readykernel-patch-15.2-36.1-1.vl7

Kernel Update Version:
3.10.0-327.18.2.vz7.15.2
Release Date:
2022-03-02 08:28:02
  • CVE-2017-15649

    Use-after-free in af_packet.c.

    A vulnerability in fanout_add() in 'net/packet/af_packet.c' in the Linux kernel version 4.13.6 and older allows local users to gain privileges or cause a denial of service (kernel crash). A specially crafted sequence of system calls may trigger a race condition (involving fanout_add() and packet_do_bind() functions) that leads to a use-after-free.
    https://bugzilla.redhat.com/show_bug.cgi?id=1504574
  • CVE-2016-8399

    net: Out of bounds stack read in memcpy_fromiovec.

    A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto().
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8399
  • CVE-2017-12190

    Memory leak when merging buffers in SCSI IO vectors.

    It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in 'block/bio.c' do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and possible system lockup due to out-of-memory condition.
    https://bugzilla.redhat.com/show_bug.cgi?id=1495089
  • PSBM-75641

    Kernel crash in rt6_ifdown().

    It was discovered that a specially crafted sequence of system calls could cause a kernel crash (general protection fault) in rt6_ifdown().
    https://bugzilla.redhat.com/show_bug.cgi?id=1492640
  • PSBM-75247

    NULL pointer dereference in __task_pid_nr_ns().

    It was discovered that the value of task->pids[type].pid was actually read twice in __task_pid_nr_ns() rather than only once, due to compiler optimizations. As a result, a race condition could happen and that value could become NULL between these reads, leading to a kernel crash (NULL pointer dereference).
  • CVE-2017-15274

    Adding invalid keys with NULL payload but nonzero payload length leads to kernel crash.

    A flaw was discovered in the key management subsystem of the Linux kernel. It allowed to pass NULL payload with non-zero payload length as parameters to sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl(). A local unprivileged user could exploit this to cause a kernel crash (NULL pointer dereference).
    https://bugzilla.redhat.com/show_bug.cgi?id=1500391
  • PSBM-71536

    autofs: unbalanced pid get/put operation in the error path in autofs4_fill_super().

    autofs: unbalanced pid get/put operation in the error path in autofs4_fill_super().
  • CVE-2017-15299

    Incorrect updates of uninstantiated keys crash the kernel.

    It was discovered that the key management subsystem of the Linux kernel could perform incorrect update operations on uninstantiated keys. A local unprivileged user could exploit this flaw to cause a NULL pointer dereference in the kernel.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15299
  • CVE-2017-1000253

    load_elf_binary() does not allocate sufficient space for the entire binary in some cases.

    A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000253
  • CVE-2017-1000251

    Buffer overflow in the native Bluetooth stack.

    It was discovered that a buffer overflow existed in the Bluetooth stack of the Linux kernel when handling L2CAP configuration responses. A physically proximate attacker could use this to cause a denial of service (system crash).
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000251
  • CVE-2017-12154

    kvm: nVMX: L2 guest could access hardware (L0) CR8 register.

    If nested virtualisation (nVMX) feature is enabled in the kernel, L2 guest system could access the hardware CR8 register of the host(L0) and use that to crash the host system.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12154
  • CVE-2017-12192

    Kernel crash due to missing error handling for negatively instantiated keys.

    An unprivileged user inside a container can cause a denial of service (kernel crash in user_read() function) using a specially crafted sequence of system calls.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12192
  • CVE-2017-14489

    scsi: nlmsg not properly parsed in iscsi_if_rx function.

    The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-14489
  • CVE-2017-14106

    net/ipv4: divide error in __tcp_select_window().

    A vulnerability was found in the Linux kernel. A privileged user inside a container can cause a denial of service (kernel crash due to a divide-by-zero error in __tcp_select_window()) using a specially crafted sequence of system calls.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-14106
  • PSBM-70151

    A container could not be stopped in certain situations because of an infinite loop in __get_user_pages().

    If transparent huge pages were enabled, certain processes could enter an infinite loop in __get_user_pages() and become unkillable preventing the container from stopping.
  • PSBM-70063

    Race on map->levels[] update in ploop.

    ploop could use inconsistent values for iblock and the corresponding delta for IO because of a race over map->levels[]. This could result in incorrect read and write operations for ploop devices.
  • CVE-2017-1000112

    A race condition in the UDP Fragmentation Offload (UFO).

    Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code.
    https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000112.html
  • CVE-2017-1000111

    Heap out-of-bounds in AF_PACKET sockets.

    Andrey Konovalov discovered a race condition in AF_PACKET socket option handling code which may result in out-of-bounds accesses to the heap memory. A local unprivileged attacker could use this to cause a denial of service or possibly execute arbitrary code.
    http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000111.html
  • CVE-2017-7533

    A race between inotify_handle_event() and sys_rename().

    Fan Wu and Shixiong Zhao discovered a race condition between inotify events and vfs rename operations in the Linux kernel. An unprivileged local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.
    http://seclists.org/oss-sec/2017/q3/240
  • PSBM-68292

    lseek(SEEK_DATA) and lseek(SEEK_HOLE) returned incorrect results on ext4 in some cases.

    It was discovered that lseek(SEEK_DATA) and lseek(SEEK_HOLE) returned incorrect values on ext4 FS in some cases, causing corruption of QCOW2 disk images used by VMs.
  • PSBM-69018

    Division by zero in dcache_is_low().

    Division by zero in dcache_is_low().
  • CVE-2017-11600

    Out-of-bounds access via an XFRM_MSG_MIGRATE xfrm Netlink message.

    A vulnerability was found in the handling of xfrm Netlink messages. A privileged user inside a container could cause a denial of service (kernel crash) by sending a crafted Netlink message with type XFRM_MSG_MIGRATE to the kernel.
    http://seclists.org/bugtraq/2017/Jul/30
  • CVE-2017-7541

    Possible heap buffer overflow in brcmf_cfg80211_mgmt_tx().

    Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash.
    https://bugzilla.redhat.com/show_bug.cgi?id=1473198
  • CVE-2017-7542

    Integer overflow in ip6_find_1stfragopt().

    Integer overflow vulnerability in ip6_find_1stfragopt() function was found. Local attacker that has privileges to open raw sockets can cause infinite loop inside ip6_find_1stfragopt() function.
    https://bugzilla.redhat.com/show_bug.cgi?id=1473649
  • PSBM-68472

    Kernel crash when accessing /proc/$PID/map_files.

    A data race was discovered in the implementation of /proc/$PID/map_files. A privileged user on the host could crash the kernel by using mmap and munmap for a file and simultaneously trying to access /proc/$PID/map_files.
  • PSBM-64050

    sctp: potential kernel crash in sctp_wait_for_sndbuf().

    If sctp module was loaded on the host, a privileged user inside a container could make sctp listen on a socket in an inappropriate state, causing a kernel crash (use-after-free in sctp_wait_for_sndbuf()).
  • PSBM-68362

    Kernel crash due to incorrect skb headroom calculation and missing checks.

    It was found that the kernel could crash (skb_under_panic) if an skb from a virtual (NETIF_F_VENET) device was processed in a particular networking configuration. The problem was caused by the incorrect skb headroom calculation and missing headroom checks.
  • PSBM-67513

    Kernel crash in ploop due to the list corruption during parallel push backups.

    A data race was discovered in ploop, which could lead to the kernel crash due to the list corruption during parallel push backups.
  • PSBM-68052

    The values shown in /proc/loadavg can be calculated incorrectly in some cases.

    A data race between calc_load_fold_active() and try_to_wake_up() was discovered. As a result of that race, the values shown in /proc/loadavg could be calculated incorrectly in some cases.
  • CVE-2017-11176

    Use-after-free in sys_mq_notify().

    The implementation of mq_notify system call in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.
    https://bugzilla.redhat.com/show_bug.cgi?id=1470659
  • PSBM-64752

    ipv4: deadlock in ip_ra_control().

    A vulnerability was found in the implementation of setsockopt() operations in the Linux kernel. A privileged user inside a container could cause a DoS on the host (kernel deadlock in ip_ra_control() function) using a specially crafted sequence of system calls.
  • CVE-2017-8797

    NFSv4 server does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET operand.

    The NFSv4 server in the Linux kernel compiled with CONFIG_NFSD_PNFS enabled does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. The attack payload fits to single one-way UDP packet. The provided input value is used for array dereferencing. This may lead to a remote DoS of [knfsd] and so to a soft-lockup of a whole system.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8797
  • CVE-2017-9242

    Kernel crash (out-of-bounds write) in __ip6_append_data().

    The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.
    http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9242.html
  • PSBM-67221

    Kernel crash (general protection fault) in cleanup_timers().

    A vulnerability was found in the signal handling in the Linux kernel. A local unprivileged user may cause a kernel crash (general protection fault) in cleanup_timers() function by using rt_tgsigqueueinfo() system call with a specially crafted set of arguments.
  • PSBM-67300

    Kernel crash (NULL pointer dereference) in list_lru_destroy().

    Kernel crash (NULL pointer dereference) in list_lru_destroy().
  • CVE-2017-9074

    IPv6 fragmentation implementation of nexthdr field may be associated with an invalid option.

    The IPv6 fragmentation implementation in the Linux kernel does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG()) or possibly have unspecified other impact via crafted socket() and send() system calls.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9074
  • CVE-2017-9075

    sctp_v6_create_accept_sk function mishandles inheritance.

    sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, an issue related to CVE-2017-8890. An unprivileged local user could use this flaw to cause corruption of the kernel memory in the system, leading to a crash.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9075
  • CVE-2017-9077

    tcp_v6_syn_recv_sock function mishandles inheritance.

    tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, an issue related to CVE-2017-8890. An unprivileged local user could use this flaw to cause corruption of the kernel memory in the system, leading to a crash.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9077
  • CVE-2017-9076

    IPv6 DCCP implementation mishandles inheritance.

    The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, an issue related to CVE-2017-8890. An unprivileged local user could use this flaw to cause corruption of the kernel memory in the system, leading to a crash.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9076
  • CVE-2017-8890

    Double free in inet_csk_clone_lock() function in net/ipv4/inet_connection_sock.c.

    inet_csk_clone_lock() function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by using a specially crafted sequence of system calls including accept(). An unprivileged local user could use this flaw to cause corruption of the kernel memory in the system, leading to a crash.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8890
  • CVE-2016-8646

    Kernel crash in shash_async_export().

    An unprivileged local user could trigger a kernel crash in shash_async_export() by attempting to force the in-kernel hashing algorithms into decrypting an empty data set.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8646
  • CVE-2017-7895

    NFSv3 server does not handle payload bounds checking of WRITE requests properly.

    The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly have unspecified other impact via crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7895
  • CVE-2017-7645

    nfsd: Incorrect handling of long RPC replies.

    The NFS2/3 RPC client could send long arguments to nfsd server. These encoded arguments are stored in an array of memory pages, and accessed via various pointer variables. Arbitrarily long arguments could make these pointers point outside the array, thus causing out-of-bounds memory access. A remote user/program could use this flaw to crash the kernel resulting in DoS.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7645
  • PSBM-65826

    sctp: Null pointer dereference in sctp_endpoint_destroy().

    If sctp module is loaded on the host, a privileged user inside a container can cause a kernel crash by triggering a NULL pointer dererefence in sctp_endpoint_destroy() function with a specially crafted sequence of system calls.
  • PSBM-65345

    User-triggerable BUG_ON() in unregister_netdevice_many().

    A privileged user inside a container can cause a kernel crash by triggering a BUG_ON in unregister_netdevice_many() function with a specially crafted sequence of system calls.
  • PSBM-64734

    Use after free in __sctp_connect().

    A vulnerability was found in the implementation of SCTP protocol in the Linux kernel. If sctp module is loaded on the host, a privileged user inside a container could cause a kernel crash by triggering use after free in __sctp_connect() function with a specially crafted sequence of system calls.
  • CVE-2017-5970

    ipv4: Invalid IP options could cause skb->dst drop.

    A vulnerability was found in the Linux kernel where having malicious IP options present would cause the ipv4_pktinfo_prepare() function to drop/free the dst. This could result in a system crash or possible privilege escalation.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5970
  • CVE-2017-6353

    Possible double free in stcp_sendmsg().

    net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6353
  • CVE-2017-5986

    Kernel crash in sctp_wait_for_sndbuf().

    Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5986
  • CVE-2017-7472

    Memory leak in keyctl_set_reqkey_keyring().

    A vulnerability was found in the Linux kernel. keyctl_set_reqkey_keyring() function leaks thread keyring which allows an unprivileged local user to exhaust kernel memory.
    https://bugzilla.redhat.com/show_bug.cgi?id=1442086
  • PSBM-56705

    Kernel crash in proc_flush_task() triggerable by wait4() syscall.

    A vulnerability was discovered in the handling of pid namespaces in the kernel. A privileged user inside a container may trigger a kernel crash (NULL pointer dereference in proc_flush_task()) using a sequence of system calls including wait4().
  • PSBM-44587

    Kernel crash in synchronize_mapping_faults_vma() when pfcache is active.

    Kernel crash in synchronize_mapping_faults_vma() when pfcache is active.
  • PSBM-52369

    Kernel crash in cgroup_show_path() while running rkt in a container.

    Kernel crash in cgroup_show_path() while running rkt in a container.
  • PSBM-63197

    L1 VZ7 guest: kernel crash due to a race between attach and invalidate page.

    L1 VZ7 guest: kernel crash due to a race between attach and invalidate page.
  • CVE-2017-2636

    Race condition access to n_hdlc.tbuf causes double free in n_hdlc_release().

    A race condition flaw was found in the N_HLDC Linux kernel driver when accessing n_hdlc.tbuf list that can lead to double free. A local, unprivileged user able to set the HDLC line discipline on the tty device could use this flaw to increase their privileges on the system.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2636
  • CVE-2017-7308

    Integer overflows in packet_set_ring().

    The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308
  • CVE-2017-7184

    Local privilege escalation in XFRM framework.

    It was discovered that the xfrm framework for transforming packets in the Linux kernel did not properly validate data received from user space. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges.
    http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7184.html
  • CVE-2017-2647

    Null pointer dereference in search_keyring().

    A flaw was discovered in the Linux kernel's key subsystem. Calling request_key() system call with the specially crafted set of arguments may result in a NULL-pointer dereference inside search_keyring() function. A local unprivileged user can use this vulnerability to crash the system.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2647
  • CVE-2017-6214

    ipv4/tcp: Infinite loop in tcp_splice_read().

    The tcp_splice_read function in net/ipv4/tcp.c allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6214
  • PSBM-57512

    A privileged user inside a container can cause a host kernel crash in udp_lib_get_port().

    A privileged user inside a container can cause a host kernel crash in udp_lib_get_port().
  • PSBM-59964

    Broken isolation for some of 'ip ntable' settings.

    Broken isolation for some of "ip ntable" settings.
  • CVE-2017-6074

    Use after free in the implementation of DCCP protocol.

    A use-after-free flaw was found in the way the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6074
  • PSBM-57511

    General protection fault in sendmsg() -> netlink_sendmsg() -> netlink_unicast().

    General protection fault in sendmsg() -> netlink_sendmsg() -> netlink_unicast().
  • PSBM-57499

    NULL pointer dereference in write() -> netlink_sendmsg() -> netlink_unicast().

    NULL pointer dereference in write() -> netlink_sendmsg() -> netlink_unicast().
  • PSBM-59983

    iptables: forwarding does not work with '--netfilter full'.

    iptables: forwarding does not work with '--netfilter full'.
  • CVE-2016-9793

    Signed overflow for SO_{SND|RCV}BUFFORCE.

    Andrey Konovalov discovered that signed integer overflows existed in the setsockopt() system call when handling the SO_SNDBUFFORCE and SO_RCVBUFFORCE options. A local attacker with the CAP_NET_ADMIN capability could use this to cause a denial of service (system crash or memory corruption).
    http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9793.html
  • CVE-2017-2584

    kvm: use after free in complete_emulated_mmio.

    Linux kernel built with the Kernel-based Virtual Machine(CONFIG_KVM) support is vulnerable to a use after free flaw. It could occur on x86 platform, when emulating instructions fxsave, fxrstor, sgdt, etc. A user/process could use this flaw to crash the host kernel resulting in DoS.
    https://bugzilla.redhat.com/show_bug.cgi?id=1413001
  • CVE-2017-2583

    kvm: vmx/svm potential privilege escalation inside guest.

    Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to an incorrect segment selector (SS) value error. The error could occur while loading values into the SS register in long mode. A user/process inside guest could use this flaw to crash the guest resulting in DoS or potentially escalate their privileges inside guest.
    https://bugzilla.redhat.com/show_bug.cgi?id=1414735
  • PSBM-57460

    Potential deadlock in fuse_invalidate_files()

  • PSBM-57915

    fs/fadvise: a way was needed to deactivate pages after cached reads.

    Support for FADV_DEACTIVATE flag (fs/fadvise) was added to the kernel to address this.
  • CVE-2015-8539

    Keys: general protection fault in trusted_update().

    A flaw was found in the handling of negatively instantiated keys in the Linux kernel. A local unprivileged user can use this vulnerability to crash the system.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8539
  • CVE-2016-6198

    vfs: missing detection of hardlinks in vfs_rename() on overlayfs.

    A flaw was found that the vfs_rename() function did not detect hard links on overlayfs. A local, unprivileged user could use the rename syscall on overlayfs on top of xfs to crash the system.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6198
  • PSBM-57010

    Fuse: potential lockup in fuse_wait_on_page_writeback().

    Fuse: potential lockup in fuse_wait_on_page_writeback().
  • PSBM-56703

    User-triggerable WARN_ON() in the page allocator.

    It was found that a user may trigger WARN_ON() in page allocator by requesting too many groups.
  • PSBM-56606

    Lockdep: suspicious rcu_dereference_protected() usage in af_netlink.c.

    Lockdep: suspicious rcu_dereference_protected() usage in af_netlink.c.
  • PSBM-55919

    Fuse: performance problems in the implementation of fsync/fdatasync.

    1. There is no need for mtime flush on fdatasync(). 2. Excessive locking in fuse_fsync().
  • PSBM-56474

    Fuse: lockup in invalidate_inode_pages2_range().

    Fuse: lockup in invalidate_inode_pages2_range().
  • PSBM-56609

    Out-of-bounds memory read in keyring_compare_object().

    A problem was found in the implementation of assoc_array that may cause an out-of-bounds read access in keyring_compare_object().
  • PSBM-56839

    Some operations with btrfs subvolumes may consume all kernel memory.

    An unprivileged user with the read-write access to more than one btrfs subvolume may easily consume all kernel memory (eventually triggering oom-killer).
  • CVE-2016-9806

    Potential double free in netlink_dump().

    A double free vulnerability was found in netlink_dump(), which could cause a denial of service or possibly other unspecified impact.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9806
  • CVE-2016-8645

    A BUG() statement can be hit in net/ipv4/tcp_input.c.

    It was discovered that the Linux kernel since 3.6-rc1 with net.ipv4.tcp_fastopen set to 1 can hit BUG() statement in tcp_collapse() function after making a number of certain syscalls leading to a possible system crash.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8645
  • CVE-2016-8655

    Race condition in net/packet/af_packet.c which leads to a use-after-free.

    A race-condition was found in net/packet/af_packet.c. It can be exploited to gain kernel code execution from unprivileged processes.
    http://seclists.org/oss-sec/2016/q4/607
  • CVE-2016-9555

    Slab out-of-bounds access in sctp_sf_ootb().

    A bug was found in the Linux kernel sctp implementation which allows a remote attacker to trigger a slab-out-of-bounds access with an offset up to 64K bytes and cause a system crash.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9555
  • CVE-2016-0723

    Kernel memory disclosure and crash in tty layer.

    A use-after-free flaw was discovered in the Linux kernel's tty subsystem, which allows for the disclosure of uncontrolled memory location and possible kernel panic. The information leak is caused by a race condition when attempting to set and read the tty line discipline. A local attacker could use the TIOCSETD (via tty_set_ldisc) to switch to a new line discipline; a concurrent call to a TIOCGETD ioctl performing a read on a given tty could then access previously allocated memory. Up to 4 bytes could be leaked when querying the line discipline or the kernel could panic with a NULL-pointer dereference.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0723
  • CVE-2016-8650

    Null pointer dereference via keyctl.

    A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8650
  • CVE-2016-7911

    block: fix use-after-free in sys_ioprio_get().

    Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel before 4.6.6 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call.
    https://source.android.com/security/bulletin/2016-11-01.html
  • CVE-2016-7910

    block: fix use-after-free in seq file.

    Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before 4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed.
    https://source.android.com/security/bulletin/2016-11-01.html
  • CVE-2016-2053

    Kernel panic and system lockup by triggering BUG_ON() in public_key_verify_signature()

    A syntax vulnerability was discovered in the kernel's ASN1.1 DER decoder, which could lead to memory corruption or a complete local denial of service through x509 certificate DER files. A local system user could use a specially created key file to trigger BUG_ON() in the public_key_verify_signature() function (crypto/asymmetric_keys/public_key.c), to cause a kernel panic and crash the system.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2053
  • CVE-2016-8630

    kvm: x86: NULL pointer dereference during instruction decode.

    An error was found in the x86 instruction decoder in KVM that may result in the kernel crash on the host. Trying to process some invalid instructions may trigger a NULL pointer dereference.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8630
  • CVE-2016-7097

    Setting a POSIX ACL via setxattr doesn't clear the setgid bit.

    When file permissions are modified via chmod and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way; this allows to bypass the check in chmod.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7097
  • PSBM-54126

    Out of bounds access in sctp_add_bind_addr.

    It was found that sctp_add_bind_addr() may read more bytes than expected in case the parameter is a IPv4 address supplied by the user. The kernel might crash as a result.
    https://groups.google.com/forum/#!msg/syzkaller/BhOYz2ZBraw/-k3iDvD8BAAJ
  • CVE-2016-7117

    Use after free in the recvmmsg exit path.

    A use after free vulnerability was found in the kernel's socket recvmmsg subsystem. It may allow remote attackers to corrupt memory and may also allow execution of arbitrary code.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7117
  • CVE-2016-7039

    Remotely triggerable unbounded recursion in the VLAN GRO code leading to a kernel crash.

    Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path, as an unlimited recursion could happen in both VLAN and TEB modules, leading to a stack corruption in the kernel.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7039
  • CVE-2016-5195

    mm: privilege escalation via MAP_PRIVATE COW breakage.

    A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5195
  • PSBM-52390

    virtio-net: tx stall due to failed allocations of large skbs.

    virtio-net: tx stall due to failed allocations of large skbs.
  • CVE-2016-3070

    Null pointer dereference in trace_writeback_dirty_page().

    An attempt to move page mapped by AIO ring buffer to the other node triggers NULL pointer dereference at trace_writeback_dirty_page(), because aio_fs_backing_dev_info.dev is 0.
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3070
  • CVE-2016-3134

    netfilter: missing bounds check in ipt_entry structure.

    A security flaw was found in the Linux kernel in the mark_source_chains() function in "net/ipv4/netfilter/ip_tables.c". It is possible for a user-supplied "ipt_entry" structure to have a large "next_offset" field. This field is not bounds checked prior to writing to a counter value at the supplied offset. Patches: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54d83fc74aa9ec72794373cb47432c5f7fb1a309 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f24e230d257af1ad7476c6e81a8dc3127a74204e
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3134
  • CVE-2015-8953

    overlayfs: Double dentry reference leak in copy-up failure.

    A flaw was found in the implementation of overlayfs in the Linux kernel. An attacker can make the system leak resources by opening a large file for writing on an overlay filesystem that does not have enough space to handle writing of such amounts of data. Patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ab79efab0a0ba01a74df782eb7fa44b044dae8b5
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8953
  • CVE-2016-6828

    Use after free in tcp_xmit_retransmit_queue.

    A use after free vulnerability was found in tcp_xmit_retransmit_queue and other tcp_* functions. Patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bb1fceca22492109be12640d49f5ea5a544c6bb4
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6828
  • CVE-2016-6136

    audit: Race condition vulnerability in execve argv arguments.

    Race condition in the audit_log_single_execve_arg function in the Linux kernel allows local users to bypass intended character-set restrictions or disrupt audit of the system calls. Patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=43761473c254b45883a64441dd0bc85a42f3645c
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6136
  • PSBM-49885

    ext4: mfsync() was broken.

    ext4: mfsync() was broken.
  • PSBM-50864

    ext4: fsync() for dirs/symlink was broken.

    ext4: fsync() for dirs/symlink was broken.
  • PSBM-51754

    Container start and stop operations took too long when many network namespaces were created and destroyed.

    Container start and stop operations took too long when many network namespaces were created and destroyed.
  • PSBM-49918

    Page allocator: freed memory pages could be accessed in the error paths.

    Page allocator: freed memory pages could be accessed in the error paths.
  • PSBM-50248

    MAC filter was silently disabled for the containers in some cases.

    MAC filter was silently disabled for the containers in some cases.
  • CVE-2016-5696

    tcp: challenge ACK counter information disclosure.

    A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack where an attacker is able to determine the shared counter which could be used to determine sequence numbers for TCP stream injection. Patch: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5696
  • CVE-2016-4470

    Uninitialized variable in key_reject_and_link() causes a kernel crash in the error path

    A flaw was found in the Linux kernel's keyring handling code. An uninitialized variable in key_reject_and_link() function could lead to a system crash or a use-after-free. Patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=38327424b40bcebe2de92d07312c89360ac9229a
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4470
  • CVE-2015-8543

    IPv6 connect causes DoS via NULL pointer dereference.

    A NULL pointer dereference flaw was found in the way the Linux kernel's network subsystem handled socket creation with an invalid protocol identifier. A local user could use this flaw to crash the system. Patch: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=79462ad02e861803b3840cc782248c7359451cd9
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8543