     user able to mount arbitrary filesystems could use this     for denial of service.

  - CVE-2018-1093     Wen Xu reported that a crafted ext4 filesystem image     could trigger an out-of-bounds read in the     ext4_valid_block_bitmap() function. A local user able to     mount arbitrary filesystems could use this for denial of     service.

  - CVE-2018-1108     Jann Horn reported that crng_ready() does not properly     handle the crng_init variable states and the RNG could     be treated as cryptographically safe too early after     system boot.

  - CVE-2018-5803     Alexey Kodanev reported that the SCTP protocol did not     range-check the length of chunks to be created. A local     or remote user could use this to cause a denial of     service.

  - CVE-2018-7480     Hou Tao discovered a double-free flaw in the     blkcg_init_queue() function in block/blk-cgroup.c. A     local user could use this to cause a denial of service     or have other impact.

  - CVE-2018-7566     Fan LongFei reported a race condition in the ALSA     (sound) sequencer core, between write and ioctl     operations. This could lead to an out-of-bounds access     or use-after-free. A local user with access to a     sequencer device could use this for denial of service or     possibly for privilege escalation.

  - CVE-2018-7740     Nic Losby reported that the hugetlbfs filesystem's mmap     operation did not properly range-check the file offset.
    A local user with access to files on a hugetlbfs     filesystem could use this to cause a denial of service.

  - CVE-2018-7757     Jason Yan reported a memory leak in the SAS     (Serial-Attached SCSI) subsystem. A local user on a     system with SAS devices could use this to cause a denial     of service.

  - CVE-2018-7995     Seunghun Han reported a race condition in the x86 MCE     (Machine Check Exception) driver. This is unlikely to     have any security impact.

  - CVE-2018-8087     A memory leak flaw was found in the hwsim_new_radio_nl()     function in the simulated radio testing tool driver for     mac80211, allowing a local user to cause a denial of     service.

  - CVE-2018-8781     Eyal Itkin reported that the udl (DisplayLink) driver's     mmap operation did not properly range-check the file     offset. A local user with access to a udl framebuffer     device could exploit this to overwrite kernel memory,     leading to privilege escalation.

  - CVE-2018-8822     Dr Silvio Cesare of InfoSect reported that the ncpfs     client implementation did not validate reply lengths     from the server. An ncpfs server could use this to cause     a denial of service or remote code execution in the     client.

  - CVE-2018-10323     Wen Xu reported a NULL pointer dereference flaw in the     xfs_bmapi_write() function triggered when mounting and     operating a crafted xfs filesystem image. A local user     able to mount arbitrary filesystems could use this for     denial of service.

  - CVE-2018-1000199     Andy Lutomirski discovered that the ptrace subsystem did     not sufficiently validate hardware breakpoint settings.
    Local users can use this to cause a denial of service,     or possibly for privilege escalation, on x86 (amd64 and     i386) and possibly other architectures.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2015-9016     Ming Lei reported a race condition in the multiqueue     block layer (blk-mq). On a system with a driver using     blk-mq (mtip32xx, null_blk, or virtio_blk), a local user     might be able to use this for denial of service or     possibly for privilege escalation.

  - CVE-2017-0861     Robb Glasser reported a potential use-after-free in the     ALSA (sound) PCM core. We believe this was not possible     in practice.

  - CVE-2017-5715     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 2 (branch target   injection) and is mitigated for the x86 architecture (amd64 and   i386) by using the 'retpoline' compiler feature which allows   indirect branches to be isolated from speculative execution.

  - CVE-2017-5753     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 1 (bounds-check   bypass) and is mitigated by identifying vulnerable code sections   (array bounds checking followed by array access) and replacing the   array access with the speculation-safe array_index_nospec()   function.

  More use sites will be added over time.

  - CVE-2017-13166     A bug in the 32-bit compatibility layer of the v4l2     ioctl handling code has been found. Memory protections     ensuring user-provided buffers always point to userland     memory were disabled, allowing destination addresses to     be in kernel space. On a 64-bit kernel a local user with     access to a suitable video device can exploit this to     overwrite kernel memory, leading to privilege     escalation.

  - CVE-2017-13220     Al Viro reported that the Bluetooth HIDP implementation     could dereference a pointer before performing the     necessary type check. A local user could use this to     cause a denial of service.

  - CVE-2017-16526     Andrey Konovalov reported that the UWB subsystem may     dereference an invalid pointer in an error case. A local     user might be able to use this for denial of service.

  - CVE-2017-16911     Secunia Research reported that the USB/IP vhci_hcd     driver exposed kernel heap addresses to local users.
    This information could aid the exploitation of other     vulnerabilities.

  - CVE-2017-16912     Secunia Research reported that the USB/IP stub driver     failed to perform a range check on a received packet     header field, leading to an out-of-bounds read. A remote     user able to connect to the USB/IP server could use this     for denial of service.

  - CVE-2017-16913     Secunia Research reported that the USB/IP stub driver     failed to perform a range check on a received packet     header field, leading to excessive memory allocation. A     remote user able to connect to the USB/IP server could     use this for denial of service.

  - CVE-2017-16914     Secunia Research reported that the USB/IP stub driver     failed to check for an invalid combination of fields in     a received packet, leading to a NULL pointer     dereference. A remote user able to connect to the USB/IP     server could use this for denial of service.

  - CVE-2017-18017     Denys Fedoryshchenko reported that the netfilter     xt_TCPMSS module failed to validate TCP header lengths,     potentially leading to a use-after-free. If this module     is loaded, it could be used by a remote attacker for     denial of service or possibly for code execution.

  - CVE-2017-18203     Hou Tao reported that there was a race condition in     creation and deletion of device-mapper (DM) devices. A     local user could potentially use this for denial of     service.

  - CVE-2017-18216     Alex Chen reported that the OCFS2 filesystem failed to     hold a necessary lock during nodemanager sysfs file     operations, potentially leading to a NULL pointer     dereference. A local user could use this for denial of     service.

  - CVE-2017-18232     Jason Yan reported a race condition in the SAS     (Serial-Attached SCSI) subsystem, between probing and     destroying a port. This could lead to a deadlock. A     physically present attacker could use this to cause a     denial of service.

  - CVE-2017-18241     Yunlei He reported that the f2fs implementation does not     properly initialise its state if the 'noflush_merge'     mount option is used. A local user with access to a     filesystem mounted with this option could use this to     cause a denial of service.

  - CVE-2018-1066     Dan Aloni reported to Red Hat that the CIFS client     implementation would dereference a NULL pointer if the     server sent an invalid response during NTLMSSP setup     negotiation. This could be used by a malicious server     for denial of service.

  - CVE-2018-1068     The syzkaller tool found that the 32-bit compatibility     layer of ebtables did not sufficiently validate offset     values. On a 64-bit kernel, a local user with the     CAP_NET_ADMIN capability (in any user namespace) could     use this to overwrite kernel memory, possibly leading to     privilege escalation. Debian disables unprivileged user     namespaces by default.

  - CVE-2018-1092     Wen Xu reported that a crafted ext4 filesystem image     would trigger a null dereference when mounted. A local     user able to mount arbitrary filesystems could use this     for denial of service.

  - CVE-2018-5332     Mohamed Ghannam reported that the RDS protocol did not     sufficiently validate RDMA requests, leading to an     out-of-bounds write. A local attacker on a system with     the rds module loaded could use this for denial of     service or possibly for privilege escalation.

  - CVE-2018-5333     Mohamed Ghannam reported that the RDS protocol did not     properly handle an error case, leading to a NULL pointer     dereference. A local attacker on a system with the rds     module loaded could possibly use this for denial of     service.

  - CVE-2018-5750     Wang Qize reported that the ACPI sbshc driver logged a     kernel heap address. This information could aid the     exploitation of other vulnerabilities.

  - CVE-2018-5803     Alexey Kodanev reported that the SCTP protocol did not     range-check the length of chunks to be created. A local     or remote user could use this to cause a denial of     service.

  - CVE-2018-6927     Li Jinyue reported that the FUTEX_REQUEUE operation on     futexes did not check for negative parameter values,     which might lead to a denial of service or other     security impact.

  - CVE-2018-7492     The syzkaller tool found that the RDS protocol was     lacking a null pointer check. A local attacker on a     system with the rds module loaded could use this for     denial of service.

  - CVE-2018-7566     Fan LongFei reported a race condition in the ALSA     (sound) sequencer core, between write and ioctl     operations. This could lead to an out-of-bounds access     or use-after-free. A local user with access to a     sequencer device could use this for denial of service or     possibly for privilege escalation.

  - CVE-2018-7740     Nic Losby reported that the hugetlbfs filesystem's mmap     operation did not properly range-check the file offset.
    A local user with access to files on a hugetlbfs     filesystem could use this to cause a denial of service.

  - CVE-2018-7757     Jason Yan reported a memory leak in the SAS     (Serial-Attached SCSI) subsystem. A local user on a     system with SAS devices could use this to cause a denial     of service.

  - CVE-2018-7995     Seunghun Han reported a race condition in the x86 MCE     (Machine Check Exception) driver. This is unlikely to     have any security impact.

  - CVE-2018-8781     Eyal Itkin reported that the udl (DisplayLink) driver's     mmap operation did not properly range-check the file     offset. A local user with access to a udl framebuffer     device could exploit this to overwrite kernel memory,     leading to privilege escalation.

  - CVE-2018-8822     Dr Silvio Cesare of InfoSect reported that the ncpfs     client implementation did not validate reply lengths     from the server. An ncpfs server could use this to cause     a denial of service or remote code execution in the     client.

  - CVE-2018-1000004     Luo Quan reported a race condition in the ALSA (sound)     sequencer core, between multiple ioctl operations. This     could lead to a deadlock or use-after-free. A local user     with access to a sequencer device could use this for     denial of service or possibly for privilege escalation.

  - CVE-2018-1000199     Andy Lutomirski discovered that the ptrace subsystem did     not sufficiently validate hardware breakpoint settings.
    Local users can use this to cause a denial of service,     or possibly for privilege escalation, on x86 (amd64 and     i386) and possibly other architectures.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Linux kernel's client-side     implementation of the cifs protocol. This flaw allows     an attacker controlling the server to kernel panic a     client which has the CIFS server     mounted.(CVE-2018-1066)

  - Memory leak in the sas_smp_get_phy_events function in     drivers/scsi/libsas/sas_expander.c in the Linux kernel     allows local users to cause a denial of service (kernel     memory exhaustion) via multiple read accesses to files     in the /sys/class/sas_phy directory.(CVE-2018-7757)

  - A race condition in the store_int_with_restart()     function in arch/x86/kernel/cpu/mcheck/mce.c in the     Linux kernel allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck (cpu     number) directory.(CVE-2018-7995)

  - Improper validation in the bnx2x network card driver of     the Linux kernel version 4.15 can allow for denial of     service (DoS) attacks via a packet with a gso_size     larger than ~9700 bytes. Untrusted guest VMs can     exploit this vulnerability in the host machine, causing     a crash in the network card.(CVE-2018-1000026)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Race condition in the store_int_with_restart() function in cpu/mcheck/mce.c :

A race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck<cpu number> directory.
(CVE-2018-7995)

Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c :

A flaw was found in the Linux kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory. (CVE-2018-1068)

A flaw was found in the Linux kernel's skcipher component, which affects the skcipher_recvmsg function. Attackers using a specific input can lead to a privilege escalation.(CVE-2017-13215)

The do_get_mempolicy() function in mm/mempolicy.c in the Linux kernel allows local users to hit a use-after-free bug via crafted system calls and thus cause a denial of service (DoS) or possibly have unspecified other impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.(CVE-2018-10675)

A flaw was found in Linux kernel's KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges.(CVE-2018-10901)

The 4.15.9 update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124820	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1497)	Nessus	Huawei Local Security Checks	medium
122414	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-1062)	Nessus	Huawei Local Security Checks	high
121605	OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0002)	Nessus	OracleVM Local Security Checks	high
120977	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4316)	Nessus	Oracle Linux Local Security Checks	high
120976	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4315)	Nessus	Oracle Linux Local Security Checks	high
117569	EulerOS Virtualization 2.5.0 : kernel (EulerOS-SA-2018-1260)	Nessus	Huawei Local Security Checks	high
110197	Amazon Linux AMI : kernel (ALAS-2018-1023)	Nessus	Amazon Linux Local Security Checks	high
110051	Ubuntu 16.04 LTS : linux-raspi2, linux-snapdragon vulnerabilities (USN-3656-1)	Nessus	Ubuntu Local Security Checks	high
110049	Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3654-2) (Spectre)	Nessus	Ubuntu Local Security Checks	high
110048	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, vulnerabilities (USN-3654-1) (Spectre)	Nessus	Ubuntu Local Security Checks	high
109531	Debian DLA-1369-1 : linux security update (Spectre)	Nessus	Debian Local Security Checks	critical
109518	Debian DSA-4188-1 : linux - security update (Spectre)	Nessus	Debian Local Security Checks	high
109517	Debian DSA-4187-1 : linux - security update (Spectre)	Nessus	Debian Local Security Checks	critical
109483	EulerOS 2.0 SP1 : kernel (EulerOS-SA-2018-1085)	Nessus	Huawei Local Security Checks	high
109177	Amazon Linux 2 : kernel (ALAS-2018-994)	Nessus	Amazon Linux Local Security Checks	high
108428	Fedora 27 : kernel (2018-cf76003e1f)	Nessus	Fedora Local Security Checks	medium
108427	Fedora 26 : kernel (2018-bf60ec1389)	Nessus	Fedora Local Security Checks	medium

CVE-2018-7995

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins